What Is FCI vs. CUI?
The entire distinction between FAR 52.204-21 and DFARS 252.204-7012 comes down to the type of information your contract involves. Understanding these two categories is the prerequisite to everything else on this page.
Federal Contract Information (FCI)
Defined in FAR 4.1901: information not intended for public release, provided by or generated for the government under a contract to develop or deliver a product or service. It does not include information provided to the public (such as on public websites) or simple transactional information (like payment data).
Examples: Contract performance reports, internal project plans created for the government, contractor proprietary data submitted under contract, government-furnished specifications not marked CUI.
Controlled Unclassified Information (CUI)
Defined in 32 CFR Part 2002 and the CUI Registry: government-created or -owned information that law, regulation, or government-wide policy requires safeguarding. Encompasses 125+ categories across 20 groupings including export-controlled data, technical data, privacy information, law enforcement sensitive data, and critical infrastructure information.
Examples: Technical drawings with distribution restrictions, ITAR-controlled design data, personally identifiable information (PII) of service members, Critical Infrastructure security assessments, export-controlled source code.
Key distinction: All CUI is also FCI, but not all FCI is CUI. If your contract only involves FCI (no CUI designations), FAR 52.204-21 applies. The moment CUI enters the picture, DFARS 252.204-7012 applies and brings all 110 NIST SP 800-171 controls with it.
FAR 52.204-21: Basic Safeguarding (15 Controls for FCI)
FAR clause 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems," applies to all federal contracts (not just DoD) where contractor information systems process, store, or transmit Federal Contract Information. Prescribed by FAR 4.1903, it establishes a minimum security baseline derived from NIST SP 800-171 but limited to 15 requirements across 6 security families.
The 15 Basic Safeguarding Controls (FAR 52.204-21(b)(1))
Access Control (AC)
- Limit information system access to authorized users, processes, or devices
- Limit information system access to types of transactions and functions that authorized users are permitted to execute
Identification and Authentication (IA)
- Identify information system users, processes, or devices
- Authenticate (or verify) identities as prerequisite to allowing access
Media Protection (MP)
- Sanitize or destroy information system media containing FCI before disposal or reuse
- Limit physical access to organizational information systems, equipment, and operating environments to authorized individuals
Physical Protection (PE)
- Escort visitors and monitor visitor activity
- Maintain audit logs of physical access
- Control and manage physical access devices
System and Communications Protection (SC)
- Monitor, control, and protect communications at external boundaries and key internal boundaries
- Implement subnetworks for publicly accessible system components separated from internal networks
System and Information Integrity (SI)
- Identify, report, and correct information and information system flaws in a timely manner
- Provide protection from malicious code at appropriate locations within organizational information systems
- Update malicious code protection mechanisms when new releases are available
- Perform periodic scans of the information system and real-time scans of files from external sources
No certification, no third-party assessment, and no reporting requirements. These are self-attested baseline controls. Most organizations with basic IT security practices already meet most of these requirements.
DFARS 252.204-7012: Full NIST 800-171 (110 Controls for CUI)
DFARS clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," applies to DoD contracts and subcontracts where covered defense information (CDI) is involved. CDI includes CUI that is marked, designated, or otherwise indicated in the contract and requires safeguarding per law, regulation, or government-wide policy.
- 110 NIST 800-171 controls: Per DFARS 252.204-7012(b)(2)(ii)(A), contractors must implement NIST SP 800-171 "as soon as practical, but not later than December 31, 2017" (deadline has passed -- compliance is required now).
- 72 hours incident reporting: Per DFARS 252.204-7012(c), cyber incidents must be reported to DoD via the DIBNet portal within 72 hours of discovery. Includes preserving forensic images for 90 days (252.204-7012(e)).
- CMMC certification required: CMMC 2.0 Level 2 requires a third-party assessment (C3PAO) against all 110 NIST 800-171 controls. Phased rollout began in 2025. DFARS 252.204-7021 implements the CMMC program requirement.
Additional DFARS 7012 Requirements Beyond NIST 800-171
- Cloud services: Must meet FedRAMP Moderate baseline or equivalent per 252.204-7012(b)(2)(ii)(D)
- Subcontract flowdown: Must include 252.204-7012 in subcontracts for operationally critical support or where CUI is involved per 252.204-7012(m)
- Forensic preservation: Must preserve images of affected systems and relevant monitoring data for at least 90 days per 252.204-7012(e)
- SPRS score: Per DFARS 252.204-7019/7020, a current self-assessment score must be posted to SPRS before contract award
Decision Tree: Which Clause Applies to Your Contract?
Walk through these three questions in order. Your answer at each step determines which cybersecurity standard your contract requires.
Step 1: Does your contract (or subcontract) involve any federal government information?
- YES: Continue to Step 2.
- NO: Neither clause applies. Standard commercial cybersecurity practices recommended.
Step 2: Is the information Controlled Unclassified Information (CUI) per 32 CFR Part 2002?
- YES: DFARS 252.204-7012 applies. You must implement all 110 NIST SP 800-171 controls.
