When something goes wrong, the hardest compliance question is often: who do I have to tell, and how fast? There is no single answer — a contractor can owe several different reports, on different clocks, for the same incident.
The major reporting clocks
DFARS 252.204-7012 — 72 hours. Defense contractors that experience a cyber incident affecting covered defense information (or their ability to perform) must report to DoD within 72 hours of discovery, and preserve images and data for forensic review.
CIRCIA — covered critical-infrastructure entities. Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, CISA's rules will require covered entities to report covered cyber incidents (proposed at 72 hours) and ransom payments (proposed at 24 hours). Watch the final rule for exact scope and timing.
SEC disclosure — public companies. SEC rules require public companies to disclose material cybersecurity incidents on Form 8-K (generally within four business days of a materiality determination) and to describe their risk-management and governance annually.
State breach-notification laws. All 50 states require notice to affected individuals (and often state AGs) when personal information is breached, on varying timelines and triggers.
Sector and contract-specific rules. HIPAA breach notification, FedRAMP incident reporting, agency-specific clauses, and contractual terms can add their own clocks.
How to manage overlapping duties
Build the map before an incident: list every reporting obligation your contracts and data types create, with its trigger, recipient, and deadline, and bake it into your incident response plan. When an incident hits, you are then executing a checklist — not researching the law at 2 a.m. Note that these regimes don't share a definition of "incident" or "breach," so a single event may be reportable under one and not another.
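As an added illustration of that obligation map (example code written for this page, not from any regulator or the author), the clocks named above are encoded as data so that one incident's facts produce a deadline checklist. The clock values are the ones stated in the text; the incident fact and timestamp keys are hypothetical names, and business days are assumed to skip only weekends.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Obligation:
    name: str
    recipient: str
    applies_if: str       # incident fact that must be true for the duty to attach
    clock_starts: str     # incident timestamp that starts this clock
    hours: int = 0        # calendar-hour clock, 0 if unused
    business_days: int = 0  # business-day clock, 0 if unused
    status: str = "final"  # "proposed" = re-check against the final rule
def add_business_days(start: datetime, days: int) -> datetime:
    """Assumption: business days skip weekends only; holidays are not modeled."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

# Clocks as stated in the text; fact and timestamp keys are hypothetical names.
OBLIGATIONS = (
    Obligation("DFARS 252.204-7012", "DoD", "covered_defense_info", "discovery", hours=72),
    Obligation("CIRCIA covered incident", "CISA", "circia_covered_entity", "discovery", hours=72, status="proposed"),
    Obligation("CIRCIA ransom payment", "CISA", "ransom_paid", "ransom_payment", hours=24, status="proposed"),
    Obligation("SEC Form 8-K", "SEC", "material_public_company", "materiality_determined", business_days=4),
)
def due_reports(facts: dict, times: dict) -> list:
    """(deadline, name, recipient, status) for every duty the facts trigger, soonest first."""
    due = []
    for ob in OBLIGATIONS:
        start = times.get(ob.clock_starts)
        if not facts.get(ob.applies_if) or start is None:
            continue  # duty does not attach, or its trigger event has not happened yet
        if ob.business_days:
            deadline = add_business_days(start, ob.business_days)
        else:
            deadline = start + timedelta(hours=ob.hours)
        due.append((deadline, ob.name, ob.recipient, ob.status))
    return sorted(due)

def example_scenario() -> list:
    """Constructed incident: discovered Friday 22:00, materiality determined Monday 09:00, no ransom paid."""
    facts = {"covered_defense_info": True, "circia_covered_entity": True, "ransom_paid": False, "material_public_company": True}
    times = {"discovery": datetime(2024, 3, 1, 22, 0), "materiality_determined": datetime(2024, 3, 4, 9, 0)}
    return due_reports(facts, times)
if __name__ == "__main__":
    for deadline, name, recipient, status in example_scenario():
        print(f"{deadline:%Y-%m-%d %H:%M}  {name} -> {recipient} ({status})")
```

Because each clock starts from its own trigger event, the same incident yields a 72-hour DoD deadline from discovery but an SEC deadline measured from the later materiality determination, which is exactly the mismatch the map is meant to surface.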