The Defense Compliance Report · CMMC 2.0 & the Defense Industrial Base

DFARS 252.204-7012 Explained: What the Clause Actually Requires

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.

Last verified: June 17, 2026 · Clause version reviewed: MAY 2024

Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.

DFARS 252.204-7012 explained, in one breath: it is the Department of Defense contract clause that requires you to protect Covered Defense Information (CDI) by implementing the security controls in NIST SP 800-171, and to report cyber incidents to DoD within 72 hours of discovery. Its full title is “Safeguarding Covered Defense Information and Cyber Incident Reporting.” It has been a standard clause in DoD contracts since the mid-2010s — and full NIST SP 800-171 implementation was required by December 31, 2017 — covering nearly every DoD acquisition except those solely for commercially available off-the-shelf (COTS) items. It flows down to subcontractors who handle CDI. And it is not the CMMC clause — that’s a separate requirement we’ll untangle below.

That’s the bottom line. But the clause number alone won’t tell you what you actually have to do — and that’s the part where contractors get burned. The real answer depends on five things: whether CDI or Controlled Unclassified Information (CUI) is in play, which of your systems touch it, what cloud services you use, which subcontractors receive it, and which companion clauses sit alongside 7012 in your contract. Here’s the fast version, then the full map.

DFARS 252.204-7012: 30-second triage
| If your situation is… | DFARS 252.204-7012 likely means… | Your next step |
|---|---|---|
| The clause is in the contract, but you don’t receive, create, store, process, or transmit CDI/CUI | Confirm scope before assuming NIST SP 800-171 applies to your systems | Document your data-flow reasoning and ask the contracting officer or prime for marking/flow-down clarity — don’t just ignore it |
| You handle CDI/CUI on your own systems | Implementing NIST SP 800-171 Revision 2 (110 requirements, 14 families) and producing evidence is your core obligation | Scope your systems, build an SSP and POA&M, gather control evidence, and stand up an incident-reporting workflow |
| You use cloud, email, or file-sharing for CDI | That provider must meet FedRAMP Moderate (or equivalent) — generic “secure cloud” marketing is not the same thing | Verify FedRAMP authorization or documented equivalency, plus incident-support terms |
| A subcontractor touches CDI or operationally critical support | Flow-down is required under paragraph (m) | Add the clause language and incident-reporting obligations to the subcontract |
| Your solicitation carries DFARS 252.204-7025 (and the resulting contract, DFARS 252.204-7021) | 7012 is the safeguarding baseline; CMMC is the verification layer on top | Identify the required CMMC level and assessment type in the solicitation |

What is DFARS 252.204-7012? The clause, explained

Answer capsule: DFARS 252.204-7012 is the U.S. Department of Defense contract clause titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” It requires contractors to provide adequate security for Covered Defense Information on their information systems — chiefly by implementing NIST SP 800-171 — and to report cyber incidents to DoD within 72 hours of discovery. Full NIST SP 800-171 implementation was required by December 31, 2017, and the clause applies through the contract.

Let’s strip the jargon. DFARS stands for the Defense Federal Acquisition Regulation Supplement — the Department of Defense’s add-on to the government-wide Federal Acquisition Regulation (FAR). When you see “DFARS 252.204-7012,” you’re looking at a specific contract clause, codified at 48 CFR 252.204-7012. The version on Acquisition.gov as of our last check carries a clause date of May 2024.

DFARS 252.204-7012, Acquisition.gov (clause version MAY 2024)

The full text of the clause: definitions, adequate security, NIST SP 800-171, FedRAMP cloud rule, 72-hour incident reporting, malware/media/forensic obligations, and subcontractor flow-down under paragraph (m).

View at Acquisition.gov — DFARS 252.204-7012

The clause does two jobs, and almost everything else is detail hanging off those two pegs:

  1. Safeguard the information. If your contract involves Covered Defense Information, you have to protect it on your systems using a defined security standard — NIST SP 800-171.
  2. Report when something goes wrong. If you have a cyber incident affecting that information or a covered system, you report it to DoD fast — within 72 hours.

Around those two jobs, the clause adds rules for cloud providers, evidence preservation, malware handling, government forensic access, and flow-down to your subcontractors. We map every one of them below.

One thing to nail down immediately, because it’s the single most common confusion we see in contractor forums: 7012 is not CMMC. DFARS 252.204-7012 is the underlying obligation to implement the controls and report incidents. The Cybersecurity Maturity Model Certification (CMMC) — a separate program codified at 32 CFR Part 170, implemented in contracts through DFARS 252.204-7021 — is the mechanism that verifies you actually did the work. You can owe 7012 obligations without a CMMC requirement in your contract. When CMMC does apply, it sits on top of the same NIST 800-171 controls. We’ll separate them cleanly in a dedicated section.

Here’s the part nobody puts in the brochure

We’ll be straight with you, because it’s the most important thing on this page and pretending otherwise would not serve you: for most of its life, DFARS 252.204-7012 compliance has been self-attested. You signed contracts representing that you’d implemented NIST SP 800-171, and nobody from the government walked your network to confirm it. Predictably, a lot of companies treated it as a paperwork box and never finished the technical work.

That worked — right up until it didn’t. The clause was always legally binding. And over the last few years, the Department of Justice has been collecting multi-million-dollar False Claims Act settlements from contractors over the gap between what they certified and what they actually deployed. We document four real, named settlements later on this page, each tied directly to 7012 and NIST 800-171, and in none of them did a hacker have to break in first.

Here’s the hopeful flip side, and the reason this page exists: that gap is completely fixable, and the contractors who close it now are in a far stronger position than the ones who wait. CMMC’s verification layer is arriving precisely to surface the paper-versus-reality gap — which means the smart move is to find your gaps on your own terms, before someone else does it for you. That’s a project, not a panic. We’ll show you how to scope it.

Who has to comply with DFARS 252.204-7012?

Answer capsule: DFARS 252.204-7012 applies when the clause is in a DoD solicitation, contract, or flow-down and performance involves Covered Defense Information or operationally critical support. It reaches prime contractors and subcontractors alike, and primes must flow it down to subcontractors whose work involves CDI. It is prescribed broadly for DoD acquisitions, including commercial-item buys, with the main carve-out being acquisitions solely for commercially available off-the-shelf (COTS) items.

