DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE)

A DoD-Approved Medium Assurance Certificate is required to report a cyber incident. However, if you do not yet have a DoD-approved Medium Assurance Certificate and need to report a cyber incident, please email DC3.DCISE@us.af.mil or call the DCISE hotline at (410) 981-0104 for further assistance.

Report a Cyber Incident

DoD contractors shall report as much required information as can be obtained within 72 hours of discovery of any cyber incident involving covered defense information or affected systems. Additional information obtained after the initial submission should be reported via a follow-on ICF.

1. Company name
2. Unique Entity Identifier (UEI)
3. Facility CAGE code
4. Facility Clearance Level
5. Contract Number / PIID
6. Company point of contact information
7. U.S. Government Program Manager point of contact
8. Contract number(s) or agreement affected
9. Contracting Officer or agreement point of contact
10. Contract or agreement clearance level
11. Impact to Covered Defense Information
12. Ability to provide operationally critical support
13. Date incident discovered
14. Location(s) of compromise
15. Incident location CAGE code
16. DoD programs, platforms or systems involved
17. Type of compromise
18. Description of technique or method used
19. Incident outcome
20. Incident narrative and TTPs/IoCs
21. Any additional information

See DFARS 252.204-7012 for more information.

DoD Contractors shall report as much of the required information as can be obtained within one business day of identifying or being notified that a covered article was provided to the Government during contract performance.

1. Contract Number
2. Order Number(s), if applicable
3. Supplier Name
4. Brand
5. Model Number
6. Item Description
7. Any readily available mitigation information

See FAR 52.204-23 and FAR 52.204-25 for more information.

1. Contract information and contracting officer data
2. Contact information for impacted and reporting organizations
3. Details describing vulnerabilities involved
4. Date/time of occurrence and detection
5. Related indicators
6. Threat vectors, if known
7. Prioritization factors
8. Source/destination IP, port, and protocol
9. Operating systems affected
10. Mitigating factors and actions taken
11. System functions
12. Physical system locations
13. Sources, methods, or tools used
14. Any additional relevant information

See DFARS 252.239-7010 for more information.

DIB companies are encouraged to voluntarily report cyber threat activity valuable for U.S. Government analysis and sharing. Recommended reporting includes, but is not limited to:

• Suspected APT activity
• Reconnaissance and exploitation attempts
• Threat actor infrastructure
• Network compromises not impacting DoD information
• Phishing messages
• Suspicious files, activity, or network traffic

DFARS 252.204-7012 requires contractors to isolate and submit malicious files, if available, to DC3 as part of mandatory reporting requirements. If you have a PKI certificate, you can request an EMS account and submit malicious files at https://ems.dc3on.gov.

You may also request a one-time upload link by emailing DC3.DCISE@us.af.mil and including your ICF number in the subject line, or by calling (410) 981-0104.

Do not use email to submit malicious files to DoD.

The Department of Defense finalized the CMMC 2.0 Rule, effective November 10, 2025. Starting this date, new solicitations and contracts may include CMMC requirements based on whether an organization handles Federal Contract Information or Controlled Unclassified Information.

• Level 1 – Foundational: 15 practices per FAR 52.204-21
• Level 2 – Advanced: 110 NIST SP 800-171 requirements
• Level 3 – Expert: Adds NIST SP 800-172 enhancements
• CMMC Alignment to NIST Standards (PDF)

• Phase 1 (Nov 2025): CMMC clauses began appearing in select solicitations
• Phase 2 (Nov 2026): Third-party assessments expand
• Phase 3 (Nov 2027): Level 3 introduced for critical programs
• Phase 4 (Nov 2028): Full implementation across eligible contracts

• Identify systems handling FCI/CUI
• Determine required CMMC level
• Conduct gap analysis and develop POA&M
• Record self-assessment scores in SPRS
• Plan for C3PAO or government assessment
• Flow-down clauses to subcontractors

• 32 CFR Part 236: DoD DIB Cybersecurity Activities
• 32 CFR Part 2002: Controlled Unclassified Information
• DFARS 252.204-7012
• DFARS 252.239-7010
• DFARS 252.204-7018
• DFARS 252.204-7019
• FAR 52.204-23
• FAR 52.204-25
• FAR 52.204-30

NIST SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Note: DoD is assessing compliance against Rev 2. A transition to Rev 3 will be announced in the future.

NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information

The DoD recognizes the need to help DIB organizations improve cybersecurity posture and operational resilience. Services are available based on specific needs.

DCISE³

Offers real-time monitoring of firewall traffic, threat detection, alerts, and optional blocking of malicious traffic. Email DC3.DCISE@us.af.mil for more information.

DIB-VDP

A voluntary program for DIB companies that provides vulnerability discovery, triaging, and validation. Email AFOSI.DC3.DIB-VDP@us.af.mil.

DC3 ENSITE

Delivers real-time threat intelligence and AI/ML-powered detection through a centralized dashboard. Email DC3.DCISE@us.af.mil for more information.

NSA CCC Services

Includes PDNS+, Attack Surface Management, Autonomous Penetration Testing, and Threat Intelligence Collaboration.

• Stop Ransomware Guide - CISA
• Ransomware Protection and Response - NIST
• Internet Crime Complaint Center - FBI
• #StopRansomware Guide (PDF)

• APEX Accelerators
• CISA CSET
• DoD Procurement Toolbox
• ND-ISAC: C3PAO Shopping Guide
• NIST MEP
• CRWS-BOK Portal

A DoD-approved Medium Assurance Certificate is required to access these capabilities. If you do not yet have one, please email DC3.DCISE@us.af.mil or call the DCISE hotline at (410) 981-0104 for assistance.

Do not send malicious files to the email address.

The DoD established the External Certification Authority Program to support issuance of DoD-approved identification certificates to industry partners and other external entities. These certificates enable secure communications with the DoD and authentication to DoD systems.

The DCISE hotline at (410) 981-0104 operates 24/7. Normal in-office operating hours are from 6:00 A.M. to 6:00 P.M. ET.

Mandatory reporting under DFARS 252.204-7012 is required by many DoD contracts and subcontracts involving covered defense information and/or operationally critical support. Contractors must report relevant cyber incidents within 72 hours of discovery.

Voluntary reporting is the primary channel for DIB participants to share cyber threat information and indicators of compromise that may improve the cybersecurity posture of other DIB participants.

No. DFARS 252.204-7012 requires the impacted company to submit a report on the specific cyber incident.

Contact DC3.DCISE@us.af.mil to submit a Request for Information and learn how DCISE capabilities are cross walked to support CMMC.

Organizations should maintain relationships and contractual sharing obligations with other agencies. The ICF also includes a place to indicate where else information has been shared.

The U.S. Government and law enforcement agencies have access to mandatory reports. Voluntary reporting is anonymized, and the submitter’s identity is shared only with consent from the submitting company.