The Department of Defense published a final DFARS rule in January 2026 — effective March 1, 2026 — significantly tightening contractor cyber incident reporting requirements under DFARS 252.204-7012. The rule reduces the reporting window from 72 hours to 8 hours for incidents on covered systems used in major defense acquisition programs, and expands covered system definitions to expressly include cloud environments operating under FedRAMP High authorizations where DoD CUI is processed, per the Federal Register.

Who is affected

  • Any contractor with a DFARS 252.204-7012 clause in their contract (most DoD contracts involving CUI have this clause)
  • Cloud service providers hosting DoD CUI under FedRAMP High ATOs are now explicitly covered — the prior rule's applicability to cloud was ambiguous
  • The 8-hour window applies to incidents on "critical program information systems" — a defined term that covers systems supporting ACAT I and ACAT II programs
  • Non-critical covered systems retain a 72-hour reporting window

What "8 hours" means operationally

The 8-hour clock starts when a contractor "discovers" an incident, which DFARS defines as the point at which the contractor becomes aware of a reasonably suspected compromise. This creates real operational challenges:

  • Alert triage must be faster — a suspected incident can't wait for a full investigation before reporting
  • Reports can and should be preliminary — DoD expects updates as investigation continues
  • Reports go to the DIBNet portal, so ensure your security team has current portal credentials

Action items

  • Update your Incident Response Plan to reflect the 8-hour window for critical program information (CPI) systems, specifically the escalation and notification procedures
  • Conduct a tabletop exercise simulating an 8-hour reporting scenario — most IR teams have never drilled to this timeline
  • If you use a cloud provider for CUI, verify their incident notification SLA to you is faster than 4 hours — you need time to assess and report
  • Confirm your DIBNet portal access and test the reporting workflow before an incident occurs

Sources