The clause binds you through your contract. It’s prescribed for DoD solicitations and contracts — including FAR Part 12 commercial-product and commercial-service acquisitions — except those solely for COTS items. If 7012 is in your contract or your prime flowed it down, and your performance involves CDI, you’re in scope. That’s true whether you’re a 5,000-person prime or a three-person machine shop.

DFARS 204.7304, Acquisition.gov — prescription for DFARS 252.204-7012

The prescription clause directs contracting officers to insert DFARS 252.204-7012 in DoD solicitations and contracts, including FAR Part 12 commercial acquisitions, with the COTS-only carve-out.

View at Acquisition.gov — DFARS 204.7304

Prime contractors carry the heaviest load. A prime has to identify its own CDI/CUI exposure, secure its own covered systems, flow the clause down to the right subcontractors, and collect incident report numbers from subs when an incident occurs.

Subcontractors are where the surprises happen. You can be fully in scope for 7012 even though you have no direct contract with DoD — because the clause flows down through the prime. The trigger isn’t “do I contract with the government.” It’s “does my performance involve CDI or operationally critical support.” If a prime sends you engineering drawings marked CUI, you’re likely in scope. Our advice to subs: don’t sign a vague flow-down without asking the prime exactly what data, which systems, and which clauses are actually in play. See our CMMC flow-down guide for primes and subcontractors.

The “we don’t handle any CUI” edge case. This one comes up constantly, and it deserves a careful answer. What if 7012 is in your contract but you’re convinced there’s no CDI/CUI anywhere in your performance? Two things are true at once. First, an acquisition solely for COTS items is generally outside these requirements — but your actual contract language controls, not a general rule. Second, the absence of a CUI marking does not, by itself, prove there’s no CDI risk — yet you also shouldn’t invent CUI that isn’t there. The practical, defensible move is in the middle: document your data-flow reasoning in writing, then ask the prime or contracting officer to confirm whether contract performance involves CDI/CUI. That paper trail protects you either way. Quietly ignoring the clause does not.

What does DFARS 252.204-7012 actually require?

Answer capsule: The core requirements of DFARS 252.204-7012 are: provide “adequate security,” implement NIST SP 800-171 on covered contractor information systems, ensure any external cloud handling CDI meets FedRAMP Moderate-equivalent security, report cyber incidents within 72 hours, submit isolated malware to the DoD Cyber Crime Center, preserve incident evidence for at least 90 days, support DoD forensic and damage-assessment requests, and flow the clause down to covered subcontractors.

Most explainers give you three or four of these and stop. The clause has more moving parts than that, and the parts people skip are the ones that show up in enforcement actions. So we did something most pages don’t: we read the clause top to bottom and mapped every operative paragraph (a) through (m) to a plain-English obligation, who it binds, and the specific mistake that trips contractors up. This table is the reason to bookmark this page.

DFARS 252.204-7012 clause anatomy (paragraph by paragraph)

Every operative paragraph of DFARS 252.204-7012 mapped to plain-English obligations
| Paragraph | Plain-English obligation | Who it binds | The mistake that trips people up |
|---|---|---|---|
| (a) Definitions | Defines the terms that decide your scope — including CDI, “covered contractor information system,” “cyber incident,” and “rapidly report,” which means within 72 hours. | Everyone | Reading CDI as “only files DoD hands me with a label.” It also covers information you collect, develop, receive, transmit, use, or store for the contract. |
| (b)(1) | Systems operated on behalf of the government follow cloud rules at DFARS 252.239-7010 or other contract-specified security. | Contractors running government systems | Confusing “on behalf of the government” systems with your own internal IT. Most DIB contractors are governed by (b)(2), not (b)(1). |
| (b)(2)(i) | Your own systems that handle CDI must meet NIST SP 800-171 — the version in effect when the solicitation issued, or as the contracting officer authorizes. | Most DIB contractors | Assuming partial implementation is “good enough.” |
| (b)(2)(ii)(A) | Implement NIST SP 800-171 no later than December 31, 2017. | All, since 2017 | The deadline already passed. If you’re reading this and you’re not done, you are already behind your own contract terms. |
| (b)(2)(ii)(B)–(C) | A variance — a control you deem not applicable, or an equally effective alternative — must go in writing to the contracting officer for the DoD CIO to adjudicate. | All | Self-declaring a control “N/A” without running the variance process. |
| (b)(2)(ii)(D) | If an external cloud provider stores, processes, or transmits CDI, you must require and ensure it meets security equivalent to the FedRAMP Moderate baseline and complies with paragraphs (c)–(g). | Anyone using cloud, email, or file-sharing for CDI | Putting CDI in a cloud, email, or file-sharing service without FedRAMP Moderate authorization or documented equivalency. |
| (b)(3) | Apply additional security measures as risk requires, and document them — typically in a System Security Plan (SSP). | All | Treating the SSP as optional paperwork instead of the backbone of your evidence. |
| (c)(1)(i) | On a cyber incident, review for evidence of compromise of CDI — affected computers, servers, data, and accounts. | All | Not knowing, in advance, what counts as a reportable incident. |
| (c)(1)(ii) | Rapidly report the incident to DoD at dibnet.dod.mil within 72 hours of discovery. | All | Missing the 72-hour clock, or not knowing where to file. |
| (c)(3) | You must already hold a DoD-approved medium assurance certificate (an External Certification Authority, or ECA, certificate) to file the report. | All | Trying to obtain the certificate during an incident. Get it now, at public.cyber.mil/eca. |
| (d) Malicious software | Isolate discovered malware and submit it to the DoD Cyber Crime Center (DC3) per its instructions. Do not send malware to the contracting officer. | All | Emailing malware samples to the CO. |
| (e) Media preservation | Preserve images of affected systems and relevant monitoring/packet-capture data for at least 90 days from the date you submit the incident report. | All | Reimaging or rebuilding affected systems before the 90-day window closes. |
| (f) Forensic access | Give DoD access to additional information or equipment for forensic analysis on request. | All | Assuming the initial report is the end of your obligation. |
| (g) Damage assessment | Cooperate and provide gathered information if DoD conducts a damage assessment. | All | Same — the report can be the start of a longer interaction. |
| (h)–(k) | Government rules for protecting and using your attributional/proprietary information; you should mark such information so it can be protected. | Government-side; you mark | Failing to mark proprietary information, so it isn’t protected when released. |
| (l) Other duties | This clause does not replace other safeguarding or reporting obligations elsewhere in your contract or in law. | All | Assuming 7012 is the only reporting duty you have. |
| (m) Subcontracts (flow-down) | Include this clause — unaltered except to identify the parties — in subcontracts involving CDI or operationally critical support; subcontractors must pass the DoD-assigned incident report number up the chain. | Primes and higher-tier subs | Not flowing it down, or treating subs as “not my compliance problem.” |

Source for the full table: the live text of DFARS 252.204-7012, Acquisition.gov (clause version MAY 2024). We read all operative paragraphs to build this.

