Contractors that handle Covered Defense Information (CDI) are required to report cyber incidents to the Department of Defense within 72 hours of discovery.
Supporting Extracts from Official Content:
DFARS 252.204-7012(c)(1): “When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, the Contractor shall conduct a review… and rapidly report the cyber incident to DoD within 72 hours of discovery.”
Why Option C is Correct:
The regulation explicitly specifies 72 hours.
Options A (24 hrs), B (48 hrs), and D (96 hrs) do not align with DFARS requirements.
References (Official CMMC v2.0 Content and Source Documents):
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
CMMC v2.0 Governance – Source Documents list includes DFARS 252.204-7012.
===========
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit