CMMC GLOSSARY // DFARS 252.204-7012

What is DFARS 252.204-7012?

DFARS 7012 is the long-standing clause requiring contractors to safeguard covered defense information per NIST 800-171 and report cyber incidents within 72 hours.

DFARS 252.204-7012 has been in DoD contracts since 2017. It requires implementing NIST SP 800-171, reporting cyber incidents to DoD within 72 hours, and flowing the requirement down to subcontractors handling covered defense information.

It also requires that cloud services storing CUI meet FedRAMP Moderate (or equivalency) — the clause that pulls a contractor's MSP or cloud provider into scope.

CMMC's contractual clause, DFARS 252.204-7021, works alongside 7012 and 7019/7020 to make the certification a condition of award.

FROM TERMS TO READINESS

See where you actually stand on the 110 controls.

PolicyCortex maps your live cloud against every NIST 800-171 control and generates C3PAO-ready evidence. Start with the free assessment.

SYS: ONLINE
FOCUSCMMC L2 / L3
BUILD0aed52
CMMC DEADLINET-d
©2026 POLICYCORTEX, INC.