That’s the whole clause in one screen — something we could not find assembled anywhere else when we built this page. A few of those rows deserve their own deep dive, so the next sections take the parts that cause the most confusion and the most expensive mistakes.

What is the 72-hour cyber incident reporting requirement?

Answer capsule: Under DFARS 252.204-7012, “rapidly report” means within 72 hours of discovering a cyber incident that affects a covered contractor information system, the CDI on it, or your ability to provide operationally critical support. You report at dibnet.dod.mil, you must already hold a DoD-approved medium assurance (ECA) certificate to file, you preserve affected media for at least 90 days, and any isolated malware goes to the DoD Cyber Crime Center — not to your contracting officer.

The 72-hour rule is the part of 7012 most likely to catch a contractor flat-footed, because the clock starts on discovery — not after you’ve finished your forensics, called your lawyer, and decided how bad it is. If you wait until you fully understand the incident, you’ve probably already blown the window.

Here’s the full reporting chain, in the order it actually happens, with the clause paragraph behind each step:

  1. Discover a cyber incident — a compromise or an actual/potential adverse effect on a covered system or its CDI. (7012(a) definition)
  2. Review for compromise — identify affected computers, servers, specific data, and user accounts. (7012(c)(1)(i))
  3. Report within 72 hours at dibnet.dod.mil. (7012(c)(1)(ii))
  4. File using your ECA medium assurance certificate — which you need to obtain before an incident, at public.cyber.mil/eca. (7012(c)(3))
  5. Preserve evidence for at least 90 days — images of affected systems plus monitoring/packet-capture data, held from the date of your report. (7012(e))
  6. Submit isolated malware to DC3 — not to the contracting officer. (7012(d))
  7. Provide forensic access and support a damage assessment if DoD asks. (7012(f), (g))

What counts as a “cyber incident”? The clause defines it broadly: actions taken through computer networks that result in a compromise, or an actual or potentially adverse effect, on an information system or the information on it. The word “potentially” matters — you don’t have to wait for confirmed data loss.

Now, a piece of reassurance that almost no competitor mentions — and that we verified in the primary source. A reported incident does not automatically brand you as non-compliant. Under the February 2026 Revolutionary FAR Overhaul deviation (more on that below), when a cyber incident is reported, the contracting officer is directed to consult the relevant DoD component Chief Information Officer or cybersecurity office before assessing whether the contractor failed its safeguarding obligations. In plain terms: the government is supposed to evaluate the incident in context, not treat the act of reporting as an admission of failure. So report it. Reporting is the requirement; hiding it is the risk.

DFARS 252.204-7012(c)–(g); DoD Class Deviation 2026-O0025, PGI 240.370-8

Paragraphs (c)–(g) define the incident reporting, malware, media-preservation, forensic-access, and damage-assessment chain. The 2026 deviation directs contracting officers to consult the DoD component CIO before assessing contractor safeguarding failure after a reported incident.

View at Acquisition.gov — DFARS 252.204-7012(c)–(g)

Does DFARS 252.204-7012 require NIST SP 800-171 Rev. 2 or Rev. 3?

Answer capsule: For CMMC purposes, the controlling version is NIST SP 800-171 Revision 2 — the 110 requirements across 14 control families that map to CMMC Level 2 under 32 CFR Part 170. NIST formally withdrew Revision 2 on May 14, 2024 and published Revision 3 the same day, but CMMC remains pinned to Revision 2 as of June 2026, and DoD has used class deviations to keep the operative requirement aligned. Always confirm the version your specific solicitation names.

This is a genuine trap, and we want to be precise because the wrong answer here can send a contractor down a months-long, budget-burning rebuild against the wrong standard.

Two facts are both true, and the tension between them is the whole story:

  • CMMC Level 2 is pinned to NIST SP 800-171 Revision 2 — 110 security requirements, organized into 14 families. That’s set by the CMMC Program Rule at 32 CFR Part 170. This is the version your CMMC Level 2 work is assessed against.
  • The codified text of DFARS 252.204-7012 references the version of NIST SP 800-171 “in effect at the time the solicitation is issued.” Because NIST released Revision 3 in 2024, a literal reading of the codified clause could point to Revision 3 — which CMMC does not assess.

DoD has managed that mismatch through class deviation text directing use of Revision 2, so the two regimes stay aligned. Here’s the wrinkle that makes this so confusing, and it’s worth knowing because it’s exactly why bad advice circulates: NIST itself has retired the version CMMC still requires. The publication status, straight from NIST’s Computer Security Resource Center:

NIST SP 800-171 publication status vs. CMMC alignment (as of June 2026)
| Publication | NIST status | What CMMC uses today |
|---|---|---|
| NIST SP 800-171 Rev. 2 | Withdrawn May 14, 2024; superseded by Rev. 3 | The controlling baseline for CMMC Level 2 (32 CFR Part 170) |
| NIST SP 800-171 Rev. 3 | Published May 14, 2024 (current at NIST) | Not the CMMC Level 2 baseline unless DoD updates the rule |
| NIST SP 800-172 (Feb 2021) | Withdrawn May 13, 2026; superseded by 800-172r3 | Still incorporated by 32 CFR Part 170 for selected CMMC Level 3 requirements unless DoD updates the rule |

Sources: NIST SP 800-171 Rev. 2, CSRC; NIST SP 800-171 Rev. 3, CSRC; NIST SP 800-172, CSRC.

The practical guidance for you: as of our last verification on June 17, 2026, treat NIST SP 800-171 Revision 2 as the controlling reference for CMMC Level 2. Do not rebuild your compliance program around Revision 3 unless your specific contract, a DoD rule, or a class deviation expressly requires it. And because this is being handled through deviations rather than settled rulemaking, re-check the version named in any new solicitation before you scope the work. If a page tells you flatly that 7012 “requires Rev. 3” with no caveats, that page is out of step with how CMMC actually works today.

Does DFARS 252.204-7012 mean I need CMMC?

