Federal & State Lawfederalstatelaw.com
Home/Federal/Federal Register/2026-00544
Notice2026-00544

Information Collection Requirements; Defense Federal Acquisition Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud Computing

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
January 14, 2026

Issuing agencies

Defense DepartmentDefense Acquisition Regulations System

Abstract

The Defense Acquisition Regulations System has submitted to OMB for clearance the following proposal for collection of information under the provisions of the Paperwork Reduction Act. This document updates the instructions for submission of comments.

Full Text

<html>
<head>
<title>Federal Register, Volume 91 Issue 9 (Wednesday, January 14, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 9 (Wednesday, January 14, 2026)]
[Notices]
[Pages 1511-1512]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-00544]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

[Docket Number DARS-2025-0006; OMB Control Number 0704-0478]


Information Collection Requirements; Defense Federal Acquisition 
Regulation Supplement (DFARS); Cyber Incident Reporting and Cloud 
Computing

AGENCY: Defense Acquisition Regulations System; Department of Defense 
(DoD).

ACTION: Supplemental notice.

-----------------------------------------------------------------------

[[Page 1512]]

SUMMARY: The Defense Acquisition Regulations System has submitted to 
OMB for clearance the following proposal for collection of information 
under the provisions of the Paperwork Reduction Act. This document 
updates the instructions for submission of comments.

DATES: DoD will consider all comments received by January 14, 2026.

ADDRESSES: Written comments and recommendations for the proposed 
information collection should be sent within 30 days of publication of 
this notice to <a href="https://www.reginfo.gov/public/do/PRAMain">https://www.reginfo.gov/public/do/PRAMain</a>. Find this 
particular information collection by selecting ``Currently under 30-day 
Review--Open for Public Comments'' or by using the search function.
    You may also submit comments, identified by docket number and 
title, by the following method: Federal eRulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>. Follow the instructions for submitting comments.

FOR FURTHER INFORMATION CONTACT: Mr. Reginald T. Lucas, 571-372-7574, 
or <a href="/cdn-cgi/l/email-protection#2e59465d00434d034f424b56004b5d4a00434c56004a4a034a414a03474048415c434f5a474140034d4142424b4d5a4741405d6e434f474200434742"><span class="__cf_email__" data-cfemail="a9dec1da87c4ca84c8c5ccd187ccdacd87c4cbd187cdcd84cdc6cd84c0c7cfc6dbc4c8ddc0c6c784cac6c5c5cccaddc0c6c7dae9c4c8c0c587c4c0c5">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: 
    In the Federal Register of January 5, 2026, in FR Doc. 2025-24248, 
on page 255, this supplemental notice adds an ADDRESSES caption to 
include public comment instructions.
    Title and OMB Number: Safeguarding Covered Defense Information, 
Cyber Incident Reporting, and Cloud Computing; OMB Control Number 0704-
0478.
    Affected Public: Businesses or other for-profit and not-for-profit 
institutions.
    Respondent's Obligation: Required to obtain or retain benefits.
    Reporting Frequency: On occasion.
    Number of Respondents: 1,971.
    Responses per Respondent: 8.2, approximately.
    Annual Responses: 16,223.
    Average Burden per Response: 0.42 hours.
    Annual Burden Hours: 6,770.
    Needs and Uses: Offerors and contractors must report cyber 
incidents on unclassified networks or information systems, within cloud 
computing services, and when they affect contractors designated as 
providing operationally critical support, as required by statute.
    a. The clause at DFARS 252.204-7012, Safeguarding Covered Defense 
Information and Cyber Incident Reporting, covers cyber incident 
reporting requirements for incidents that affect a covered contractor 
information system or the covered defense information residing therein, 
or that affects the contractor's ability to perform the requirements of 
the contract that are designated as operationally critical support and 
identified in the contract.
    b. The provision at DFARS 252.204-7008, Compliance with 
Safeguarding Covered Defense Information Controls, requires an offeror 
that proposes to vary from any of the security controls of National 
Institute of Standards and Technology (NIST) Special Publication (SP) 
800-171 in effect at the time the solicitation is issued to submit to 
the contracting officer a written explanation of how the specified 
security control is not applicable or an alternative control or 
protective measure is used to achieve equivalent protection.
    c. The provision at DFARS 252.239-7009, Representation of Use of 
Cloud Computing, requires offerors to report that they ``anticipate'' 
or ``do not anticipate'' utilizing cloud computing service in 
performance of a contract resulting from a solicitation containing the 
provision. The representation will notify contracting officers of the 
applicability of the cloud computing requirements of the DFARS 252.239-
7010 clause of the contract.
    d. The clause at DFARS 252.239-7010, Cloud Computing Services, 
requires reporting of cyber incidents that occur when DoD is purchasing 
cloud computing services.
    These DFARS provisions and clauses facilitate mandatory cyber 
incident reporting requirements in accordance with statutory 
regulations. When reports are submitted, DoD will analyze the reported 
information for cyber threats and vulnerabilities in order to develop 
response measures as well as improve U.S. Government understanding of 
advanced cyber threat activity. In addition, the security requirements 
in NIST SP 800-171 are specifically tailored for use in protecting 
sensitive information residing in contractor information systems and 
generally reduce the burden placed on contractors by eliminating 
Federal-centric processes and requirements. The information provided 
will inform DoD in assessing the overall risk to DoD covered defense 
information on unclassified contractor systems and networks.
    DoD Clearance Officer: Mr. Reginald T. Lucas. Requests for copies 
of the information collection proposal should be sent to Mr. Lucas at 
<a href="/cdn-cgi/l/email-protection#4e39263d60232d632f222b36602b3d2a60232c36602a2a632a212a63272028213c232f3a272120632d2122222b2d3a2721203d0e232f272260232722"><span class="__cf_email__" data-cfemail="b2c5dac19cdfd19fd3ded7ca9cd7c1d69cdfd0ca9cd6d69fd6ddd69fdbdcd4ddc0dfd3c6dbdddc9fd1dddeded7d1c6dbdddcc1f2dfd3dbde9cdfdbde">[email&#160;protected]</span></a>.

Kimberly R. Ziegler,
Editor/Publisher, Defense Acquisition Regulations System.
[FR Doc. 2026-00544 Filed 1-13-26; 8:45 am]
BILLING CODE 6001-FR-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>
View on FederalRegister.gov →Plain-text source
Indexed from Federal Register on January 14, 2026.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.