What Is DFARS 252.204-7012?
DFARS 252.204-7012, titled "Safeguarding Covered Defense Information and Cyber Incident Reporting," is a contract clause included in most Department of Defense solicitations and contracts. Codified at 48 CFR 252.204-7012, it was first introduced in 2013 and substantially updated in 2016.
The clause has four core requirements:
- Provide adequate security for all covered contractor information systems by implementing the 110 security controls in NIST Special Publication 800-171 (per DFARS 252.204-7012(b)(2)(ii)(A)).
- Report cyber incidents to DoD within 72 hours of discovery (per DFARS 252.204-7012(c)).
- Submit malicious software discovered in connection with a cyber incident to the DoD Cyber Crime Center (DC3) (per DFARS 252.204-7012(c)(3)).
- Preserve images and forensic data for at least 90 days after reporting a cyber incident, and provide DoD access upon request (per DFARS 252.204-7012(e) and (f)).
Who Does DFARS 7012 Apply To?
DFARS 252.204-7012 applies to any contractor or subcontractor whose information systems process, store, or transmit Covered Defense Information (CDI), or that provide operationally critical support. Per DFARS 252.204-7012(a), this includes:
- DoD prime contractors who receive or generate CDI/CUI in the course of contract performance.
- Subcontractors at any tier when CDI flows down. The clause explicitly requires primes to flow DFARS 252.204-7012 to subcontractors (per DFARS 252.204-7012(m)).
- IT services providers (NAICS 541512) are especially likely to encounter this clause because their services inherently involve access to contractor information systems and often CDI.
Key exception: Contracts exclusively for commercially available off-the-shelf (COTS) items are generally exempt from DFARS 252.204-7012 (per DFARS 252.204-7012(a)). However, IT services under NAICS 541512 are almost never classified as COTS because they involve customized work and access to government systems.
Covered Defense Information (CDI) and CUI
Understanding what data triggers DFARS 7012 obligations is critical. The clause uses two overlapping terms.
Covered Defense Information (CDI)
Defined in DFARS 252.204-7012(a), CDI is unclassified controlled technical information or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls and is either:
- Marked or identified in the contract, or
- Collected, developed, received, transmitted, used, or stored by the contractor in performance of the contract
Controlled Unclassified Information (CUI)
Defined by Executive Order 13556 and implemented through 32 CFR Part 2002, CUI is the broader government-wide framework. CDI is the DoD-specific subset of CUI. Categories include:
- Controlled Technical Information (CTI)
- Export-controlled information (ITAR/EAR)
- Critical infrastructure information
- Operations security information
- Any information designated CUI per the CUI Registry
For IT contractors: If you manage, host, or process any data marked CUI, CTI, ITAR, or that falls within the categories on the CUI Registry, DFARS 7012 applies to your systems. This is true even if you are a managed services provider whose employees do not directly read the CUI -- the data transiting or residing on your infrastructure is sufficient.
The 110 NIST SP 800-171 Security Controls
DFARS 252.204-7012(b)(2)(ii)(A) requires contractors to implement the security requirements in NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." Revision 2 contains 110 security requirements organized into 14 families.
Contractors must also maintain a System Security Plan (SSP) documenting how each control is implemented, and a Plan of Action & Milestones (POA&M) for any controls not yet fully implemented (per NIST SP 800-171, Section 3.12).
72-Hour Cyber Incident Reporting
DFARS 252.204-7012(c) requires contractors to report cyber incidents to DoD within 72 hours of discovery. This is one of the fastest mandatory reporting timelines in federal contracting.
What triggers reporting
Per DFARS 252.204-7012(a), a "cyber incident" means actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. This includes exfiltration, manipulation, unauthorized access, and denial of service affecting CDI.
How to report
Reports are submitted through the DoD's DIBNet portal. The report must include the information described in DFARS 252.204-7012(c)(1): a description of the technique or method, a sample of the malicious software (if discovered), and a summary of the affected covered defense information.
Forensic preservation
Per DFARS 252.204-7012(e), contractors must preserve and protect images of all known affected information systems and relevant monitoring/packet capture data for at least 90 days, and provide access to DoD-approved forensic investigators upon request (DFARS 252.204-7012(f)).
Critical for IT contractors: If you provide managed IT services, hosting, or cloud services to a DoD contractor, you must have an incident response plan that can meet the 72-hour timeline. This means 24/7 monitoring capability, pre-established forensic procedures, a DIBNet account, and a tested escalation process. Discovering an incident on Friday and waiting until Monday to report it is a compliance violation.
