Who Do DoD Contractors Report CUI Breaches To?PerDFARS 252.204-7012, all DoD contractors handlingControlled Unclassified Information (CUI)must report cyber incidents to theDoD Cyber Crime Center (DC3).
Key Reporting Requirements✅Cyber incidents involving CUI must be reported toDC3 within 72 hours.
✅Reports must be submitted via theDoD's Cyber Incident Reporting Portal.
✅Contractors mustpreserve forensic evidencefor potential investigation.
The FBI (Option A) handles criminal investigations, but DoD contractorsmust report cyber incidents to DC3.
NARA (Option B) oversees the CUI Registry, butis not responsible for breach reporting.
The Under Secretary of Defense for Intelligence and Security (Option D) is responsible for intelligence operations, not incident reporting.
Why "DoD Cyber Crime Center" is Correct?Breakdown of Answer ChoicesOption
Description
Correct?
A. FBI
❌Incorrect–The FBI handlescriminal cases, not CUI breach reporting.
B. NARA
❌Incorrect–NARA manages theCUI Registry, butdoes not handle breaches.
C. DoD Cyber Crime Center
✅Correct – Per DFARS 252.204-7012, cyber incidents involving CUI must be reported to DC3.
D. Under Secretary of Defense for Intelligence and Security
❌Incorrect–This office doesnothandle cyber incident reports.
DFARS 252.204-7012– Requires DoD contractors to report CUI-related cyber incidents toDC3.
DoD Cyber Crime Center (DC3) Website– The official platform forcyber incident reporting.
Official References from CMMC 2.0 and DFARS DocumentationFinal Verification and ConclusionThe correct answer isC. DoD Cyber Crime Center, as perDFARS 252.204-7012, which mandates that all DoD contractors reportCUI breaches to DC3 within 72 hours.
