Cybersecurity incident disclosure
Defense and government contractors face overlapping cybersecurity incident disclosure obligations from the Department of Defense, the Cybersecurity and Infrastructure Security Agency, and the National Institute of Standards and Technology, with the DoD's updated DFARS 252.204-7012 clause and the proposed Cyber Incident Reporting for Critical Infrastructure Act framework creating real tension over timelines, scope, and who gets notified first. Contractors holding Controlled Unclassified Information are currently mapping their vendor and subcontractor chains against these standards before new CMMC assessment cycles begin. The window between detection and required reporting is tightening.
Watch
- DFARS 252.204-7012 72-hour reporting clock: does your subcontractor chain comply?
- CIRCIA proposed rulemaking: how the final rule may override existing DoD timelines
- CMMC Level 2 third-party assessments beginning to scrutinize incident response documentation
- DoD memo on software bill of materials requirements tied to disclosure obligations