- NO: Continue to Step 3.
Step 3: Does the contract involve Federal Contract Information (FCI) processed, stored, or transmitted on contractor information systems?
- YES: FAR 52.204-21 applies. You must implement the 15 basic safeguarding controls.
- NO: Neither cybersecurity clause applies (rare for IT contractors).
Important nuance: Many contractors assume their civilian contracts only involve FCI, but CUI can appear in non-DoD contracts too (e.g., DHS, DOE, or NASA contracts with export-controlled data). Always check the contract's Section I clauses and any CUI markings on government-furnished information. If DFARS 252.204-7012 is listed in your contract, CUI is involved regardless of the contracting agency.
Control-by-Control Comparison Across All 14 NIST Families
Both FAR 52.204-21 and DFARS 252.204-7012 trace back to NIST SP 800-171. FAR 52.204-21 only covers 6 of the 14 families. DFARS 7012 covers all 14. Here is the full comparison.
| NIST Family | FAR 52.204-21 (FCI) | DFARS 7012 / NIST 800-171 (CUI) |
|---|---|---|
| 3.1 Access Control (AC) | Limit system access to authorized users and transactions/functions (2 controls) | 22 controls: account management, access enforcement, information flow, separation of duties, least privilege, session lock, remote access, wireless, mobile, CUI on public systems, and more |
| 3.2 Awareness and Training (AT) | Not addressed | 3 controls: security awareness training, insider threat awareness, role-based training |
| 3.3 Audit and Accountability (AU) | Not addressed | 9 controls: create/retain audit logs, review and reporting, time stamps, protection of audit info, correlation |
| 3.4 Configuration Management (CM) | Not addressed | 9 controls: baseline configurations, change tracking, security impact analysis, access restrictions for change, least functionality, blacklisting/whitelisting, unauthorized software, user-installed software |
| 3.5 Identification and Authentication (IA) | Identify information system users and authenticate as prerequisite to access (2 controls) | 11 controls: multi-factor authentication, replay-resistant, identifier management, authenticator management, obscure feedback, cryptographic module authentication |
| 3.6 Incident Response (IR) | Not addressed | 3 controls: incident handling capability, tracking/documenting/reporting, testing incident response |
| 3.7 Maintenance (MA) | Not addressed | 6 controls: controlled maintenance, tools/media/personnel, remote maintenance, maintenance personnel oversight |
| 3.8 Media Protection (MP) | Sanitize or destroy media containing FCI before disposal or reuse (2 controls) | 9 controls: media access, marking CUI media, storage, transport, sanitization, CUI during transport, accountability, removable media use |
| 3.9 Personnel Security (PS) | Not addressed | 2 controls: screen individuals prior to CUI access, protect CUI during personnel actions (termination/transfer) |
| 3.10 Physical Protection (PE) | Limit physical access to information systems and equipment; escort visitors and monitor physical access (2 controls) | 6 controls: limit physical access, manage physical access, escort visitors, audit logs, manage physical access devices, alternate work sites |
| 3.11 Risk Assessment (RA) | Not addressed | 3 controls: periodic risk assessments, vulnerability scanning, remediation of vulnerabilities |
| 3.12 Security Assessment (CA) | Not addressed | 4 controls: assess controls periodically, develop/implement remediation plans, continuous monitoring, system connections |
| 3.13 System and Communications Protection (SC) | Monitor/control/protect communications at system boundaries; implement subnetworks for publicly accessible components (5 controls) | 16 controls: boundary protection, architectural designs, role separation, shared resource control, denial of service protection, session authenticity, CUI at rest encryption, CUI in transit encryption, network disconnect, cryptographic key establishment, cryptographic protection, collaborative computing, mobile code, VoIP, communications authenticity, CUI confidentiality |
| 3.14 System and Information Integrity (SI) | Identify, report, and correct flaws in a timely manner; provide protection from malicious code; update malicious code mechanisms (2 controls) | 7 controls: flaw remediation, malicious code protection, security alerts/advisories, system monitoring, inbound/outbound communications traffic monitoring, unauthorized use identification, advanced persistent threat indicators |
Control counts per NIST SP 800-171 Rev 2. FAR 52.204-21 maps to a subset of basic requirements only. DFARS 7012 requires both basic and derived requirements across all 14 families (110 total).
IT Services Contractor Implications
IT services contractors face unique challenges because they typically operate, manage, or have privileged access to government information systems. This section addresses how the two clauses apply specifically to managed service providers, cloud hosting providers, help desk operators, and software developers working on government contracts.
Managed Service Providers (MSPs)
MSPs handling government IT infrastructure almost always process FCI at minimum. If you manage systems for a DoD agency or a DoD prime, you likely handle CUI -- think user account data, system configurations, network diagrams, and security logs. DFARS 7012 applies to your entire managed environment, not just the specific data you touch. Your NOC, SOC, and ticketing systems are all in scope.
