
DoD Cyber Incident Reporting and Cloud Computing Information Collection

Summary

The Department of Defense (DoD) has issued a notice requesting public comments on the proposed extension of an existing information collection requirement related to safeguarding covered defense information, cyber incident reporting, and cloud computing. This collection is currently approved through October 31, 2025, and the DoD seeks to extend it for three years.

What changed

The Department of Defense (DoD) is seeking public comment on extending an approved information collection requirement under OMB Control Number 0704-0478. This collection pertains to the reporting of cyber incidents, safeguarding covered defense information, and the use of cloud computing services by contractors. The current approval expires on October 31, 2025, and the DoD proposes a three-year extension. The notice specifically requests feedback on the necessity and utility of the information, the accuracy of burden estimates, and methods to enhance data quality and minimize respondent burden.

Affected parties, primarily businesses and not-for-profit institutions that are DoD contractors, should review the requirements outlined in DFARS 252.204-7012, DFARS 252.204-7008, and DFARS 252.239-7009. Comments must be submitted by August 5, 2025, via the Federal eRulemaking Portal (regulations.gov) or email (osd.dfars@mail.mil), referencing the OMB Control Number. While this is a request for comments on an existing collection, failure to comply with reporting requirements under the cited DFARS clauses can lead to contractual issues.

What to do next

  1. Submit comments on the proposed extension of OMB Control Number 0704-0478 by August 5, 2025.
  2. Review DFARS 252.204-7012, 252.204-7008, and 252.239-7009 for current cyber incident reporting and cloud computing requirements.

Source document (simplified)

Content

ACTION:

Notice and request for comments regarding a proposed extension of an approved information collection requirement.

SUMMARY:

In compliance with the Paperwork Reduction Act of 1995, DoD announces the proposed extension of a public information collection requirement and seeks public comment on the provisions thereof. DoD invites comments on: whether the proposed collection of information is necessary for the proper performance of the functions of DoD, including whether the information will have practical utility; the accuracy of DoD's estimate of the burden of the proposed information collection; ways to enhance the quality, utility, and clarity of the information to be collected; and ways to minimize the burden of the information collection on respondents, including the use of automated collection techniques or other forms of information technology. The Office of Management and Budget (OMB) has approved this information collection for use through October 31, 2025. DoD proposes that OMB approve an extension of the information collection requirement, to expire three years after the approval date.

DATES:

DoD will consider all comments received by August 5, 2025.

ADDRESSES:

You may submit comments, identified by OMB Control Number 0704-0478, using either of the following methods:

Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments.

Email: osd.dfars@mail.mil. Include OMB Control Number 0704-0478 in the subject line of the message.

Comments received generally will be posted without change to https://www.regulations.gov, including any personal information provided.

FOR FURTHER INFORMATION CONTACT:

Ms. Heather Kitchens, at 571-296-7152.

SUPPLEMENTARY INFORMATION:

Title and OMB Number: Safeguarding Covered Defense Information, Cyber Incident Reporting, and Cloud Computing; OMB Control Number 0704-0478.

Affected Public: Businesses or other for-profit and not-for-profit institutions.

Respondent's Obligation: Required to obtain or retain benefits.

Frequency: On occasion.

Number of Respondents: 1,971.

Responses per Respondent: 8.2, approximately.

Annual Responses: 16,233.

Average Burden per Response: 0.42 hour.

Annual Burden Hours: 6,770.

Needs and Uses: Offerors and contractors must report cyber incidents on unclassified networks or information systems, within cloud computing services, and when they affect contractors designated as providing operationally critical support, as required by statute.

a. The clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, covers cyber incident reporting requirements for incidents that affect a covered contractor information system or the covered defense information residing therein, or that affect the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract.

b. The provision at DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, requires an offeror that proposes to vary from any of the security controls of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 in effect at the time the solicitation is issued to submit to the contracting officer a written explanation of how the specified security control is not applicable or an alternative control or protective measure is used to achieve equivalent protection.

c. The provision at DFARS 252.239-7009, Representation of Use of Cloud Computing, requires offerors to report that they “anticipate” or “do not anticipate” utilizing cloud computing service in performance of a contract resulting from a solicitation containing the provision. The representation will notify contracting officers of the applicability of the cloud computing requirements of the DFARS 252.239-7010 clause of the contract.

d. The clause at DFARS 252.239-7010, Cloud Computing Services, requires reporting of cyber incidents that occur when DoD is purchasing cloud computing services.

These DFARS provisions and clauses facilitate mandatory cyber incident reporting requirements in accordance with statutory regulations. When reports are submitted, DoD will analyze the reported information for cyber threats and vulnerabilities in order to develop response measures as well as improve U.S. Government understanding of advanced cyber threat activity. In addition, the security requirements in NIST SP 800-171 are specifically tailored for use in protecting sensitive information residing in contractor information systems and generally reduce the burden placed on contractors by eliminating Federal-centric processes and requirements. The information provided will inform the Department in assessing the overall risk to DoD covered defense information on unclassified contractor systems and networks.

Jennifer D. Johnson, Editor/Publisher, Defense Acquisition Regulations System. [FR Doc. 2025-10277 Filed 6-5-25; 8:45 am] BILLING CODE 6001-FR-P

Named provisions

Safeguarding Covered Defense Information, Cyber Incident Reporting, Cloud Computing

Classification

Agency: DARS
Comment period closes: August 5th, 2025 (closed 227 days ago)
Instrument: Notice
Legal weight: Non-binding
Stage: Consultation
Change scope: Substantive
Document ID: OMB Control Number 0704-0478
Docket: DARS-2025-0006-0001

Who this affects

Applies to: Employers
Industry sector: 9261 Government Contracting
Activity scope: Cyber Incident Reporting, Cloud Computing
Geographic scope: United States (US)

Taxonomy

Primary area: Cybersecurity
Operational domain: Compliance
Compliance frameworks: NIST CSF
Topics: Defense Contracting, Information Security
