
DFARS 252.204-7012: What You Need To Know

The Defense Federal Acquisition Regulation Supplement (DFARS) section 252.204-7012 calls for the safeguarding of unclassified information by any contractor doing business with the Department of Defense (DoD).

If you are a DoD contractor, you must prove that you have the proper level of security protocols in place to protect sensitive government information.

DFARS 7012 requires DoD contractors to implement security procedures as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171.

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

The basic tenets of the DFARS 252.204-7012 clause are as follows:

  1. To safeguard covered defense information, contractors/subcontractors must implement NIST SP 800-171, Protecting CUI in Nonfederal Information Systems and Organizations.
  2. To report cyber incidents affecting covered defense information or the contractor’s ability to perform requirements designated as operationally critical support, the contractor must conduct a review for evidence of compromise and report any cyber incidents to the DoD immediately.
  3. If malicious software is discovered and isolated in connection with a reported cyber incident, the contractor/subcontractor must submit it to the DoD Cyber Crime Center.
  4. If the DoD decides to conduct a damage assessment, the Contracting Officer will be notified by the requiring activity to request media and damage assessment information from the contractor.

Who DFARS 252.204-7012 Applies To

DFARS 252.204-7012 applies to all DoD prime contractors and subcontractors that process, store, or transmit CUI on nonfederal systems. This includes cloud service providers and managed service providers supporting those systems.

  • Scope: Any contract or subcontract where performance involves CUI or Covered Defense Information (CDI).
  • Responsibility: Compliance requirements extend throughout the defense supply chain—not just to prime contractors.
  • Systems in Scope: Contractor-owned or operated systems where CUI is used, stored, or transferred.

DFARS & NIST: NIST SP 800-171 Implementation Requirement

To safeguard CUI, contractors must implement all security requirements in NIST SP 800-171.

  • Coverage: 110 requirements across 14 control families, including access control, incident response, and system integrity.
  • Documentation: Organizations must maintain a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M) to address any gaps.
  • Assessment: Compliance must be demonstrable. Self-attestations are no longer sufficient.
  • Updates: Contractors must stay current with NIST revisions and adjust controls as necessary.

Cyber Incident Reporting Requirements for DFARS

Contractors must report cyber incidents that impact CUI or their ability to perform operationally critical support.

  • Timeline: Incidents must be reported within 72 hours via the DoD’s DIBNet portal.
  • Forensics Preservation: Contractors must preserve system images and relevant data for at least 90 days.
  • Malware Submission: Any isolated malicious code must be submitted to the DoD Cyber Crime Center.
  • Follow-On Actions: Contractors may be required to support DoD damage assessments and provide additional evidence.

DFARS Also Applies to Subcontractors

The DFARS clause must be included in all subcontracts involving CUI.

  • Contractual Clause: Subcontractors must be bound by the exact requirements.
  • Verification: Prime contractors must ensure subcontractors are implementing NIST SP 800-171 and meeting reporting obligations.
  • Supply Chain Risk: Effective oversight and information sharing are crucial for mitigating risk throughout the supply chain.

4 Consequences of Noncompliance with DFARS

Noncompliance with DFARS 252.204-7012 has serious consequences.

  • Contract Risk: Contractors risk losing awards, facing cure notices, or even contract termination.
  • Enforcement: The False Claims Act may impose liability if contractors misrepresent their compliance.
  • Operational Impact: Delays, rework, or restricted access to data can disrupt performance.
  • Reputation: Noncompliance damages credibility and competitiveness in the defense sector.

DFARS & CMMC: What Is Their Relationship?

DFARS 7012 is the foundation for the Cybersecurity Maturity Model Certification (CMMC).

  • Foundation: NIST SP 800-171 compliance under DFARS is the starting point for CMMC.
  • Validation: CMMC requires third-party or government assessments, depending on the certification level.
  • Readiness: Contractors with mature SSPs, POA&Ms, and robust incident response are better prepared for CMMC certification.
