DoD Urges Quick Cyber Incident Reports from Defense Contractors
Published Date: 1/14/2026
Notice
Summary
If you’re a business working with the Department of Defense, you need to report any cyber incidents and cloud computing issues quickly. This update reminds contractors about the rules and asks for public comments by January 14, 2026. Reporting helps keep defense info safe, and it usually takes less than half an hour per report.
Analyzed Economic Effects
4 provisions identified: 0 benefits, 4 costs, 0 mixed.
Mandatory DoD Cyber Incident Reporting
If you do business with the Department of Defense, you must report cyber incidents that affect covered contractor information systems, covered defense information, or your ability to perform work designated as operationally critical support. The notice lists 1,971 affected respondents, about 16,223 annual responses, an average burden of 0.42 hours per response, and a total annual burden of 6,770 hours; DoD will accept comments through January 14, 2026.
Must Explain Deviations from NIST SP 800-171
If you propose in a solicitation to vary from any National Institute of Standards and Technology (NIST) Special Publication 800-171 security control, you must submit a written explanation to the contracting officer saying why the control is not applicable or what alternative protects the information.
Cloud Use Representation Requirement
Offerors must state in a solicitation whether they "anticipate" or "do not anticipate" using cloud computing services in contract performance; this representation notifies contracting officers whether DFARS cloud requirements may apply.
Cloud Services Cyber Incident Reports Required
When DoD purchases cloud computing services, the DFARS cloud clause (252.239-7010) requires reporting cyber incidents that occur within those cloud services. Contractors providing cloud services to DoD must submit those cyber incident reports as required by the clause.
Your PRIA Score
Personalized for You
How does this regulation affect your finances?
Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.
Key Dates
Department and Agencies
Related Federal Register Documents
2026-05935 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement; Rights in Technical Data and Computer Software
The Department of Defense is renewing its paperwork rules about who owns technical data and software rights in defense contracts. This affects over 46,000 businesses that work with the DoD, requiring them to provide info about their software and data rights. Comments on these rules are open until April 27, 2026, and the paperwork takes about 1.6 hours per response.
2026-03870 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement; Performance-Based Payments-Representation (OMB Control Number 0750-0001)
The Department of Defense wants to keep collecting info from businesses about performance-based payments to make sure everything runs smoothly. This info collection, affecting about 438 companies, is up for a three-year extension with no big changes or extra costs. Comments on this plan are open until April 27, 2026, so now’s the time to speak up!
2025-17359 — Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
The Department of Defense is updating its rules to make sure contractors follow new cybersecurity standards called the Cybersecurity Maturity Model Certification (CMMC). This change affects companies working with the DoD and helps protect important defense information. Contractors should get ready to meet these new rules soon, which could impact how they do business and spend money on cybersecurity.
2026-00589 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement; Rights in Technical Data and Computer Software
The Department of Defense wants to keep collecting info from businesses about rights to technical data and software for three more years. They’re asking for your thoughts by March 16, 2026, to make sure this process is useful and not too much work. If you work with DoD contracts involving tech data or software, this affects you and helps keep things clear and fair.
2025-24283 — Information Collection Requirement; Defense Federal Acquisition Regulation Supplement (DFARS); Quality Assurance
The Department of Defense is renewing its rules for collecting quality assurance info from businesses working on defense contracts. This affects over 60,000 companies who must keep detailed records and report safety issues quickly to help keep equipment safe. Comments on these rules are open until February 5, 2026, and the paperwork takes a lot of time—about 64 hours per response!
2025-24248 — Information Collection Requirements; Defense Federal Acquisition Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud Computing
If you’re a business working with the Department of Defense, you’ll need to keep reporting cyber incidents and how you use cloud computing to stay safe. These updates make sure everyone protects important defense info and follows clear rules, with about 2,000 companies expected to report roughly 16,000 times a year. Comments on these rules are open until February 4, 2026, so get ready to stay secure and compliant!
Previous / Next Documents
Previous: 2026-00542 — Notice of Intent To Request Revision and Extension of a Currently Approved Information Collection
The USDA’s National Agricultural Statistics Service plans to update and extend its Objective Yield Surveys, which help predict crop production for things like corn, soybeans, and nuts. Farmers and others involved in agriculture will keep sharing info through these surveys, which guide important crop reports. Comments on these changes are welcome until March 16, 2026, and the update will last for three more years with no new costs announced.
Next: 2026-00546 — Office of the Director, National Institutes of Health; Notice of Meeting
The National Institutes of Health (NIH) is holding a virtual meeting on January 29, 2026, to discuss a plan to reorganize part of their office by creating two new teams focused on research innovation and economics. This affects researchers and the public, who can share their thoughts by January 26. The meeting also includes a private session to review grant applications, which could impact future funding decisions.
Take It Personal
Get Your Personalized Policy View
Start a Free Government Policy Watch to see how policy affects your household, then upgrade to PRIA Full Coverage for year-round monitoring.
Already have an account? Sign in