What is DFARS 252.204-7012? A Guide for Defense Contractors

by Jon Forisha on May 14, 2026

Reviewed by Corey Garretson

If you've been awarded a Department of Defense (DoD) contract recently, there's a good chance you've seen this clause buried in the legal boilerplate: DFARS 252.204-7012. Most contractors sign the paperwork without fully understanding what they're agreeing to. That can be a problem, because this clause creates real legal obligations that can end contracts, expose you to federal prosecution, and require you to respond to a potential cyber incident on a tight 72-hour clock.

Here we’ll explain what DFARS 252.204-7012 actually requires, in plain English, so you know what you agreed to.

What is DFARS 252.204-7012?

DFARS 252.204-7012 is a Defense Federal Acquisition Regulation Supplement (DFARS) clause titled "Safeguarding Covered Defense Information and Cyber Incident Reporting". When it appears in your contract, it means the DoD requires you to meet specific cybersecurity standards and report cyber incidents that affect covered systems.

It has been a required clause in DoD contracts involving Covered Defense Information (CDI) since 2016. If your contract involves any sensitive technical data, export-controlled information, or Controlled Unclassified Information (CUI) related to defense programs, this clause almost certainly applies to you. When in doubt, read over your contract or reach out to your contracting officer.

The Short Version

DFARS 252.204-7012 says: implement NIST 800-171 on any system that touches covered defense information, use a cloud service provider that meets FedRAMP Moderate or equivalent, and if you get hacked, alert the DoD within 72 hours. Those are the three things that will determine whether or not you're in compliance.

What does the clause actually require?

The clause has four main obligations. Here's each one, broken down.

1. Implement NIST SP 800-171

This is the core technical requirement. Any system that processes, stores, or transmits CDI, which includes most CUI, must implement the 110 security requirements in NIST Special Publication 800-171.

That means your laptops, servers, email systems, file shares, and any other system that touches sensitive defense information need to meet those controls. This applies not just to your company's corporate network as it exists on paper, but to how everything is actually set up and working. An important aspect of compliance is accurately scoping your environment and honestly reflecting how things are set up and who has access to what.

This clause doesn't give you a grace period. In practice, many contractors have actually been non-compliant since 2016. Since enforcement began in November 2025, with a four-phase rollout over the next three years, that compliance gap is now legally and financially dangerous.

Want to make sure you’re on the right path to compliance? Chat with our team!

2. Use a Cloud Service Provider That Meets FedRAMP Moderate or Equivalent

If you're storing or processing CDI in the cloud (and nowadays almost everyone is, even if they don't realize it), then your cloud provider needs to meet specific security standards. The clause requires FedRAMP Moderate authorization or security protections equivalent to FedRAMP Moderate.

What this means practically: standard Microsoft 365 Business doesn't meet this requirement for CDI, but Microsoft 365 Government Community Cloud (GCC) meets FedRAMP Moderate and Google Workspace is FedRAMP High authorized. Microsoft 365 GCC High meets it for ITAR-controlled information. If your company is using consumer or commercial cloud services to handle defense information, then you're out of compliance with this clause.

This is one of the most commonly overlooked requirements we see. A contractor can have great endpoint security and logging in place but still be storing CUI in a standard SharePoint or Dropbox account that doesn't meet the FedRAMP requirement. That's a compliance failure regardless of how perfectly they’re doing everything else.

3. Report Cyber Incidents Within 72 Hours

This reporting requirement is the obligation that catches many contractors off guard. If you discover a cyber incident that affects a covered system, meaning any system that handles CDI, you must report it to the DoD through the DIBNet portal within 72 hours of discovery.

The 72-hour clock starts when you discover the incident, not when it happened. This is important: a breach that occurred three weeks ago but was discovered today starts the clock today. You have 72 hours from that moment of discovery.

The report must include what happened, what systems were affected, what data may have been compromised, and what you're doing about it. You don't need to have all the answers yet, but you do need to have filed the report.

What RADICL Sees in the Field

The contractors who struggle most with the 72-hour requirement are the ones who don't have an Incident Response Plan (IRP) in place before an incident occurs. When something happens, they're making decisions under pressure about what counts as a reportable incident, who needs to be notified, and how to file the report, all while simultaneously trying to contain the breach. Take it from us: that's not a situation you want to be in. The time to build and document your IR capabilities is before you actually need them.

4. Preserve Images and Report Malicious Software

If a cyber incident occurs, the clause requires you to preserve images of compromised systems and submit malicious software to the DoD Cyber Crime Center, if requested. This is a forensic preservation obligation; you may not be able to simply wipe and rebuild a compromised machine without first preserving the evidence.

This requirement is why having a clear incident response procedure matters. An IT person who wipes a compromised laptop before anyone realizes the DFARS clause requires preservation has potentially destroyed evidence that DoD investigators need, endangering any subsequent investigation.

Who does DFARS 252.204-7012 apply to?

The clause applies to any DoD contractor or subcontractor whose contract includes the clause and whose systems process, store, or transmit Covered Defense Information (CDI). That's quite a broad definition, and that’s by design.

Critically, the clause flows down. If a prime contractor is subject to DFARS 252.204-7012, they're required to include it in any subcontracts that involve CDI. This means you can be bound by the clause as a sub even if you didn't negotiate directly with the DoD. Check your subcontract agreement — if it includes DFARS clause language, your obligations are the same as the prime's.

