If you've been awarded a Department of Defense (DoD) contract recently, there's a good chance you've seen this clause buried in the legal boilerplate: DFARS 252.204-7012. Most contractors sign the paperwork without fully understanding what they're agreeing to. That can be a problem, because this clause creates real legal obligations that can end contracts, expose you to federal prosecution, and require you to respond to a potential cyber incident on a tight 72-hour clock.
Here we’ll explain what DFARS 252.204-7012 actually requires, in plain English, so you know what you agreed to.
DFARS 252.204-7012 is a Defense Federal Acquisition Regulation Supplement (DFARS) clause titled "Safeguarding Covered Defense Information and Cyber Incident Reporting". When it appears in your contract, it means the DoD requires you to meet specific cybersecurity standards and report cyber incidents that affect covered systems.
It has been a required clause in DoD contracts involving Covered Defense Information (CDI) since 2016. If your contract involves any sensitive technical data, export-controlled information, or Controlled Unclassified Information (CUI) related to defense programs, this clause almost certainly applies to you. When in doubt, read over your contract or reach out to your contracting officer.
DFARS 252.204-7012 says: implement NIST 800-171 on any system that touches covered defense information, use a cloud service provider that meets FedRAMP Moderate or equivalent, and if you get hacked, alert the DoD within 72 hours. Those are the three things that will determine whether or not you're in compliance.
The clause has four main obligations. Here's each one, broken down.
This is the core technical requirement. Any system that processes, stores, or transmits CDI, which includes most CUI, must implement the 110 security requirements in NIST Special Publication 800-171.
That means your laptops, servers, email systems, file shares, and any other system that touches sensitive defense information needs to meet those controls. This applies not just to your company's corporate network as it exists on paper, but to how everything is actually set up and working. An important aspect of compliance is accurately scoping your environment and honestly reflecting how things are configured and who has access to what.
This clause doesn't give you a grace period. In practice, many contractors have actually been non-compliant since 2016. Since enforcement began in November 2025, with a four-phase rollout over the next three years, that compliance gap is now legally and financially dangerous.
If you're storing or processing CDI in the cloud (and nowadays almost everyone is, even if they don't realize it), then your cloud provider needs to meet specific security standards. The clause requires FedRAMP Moderate authorization or security protections equivalent to FedRAMP Moderate.
What this means practically: standard Microsoft 365 Business doesn't meet this requirement for CDI, but Microsoft 365 Government Community Cloud (GCC) meets FedRAMP Moderate and Google Workspace is FedRAMP High authorized. Microsoft 365 GCC High meets it for ITAR-controlled information. If your company is using consumer or commercial cloud services to handle defense information, then you're out of compliance with this clause.
This is one of the most commonly overlooked requirements we see. A contractor can have great endpoint security and logging in place, but still be storing CUI in a standard SharePoint or Dropbox account that doesn't meet the FedRAMP requirement. That's a compliance failure regardless of how perfectly they're doing everything else.
This reporting requirement is the obligation that catches many contractors off guard. If you discover a cyber incident that affects a covered system, meaning any system that handles CDI, you must report it to the DoD through the DIBNet portal within 72 hours of discovery.
The 72-hour clock starts when you discover the incident, not when it happened. This is important: a breach that occurred three weeks ago but was discovered today starts the clock today. You have 72 hours from that moment of discovery.
The report must include what happened, what systems were affected, what data may have been compromised, and what you're doing about it. You don't need to have all the answers yet, but you do need to have filed the report.
The contractors who struggle most with the 72-hour requirement are the ones who don't have an Incident Response Plan (IRP) in place before an incident occurs. When something happens, they're making decisions under pressure about what counts as a reportable incident, who needs to be notified, and how to file the report, all while simultaneously trying to contain the breach. Take it from us: that's not a situation you want to be in. The time to build and document your IR capabilities is before you actually need them.
If a cyber incident occurs, the clause requires you to preserve images of compromised systems and submit malicious software to the DoD Cyber Crime Center, if requested. This is a forensic preservation obligation; you may not be able to simply wipe and rebuild a compromised machine without first preserving the evidence.
This requirement is why having a clear incident response procedure matters. An IT person who wipes a compromised laptop before anyone realizes the DFARS clause required preservation has potentially destroyed evidence that DoD investigators needed, thus endangering any subsequent investigation.
The clause applies to any DoD contractor or subcontractor whose contract includes the clause and whose systems process, store, or transmit Covered Defense Information (CDI). That's quite a broad definition, and that’s by design.
