If you hold a DoD contract that involves Controlled Unclassified Information, DFARS 252.204-7012 is the clause that creates your cybersecurity compliance obligation. It’s been in contracts since 2017. It predates CMMC. And it remains the foundational contractual requirement that CMMC is built to verify.
Most defense contractors know this clause exists. Fewer understand what it actually requires. This guide explains the clause in plain language, covers its key provisions, and maps how it connects to CMMC and the related DFARS clauses that contractors encounter.
What DFARS 252.204-7012 Requires
The clause, formally titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” establishes two core obligations for contractors who handle Covered Defense Information (CDI), which includes CUI.
Obligation 1: Implement NIST 800-171
The contractor must provide “adequate security” for covered defense information that resides on or transits through the contractor’s information systems. The clause defines adequate security as implementing the 110 security requirements in NIST SP 800-171.
Not a suggestion. It’s a contractual requirement. When DFARS 7012 appears in your contract, implementing NIST 800-171 is a condition of performance.
If the contractor seeks to vary from a NIST SP 800-171 requirement, the request must be submitted in writing to the Contracting Officer for consideration by the DoD CIO. If the DoD CIO has already adjudicated a requirement as nonapplicable or approved an equally effective alternative security measure, that approval should be provided to the Contracting Officer for recognition under the contract.
Obligation 2: Report Cyber Incidents
If the contractor discovers a cyber incident that affects covered defense information or the contractor’s ability to perform the contract requirements, it must report the incident to the DoD within 72 hours through the DIBNet portal.
The reporting obligation includes:
- A description of the technique or method used in the incident
- A sample of any malicious software discovered
- A summary of the affected information
- Preservation of images and logs for at least 90 days to support potential DoD investigation
This is one of the more stringent incident reporting timelines in any regulatory framework. The 72 hours run from discovery, not from confirmation or from completion of the investigation. If you discover something that might be an incident, the clock starts.
The clause also creates a flow-down obligation: contractors must include DFARS 7012 in all subcontracts where the subcontractor will handle covered defense information. This extends to every tier in the supply chain — if you receive CUI from a prime and share it with your sub, the sub inherits the same obligations.
What Covered Defense Information Means
The clause protects “covered defense information,” which it defines as unclassified controlled technical information or other information described in the CUI Registry that requires safeguarding or dissemination controls, and is either:
- Marked or identified in the contract, task order, or delivery order as requiring protection, or
- Collected, developed, received, transmitted, used, or stored by the contractor in performance of the contract
The clause applies to covered defense information and to covered contractor information systems that process, store, or transmit that information. In practice, many DoD-related CUI scenarios fall inside that frame, but the contract language and the specific information type still matter. Review your contract to confirm which information is designated as covered defense information and which systems are in scope.
How DFARS 7012 Connects to CMMC
DFARS 7012 created the obligation to implement NIST 800-171. CMMC created the verification mechanism to confirm that implementation.
Before CMMC, the compliance model under DFARS 7012 was self-attestation. Contractors implemented the controls (or claimed to), assessed themselves, and reported a score to SPRS. Nobody independently verified the score unless DIBCAC selected the contractor for a review.
CMMC changes the enforcement model, not the underlying security requirements. CMMC Level 2 uses the same 110 security requirements as NIST SP 800-171 Rev 2. There is no separate Level 2 control set. If you’ve been implementing the 110 requirements under DFARS 7012, your CMMC Level 2 preparation builds on that existing work.
What CMMC adds is the assessment, scoring, affirmation, POA&M, and certification framework around those same requirements. Implementing the 110 requirements is the technical foundation, but achieving CMMC certification requires meeting the program’s assessment and status requirements as well.
Among contractors we’ve supported through the DFARS-to-CMMC transition, the biggest surprise isn’t new controls — it’s the documentation standard. DFARS 7012 required implementation. CMMC requires proof of implementation at the assessment-objective level, with traceable evidence for each of the 320 objectives.
The addition of CMMC doesn’t replace DFARS 7012. Both coexist. Your contract still includes DFARS 7012 for the cybersecurity and incident reporting requirements. CMMC adds the independent assessment layer through a separate clause, DFARS 252.204-7021.
Already compliant with DFARS 7012 and wondering how far you are from CMMC? Check your readiness to see how your current controls map to CMMC Level 2 requirements.
The Related DFARS Clauses
DFARS 7012 doesn’t exist in isolation. Several related clauses form the complete compliance picture.
DFARS 252.204-7019: Notice of NIST 800-171 Assessment Requirements
This clause requires contractors to have a current NIST 800-171 DoD Assessment posted in SPRS before contract award. The assessment must cover the contractor’s information systems that process, store, or transmit CUI.
