Takeaway: "Do we have to report this?" rarely has one answer. Depending on what data was touched and who you are, one incident can create obligations to DoD, an agency customer, state regulators, and — once its rule is final — CISA, each on its own timeline.
The DFARS Baseline
For DoD contractors, DFARS 252.204-7012 requires that a cyber incident affecting covered defense information or the contractor's ability to perform be reported to DoD via DIBNet within 72 hours. It also requires preserving affected system images and submitting any malicious software found. This is the duty most contractors know — and often the only one they have planned for.
Agency and FAR Developments
Civilian agencies impose their own cyber requirements, and the FAR Council has advanced rulemaking to standardize incident and threat reporting across federal contracts. Contractors serving multiple agencies should expect reporting terms to vary by contract and to keep expanding.
State Breach-Notification Laws
If an incident exposes personal information, all 50 states' breach-notification laws may apply, each with its own definition of covered data, timing, and notice content. These obligations run independently of any federal contract clause — a contractor can owe state notice even when no DoD report is required.
CIRCIA (Pending)
The Cyber Incident Reporting for Critical Infrastructure Act will, once CISA's final rule takes effect, require covered entities to report significant cyber incidents within 72 hours and ransomware payments within 24 hours. As of mid-2026 the final rule remains pending — expected around May 2026 but subject to delay — so this is a "watch and prepare" item, not yet an active duty.
Sector and Securities Overlays
Healthcare data can trigger HIPAA; financial data can trigger GLBA; and publicly traded companies face SEC cybersecurity disclosure obligations. A contractor that is also a regulated entity inherits those clocks on top of its contract duties.
Build One Playbook
Because these duties overlap and conflict on timing, the practical answer is a single incident-response plan that, at the moment of detection, asks: What data was involved? Which contracts, agencies, and regulators does that implicate? What is the shortest clock running? Decide reporting paths before an incident, not during one — the 24- and 72-hour windows do not leave time to research the question.
Source Notes
Primary sources: DFARS 252.204-7012; CISA CIRCIA rulemaking materials; state breach-notification statutes; and sector regimes (HIPAA, GLBA) and SEC cyber disclosure rules where applicable. Status summarized as of the review date and subject to change. Educational analysis, not legal advice.