Cloud Computing Requirements
DFARS 252.204-7012(b)(2)(ii)(D) imposes specific requirements when a contractor uses cloud computing to store, process, or transmit CDI:
FedRAMP Moderate Baseline
The cloud service must meet security requirements equivalent to FedRAMP Moderate baseline (per DFARS 252.204-7012(b)(2)(ii)(D)(1)). This means the cloud provider must either hold a FedRAMP authorization at the Moderate level or demonstrate equivalent security controls.
DoD Cloud Computing Security Requirements Guide (SRG)
The cloud service must also comply with the DoD Cloud Computing SRG for the applicable Impact Level. This is typically Impact Level 2 (IL2) for non-CUI data and Impact Level 4 or 5 (IL4/IL5) for CUI/CDI. The Impact Level determination depends on the sensitivity of the CDI being processed.
Incident reporting from cloud
Per DFARS 252.204-7012(b)(2)(ii)(D)(3), the contractor must ensure that the cloud service provider reports cyber incidents that affect CDI to DoD through the same 72-hour reporting mechanism. The contractor, not just the CSP, remains responsible for ensuring compliance.
Practical impact: If you are an IT services contractor using AWS, Azure, or GCP for DoD work involving CDI, you must use the GovCloud or government-specific regions that meet FedRAMP Moderate and the DoD SRG. Standard commercial cloud regions are not compliant. AWS GovCloud (US), Azure Government, and Google Cloud for Government are the typical options.
Relationship to CMMC (DFARS 7019, 7020, 7021)
DFARS 252.204-7012 establishes the security requirements. Three additional DFARS clauses create the verification and certification framework known as the Cybersecurity Maturity Model Certification (CMMC):
DFARS 252.204-7019: Notice of NIST 800-171 Assessment Requirements
Requires contractors to have a current (within 3 years) NIST 800-171 DoD Assessment on record in the Supplier Performance Risk System (SPRS). The assessment produces a score from -203 to 110, with 110 representing full implementation of all controls.
DFARS 252.204-7020: NIST 800-171 DoD Assessment Requirements
Allows DoD to conduct Medium or High confidence assessments of a contractor's NIST 800-171 implementation, including on-site assessments. Contractors must provide access to facilities, systems, and personnel.
DFARS 252.204-7021: CMMC Requirements
Requires contractors to achieve and maintain a specific CMMC level as a condition of contract award. For contracts involving CUI, this is typically CMMC Level 2, which maps directly to the 110 NIST SP 800-171 controls. CMMC Level 2 requires a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO).
Timeline: CMMC is being phased into DoD contracts beginning in 2025. By the time full implementation is reached, all DoD contracts involving CUI will require CMMC Level 2 certification as a condition of award. If you already comply with DFARS 7012 and NIST 800-171, you are substantively ready for CMMC Level 2 -- the controls are the same. The difference is that CMMC requires third-party verification rather than self-attestation.
Specific Implications for IT Services Contractors (NAICS 541512)
NAICS 541512 (Computer Systems Design Services) covers IT consulting, custom programming, systems integration, and managed IT services. DFARS 7012 hits these contractors especially hard because of the nature of IT services work:
System-level access is the default
Unlike product vendors who ship a deliverable, IT services contractors typically have admin-level access to client systems. This means CDI exposure is virtually guaranteed, and the full 110-control requirement applies to your own internal systems, not just the client's.
Multi-tenant risk
If you serve multiple clients (DoD and non-DoD), you must either segment your environments so CUI is isolated, or apply NIST 800-171 controls across your entire organization. Most small IT firms find segmentation (a dedicated enclave) more cost-effective than enterprise-wide compliance.
Supply chain flowdown
Per DFARS 252.204-7012(m), if you subcontract any portion of work involving CDI, you must flow DFARS 7012 down to your subcontractors. For IT services firms that use freelancers, offshore development teams, or subcontracted specialists, this means every person and system touching CDI must meet the same 110-control standard.
SPRS score is a competitive differentiator
Per DFARS 252.204-7019, your NIST 800-171 assessment score is visible to contracting officers in SPRS. A score of 110 (full implementation) is a competitive advantage. A low score or missing score can disqualify you from award. IT firms that invest early in compliance are winning contracts from competitors who have not.
Common Compliance Mistakes
Based on DoD assessments and publicly reported enforcement actions, these are the most frequent failures:
Treating the SSP as a checkbox document
The System Security Plan must describe how each of the 110 controls is implemented in your specific environment. Generic templates with boilerplate language fail Medium and High assessments (per DFARS 252.204-7020).