Cloud and Hosting Providers
DFARS 252.204-7012(b)(2)(ii)(D) requires that CUI stored in the cloud use services that meet FedRAMP Moderate baseline or equivalent. Standard commercial AWS, Azure, or GCP accounts do not qualify. You need GovCloud, IL4/IL5 environments, or a FedRAMP-authorized service. For FCI-only (FAR 52.204-21), there is no explicit FedRAMP requirement, but basic safeguarding still applies.
Software Development Contractors
Source code developed under a DoD contract is often CUI (especially if it contains technical data with distribution restrictions). Your development environment, CI/CD pipelines, code repositories, and developer workstations are all in scope for NIST 800-171 controls. This includes access control on repos (3.1), audit logging (3.3), configuration management (3.4), and encryption for code in transit and at rest (3.13).
Help Desk and End-User Support
Even help desk operators may access CUI through screen-sharing sessions, remote administration, or ticket content. If your contract supports a DoD organization, assume CUI exposure. Your ticketing system, remote access tools, and call recordings need to comply with DFARS 7012. Multi-factor authentication (NIST 800-171 3.5.3) is mandatory for any remote access.
7 Common Mistakes Contractors Make
These are the most frequent compliance failures we see. Each one can result in contract performance issues, false claims liability, or loss of future contract eligibility.
Assuming FAR 52.204-21 is enough for DoD contracts
If your DoD contract involves CUI (most do), FAR 52.204-21 is the floor, not the ceiling. DFARS 252.204-7012 requires all 110 NIST 800-171 controls on top of the basic 15. Implementing only the FAR baseline leaves 95 controls unaddressed.
Cite: DFARS 252.204-7012(b)(2)(ii)(A)
Confusing FCI with CUI
FCI is information provided by or generated for the government under contract that is not public. CUI is a narrower, more sensitive category designated per 32 CFR Part 2002. A contract can involve FCI without CUI, but any contract with CUI also involves FCI. The distinction determines which clause applies.
Cite: FAR 4.1901 (FCI definition), 32 CFR 2002.4(h) (CUI definition)
Not flowing down DFARS 7012 to subcontractors
DFARS 252.204-7012(m) explicitly requires flowdown to subcontractors at any tier whose performance involves covered defense information or operationally critical support. Primes are responsible for ensuring sub compliance.
Cite: DFARS 252.204-7012(m)
Ignoring the 72-hour incident reporting requirement
Under DFARS 7012, cyber incidents affecting covered defense information must be reported to DoD within 72 hours via the DIBNet portal. There is no equivalent reporting requirement under FAR 52.204-21. Many contractors have no incident response plan at all.
Cite: DFARS 252.204-7012(c)
Posting a SPRS score without a real self-assessment
DoD requires a NIST 800-171 self-assessment score posted to the Supplier Performance Risk System (SPRS). Some contractors post inflated scores without rigorous self-assessment. DFARS 252.204-7019 makes this a representation to the government -- false claims risk applies.
Cite: DFARS 252.204-7019, 252.204-7020
Using personal devices without a security policy
IT services contractors commonly allow BYOD without controls. Both clauses require limiting system access to authorized users (FAR 52.204-21(b)(1)(i)). Under DFARS 7012, personal devices accessing CUI must meet all 110 NIST 800-171 controls, including encryption at rest and in transit.
Cite: FAR 52.204-21(b)(1)(i), NIST 800-171 3.1.18, 3.13.8
Treating cloud services as automatically compliant
DFARS 252.204-7012(b)(2)(ii)(D) requires cloud service providers handling CUI to meet FedRAMP Moderate baseline (or equivalent). A standard AWS or Azure commercial account does not satisfy this. GovCloud or IL4/IL5 environments are typically required.
Cite: DFARS 252.204-7012(b)(2)(ii)(D)
Quick Reference: FAR 52.204-21 vs DFARS 252.204-7012
| Dimension | FAR 52.204-21 | DFARS 252.204-7012 |
|---|---|---|
| Protects | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) / Covered Defense Information (CDI) |
| Applies To | All federal contracts with contractor info systems | DoD contracts and subcontracts involving CUI |
| Number of Controls | 15 basic safeguarding controls | 110 NIST SP 800-171 controls |
| NIST Families Covered | 6 of 14 families | All 14 families |
| Certification | None (self-attestation) | CMMC Level 2 (third-party C3PAO assessment) |
| Incident Reporting | Not required | 72 hours via DIBNet portal |
| Forensic Preservation | Not required | 90-day image preservation |
| Cloud Requirement | No specific cloud standard | FedRAMP Moderate baseline or equivalent |
| SPRS Score | Not required | Required per DFARS 252.204-7019/7020 |
| Subcontract Flowdown | When subcontract involves FCI on contractor systems | Mandatory per 252.204-7012(m) for CUI/operationally critical support |
| Typical Compliance Cost | $0 to $5K (most firms already compliant) | $20K to $100K+ (6 to 18 months for small business) |
| CFR Citation | 48 CFR 52.204-21 | 48 CFR 252.204-7012 |