DFARS 252.204-7012 Compliance Guide
Last reviewed · By Chad Griffith
DFARS 252.204-7012 ('Safeguarding Covered Defense Information and Cyber Incident Reporting') is the contract clause that requires defense contractors handling Covered Defense Information (CDI, the DoD-specific subset of CUI the clause defines) to implement the NIST SP 800-171 security requirements, report cyber incidents to DoD within 72 hours of discovery, submit malicious software discovered during incident response to the DoD Cyber Crime Center (DC3), preserve images of affected systems, and support DoD damage assessments. The clause in its current form dates from the October 2016 final rule, which required full NIST SP 800-171 implementation by December 31, 2017; it predates CMMC, which adds assessment-based verification of the same requirements.
What DFARS 252.204-7012 Requires
The clause has six core requirements: (1) provide adequate security for covered contractor information systems by implementing NIST SP 800-171, or alternative but equally effective measures approved in writing by the DoD CIO (paragraph (b)); (2) rapidly report cyber incidents to DoD, which the clause defines as within 72 hours of discovery (paragraphs (a) and (c)); (3) submit malicious software discovered and isolated in connection with a reported cyber incident to DC3 (paragraph (d)); (4) preserve and protect images of all known affected information systems, plus all relevant monitoring and packet-capture data, for at least 90 days from submission of the cyber incident report (paragraph (e)); (5) give DoD access to additional information or equipment needed for forensic analysis and support cyber incident damage assessment (paragraphs (f) and (g)); (6) flow the clause down to subcontractors whose performance involves covered defense information or operationally critical support (paragraph (m)). Note that submitting a report to DIBNET requires a DoD-approved medium assurance certificate (paragraph (c)(3)); obtain it before an incident, not during one.
72-Hour Cyber Incident Reporting
The clause defines a cyber incident as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing in it. The contractor must report any cyber incident that affects a covered contractor information system or the covered defense information residing in it, or that affects the contractor's ability to perform contract requirements designated as operationally critical support. On discovery the contractor conducts a review for evidence of compromise (identifying compromised computers, servers, user accounts, and specific data, and checking other systems on the network that the intrusion may have reached) and reports via the DoD's DIBNET portal within 72 hours of discovery. The 72-hour clock starts at contractor discovery, not at the time the intrusion occurred, and it does not wait for the review to finish. Late reporting is a separate violation that can affect contract eligibility.
Relationship to CMMC
DFARS 252.204-7012 requires NIST SP 800-171 implementation but, on its own, rests on contractor self-attestation. DFARS 252.204-7019 and 252.204-7020 (interim rule effective November 2020) added the NIST SP 800-171 DoD Assessment Methodology, with self-assessment scores posted to SPRS and DoD-conducted Medium and High assessments by DIBCAC. DFARS 252.204-7021, introduced by that same November 2020 interim rule and revised under CMMC 2.0, makes CMMC certification a condition of award. CMMC verifies implementation through C3PAO assessment (Level 2), DIBCAC assessment (Level 3), or annual self-assessment with a senior-official affirmation (Level 1 and some Level 2 work). A contractor handling CUI must comply with both clauses: 252.204-7012 (the underlying requirement) and 252.204-7021 (the certification requirement). The 7012 obligations, including 72-hour reporting and media preservation, continue to apply regardless of CMMC status.
Cloud Service Provider Requirements
If a contractor uses an external cloud service provider to store, process, or transmit covered defense information, paragraph (b)(2)(ii)(D) requires the contractor to ensure that the provider meets security requirements equivalent to the FedRAMP Moderate baseline and that the provider complies with paragraphs (c) through (g) of the clause (cyber incident reporting, malicious software, media preservation, forensic access, and damage assessment). "Equivalent" is defined by DoD CIO's December 2023 FedRAMP Moderate equivalency memorandum, which expects a body of evidence (system security plan, assessment report from a FedRAMP-recognized 3PAO, and plan of action and milestones) rather than a vendor's self-assertion. The contractor remains responsible for implementing the NIST SP 800-171 requirements that fall on its side of the shared responsibility model, and for obtaining and retaining evidence of the provider's status, whether a FedRAMP Moderate authorization or the equivalency body of evidence.
Frequently Asked Questions
What is the difference between DFARS 252.204-7012 and CMMC?
DFARS 252.204-7012 is the contractual requirement that a contractor implement NIST 800-171 and report cyber incidents. CMMC is the assessment framework that verifies the contractor actually implements those requirements. DFARS predates CMMC; CMMC adds verification. Contractors handling CUI must comply with both: 252.204-7012 for the underlying requirements and 252.204-7021 for the CMMC certification requirement.
What is the cyber incident reporting deadline?
72 hours from discovery. The clock starts when the contractor identifies the incident, not when it occurred. Reports go to DoD via the DIBNET portal at https://dibnet.dod.mil/, which requires a DoD-approved medium assurance certificate to submit; obtaining that certificate takes time and should be done before any incident. Late reporting is a separate violation. The 72-hour window is a commonly identified gap in DFARS compliance reviews.
What is FedRAMP and why does it matter?
FedRAMP (Federal Risk and Authorization Management Program) is the government program providing standardized assessment, authorization, and continuous monitoring for cloud products and services. Contractors using an external cloud service to store, process, or transmit covered defense information must ensure it meets security requirements equivalent to the FedRAMP Moderate baseline and that the provider complies with the clause's incident reporting, malicious software, media preservation, forensic access, and damage assessment paragraphs. The authorization or equivalency documentation must be retained as part of the contractor's compliance evidence.
How long must incident-related system images be retained?
DFARS 252.204-7012(e) requires contractors to preserve and protect images of all known affected information systems, and all relevant monitoring and packet-capture data, for at least 90 days from submission of the cyber incident report, so that DoD can request the media or decline interest. The hold runs from the report submission, not from discovery or from the date of the intrusion. Some incidents may require longer retention if associated with an active investigation or a DoD request for the media.
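The two clocks described above (72 hours from discovery for the report, 90 days from report submission for media preservation) are easy to get wrong in an incident tracker, and preserved images are only useful if their integrity can later be shown. The following is an added example, not part of the clause or of any DoD tool: it encodes both deadlines, rejects naive timestamps so a local/UTC mix-up cannot shift a deadline, and writes a SHA-256 manifest for preserved images that can be re-verified later. The incident timestamps and the "disk image" it preserves are constructed for illustration.

```python
# Added example (not DoD or DFARS-provided code): deadline tracking and a
# preservation manifest for images kept under 252.204-7012 paragraph (e).
from __future__ import annotations

import hashlib
import json
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

REPORT_WINDOW = timedelta(hours=72)     # (a): "rapidly report" = within 72 hours of discovery
PRESERVATION_HOLD = timedelta(days=90)  # (e): at least 90 days from submission of the report


@dataclass(frozen=True)
class Incident:
    incident_id: str
    discovered: datetime              # starts the 72-hour clock (not the time of the intrusion)
    reported: datetime | None = None  # DIBNET submission time; starts the 90-day hold


def _utc(dt: datetime) -> datetime:
    """Reject naive timestamps so a local/UTC mix-up cannot move a deadline."""
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(timezone.utc)


def report_deadline(inc: Incident) -> datetime:
    return _utc(inc.discovered) + REPORT_WINDOW


def report_is_timely(inc: Incident) -> bool | None:
    """None until a report exists; otherwise whether it met the 72-hour deadline."""
    if inc.reported is None:
        return None
    return _utc(inc.reported) <= report_deadline(inc)


def hold_until(inc: Incident) -> datetime | None:
    """Earliest date preserved media may be released: 90 days from the report."""
    if inc.reported is None:
        return None
    return _utc(inc.reported) + PRESERVATION_HOLD


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(inc: Incident, images: list[Path], manifest: Path) -> dict:
    """Record each preserved image with its size and SHA-256 so it can be proven unaltered."""
    released = hold_until(inc)
    doc = {
        "incident_id": inc.incident_id,
        "report_deadline": report_deadline(inc).isoformat(),
        "report_timely": report_is_timely(inc),
        "hold_until": released.isoformat() if released else None,
        "images": [{"file": p.name, "bytes": p.stat().st_size, "sha256": sha256_file(p)}
                   for p in images],
    }
    manifest.write_text(json.dumps(doc, indent=2))
    return doc


def verify_manifest(manifest: Path) -> list[str]:
    """Return the names of images that are missing or whose hash no longer matches."""
    doc = json.loads(manifest.read_text())
    bad = []
    for entry in doc["images"]:
        p = manifest.parent / entry["file"]
        if not p.exists() or sha256_file(p) != entry["sha256"]:
            bad.append(entry["file"])
    return bad


# Constructed sample incidents (illustrative timestamps, not real events).
TIMELY = Incident("INC-0001",
                  discovered=datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc),
                  reported=datetime(2024, 3, 3, 9, 0, tzinfo=timezone.utc))
LATE = Incident("INC-0002",
                discovered=datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc),
                reported=datetime(2024, 3, 4, 11, 0, tzinfo=timezone.utc))  # 1 h past the deadline


def demo() -> dict:
    """Preserve a constructed 'image', verify it, tamper with it, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        image = root / "fileserver01.dd"
        image.write_bytes(b"\x00" * 4096 + b"constructed disk image")
        manifest = root / "manifest.json"
        write_manifest(TIMELY, [image], manifest)
        clean = verify_manifest(manifest)
        image.write_bytes(b"\x00" * 4096 + b"constructed disk image, modified")
        tampered = verify_manifest(manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps({"timely": report_is_timely(TIMELY), "late": report_is_timely(LATE),
                      "hold_until": hold_until(TIMELY).isoformat(), **demo()}, indent=2))
```

In real use the manifest should be written to media that is itself protected (write-once storage or a signed copy held outside the affected environment), since a manifest stored next to the images proves nothing if both can be altered together.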
Authoritative sources