Contractor type                            | Subject to DFARS 252.204-7012?                            | What to do
-------------------------------------------|----------------------------------------------------------|-----------------------------------------------------
Direct DoD prime contractor handling CDI   | Yes — look for the clause in your contract               | Implement NIST 800-171, FedRAMP cloud, IR plan
Subcontractor receiving CDI from a prime   | Yes — it flows down through subcontracts                 | Same obligations as prime for CDI you handle
Contractor with FCI only (no CUI/CDI)      | Likely not — a different clause applies (FAR 52.204-21)  | Verify contract language, implement basic safeguards
Contractor with no government information  | No                                                       | No DFARS or CMMC obligation

DFARS 252.204-7012 and CMMC: How They Relate

DFARS 252.204-7012 and CMMC are related but separate obligations. Understanding the difference beyond all the acronyms matters.

DFARS 252.204-7012 is the existing contractual requirement, and it has been in contracts since 2016. It requires you to implement NIST 800-171 and report incidents. Compliance is self-attested: you submit an SPRS score and represent that your systems meet the standard.

CMMC is the verification layer added on top. Where DFARS lets you self-attest, CMMC Level 2 requires an independent assessment by a third-party assessor (C3PAO) for most contractors. CMMC doesn't replace DFARS; both clauses will appear in contracts. DFARS is the ongoing operational obligation; CMMC is the certification milestone that proves you met it.

If you're building your NIST 800-171 program to meet DFARS, you're simultaneously building your CMMC Level 2 readiness. The underlying requirements are the same.

The Legal Exposure: Why Non-Compliance Is Dangerous

Signing a contract with DFARS 252.204-7012 and not implementing NIST 800-171 creates False Claims Act (FCA) exposure. The FCA makes it illegal to submit a false or fraudulent claim to the federal government, and courts have found that submitting invoices under a contract where you misrepresented your cybersecurity compliance qualifies.

The Department of Justice (DoJ) has been active in pursuing FCA cases against defense contractors for cybersecurity misrepresentation. Penalties can include treble damages (three times the value of the contracts at issue) plus civil penalties per false claim. For a defense contractor with millions of dollars in DoD work, that exposure can be existential. With that kind of math, it doesn’t take long for you to see how important it is to follow the requirements as they’ve been written.

In 2022, Aerojet Rocketdyne settled an FCA case related to cybersecurity non-compliance for $9 million. The DoJ's Civil Cyber-Fraud Initiative was launched in 2021 to specifically pursue these cases, and its existence is proof that the enforcement environment has changed. You definitely don’t want to be part of an FCA case.

RADICL's Approach

We specialize in helping defense contractors get into honest compliance. That means a thorough gap assessment against NIST 800-171, a cloud environment that meets FedRAMP requirements, and an incident response capability that can meet or surpass the 72-hour reporting obligation. We also provide the IR retainer that ensures you have expert support the moment you discover an incident, so you're not figuring out the DFARS reporting process under pressure while feeling like everything’s on fire around you.

Practical Checklist: Are You DFARS Compliant?

If you're not sure whether your organization meets its DFARS 252.204-7012 obligations, here's where to start:

  • Review your contracts. Search for "252.204-7012" in your contract documents. If it's there, these obligations apply.
  • Identify your CDI/CUI. What sensitive defense information does your company handle, where does it live, and which systems touch it?
  • Audit your cloud environment. Are you using Microsoft 365 GCC or GCC High? Standard commercial M365 does not meet FedRAMP Moderate for CDI.
  • Check your SPRS score. Have you submitted one? Is it accurate? An inflated score is FCA exposure.
  • Review your Incident Response plan. Do you have one? Does it include the DFARS 72-hour reporting procedure? Has anyone actually practiced it?
  • Check your subcontracts. If you have subs handling CDI, does their agreement include DFARS 252.204-7012 flow-down language?

Frequently Asked Questions About DFARS 252.204-7012

What is Covered Defense Information (CDI)?

CDI is unclassified controlled technical information or other information that requires safeguarding or dissemination controls, and is marked or identified in a contract. In practice, CDI overlaps heavily with Controlled Unclassified Information (CUI). If your contract involves technical specifications, design documents, test data, operational details, or export-controlled information, you're almost certainly handling CDI. 

What counts as a reportable cyber incident under DFARS?

A cyber incident is any actual or suspected unauthorized access, use, disclosure, modification, destruction, or denial of access to covered systems or CDI. The bar for "suspected incident" is intentionally low; if you think something may have happened, report it. Under-reporting is riskier than over-reporting. The 72-hour clock starts from discovery of the incident, not the time the incident actually occurred. 

What happens if we miss the 72-hour reporting window?

Late reporting is a contract compliance failure. Depending on the severity of the incident and the circumstances, that failure can result in contract termination, suspension of work, or referral to the DoJ. There's no explicit financial penalty for late reporting in the clause itself, but the risk is the downstream contract and legal consequences. If you've missed a reporting deadline, you should talk to legal counsel immediately. 

Does DFARS 252.204-7012 apply to commercial item contracts?

Commercial goods should be out of scope. The clause is typically not included in contracts for commercial items under FAR Part 12. If a commercial contract includes DFARS, we would advise you to push back on the stated requirements. 

We're a very small subcontractor. Does this really apply to us?

If your subcontract includes DFARS 252.204-7012 or equivalent language and you handle CDI, then yes. Because of the importance of keeping defense information secure, the obligation applies regardless of company size and the DoD doesn't have a small business exemption from DFARS cybersecurity requirements. The clause flows down specifically because adversaries target small subcontractors as the weak link in the supply chain. Smaller businesses are usually not equipped to withstand cyber attacks, which is one of the primary reasons RADICL was formed. 

Is your IR Plan ready for DFARS?

The 72-hour reporting requirement is the DFARS obligation most contractors are least prepared for. RADICL's IR retainer ensures you have expert incident response support available immediately when you need it, including guidance on DFARS reporting obligations, evidence preservation, and DoD notification. Talk to us before an emergency strikes. 
