Analysis

State Cybersecurity Laws Government Contractors Often Overlook

Federal rules aren't the whole story. State breach-notification and privacy laws can apply based on whose data you hold.

Brandon Hancock, J.D., CMMC-RP · Published April 29, 2026 · Updated June 8, 2026 · 6 min read

Most government contractors pour their compliance energy into federal requirements — FAR, DFARS, NIST, CMMC — and stop there. That's a mistake. State cybersecurity and data-protection laws can apply to you based on whose personal data you hold, no matter which agency you contract with or where your company sits.

Why State Law Reaches Federal Contractors

State data laws generally key off residency of the affected individuals, not the nature of your contract. A defense contractor headquartered in Virginia that holds the personal data of California and New York residents can owe duties under California and New York law. Federal contracting doesn't preempt these obligations — it sits alongside them.

Two Categories to Track

1. Breach-notification laws. Every state has one. They require notifying affected individuals — and often a state agency or attorney general — after a breach of personal information. The catch is that they differ on the details: what counts as personal information, how fast you must notify, and what the notice must say. A single incident affecting residents of a dozen states can trigger a dozen overlapping, slightly different obligations.

2. Comprehensive privacy laws. A growing roster of states — California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, and a lengthening list — have enacted comprehensive consumer-privacy statutes. Several impose "reasonable security" duties and require data-protection assessments, which function as de facto security requirements.

Where Federal and State Overlap (and Don't)

The good news: if you already implement NIST SP 800-171 or a comparable control set for your federal work, you've likely satisfied much of what state "reasonable security" expectations contemplate. The trap: breach-notification timelines are entirely independent. Meeting DFARS's 72-hour DoD reporting window does nothing to satisfy a state's separate consumer-notification deadline. You need both clocks running.

A Simple Way to Get Ahead of It

1. Inventory your personal data — what categories you hold and which states' residents they cover.

2. Build a breach-notification matrix for those states: trigger, deadline, recipient, content.

3. Check for comprehensive-law duties — reasonable security, assessments, consumer rights.

4. Review annually. New states pass laws every legislative session.

Key Takeaways

  • State laws apply based on whose data you hold, independent of federal rules.
  • All 50 states have breach-notification laws with inconsistent deadlines — map them in advance.
  • Strong NIST-based controls help with "reasonable security," but notification timelines stand alone.

Get oriented on the State Requirements page, then confirm your full obligation set with Find My Requirements.


Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.