Answer capsule: No — DFARS 252.204-7012 is not the CMMC clause. It creates the underlying duties to implement NIST SP 800-171 and report incidents. CMMC status requirements arrive separately through the CMMC Program Rule (32 CFR Part 170, effective December 16, 2024) and the contract clause DFARS 252.204-7021, which began phasing into contracts on November 10, 2025. You can have 7012 obligations today with no CMMC requirement yet in your contract.

Think of it as requirement versus verification. 7012 says “implement the controls and report incidents.” CMMC says “prove you did.” For years, 7012 ran on the honor system (self-attestation). CMMC adds teeth: self-assessment, third-party assessment, or government assessment depending on your level, with your status posted in the Supplier Performance Risk System (SPRS) and checked before award.

Here’s the clean separation:

7012 vs. CMMC: requirement vs. verification
| Item | What it does | What it does not do |
|---|---|---|
| DFARS 252.204-7012 | Requires safeguarding CDI, NIST SP 800-171 on covered systems, 72-hour incident reporting, cloud rules, and flow-down | Does not, by itself, issue a CMMC status |
| 32 CFR Part 170 | Defines the CMMC program — the levels, scoring, assessment types, and status concepts (effective December 16, 2024) | Does not replace the contract clause |
| DFARS 252.204-7021 (contract clause) | Inserts the CMMC level/status requirement into covered contracts (phasing in since November 10, 2025) | Does not turn your readiness consultant into your assessor |
| DFARS 252.204-7025 (solicitation provision) | The solicitation notice used when a solicitation includes 7021; it tells offerors the CMMC level/status they must satisfy to be eligible for award | Does not, by itself, apply to acquisitions solely for COTS items |
| SPRS | The system of record where assessment scores and CMMC status/affirmations live | Does not, by existing, make any system compliant |

Which CMMC level applies? The short version: work involving only Federal Contract Information (FCI) generally points to Level 1 (15 basic safeguarding requirements, annual self-assessment). Work involving CUI/CDI generally points to Level 2 (the 110 NIST SP 800-171 Rev. 2 requirements, via self-assessment or a third-party C3PAO assessment depending on the contract). The most sensitive programs point to Level 3 (selected NIST SP 800-172 requirements on top of Level 2, assessed by the government’s Defense Industrial Base Cybersecurity Assessment Center, or DIBCAC). The CMMC rollout runs in four phases: Phase 1 runs November 10, 2025 through November 9, 2026 (primarily Level 1 and Level 2 self-assessments); Phase 2 begins November 10, 2026; Phase 3, November 10, 2027; Phase 4, November 10, 2028. See our CMMC deadlines and phase-in guide for the full timeline.

If you want the full Level 2 picture — cost, timeline, and self-assessment versus C3PAO — that’s its own decision, and we cover it on our CMMC Level 2 checklist and our CMMC levels guide. This page keeps its lane: the 7012 clause itself.

What changed in 2026? DFARS 7019, 7020, and the new 252.240-7997

Answer capsule: As of February 1, 2026, under DoD Class Deviation 2026-O0025 (the “Revolutionary FAR Overhaul”), new DoD solicitations use DFARS 252.240-7997 for NIST SP 800-171 DoD assessment requirements in place of the older 252.204-7019/-7020 package, and the standalone “Basic” self-assessment is consolidated under the CMMC framework. Existing contracts and the codified DFARS still reference 7019/7020, and SPRS remains the active system of record. Critically, DFARS 252.204-7012, 252.204-7008, 252.204-7021, and 252.204-7025 are unchanged.

If you’ve read older guides — or even competitor pages dated last year — you’ve seen DFARS 7012 described alongside a tidy “70 series”: 7012, 7019, 7020, 7021. That picture shifted in early 2026, and citing clauses that may no longer appear in your new solicitations is an easy way to look out of date in front of a prime. We pulled the primary deviation memo so you don’t have to.

Here’s what happened. The Revolutionary FAR Overhaul is a government-wide effort to reorganize acquisition rules. For DoD, Class Deviation 2026-O0025, effective February 1, 2026, stood up a new FAR Part 40 (Information Security and Supply Chain Security) and a new DFARS Part 240, and consolidated cybersecurity clauses that used to live in Part 204. The headline changes:

  • FAR 52.204-21 (Basic Safeguarding) was renumbered to FAR 52.240-93 — same title, same text, same requirements. (CMMC Level 1 still references 52.204-21, so you’ll juggle both numbers during the transition.)
  • DFARS 252.204-7019 — the offeror provision that required posting a “Basic” NIST SP 800-171 self-assessment score in SPRS — is not included in new solicitations issued under the deviation. That self-assessment concept is consolidated into the CMMC framework.
  • DFARS 252.204-7020’s government assessment mechanics carry forward as the new DFARS 252.240-7997, “NIST SP 800-171 DoD Assessment Requirements.” The new clause defines Medium and High assessments — both government-performed using NIST SP 800-171A.

And here’s what did not change, which matters most for this page:

  • DFARS 252.204-7012 is unchanged. Your safeguarding and 72-hour incident-reporting obligations are exactly as described above.
  • DFARS 252.204-7008, 252.204-7021, and 252.204-7025 are unchanged.
  • The CMMC Program Rule at 32 CFR Part 170 is unchanged.

DoD Class Deviation 2026-O0025 (Revolutionary FAR Overhaul), Defense Acquisition Regulations System — effective February 1, 2026

Introduced DFARS 252.240-7997 (NIST assessment requirements), renumbered FAR 52.204-21 to FAR 52.240-93, and discontinued standalone use of DFARS 252.204-7019 in new deviation-path solicitations. DFARS 252.204-7012, 7008, 7021, and 7025 are unchanged.

