What is DFARS 252.204-7012?
DFARS 7012 is the long-standing clause requiring contractors to safeguard covered defense information per NIST 800-171 and report cyber incidents within 72 hours.
DFARS 252.204-7012 has been in DoD contracts since 2017. It requires implementing NIST SP 800-171, reporting cyber incidents to DoD within 72 hours, and flowing the requirement down to subcontractors handling covered defense information.
It also requires that cloud services storing CUI meet FedRAMP Moderate (or equivalency) — the clause that pulls a contractor's MSP or cloud provider into scope.
CMMC's contractual clause, DFARS 252.204-7021, works alongside 7012 and 7019/7020 to make the certification a condition of award.
- NIST SP 800-171: NIST SP 800-171 is the federal standard of 110 security controls for protecting CUI in non-federal systems — the technical basis of CMMC Level 2.
- CUI: CUI is government-created or -owned information that requires safeguarding under law, regulation, or government-wide policy, but is not classified.
- SPRS: SPRS is the DoD system where contractors post their NIST 800-171 self-assessment score and, under CMMC, their certification status and affirmations.
