DoD Demands Cyber Incident Reports: 16,000 Times a Year?
Published Date: 1/5/2026
Notice
Summary
If you’re a business working with the Department of Defense, you’ll need to keep reporting cyber incidents and how you use cloud computing to stay safe. These updates make sure everyone protects important defense info and follows clear rules, with about 2,000 companies expected to report roughly 16,000 times a year. Comments on these rules are open until February 4, 2026, so get ready to stay secure and compliant!
Analyzed Economic Effects
3 provisions identified: 0 benefits, 3 costs, 0 mixed.
Mandatory Cyber Incident Reporting
If you are a business that works with the Department of Defense, you must report cyber incidents that affect covered contractor information systems, covered defense information, or your ability to perform contract work designated as operationally critical support. The rule estimates 1,971 respondents, about 16,223 total responses per year, an average of 0.42 hours per response, and 6,770 annual burden hours in total.
Explain Deviations from NIST SP 800-171
Offerors who propose to vary from the National Institute of Standards and Technology Special Publication 800-171 security controls must submit a written explanation to the contracting officer describing why the control is not applicable or what alternative control will provide equivalent protection. This requirement is set out in DFARS provision 252.204-7008.
Cloud Use Representation and Cloud Incident Reporting
If you respond to a DoD solicitation containing DFARS 252.239-7009, you must state whether you 'anticipate' or 'do not anticipate' using cloud computing services for contract performance. When DoD is purchasing cloud computing services, DFARS 252.239-7010 requires reporting cyber incidents that occur in those cloud services.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Department and Agencies
Related Federal Register Documents
2026-09067 — Defense Federal Acquisition Regulation Supplement: Mitigating Risks Related to Foreign Ownership, Control, or Influence (DFARS Case 2021-D011)
The Department of Defense is updating rules to make sure companies working with them reveal if they’re owned or controlled by foreign folks. This helps keep our defense projects safe from hidden foreign influence. If you’re a contractor or subcontractor, get ready to share ownership info by July 6, 2026, or risk delays in your contracts.
2026-09038 — Defense Federal Acquisition Regulation Supplement: Disclosure of Greenhouse Gas Emissions (DFARS Case 2024-D021)
Starting May 7, 2026, the Department of Defense won’t make most new defense contractors share their greenhouse gas emissions unless it’s really needed for the contract. This change helps nontraditional contractors avoid extra paperwork, but DoD can still ask for info if it’s directly tied to the job. It’s a smart move to keep things fair and focused without slowing down important defense work.
2026-11150 — Information Collection Requirement; Organizational Conflicts of Interest in Major Defense Acquisition Programs
The Department of Defense is asking to keep collecting info from companies involved in big defense projects to spot any conflicts of interest. This helps make sure contracts are fair and honest. Businesses affected should know this info collection is set to continue for three more years, with comments open until August 3, 2026.
2026-10732 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement (DFARS), Contract Financing
The Department of Defense is asking to keep collecting info from businesses about contract payments for three more years. This affects about 1,000 companies who respond around 14,000 times a year, spending about 1.2 hours each time. They want your thoughts by July 28, 2026, to make sure the process stays useful and not too time-consuming.
2026-10730 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement (DFARS) Part 225, Foreign Acquisition and Related Clauses
The Department of Defense wants to keep collecting info from businesses about buying stuff from other countries, and they’re asking for your thoughts by July 28, 2026. This info helps DoD do its job right and affects over 39,000 companies who respond about 10 times a year. No big cost changes, just a smooth extension for three more years to keep things running.
2026-10731 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement; Subcontracting Policies and Procedures
The Department of Defense wants to keep collecting info from businesses about their subcontracting policies to make sure everything runs smoothly. This info collection is up for renewal and will continue for another three years if approved. If you’re a business involved with DoD contracts, get ready to keep sharing your info, with no big changes or extra costs expected.
Previous / Next Documents
Previous: 2025-24247 — New England Fishery Management Council; Public Meeting
The New England Fishery Management Council is holding a webinar on January 21, 2026, to rethink fishing limits for white hake from 2026 to 2030. This affects fishermen and seafood lovers by aiming to keep fish populations healthy while supporting the fishing industry. They’ll also plan a 2026 workshop to improve how fishing rules adapt to changing ocean conditions.
Next: 2025-24249 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement (DFARS) Part 237, Service Contracting, and Related Clauses
The Department of Defense is updating rules for companies that audit its finances. If you’re an accounting firm working with the DoD, you’ll need to share info about any past disciplinary actions before getting or renewing contracts. This change affects about a dozen firms, with a small paperwork impact, and comments are open until February 4, 2026.