View at DARS — DoD Class Deviation 2026-O0025

Clause confusion map (current as of June 2026)

DoD cybersecurity clause map — old numbers vs. new, June 2026
| Clause / authority | Plain-English purpose | How to treat it now |
|---|---|---|
| DFARS 252.204-7012 | Safeguarding CDI + 72-hour cyber incident reporting + flow-down | Core, unchanged. The subject of this page. |
| DFARS 252.204-7008 | Offeror representation about safeguarding compliance | Unchanged; carried forward. |
| DFARS 252.204-7019 (legacy) | Offeror notice / “Basic” self-assessment posting in SPRS | Not used in new deviation-path solicitations; still in the CFR and older contracts. |
| DFARS 252.204-7020 (legacy) | NIST 800-171 government assessment access + flow-down | Mechanics carried forward as 252.240-7997 in new solicitations; still in the CFR and older contracts. |
| DFARS 252.240-7997 (2026) | NIST SP 800-171 DoD assessment requirements (Medium/High, government-led) | The current operative assessment clause when the Part 240 deviation is used. |
| FAR 52.204-21 → FAR 52.240-93 | Basic safeguarding of FCI (CMMC Level 1 baseline) | Renumbered; same requirements. Both numbers in play during transition. |
| DFARS 252.204-7021 | CMMC level/status as a condition of award | Unchanged; phasing in since November 10, 2025. |
| DFARS 252.204-7025 | Solicitation notice tying eligibility to CMMC status in SPRS | Unchanged. |
| 32 CFR Part 170 | The CMMC Program Rule (levels, scoring, assessments) | Unchanged; effective December 16, 2024. |

A few honest caveats, because this is moving regulation. These are class deviations, which serve as interim text until formal rulemaking catches up. That means the codified Code of Federal Regulations still contains 7019 and 7020, existing contracts may still reference the old numbers, and SPRS remains the active system of record for NIST and CMMC assessment data. During the transition you will see both numbering systems in the wild. So the single most useful habit: read the actual clauses in your specific contract or solicitation, and don’t assume an obligation vanished because a blog said a clause was “eliminated.” Update your proposal templates and compliance mappings to recognize both old and new numbers.

What counts as Covered Defense Information under DFARS 252.204-7012?

Answer capsule: Covered Defense Information (CDI) is unclassified controlled technical information or other CUI that is either marked/provided to you by DoD, or collected, developed, received, transmitted, used, or stored by you in support of contract performance. It is broader than government-furnished marked files — contractor-created technical data tied to the contract can be CDI too.

This definition is where good-faith contractors accidentally under-scope. CDI is not limited to files the government hands you with a bright “CUI” stamp. Under the clause, it includes controlled technical information or other CUI that you create during performance.

Common examples of CDI to look for in your environment:

  • Engineering drawings and technical specifications
  • Research and engineering data
  • Standards and process sheets
  • Technical reports, manuals, and technical orders
  • Data sets, studies, and analyses
  • Software source code or executable code
  • Technical information with military or space application (the kind that would carry distribution statements B through F)

The unmarked-data problem, handled honestly. A missing marking does not automatically mean there’s no CDI. But — and this is the balanced part — you also should not manufacture CUI where the contract doesn’t call for it. The right move is the one we recommended earlier: document the question, map your data flow, and get written confirmation from your prime or contracting officer about whether your performance involves CDI/CUI. That single email can save you a wrong-direction compliance project. See our CUI data-flow diagram guide for a visual approach to mapping your scope.

What is the difference between CDI and CUI under DFARS 252.204-7012?

Answer capsule: CUI (Controlled Unclassified Information) is the government-wide category of sensitive-but-unclassified information that laws and policies require you to safeguard. CDI (Covered Defense Information) is the specific term DFARS 252.204-7012 uses for the covered information in scope under a DoD contract. They overlap heavily — most CDI is also CUI — but CDI is defined by your contract and includes information you create during performance, not only government-furnished files.

In day-to-day terms: think of CUI as the universe of controlled information across the whole federal government, and CDI as the slice of that universe that your specific DoD contract puts in scope under 7012. The practical takeaway isn’t to memorize the Venn diagram — it’s to map the actual data in your contract: what’s marked, what the prime calls CUI/CDI, and what technical data you generate while performing the work. If it’s controlled technical information tied to your contract, treat it as CDI and protect it accordingly until someone with authority tells you otherwise in writing. For the deeper categorization workflow, see our NIST 800-171 requirements checklist and our FCI vs. CUI guide.

Do I have to use a FedRAMP cloud under DFARS 252.204-7012?

Answer capsule: If an external cloud, email, or file-sharing service stores, processes, or transmits Covered Defense Information, DFARS 252.204-7012 requires you to require and ensure that provider meets security equivalent to the FedRAMP Moderate baseline and supports the clause’s incident-reporting, malware, media-preservation, forensic-access, and damage-assessment obligations. A FedRAMP-Authorized provider is strong evidence for the security baseline, but you still need contract terms confirming it supports those incident obligations.

Read this section before you renew a single cloud contract, because this is where small and mid-size contractors make the most expensive avoidable mistake.

What the clause says: an external cloud service provider handling CDI must meet security requirements equivalent to the FedRAMP Moderate baseline and comply with 7012 paragraphs (c) through (g).

What that means operationally — and this is the nuance the clause text alone won’t give you:

  • If you use a FedRAMP-Authorized cloud service provider (Moderate baseline or higher), that authorization is strong evidence for the security baseline, and you’re generally not responsible for separately proving FedRAMP equivalency. But authorization alone doesn’t close the loop — you still need contract or customer-responsibility terms showing the service supports the clause’s incident-reporting and forensic obligations in paragraphs (c)–(g).
  • If you use a provider that is not FedRAMP-Authorized, the burden lands on you to determine and document that it meets FedRAMP Moderate equivalency — and DoD set a demanding standard for what “equivalency” requires.

That distinction is exactly where contractors get caught. “Secure,” “popular,” and “marketed to defense contractors” are not the same as “FedRAMP Moderate authorized or documented-equivalent for CDI, with the incident-support terms in writing.” Run every service that touches CDI through this short evidence request:

Cloud/SaaS CDI evidence checklist under DFARS 252.204-7012(b)(2)(ii)(D)

| What to confirm | Why it matters |
|---|---|
| Does this cloud/SaaS service store, process, or transmit CDI? | If no, it may sit outside your CDI boundary. If yes, the 7012 cloud rule applies. |
| Is it FedRAMP Moderate authorized, or do you hold a documented equivalency package? | Authorized is strong baseline evidence; equivalency puts the burden on you to prove it. |
| Do the contract terms support 7012 paragraphs (c)–(g)? | Incident reporting and forensic cooperation are part of the clause, not optional extras. |
| Is a customer responsibility matrix available? | It shows what the provider covers and what you still own. |
| Is the service inside your CMMC scope, if CMMC applies? | CMMC scoping can pull external service providers into your assessment. |

One thing we won’t do is overstate the answer. GCC High, AWS GovCloud, or a dedicated CUI enclave may be exactly right for some contractors — but it is not true that every contractor with a 7012 clause automatically needs one specific platform. The correct answer depends on whether CDI actually enters the system, which services touch it, and how your scope (and any CMMC assessment) is defined. If you’re weighing whether you need an enclave or can secure your existing environment, that’s a scoping question worth getting right before you spend — see our guides on GCC High for CMMC, Azure Government for CMMC, and CMMC external service provider requirements.