Critically, the clause flows down. If a prime contractor is subject to DFARS 252.204-7012, they're required to include it in any subcontracts that involve CDI. This means you can be bound by the clause as a sub even if you didn't negotiate directly with the DoD. Check your subcontract agreement — if it includes DFARS clause language, your obligations are the same as the prime's.
| Contractor type | Subject to DFARS 252.204-7012? | What to do |
|---|---|---|
| Direct DoD prime contractor handling CDI | Yes — look for the clause in your contract | Implement NIST 800-171, FedRAMP cloud, IR plan |
| Subcontractor receiving CDI from a prime | Yes — it flows down through subcontracts | Same obligations as prime for CDI you handle |
| Contractor with FCI only (no CUI/CDI) | Likely not — a different clause applies (FAR 52.204-21) | Verify contract language, implement basic safeguards |
| Contractor with no government information | No | No DFARS or CMMC obligation |
DFARS 252.204-7012 and CMMC are related but separate obligations. Understanding the difference, once you get past the acronyms, matters.
DFARS 252.204-7012 is the existing contractual requirement, and it has been in contracts since 2016. It requires you to implement NIST 800-171 and report incidents. Compliance is self-attested: you submit an SPRS score and represent that your systems meet the standard.
CMMC is the verification layer added on top. Where DFARS lets you self-attest, CMMC Level 2 requires independent assessment by a third-party assessor (C3PAO) for most contractors. CMMC doesn't replace DFARS; both clauses will appear in contracts. DFARS is the ongoing operational obligation; CMMC is the certification milestone that proves you met it.
If you're building your NIST 800-171 program to meet DFARS, you're simultaneously building your CMMC Level 2 readiness. The underlying requirements are the same.
Signing a contract with DFARS 252.204-7012 and not implementing NIST 800-171 creates False Claims Act (FCA) exposure. The FCA makes it illegal to submit a false or fraudulent claim to the federal government, and courts have found that submitting invoices under a contract where you misrepresented your cybersecurity compliance qualifies.
The Department of Justice (DoJ) has been active in pursuing FCA cases against defense contractors for cybersecurity misrepresentation. Penalties can include treble damages (three times the value of the contracts at issue) plus civil penalties per false claim. For a defense contractor with millions of dollars in DoD work, that exposure can be existential. With that kind of math, it doesn’t take long for you to see how important it is to follow the requirements as they’ve been written.
In 2022, Aerojet Rocketdyne settled an FCA case related to cybersecurity non-compliance for $9 million. The DoJ's Civil Cyber-Fraud Initiative was launched in 2021 to specifically pursue these cases, and its existence is proof that the enforcement environment has changed. You definitely don’t want to be part of an FCA case.
We specialize in helping defense contractors get into honest compliance. That means a thorough gap assessment against NIST 800-171, a cloud environment that meets FedRAMP requirements, and an incident response capability that can meet or surpass the 72-hour reporting obligation. We also provide the IR retainer that ensures you have expert support the moment you discover an incident, so you're not figuring out the DFARS reporting process under pressure while feeling like everything’s on fire around you.
If you're not sure whether your organization meets its DFARS 252.204-7012 obligations, here's where to start:
CDI is unclassified controlled technical information or other information that requires safeguarding or dissemination controls, and is marked or identified in a contract. In practice, CDI overlaps heavily with Controlled Unclassified Information (CUI). If your contract involves technical specifications, design documents, test data, operational details, or export-controlled information, you're almost certainly handling CDI.
A cyber incident is any actual or suspected unauthorized access, use, disclosure, modification, destruction, or denial of access to covered systems or CDI. The bar for "suspected incident" is intentionally low; if you think something may have happened, report it. Under-reporting is riskier than over-reporting. The 72-hour clock starts from discovery of the incident, not the time the incident actually occurred.
Late reporting is a contract compliance failure. Depending on the severity of the incident and the circumstances, that failure can result in contract termination, suspension of work, or referral to the DoJ. There's no explicit financial penalty for late reporting in the clause itself, but the risk is the downstream contract and legal consequences. If you've missed a reporting deadline, you should talk to legal counsel immediately.
Commercial goods should be out of scope. The clause is typically not included in contracts for commercial items under FAR Part 12. If a commercial contract includes DFARS, we would advise you to push back on the stated requirements.
If your subcontract includes DFARS 252.204-7012 or equivalent language and you handle CDI, then yes. Because of the importance of keeping defense information secure, the obligation applies regardless of company size and the DoD doesn't have a small business exemption from DFARS cybersecurity requirements. The clause flows down specifically because adversaries target small subcontractors as the weak link in the supply chain. Smaller businesses are usually not equipped to withstand cyber attacks, which is one of the primary reasons RADICL was formed.
The 72-hour reporting requirement is the DFARS obligation most contractors are least prepared for. RADICL's IR retainer ensures you have expert incident response support available immediately when you need it, including guidance on DFARS reporting obligations, evidence preservation, and DoD notification. Talk to us before an emergency strikes.