
DFARS 252.204-7012: What Defense Contractors Are Actually Required to Do

What DFARS 252.204-7012 actually requires of defense contractors. NIST 800-171, 72-hour incident reporting, subcontractor flow-down, and cloud authorization.


The clause titled “Safeguarding Covered Defense Information and Cyber Incident Reporting” has applied to Department of Defense contracts since December 2017, yet it remains frequently misunderstood. Beyond the baseline requirement to implement NIST SP 800-171, the clause carries specific obligations: a 72-hour incident reporting requirement, subcontractor flow-down duties, cloud authorization conditions, and malicious software preservation mandates, all of which have appeared in DoD enforcement actions.

The Four Core Obligation Buckets

Safeguarding Covered Defense Information

Contractors must implement the NIST SP 800-171 security requirements as they existed when the solicitation was released. For most active contracts, this means NIST SP 800-171 r2. Where requirements remain unimplemented at contract award, the contractor must submit a written explanation to the contracting officer and propose equally effective alternative measures.

The critical distinction: “implement” is mandatory language. The clause does not permit partial implementation or best-efforts approaches. Each unimplemented requirement demands a documented written submission proposing an equivalent security measure. A Plan of Action and Milestones (POA&M) document alone cannot satisfy this obligation.

Cyber Incident Reporting (72-Hour Requirement)

Within 72 hours of discovering any cyber incident affecting a covered contractor information system, contractors must report to the Department of Defense via the DC3 reporting portal at dibnet.dod.mil. Reports must include contract numbers, affected assets, compromise type, and impact assessment.

“Cyber incident” is defined broadly, reaching well beyond confirmed CUI breaches. The definition encompasses actions taken through computer networks that result in a compromise or an actual or potentially adverse effect on a covered contractor information system. Ransomware on a CUI-handling system without confirmed data theft triggers the reporting obligation, as does suspected unauthorized access. The 72-hour clock begins at discovery, not at the time the incident occurred.

Pre-incident readiness requires: an active DoD-approved Medium Assurance certificate; named personnel who know the reporting URL; an incident response plan that documents the 72-hour clock; and tabletop exercises that rehearse the report-and-preserve workflow.

Malicious Software Preservation

Contractors must submit identified malicious software to DC3 and preserve disk images of all affected systems plus packet captures of relevant traffic for at least 90 days from incident report submission. The DoD may request preserved data during this window.

This requires documented evidence-preservation procedures: disk imaging processes, storage locations, access controls, and 90-day retention tracking. A common gap is the absence of forensic image acquisition capability: teams rebuild affected systems and inadvertently destroy the evidence the clause requires them to preserve.

Subcontractor Flow-Down

Primes must flow the clause to subcontractors performing work involving covered defense information or operationally critical support. This obligation is neither optional nor waivable at prime discretion. Primes remain responsible for subcontractor compliance.

For mid-tier primes, this establishes active subcontractor management: verifying SPRS scores, reviewing System Security Plans, and confirming CMMC certifications at appropriate levels. Subcontractor cyber incidents trigger prime reporting obligations.

Cloud Authorization Requirements

Where contractors store or process CUI in cloud services, the provider must hold FedRAMP Moderate authorization or equivalent. Though the contractor retains ultimate responsibility, cloud authorization represents a binary verification point for contracting officers.

Microsoft 365 commercial holds FedRAMP Moderate authorization at tenant boundary; GCC and GCC High variants hold FedRAMP High. Cloud service providers without FedRAMP Moderate authorization cannot defensibly host CUI under this clause. Shadow IT driven by SaaS adoption becomes a genuine contractual compliance issue. See the GCC High decision framework for the tenant decision logic.

Defining Covered Defense Information

“Covered defense information” encompasses unclassified controlled technical information or other information in the CUI Registry requiring safeguarding or dissemination controls per law, regulations, and government-wide policies. The definition includes information either marked, otherwise identified in contracts, or collected, developed, received, transmitted, used, or stored by contractors supporting contract performance.

The “marked or otherwise identified” language creates non-trivial scoping challenges. Design data, manufacturing specifications, and technical analyses generated under contracts may constitute CUI without explicit marking. Contractors need internal practices for recognizing and marking such information. CUI scoping methodology is addressed in CMMC Scoping: Identifying CUI Boundaries in a Microsoft 365 Tenant.

DFARS 7012 and CMMC Relationship

DFARS 252.204-7012 established contractual baselines in 2017. CMMC adds verification: while DFARS 7012 requires NIST 800-171 implementation, CMMC Level 2 requires third-party C3PAO verification of that implementation. Both requirements coexist. DFARS 7012 remains applicable post-CMMC, and incident reporting and cloud authorization obligations reside in DFARS 7012, not CMMC rules.

Common Compliance Gaps

  • Absent or expired DoD Medium Assurance certificates.
  • Incident response plans without 72-hour clock documentation or DC3 reporting URLs.
  • Missing forensic image-preservation procedures.
  • SaaS tools for CUI handling lacking FedRAMP Moderate or equivalent authorization.
  • Subcontractors with unverified NIST 800-171 implementation despite flow-down obligations.
  • NIST 800-171 implementation gaps without written equivalent-measures explanations to contracting officers.

Next Steps

  • Confirm active DoD-approved Medium Assurance certificate with documented renewal schedules.
  • Review incident response plans against 72-hour requirements, dibnet.dod.mil submission processes, and 90-day forensic preservation. Conduct tabletop exercises.
  • Audit all SaaS and cloud services handling CUI for FedRAMP Moderate or equivalent authorization.
  • Inventory all subcontracts containing the 7012 clause and verify compliance posture.
  • Cross-reference Plans of Action and Milestones against written equivalent-measures explanation requirements to contracting officers.