DFARS 252.204-7012
By Chad Griffith
DFARS 252.204-7012 ('Safeguarding Covered Defense Information and Cyber Incident Reporting') is the contract clause in the Department of Defense Federal Acquisition Regulation Supplement that requires defense contractors handling Covered Defense Information (largely overlapping with CUI) to: implement NIST SP 800-171 controls, report cyber incidents within 72 hours, submit malicious software discovered during incident response, preserve incident-related system images for at least 90 days, and provide DoD with damage assessment information following incidents. The clause has been in effect since 2017 and predates CMMC.
Frequently Asked Questions
What is the cyber incident reporting deadline under DFARS 252.204-7012?
72 hours from discovery. Reports must be submitted to DoD via the DIBNET portal at https://dibnet.dod.mil/. The clock starts when the contractor discovers the incident, not when it occurred. Late reporting is a separate violation. The 72-hour requirement is among the most-cited DFARS gaps during contract performance reviews.
How does DFARS 252.204-7012 relate to CMMC?
DFARS 252.204-7012 is the contractual requirement that a contractor implement NIST 800-171. CMMC is the assessment framework that verifies the contractor actually implements those requirements. DFARS predates CMMC; CMMC adds verification. Contractors handling CUI must comply with both: DFARS 252.204-7012 for the underlying requirements and DFARS 252.204-7021 for the CMMC certification requirement.
What is Covered Defense Information?
Covered Defense Information is the term DFARS 252.204-7012 uses for the data category requiring protection. It substantially overlaps with the broader CUI definition but is specific to DoD contracts. CDI includes both Controlled Technical Information and information identified in a contract that requires safeguarding under DFARS.
What cloud services can be used for CUI under DFARS?
Cloud services used to process or store CUI must meet FedRAMP Moderate baseline or equivalent. Common compliant services: Microsoft Azure Government, AWS GovCloud (US), Google Cloud Government, Oracle Government Cloud. Commercial cloud services without FedRAMP authorization cannot host CUI under DFARS, regardless of NIST 800-171 implementation by the contractor.