Does DFARS 252.204-7012 flow down to subcontractors?

Answer capsule: Yes. Paragraph (m) requires the prime to include DFARS 252.204-7012 — unaltered except to identify the parties — in subcontracts involving Covered Defense Information or operationally critical support, including subcontracts for commercial products or services. Subcontractors must, in turn, report cyber incidents to DoD and pass the DoD-assigned incident report number up to the next-higher-tier contractor.

Flow-down is where supply-chain reality meets contract language. The clause is explicit: you flow it down when subcontract performance involves operationally critical support or CDI, and you include it without alteration except to name the parties.

Subcontractor flow-down decision guide under DFARS 252.204-7012(m)

| Subcontractor situation | Flow-down likely? | What to verify |
|---|---|---|
| Sub receives CDI/CUI drawings or technical data | Yes | Clause is included, system scope is understood, incident reporting is in place |
| Sub creates technical data under the DoD contract | Likely yes | Whether the created data retains its identity as CDI/CUI |
| Sub provides operationally critical support | Yes | Contract role and upward incident-reporting obligations |
| Sub supplies a generic COTS product with no CDI access | Possibly not — but verify | The actual clause set and whether the sub touches CDI |
| Your MSP/IT provider can access systems holding CDI | High risk — likely in scope as a service provider | Contract terms, access levels, incident obligations, and CMMC treatment of external service providers |

The MSP question we get constantly: “Should our managed service provider’s agreement actually name the DFARS 7012 clause?” Here’s the honest answer. If your MSP has administrative access to systems that process, store, or transmit CDI, that provider is part of your security boundary — full stop. You need contractual clarity about its obligations, its access, and its role in incident handling. Do not wave it off as “they’re just our IT guys.” An MSP with domain-admin rights to a CUI environment is one of the most consequential players in your compliance posture, and a handshake isn’t a control. For how this plays out across the supply chain, see our CMMC flow-down guide for primes and subcontractors.

DFARS 252.204-7012(m) — subcontractor flow-down

Paragraph (m) requires the prime to include the clause unaltered (except to identify parties) in subcontracts involving CDI or operationally critical support, including commercial-item subcontracts. Subcontractors must report incidents to DoD and pass the incident report number up the chain.

View at Acquisition.gov — DFARS 252.204-7012(m)

What happens if you’re not compliant with DFARS 252.204-7012?

Answer capsule: Non-compliance with DFARS 252.204-7012 can cost you contracts through cure notices, ineligibility, or termination — and it can expose you to False Claims Act liability if you certified compliance you didn’t have. Under the U.S. Department of Justice’s Civil Cyber-Fraud Initiative (launched October 2021), contractors have paid multi-million-dollar settlements over 7012 and NIST SP 800-171 failures, and in the cases below, no actual data breach was alleged — the focus was the gap between what was represented and what was implemented.

This is the section that should change how you prioritize the work. Most pages hand-wave the consequences. We’re going to show you the receipts, because real, named, primary-sourced enforcement actions are more useful — and more honest — than vague warnings.

The DOJ launched its Civil Cyber-Fraud Initiative in October 2021 to use the False Claims Act against contractors that knowingly misrepresent their cybersecurity compliance. A clear pattern has emerged in the defense space since then. We mapped four representative settlements to the exact 7012 obligation at issue. (These resolutions reflect allegations or, where noted, admitted facts; settlement is not a determination of liability except where a company admitted specific facts.)

DOJ Civil Cyber-Fraud Initiative settlements tied to DFARS 252.204-7012 obligations

| Settlement | Amount | Year | What the settlement resolved | Maps to 7012 paragraph |
|---|---|---|---|---|
| MORSE Corp | $4.6M | 2025 | The company admitted it used a third-party email host that did not meet FedRAMP-equivalent requirements, had not fully implemented NIST SP 800-171, lacked a consolidated SSP, and had posted an SPRS score higher than a later third-party calculation | (b)(2)(ii)(D), (b)(2), (b)(3) |
| Raytheon / RTX / Nightwing | $8.4M | 2025 | Settled allegations that an internal network handling CDI/FCI across roughly 29 contracts lacked a compliant SSP; the acquiring company was named as “successor in liability” | (b)(2), (b)(3) |
| Aero Turbine (ATI) / Gallant Capital | $1.75M | 2025 | Settled allegations (resolved without a determination of liability) that NIST SP 800-171 controls were not implemented on an Air Force contract and that CUI was improperly shared with an unauthorized party abroad | (b)(2); CUI handling |
| Georgia Tech Research Corp | $875K | 2025 | Settled allegations that a lab system lacked required NIST SP 800-171 controls; the whistleblowers were the organization’s own cybersecurity staff | (b)(2) |

Sources: U.S. Department of Justice settlement announcements, justice.gov. Outcomes are case-specific and not representative of any typical result.

Read the pattern, because it’s the whole lesson. The government’s focus in these cases wasn’t a breach — it was the gap between what the contractor represented and what it had actually done: an inflated SPRS score, a missing SSP, an email system that didn’t meet the cloud rule, controls treated as implemented that weren’t. And the whistleblowers were frequently insiders — the people who knew the truth about the network. This is precisely the paper-versus-reality gap that CMMC’s verification layer is built to expose.

That’s the uncomfortable part. Here’s the constructive part: every issue in that table is preventable with honest scoping and real evidence. You don’t need to be perfect tomorrow. You need your SPRS score, your SSP, and your actual controls to tell the same true story. That’s a manageable project — and it’s the one worth starting now.

What should you do first when DFARS 252.204-7012 shows up?

Answer capsule: When DFARS 252.204-7012 appears in a solicitation, contract, or flow-down, don’t start by buying software or calling a C3PAO. Start by collecting the exact clause set, mapping where CDI/CUI flows, inventorying the systems and cloud services that touch it, identifying subcontractors in scope, and determining whether the contract also carries CMMC or NIST assessment clauses. Scoping first prevents the most expensive mistakes.