In practical terms: before you can win a contract that includes this clause, your SPRS score must exist and be current.
DFARS 252.204-7020: NIST 800-171 DoD Assessment Requirements
The clause gives the DoD the right to conduct its own assessment of your NIST 800-171 implementation, through DIBCAC. Unlike self-assessment, a DIBCAC review is the government independently verifying your compliance. DIBCAC findings take precedence over your self-reported score.
The significance: your self-assessment isn’t the final word. The DoD can audit you. And if their findings show that your self-reported SPRS score doesn’t reflect reality, the consequences can include contract termination and potential False Claims Act exposure.
DFARS 252.204-7021: CMMC Requirements
This is the clause that ties CMMC directly to contract award. It specifies the required CMMC level and assessment type for the contract. When this clause appears in a solicitation, the contractor must hold the specified CMMC status at the time of award.
The progression: 7012 establishes the cybersecurity requirement. 7019 requires a posted assessment. 7020 allows the government to verify. 7021 makes certification a condition of award.
What Contractors Get Wrong About DFARS 7012
Thinking it only applies if CUI is explicitly marked in the contract. The clause covers information that is marked as requiring protection or information that the contractor collects, develops, receives, transmits, uses, or stores in performance of the contract. CUI can be present in your environment even if the contract doesn’t have a CUI marking guide attached.
Treating the cyber incident reporting requirement as optional. The 72-hour reporting window is contractual. Failure to report is a contract performance issue. Contractors who discover potential incidents and delay reporting because they want to investigate first are already outside the timeline.
Overlooking the flow-down obligation. The clause requires flow-down to every subcontract where the sub will handle covered defense information. Many primes include the clause in their subcontracts. Some don’t. If you’re a sub and the clause isn’t in your subcontract but you’re handling CUI, raise it: the obligation exists whether the paperwork catches up or not.
Letting familiarity turn into complacency. DFARS 7012 has been in contracts since 2017, long enough that many contractors have stopped reading it. The clause hasn’t changed, but the enforcement environment around it has. DIBCAC reviews are increasing. False Claims Act enforcement is active. And CMMC is adding independent verification on top of the existing requirement. Treating a live contractual obligation as background noise is how contractors end up exposed when enforcement catches up.
Assuming DFARS 7012 compliance means CMMC readiness. The underlying security requirements are the same, but CMMC demands a higher standard of evidence, documentation, and assessment rigor. Many contractors who have been “compliant” with DFARS 7012 through self-assessment discover significant gaps when they prepare for independent CMMC assessment. In our experience, contractors who report high SPRS scores under DFARS 7012 self-assessment consistently underperform when evaluated at the CMMC assessment-objective level. The controls may be in place, but the evidence, documentation specificity, and assessment rigor required by CMMC expose gaps that self-assessment never surfaced.
What to Do About It
1. Confirm DFARS 7012 is in your contracts and verify your implementation against it. If your contract performance involves covered defense information or applicable CUI handling on covered contractor information systems, DFARS 7012 is often the key clause to look for — but applicability depends on the contract structure, and exclusions exist for COTS contracts and subcontracts. Review the actual clause inclusions in your contracts and subcontracts. Once confirmed, don’t rely on a years-old self-assessment. Run a current gap assessment against all 110 security requirements at the assessment-objective level. Know your real SPRS score.
2. Keep your SPRS score current. An outdated SPRS score creates real exposure. DFARS 7019 requires a posted assessment, and if your score hasn’t been updated since your environment changed, it no longer reflects reality. The gap between your reported score and your actual posture is exactly what DIBCAC reviews and False Claims Act enforcement target.
3. Review your incident response plan. The 72-hour reporting requirement demands a tested process. If your team doesn’t know how to report through DIBNet, how to preserve evidence, or what qualifies as a reportable incident, fix that before you need it. We’ve tested incident response readiness across dozens of contractor environments. The most common failure: the team knows they need to report within 72 hours but nobody can name the DIBNet portal or describe the evidence preservation steps. Having a plan on paper and being able to execute it under pressure are different things.
4. Verify flow-down to your supply chain. If you share CUI with subcontractors, confirm DFARS 7012 is in their subcontracts and that they’re meeting the requirements.
Deep Fathom helps contractors build on their existing DFARS 7012 compliance to reach CMMC certification readiness. The platform maps your current controls, identifies gaps against the assessment objectives, and produces documentation that satisfies both the contractual requirement and the certification assessment.
Check your readiness or talk to our team.