DFARS 252.204-7012 Explained

If you're a small manufacturer or supplier touching DoW work, DFARS 252.204-7012 is probably already in your contracts (or in the subcontracts your prime flows down). It's the core DoD clause titled "Safeguarding Covered Defense Information and Cyber Incident Reporting." In plain terms: protect sensitive unclassified data (Covered Defense Information or CDI, often the same as CUI) on your systems, and report cyber incidents fast, or risk breach findings, withheld payments, or worse.

Why It Matters Right Now

Implemented in 2016 and 2017, this clause requires "adequate security" via all 110 controls in NIST SP 800-171 Rev 2 for any non-federal system handling CDI. With CMMC 2.0 Phase 1 live since November 10, 2025, new contracts add CMMC clauses (like 252.204-7021), but 7012 isn't going away. It enforces the actual protections and incident response; CMMC verifies you did them.

Core Requirements – Broken Down Simply

  • Safeguard Covered Defense Information: Implement NIST SP 800-171 controls (access control, audit logging, incident response plans, etc.) on systems processing, storing, or transmitting CDI. Use FedRAMP Moderate-equivalent for cloud providers. Document in a System Security Plan; allow variances only if DoW CIO approves.

  • Report Cyber Incidents: If an incident affects CDI or your ability to deliver "operationally critical support," review for compromise and report to DoD within 72 hours via https://dibnet.dod.mil (need a DoW medium assurance certificate).

  • Handle Malware and Evidence: Submit isolated malicious software to DC3. Preserve system images and logs for 90 days post-report so DoW can request forensic access or damage assessment.

  • Flow Down to Subs: Include 7012 in relevant subcontracts without alteration (except to identify the parties). Subs report incidents to you; you pass the incident report numbers up the chain.

Quick Comparison: DFARS 7012 vs CMMC Level 2 (2026)

  • Controls: Both require full 110 NIST SP 800-171.

  • Verification: 7012 relies on self-implementation (with self-assessments via related clauses like 7020); CMMC Level 2 adds formal self-attestation now, third-party C3PAO cert starting Nov 2026 for many.

  • Incident Reporting: 7012 mandates 72-hour reporting plus media preservation; CMMC doesn't replace this, so it's still required.

  • Consequences: Non-compliance with 7012 can lead to breach findings independent of CMMC status.

Action Steps for Small Suppliers

  1. Check your contracts: Does 7012 appear? Ask your prime if you handle CDI/CUI.

  2. Run a gap check against NIST 800-171 (free self-tools or consultants).

  3. Build incident response: Know how to report to DIBNet and preserve evidence.

  4. Align with CMMC: If Level 2 applies, your 7012 work is the foundation. Get your SSP and POA&M solid now.
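The reporting and evidence items above (72-hour report, 90-day preservation of images and logs) are the parts of 7012 an incident responder actually has to operationalise. Below is an added example, not from this article or from any DoD tool, showing one way to do that: build a SHA-256 manifest over the evidence you set aside, record the reporting deadline and the preserve-until date derived from the clause, and later re-verify the files so you can show nothing changed while on hold. The sample log lines, file names and timestamps are constructed for the demo; the `demo()` helper is hypothetical scaffolding that writes them to a temporary directory.

```python
"""Evidence-preservation manifest for a DFARS 252.204-7012 incident.

Added example (not from the article). The 72-hour reporting window and the
90-day preservation period are the clause's own figures; everything else
(paths, sample log lines, timestamps) is constructed for illustration.
"""
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

REPORT_WINDOW = timedelta(hours=72)    # report to DIBNet within 72 hours of discovery
PRESERVE_PERIOD = timedelta(days=90)   # keep images and logs 90 days after the report


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large disk images don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, discovered_at: datetime, reported_at: datetime) -> dict:
    """Hash every file under evidence_dir and record the clause-driven dates."""
    files = sorted(p for p in evidence_dir.rglob("*") if p.is_file())
    deadline = discovered_at + REPORT_WINDOW
    return {
        "discovered_at": discovered_at.isoformat(),
        "reported_at": reported_at.isoformat(),
        "report_deadline": deadline.isoformat(),
        "reported_in_time": reported_at <= deadline,
        "preserve_until": (reported_at + PRESERVE_PERIOD).isoformat(),
        "files": [
            {
                "path": p.relative_to(evidence_dir).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            }
            for p in files
        ],
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return the relative paths that are missing or whose hash no longer matches."""
    bad = []
    for entry in manifest["files"]:
        p = evidence_dir / entry["path"]
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def can_dispose(manifest: dict, now: datetime) -> bool:
    """True only once the 90-day hold after the report has elapsed."""
    return now >= datetime.fromisoformat(manifest["preserve_until"])


def demo() -> dict:
    """Hypothetical walk-through on constructed evidence: build, verify, detect a change."""
    root = Path(tempfile.mkdtemp(prefix="dfars7012_"))
    (root / "logs").mkdir()
    (root / "logs" / "auth.log").write_text(
        # constructed sample log lines
        "2026-01-05T10:02:11Z sshd[412]: Accepted publickey for svc_backup from 10.0.4.7\n"
        "2026-01-05T10:02:15Z sudo: svc_backup : COMMAND=/bin/tar czf /tmp/cdi.tgz /srv/cdi\n"
    )
    (root / "images").mkdir()
    (root / "images" / "ws07.raw").write_bytes(b"\x00" * 4096)  # stand-in for a disk image

    discovered = datetime(2026, 1, 5, 14, 0, tzinfo=timezone.utc)   # constructed
    reported = datetime(2026, 1, 7, 9, 30, tzinfo=timezone.utc)     # constructed, inside 72h
    manifest = build_manifest(root, discovered, reported)
    clean = verify_manifest(root, manifest)

    # Simulate a well-meaning "cleanup" of the log after the manifest was taken.
    with (root / "logs" / "auth.log").open("a") as f:
        f.write("2026-01-05T10:03:00Z sshd[412]: session closed\n")
    tampered = verify_manifest(root, manifest)

    return {
        "manifest": manifest,
        "clean": clean,
        "tampered": tampered,
        "disposable_day_89": can_dispose(manifest, reported + timedelta(days=89)),
        "disposable_day_90": can_dispose(manifest, reported + timedelta(days=90)),
    }


if __name__ == "__main__":
    result = demo()
    print("report deadline:", result["manifest"]["report_deadline"])
    print("preserve until: ", result["manifest"]["preserve_until"])
    print("changed files:  ", result["tampered"])
```

Store the manifest (and ideally a signed copy) separately from the evidence itself; the point is that if DoW requests the media for damage assessment, you can demonstrate the images and logs are the ones captured at the time, and that you do not dispose of anything until `can_dispose()` says the hold is over.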

DFARS 252.204-7012 is the "do the work" clause; CMMC is increasingly the "prove you did it" layer. Ignore either, and DoW bids dry up.