Panic-buying a tool or an assessment is the classic wrong first move. Here’s the sequence that actually de-risks the work.

  1. Save the exact clause set. Pull 252.204-7012, any CMMC clauses (252.204-7021/-7025), any assessment clause (252.240-7997 or legacy 7019/7020), the flow-down language, and the data-marking instructions in the SOW/PWS.
  2. Determine whether CDI/CUI exists. Are you receiving DoD technical data? Creating it? Are drawings, specs, or software involved? Are there distribution statements? Does the prime call the data CUI/CDI?
  3. Map your systems. Email, file storage, CAD/engineering tools, ERP/MRP, ticketing, backups, endpoint management, EDR/SIEM, cloud collaboration, subcontractor portals, and MSP/admin access — anywhere the data could live or move. Our CUI data-flow diagram guide walks through how to do this.
  4. Check cloud and SaaS exposure. For each service that touches CDI, confirm FedRAMP authorization or documented equivalency, get the customer responsibility matrix, and confirm it supports the clause’s incident obligations.
  5. Build your evidence. SSP, POA&M, control-implementation evidence, asset inventory, access-control proof, incident-response procedures, training records, and vendor/subcontractor agreements.
  6. Prepare incident reporting. Set up your dibnet workflow, obtain your ECA medium assurance certificate now, define a 72-hour escalation path, and document the malware-handling and evidence-preservation steps.
  7. Then — and only then — decide what kind of help you need. Readiness if your scope and evidence are unclear; managed IT/security if your systems and operations are weak; an enclave or GRC tooling if you need containment or evidence workflow; a C3PAO only when a Level 2 certification assessment is actually required and your readiness is mature.

When should you hire readiness, managed IT, an enclave, a lawyer, or a C3PAO?

Answer capsule: Match the provider to the problem you actually have. If you don’t know your CDI/CUI scope, start with readiness/scoping help. If your systems can’t support the controls, consider a CMMC-focused managed service provider or a CUI enclave. Use GRC software as a supporting evidence layer, not as the whole solution. Engage a C3PAO only when a CMMC Level 2 certification assessment is required and your evidence is mature — and keep readiness and the certifying assessment with separate, independent firms.

The defense compliance market is crowded, and the wrong first hire wastes months and money. Here’s how the categories actually line up against situations.

Provider category routing guide for DFARS 252.204-7012 obligations

| Your situation | Best-fit provider category | What it is not the right first move for |
|---|---|---|
| You just found 7012 and don’t know your scope | Readiness / RPO / vCISO / compliance advisor | Hiring a C3PAO first |
| You know you have CDI but your systems are messy | CMMC-focused managed IT / managed security provider | Buying GRC software and calling it done |
| You need to isolate CUI quickly | CUI enclave / secure collaboration / cloud implementation | Spreading CUI across consumer-grade tools |
| You have evidence but no workflow | GRC / SSP / POA&M / evidence software (a supporting layer) | Treating software alone as compliance |
| A solicitation requires CMMC Level 2 certification and you’re ready | An authorized C3PAO (assessment) — see our C3PAO comparison guide | Using your readiness consultant as your assessor |
| You need contract interpretation or disclosure advice | Government contracts counsel | Asking your MSP for legal conclusions |

One independence rule you cannot blur, because it’s an accreditation requirement, not a preference. Under the Cyber AB’s rules, the firm that helps you get ready (consulting, remediation, implementation) and the C3PAO that performs your certifying Level 2 assessment must be separate, independent parties. A C3PAO cannot provide consulting or implementation help to an organization it assesses, and the Cyber AB’s Code of Professional Conduct applies a three-year separation between consulting for a company and conducting that same company’s Level 2 certification assessment. If a vendor offers to “fix you and assess you” in one engagement, that’s a red flag worth walking away from. (For pre-assessment help, that’s exactly what Registered Provider Organizations exist for — see our RPO vs. C3PAO guide.)

This is also why, on this page, we route you to categories rather than pushing a single named provider. Our matching service can connect you to specific providers whose role and status we’ve checked — but the right category depends entirely on where you are, and we’d rather get that right than make a sale.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Does DFARS 252.204-7012 require an SPRS score?

Answer capsule: Not by itself. DFARS 252.204-7012 creates the safeguarding and incident-reporting obligation; posting a score in the Supplier Performance Risk System (SPRS) is tied to the NIST assessment and CMMC status mechanisms — legacy DFARS 252.204-7019/-7020, the 2026 deviation clause 252.240-7997 where it applies, and CMMC status and annual affirmations under 32 CFR Part 170 and DFARS 252.204-7021/-7025.

This trips people up because 7012, NIST scoring, and SPRS all travel together — but they’re distinct. 7012 tells you to implement the controls and report incidents. The requirement to post a score in SPRS comes from the assessment clauses, not from 7012 itself. Historically that was the “Basic” self-assessment under DFARS 252.204-7019; under the 2026 deviation, NIST assessment requirements run through DFARS 252.240-7997 where it applies; and CMMC status and your annual affirmation of continuous compliance live in SPRS under 32 CFR Part 170 and DFARS 252.204-7021. SPRS remains the system of record either way. The practical implication: even though 7012 doesn’t say “post a score,” if your contract carries the assessment or CMMC clauses, your SPRS posting is what a contracting officer checks before award — so keep it current and make sure it matches reality. For the mechanics, see our SPRS score guide.

The most common DFARS 252.204-7012 mistakes

Answer capsule: The most common DFARS 252.204-7012 mistakes are treating the clause as if it were CMMC, assuming there’s no CUI because nothing is marked, using cloud services without verifying FedRAMP support for CDI, skipping incident-reporting preparation until an incident hits, forgetting subcontractor flow-down, and relying on outdated 7019/7020 explanations without checking current contract language.

We’ve referenced these throughout — here they are in one place, each with the correction.

  • “DFARS 7012 equals CMMC.” No. 7012 is the safeguarding and reporting clause; CMMC (via 252.204-7021 and 32 CFR Part 170) is the verification layer that may or may not be in your contract yet.
  • “No marking means no CDI/CUI.” Markings matter, but contractor-created technical data can still be CDI. Document the question and confirm with the prime or contracting officer.
  • “Our cloud vendor is secure, so we’re covered.” The test isn’t general security — it’s whether the service meets FedRAMP Moderate (authorized or documented-equivalent) for CDI and supports the clause’s incident obligations in writing.
  • “We’ll figure out incident reporting during the incident.” The 72-hour clock starts on discovery. Get your dibnet workflow and ECA certificate in place now.
  • “Our subcontractors are responsible for themselves.” Flow-down and upward incident-number reporting make supply-chain handling part of your compliance picture.
  • “We can use last year’s clause map.” The February 2026 deviation changed assessment clause numbers (hello, 252.240-7997; goodbye, standalone 7019) while leaving 7012 itself intact. Read your actual contract.
  • “The C3PAO can fix us and then assess us.” They can’t — the certifying assessor must be independent of your readiness and remediation work.