Missing or stale POA&M
A Plan of Action & Milestones is acceptable for controls not yet fully implemented, but it must include specific milestones with dates. An open-ended POA&M with no remediation timeline is treated as non-implementation.
No SPRS score on file
Per DFARS 252.204-7019, you must have a current assessment posted to SPRS before contract award. Contracting officers check SPRS during source selection. No score means no award.
Using standard commercial cloud for CUI
Per DFARS 252.204-7012(b)(2)(ii)(D), cloud services must meet FedRAMP Moderate and the DoD Cloud SRG. Standard AWS, Azure, or GCP commercial regions do not qualify. You need GovCloud or government-specific offerings.
No tested incident response plan
Having a written IR plan is not enough. NIST 800-171 control 3.6.3 requires testing the incident response capability. If your first real test of the 72-hour reporting process is during an actual incident, you will fail the timeline.
Ignoring subcontractor flowdown
DFARS 252.204-7012(m) requires flowing the clause to subcontractors. Primes who fail to do this are liable for their subcontractors' non-compliance. This is especially common in IT services where freelancers and offshore teams are used.
Conflating FAR 52.204-21 with DFARS 7012
FAR 52.204-21 requires only 15 basic controls and no incident reporting. Some contractors assume compliance with the FAR clause means compliance with DFARS 7012. It does not. The gap is 95 additional controls plus incident reporting, forensic preservation, and cloud requirements.
Self-certifying without documentation
False Claims Act (31 U.S.C. 3729) liability attaches when contractors certify NIST 800-171 compliance without actually implementing the controls. DOJ has pursued FCA cases against contractors who claimed compliance without adequate implementation.
FAR 52.204-21 (15 Controls) vs. DFARS 252.204-7012 (110 Controls)
The following table breaks down the gap by control family. FAR 52.204-21 covers only 6 of the 14 NIST 800-171 families and implements only basic controls within those families. DFARS 7012 requires all 14 families and all 110 controls.
| Control Family | FAR 52.204-21 | DFARS 7012 (NIST 800-171) | What DFARS 7012 Adds |
|---|---|---|---|
| Access Control | 2 controls | 22 controls (AC-1 through AC-22) | Role-based access, remote access policy, wireless restrictions, mobile device controls, session locks, CUI encryption |
| Awareness & Training | Not addressed | 3 controls (AT-1 through AT-3) | Security awareness training, insider threat training, role-based training |
| Audit & Accountability | Not addressed | 9 controls (AU-1 through AU-9) | Audit logging, event correlation, audit review and reporting, time stamps, audit protection |
| Configuration Management | Not addressed | 9 controls (CM-1 through CM-9) | Baseline configurations, change control, least functionality, software restrictions, unauthorized software |
| Identification & Authentication | 2 controls | 11 controls (IA-1 through IA-11) | Multi-factor authentication, device authentication, identifier management, authenticator management, replay-resistant auth |
| Incident Response | Not addressed | 3 controls (IR-1 through IR-3) | Incident handling procedures, reporting, testing incident response capabilities |
| Maintenance | Not addressed | 6 controls (MA-1 through MA-6) | Controlled maintenance, maintenance tools, remote maintenance, maintenance personnel |
| Media Protection | 3 controls | 9 controls (MP-1 through MP-9) | Media marking, storage, transport, sanitization, CUI disposition, removable media policies |
| Personnel Security | Not addressed | 2 controls (PS-1 through PS-2) | Personnel screening, personnel termination and transfer procedures |
| Physical Protection | 4 controls | 6 controls (PE-1 through PE-6) | Visitor control, monitoring physical access, managing physical access devices, alternate work sites |
| Risk Assessment | Not addressed | 3 controls (RA-1 through RA-3) | Periodic risk assessments, vulnerability scanning, vulnerability remediation |
| Security Assessment | Not addressed | 4 controls (CA-1 through CA-4) | Security assessments, system connections, plan of action and milestones, continuous monitoring |
| System & Comms Protection | 2 controls | 16 controls (SC-1 through SC-16) | Boundary protection, cryptographic protection, collaborative computing, session authenticity, CUI at rest, FIPS-validated crypto |
| System & Info Integrity | 2 controls | 7 controls (SI-1 through SI-7) | Flaw remediation, malicious code protection, security alerts, system monitoring, inbound/outbound traffic analysis |
| Total | 15 | 110 | +95 controls, +8 control families, +incident reporting & forensics |