DFARS 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting") requires contractors to: implement NIST SP 800-171 security requirements on all systems processing CUI, report cyber incidents to DoD within 72 hours, preserve and submit malware and related artifacts to DoD, and flow down these requirements to subcontractors handling CUI. The clause applies to all DoD contracts except those involving only commercially available off-the-shelf (COTS) items.
What DFARS 252.204-7012 Covers
DFARS 252.204-7012 is found in most DoD contracts and creates several distinct obligations:
- Adequate security: Implement NIST SP 800-171 on all covered contractor information systems that process, store, or transmit Covered Defense Information (CDI)
- Cyber incident reporting: Report cyber incidents to DoD within 72 hours of discovery
- Malicious software: Submit malware discovered during incident investigation to DoD Cyber Crime Center (DC3)
- Media preservation and protection: Preserve images of all systems and relevant monitoring data for 90 days after submitting a cyber incident report
- Access for damage assessment: Provide DoD access to contractor systems and data for damage assessment following an incident
- Subcontractor flowdown: Flow down 7012 requirements to all subcontractors that will process, store, or transmit CDI
Covered Defense Information: The Scope Trigger
The clause applies when your systems process, store, or transmit "Covered Defense Information" — which includes:
- Unclassified Controlled Technical Information (CTI)
- Other CUI designated in your contract
- Other information described in the Performance Work Statement or Statement of Work that requires protection
The practical scope question is: which of your systems touch CDI? That defines your "covered contractor information system." Work to limit this scope — the smaller it is, the more manageable compliance becomes.
NIST 800-171 "Adequate Security" Requirement
The clause requires "adequate security" defined by implementing NIST SP 800-171 on all covered systems. As of 2020, contractors must also:
- Submit a SPRS (Supplier Performance Risk System) score reflecting your 800-171 self-assessment
- Have a System Security Plan (SSP) documenting your implementation of each control
- Have a Plan of Action & Milestones (POA&M) for any controls not yet fully implemented
The clause does not currently require a third-party assessment (that's CMMC's role), but self-assessments are subject to False Claims Act liability — knowingly submitting a false SPRS score is a federal offense. See our CMMC gap assessment guide for the self-assessment methodology.
The 72-Hour Cyber Incident Reporting Requirement
This is the most operationally demanding requirement. Within 72 hours of discovering a cyber incident, you must submit a report to the DoD via the DIBNet Portal (dibnet.dod.mil). The report requires:
- Company identification information (CAGE code, contract numbers)
- Incident description: date discovered, date occurred, type of incident, how discovered
- Systems affected: which systems were compromised, what CDI was on those systems
- Impact assessment: what data may have been exfiltrated or compromised
- Actions taken: containment and remediation steps underway
The 72-hour clock starts at discovery — not at confirmation. If you have reason to believe a cyber incident has occurred, the clock is running. Waiting for forensic confirmation before reporting is a compliance risk.
A "cyber incident" under 7012 means: actions taken through the use of computer networks that result in (or may have resulted in) an actual or potentially adverse effect on a covered contractor information system or covered defense information. This is broad: ransomware, data exfiltration, unauthorized access, and even a phishing attempt that may have succeeded against a user with access to CDI systems all qualify.
What You Must Preserve for 90 Days
Following a cyber incident, preserve for 90 days:
- Images (forensic copies) of all systems believed to be compromised
- All relevant monitoring/log data
- Any malware samples identified
This preservation requirement has significant IT implications: you need forensic imaging capability (or a forensic firm on retainer), sufficient storage for system images, and a chain of custody process for preserved data. Your IT provider should have a documented forensic preservation procedure before you need it.
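The two clocks described above (the 72-hour report deadline that starts at discovery, and the 90-day preservation hold that starts when the report is submitted) and the chain-of-custody record for preserved artifacts are straightforward to automate. The following is an added example, not code from the page or from any DoD tool: it computes both deadlines, builds a preservation manifest with a SHA-256 hash and a custody log per artifact (image, log export, or malware sample), and re-verifies the hashes later so that any post-collection modification of preserved evidence is detected. The incident id, custodian name, timestamps and sample files in `run_demo()` are constructed for the demonstration.

```python
"""Incident clocks and evidence-preservation manifest for a 7012 response (added example)."""
from __future__ import annotations

import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List, Optional

REPORT_WINDOW = timedelta(hours=72)       # report due 72 hours after discovery
PRESERVATION_WINDOW = timedelta(days=90)  # hold evidence 90 days after the report


def report_deadline(discovered_at: datetime) -> datetime:
    """The 72-hour clock starts at discovery, not at forensic confirmation."""
    return discovered_at + REPORT_WINDOW


def preservation_until(report_submitted_at: datetime) -> datetime:
    """Evidence must be held for 90 days from submission of the incident report."""
    return report_submitted_at + PRESERVATION_WINDOW


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so multi-GB disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class CustodyEvent:
    when: str        # ISO-8601 timestamp
    custodian: str   # person who handled the artifact
    action: str      # e.g. "collected", "transferred", "verified"


@dataclass
class Artifact:
    path: str
    kind: str        # "image", "logs" or "malware" (the three preserved categories)
    sha256: str
    size: int
    custody: List[CustodyEvent] = field(default_factory=list)


@dataclass
class PreservationManifest:
    incident_id: str
    discovered_at: str
    report_due: str
    hold_until: Optional[str]            # unknown until the report is actually submitted
    artifacts: List[Artifact] = field(default_factory=list)

    @classmethod
    def start(cls, incident_id: str, discovered_at: datetime) -> "PreservationManifest":
        return cls(incident_id, discovered_at.isoformat(), report_deadline(discovered_at).isoformat(), None)

    def add(self, path: Path, kind: str, custodian: str, now: datetime) -> Artifact:
        """Hash the artifact at collection time and open its custody log."""
        art = Artifact(str(path), kind, sha256_file(path), path.stat().st_size,
                       [CustodyEvent(now.isoformat(), custodian, "collected")])
        self.artifacts.append(art)
        return art

    def mark_reported(self, submitted_at: datetime) -> None:
        self.hold_until = preservation_until(submitted_at).isoformat()

    def verify(self) -> List[str]:
        """Paths whose current hash no longer matches (or that are missing): evidence to distrust."""
        return [a.path for a in self.artifacts
                if not Path(a.path).exists() or sha256_file(Path(a.path)) != a.sha256]

    def save(self, path: Path) -> None:
        path.write_text(json.dumps(asdict(self), indent=2))


def run_demo() -> Dict[str, object]:
    """Build a manifest over constructed sample evidence, then tamper with one file."""
    discovered = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)       # constructed discovery time
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        image = root / "host01.E01"                                     # stand-in for a disk image
        image.write_bytes(b"\x00" * 4096)
        logs = root / "edr-export.jsonl"                                # stand-in for a log export
        logs.write_text('{"event": "constructed sample"}\n')
        manifest = PreservationManifest.start("INC-EXAMPLE-0001", discovered)
        manifest.add(image, "image", "example.custodian", discovered + timedelta(hours=2))
        manifest.add(logs, "logs", "example.custodian", discovered + timedelta(hours=3))
        clean = manifest.verify()                                       # nothing changed yet
        manifest.mark_reported(discovered + timedelta(hours=40))        # reported inside the window
        logs.write_text("altered after collection\n")                   # simulate tampering
        tampered = [Path(p).name for p in manifest.verify()]
        manifest.save(root / "manifest.json")
        return {"report_due": manifest.report_due, "hold_until": manifest.hold_until,
                "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is what a forensic firm or DC3 would expect alongside the evidence: a hash taken at collection time, a custody trail for every hand-off, and a hold date derived from the report submission rather than from discovery. Re-running `verify()` on a schedule during the hold period turns a silent storage fault or an unauthorized modification into a visible finding before the evidence is needed.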
Subcontractor Flowdown
You are required to flow down 7012 requirements to subcontractors that will process, store, or transmit CDI. This means:
- Include 7012 language in all subcontracts involving CDI
- Assess subcontractor compliance before awarding work involving CDI
- Ensure subcontractors understand the 72-hour incident reporting requirement (they report to you; you consolidate and report to DoD)
Failure to flow down requirements doesn't eliminate your liability — if a subcontractor handling your CDI experiences an incident, you remain responsible for the reporting and preservation requirements.
Cloud Service Provider Requirements
Cloud services used for CDI must meet FedRAMP Moderate requirements or provide equivalent security. This is explicitly stated in the clause. Standard commercial cloud services (Office 365 commercial, Google Workspace standard, AWS standard) do not meet this requirement for CDI. Use:
- Microsoft 365 GCC or GCC High
- AWS GovCloud
- Azure Government
- Other FedRAMP Moderate or High authorized services
Frequently Asked Questions
Does DFARS 252.204-7012 apply to commercial companies that sell COTS products to the DoD?
No. The clause explicitly excludes contracts for the acquisition of commercially available off-the-shelf (COTS) items. However, if you also provide services, customization, or support under the same contract, those non-COTS portions may be covered. Review your specific contract with legal counsel.
What is the False Claims Act risk for DFARS compliance?
Contractors who knowingly submit false SPRS scores or misrepresent their 800-171 compliance may face False Claims Act (FCA) liability. The DoJ has pursued FCA cases specifically targeting DFARS cybersecurity compliance, including against contractors who certified compliance without implementing the required controls. The FCA provides for treble damages plus per-claim penalties, and its qui tam provisions allow whistleblowers, including employees, to bring suit on the government's behalf and share in any recovery.
How do I get a DIBNet Portal account to submit cyber incident reports?
Register at dibnet.dod.mil using your company's CAGE code and an authorized company representative's identity-proofed account. Registration requires an identity verification step. Complete this before you have an incident to report — you don't want to be navigating account registration during an active incident.