How we verified this DFARS 252.204-7012 guide

Answer capsule: This guide was built from primary-source clause text and current CMMC/DFARS implementation materials, then translated into an operational decision framework. We verified the active DFARS 252.204-7012 clause text, the CMMC Level mapping under 32 CFR Part 170, the CMMC phase-in dates, the February 2026 Revolutionary FAR Overhaul class deviation, the NIST publication statuses, the Cyber AB independence rules, and the cited DOJ Civil Cyber-Fraud Initiative settlements.

We think you deserve to know exactly what stands behind the claims on this page — especially on a topic where your contract eligibility is at stake. Here’s what we actually checked, and when.

What we verified (last verified June 17, 2026):

  • The full text of DFARS 252.204-7012 — definitions, the NIST SP 800-171 requirement, the FedRAMP-Moderate cloud rule, the 72-hour reporting requirement, the ECA medium assurance certificate, the 90-day media-preservation window, malware submission to DC3, and the subcontractor flow-down — read directly from the live clause (version MAY 2024) at Acquisition.gov.
  • The CMMC Program Rule at 32 CFR Part 170, including the Level 2 mapping to NIST SP 800-171 Revision 2 and the four-phase rollout dates, effective December 16, 2024.
  • The CMMC DFARS rule (252.204-7021 / -7025), published September 10, 2025 and effective November 10, 2025.
  • DoD Class Deviation 2026-O0025 (the Revolutionary FAR Overhaul), effective February 1, 2026 — confirming the new DFARS 252.240-7997, the renumbering of FAR 52.204-21 to 52.240-93, and that 7012, 7008, 7021, and 7025 are unchanged — read from the Defense Acquisition Regulations System memo.
  • The NIST publication statuses for SP 800-171 Rev. 2, Rev. 3, and SP 800-172, read from the NIST Computer Security Resource Center.
  • The Cyber AB Code of Professional Conduct and R2002 accreditation requirements for C3PAO independence.
  • The DOJ Civil Cyber-Fraud Initiative settlements cited above, against the Department of Justice’s own announcements.

This page is general regulatory and contract-operations information — not legal advice, compliance advice, or a guarantee of contract eligibility, CMMC status, or assessment outcome. Your contract, your data, your systems, and your flow-down language control. When in doubt, confirm the clauses in your specific contract and consult qualified counsel.

Frequently asked questions about DFARS 252.204-7012

Is DFARS 252.204-7012 the same as CMMC?
No. DFARS 252.204-7012 is the safeguarding and cyber incident reporting clause that requires you to implement NIST SP 800-171 and report incidents. CMMC is the assessment and status framework that verifies compliance, applied through DFARS 252.204-7021 and 32 CFR Part 170 when your contract requires a CMMC level.
Does DFARS 252.204-7012 require NIST SP 800-171?
Yes. For covered contractor information systems that are not operated on behalf of the government, the clause requires implementing NIST SP 800-171 — 110 security requirements across 14 control families. For CMMC alignment, the controlling version is Revision 2.
What is Covered Defense Information?
Covered Defense Information is unclassified controlled technical information or other CUI that is marked or provided by DoD, or that you collect, develop, receive, transmit, use, or store in support of contract performance. It includes contractor-created technical data, not just government-furnished marked files.
What is the DFARS 252.204-7012 72-hour reporting rule?
The clause defines “rapidly report” as within 72 hours of discovering a cyber incident. You report at dibnet.dod.mil, and you must already hold a DoD-approved medium assurance (ECA) certificate to file, so set that up before an incident occurs.
Does my cloud provider need to be FedRAMP Moderate?
If an external cloud service stores, processes, or transmits Covered Defense Information, DFARS 252.204-7012 requires you to require and ensure it meets security equivalent to the FedRAMP Moderate baseline and supports the clause’s incident, malware, media, forensic, and damage-assessment obligations. A FedRAMP authorization is strong baseline evidence, but confirm the incident-support terms in writing.
Does DFARS 252.204-7012 require an SPRS score?
Not by itself. SPRS posting is tied to the NIST assessment and CMMC status mechanisms — legacy 252.204-7019/-7020, the 2026 clause 252.240-7997 where it applies, and CMMC status and affirmations under 32 CFR Part 170 and DFARS 252.204-7021/-7025 — not to 7012 alone.
Does DFARS 252.204-7012 flow down to subcontractors?
Yes, when subcontract performance involves Covered Defense Information or operationally critical support. The clause is included without alteration except to identify the parties, and subcontractors must provide their DoD-assigned incident report numbers up the chain.
Did DFARS 252.204-7012 change in 2026?
No — 7012 itself is unchanged. The February 1, 2026 Revolutionary FAR Overhaul deviation introduced DFARS 252.240-7997, renumbered FAR 52.204-21 to 52.240-93, and stopped using the standalone “Basic” self-assessment under DFARS 252.204-7019 in new deviation-path solicitations, but it left 7012, 7008, 7021, and 7025 in place.
What if my contract has DFARS 252.204-7012 but states there is no CUI?
Don’t ignore the clause, but don’t invent CUI either. Document your data-flow reasoning, review the statement of work and any markings, and ask the prime or contracting officer to confirm whether performance involves CDI/CUI.
Can a cyber incident by itself prove we failed DFARS 252.204-7012?
No. Under the 2026 deviation, when an incident is reported, the contracting officer is directed to consult the relevant DoD component CIO or cybersecurity office before assessing whether the contractor failed its safeguarding obligations. Report the incident — reporting is the requirement.
Should we hire a C3PAO to make us compliant?
Usually not as a first step. If you need scoping, remediation, SSP/POA&M work, or managed security, start with readiness or implementation help. Engage a C3PAO when you’re assessment-ready and your contract requires a CMMC certification assessment — and keep the readiness firm and the assessor independent of each other. See our RPO vs. C3PAO guide.

Primary sources
