DFARS 7012 CRM Requirements | Compliance Guide for Contractors

DFARS 252.204-7012, 'Safeguarding Covered Defense Information and Cyber Incident Reporting,' is the contractual clause that makes CMMC real. It's been in DoD contracts since 2017, yet most contractors still don't understand how it applies to their CRM. If your CRM touches any data from a DoD contract—opportunity details, technical approaches, pricing, correspondence—it's likely processing Covered Defense Information.

This article supplements our CMMC compliance guide and directly relates to how CRM systems must comply with CUI-Safe CRM requirements.

What DFARS 7012 Actually Requires

The clause has four core requirements that directly affect your CRM and every other system processing CDI:

1. Adequate Security

Contractors must provide 'adequate security' for all covered contractor information systems. For systems processing CUI, this means implementing all 110 controls from NIST SP 800-171. Your CRM is a covered system if it stores, processes, or transmits CDI—which includes synced emails with contract details, opportunity records with technical approaches, and contact notes with program information.

2. Cyber Incident Reporting (72 Hours)

If a cyber incident affects CDI on your systems, you must report it to the DoD within 72 hours. This means your CRM needs audit logging comprehensive enough to detect incidents and determine what data was affected. If your CRM vendor can't provide incident-level audit data, you have a compliance gap.

3. Cloud Computing Requirements

If CDI is stored in the cloud—and most CRMs are cloud-based—the cloud service must meet FedRAMP Moderate baseline (or equivalent) and the contractor must ensure data is stored within the United States. Most commercial CRM platforms do not meet FedRAMP Moderate. This is where many contractors discover their CRM is out of compliance.

4. Subcontractor Flowdown

DFARS 7012 must flow down to subcontractors who will handle CDI. If your teaming partners or subs access your CRM for shared pipeline management, they must also comply. This creates supply chain compliance requirements that many teams overlook.

How DFARS 7012 Applies to Your CRM

Your CRM is not exempt from DFARS 7012 simply because it's a 'business system' rather than an 'engineering system.' CDI enters your CRM through multiple vectors:

Email sync: Emails with contract details, technical discussions, and program information are automatically ingested
Opportunity records: Contract values, NAICS codes, technical approaches, and competitive intelligence
Contact data: Government personnel details, organizational structures, program office information
Attachments: RFP documents, SOWs, past performance narratives, pricing volumes

For a detailed analysis of how CUI flows through CRM systems, see our CUI data flow analysis.

The FedRAMP Problem

DFARS 7012 requires cloud services processing CDI to meet FedRAMP Moderate baseline or equivalent. Here's where most GovCon CRMs fall short:

Salesforce Government Cloud: FedRAMP Moderate authorized, but standard Salesforce editions are not
HubSpot: No FedRAMP authorization at any level
Pipedrive, monday.com: No FedRAMP authorization
Microsoft Dynamics 365 GCC: FedRAMP High authorized in GCC High environment

See our GovCon CRM comparison for a full vendor-by-vendor analysis of compliance status.

DFARS 7012 CRM Requirements Explained

What DFARS 7012 Actually Requires

1. Adequate Security

2. Cyber Incident Reporting (72 Hours)

3. Cloud Computing Requirements

4. Subcontractor Flowdown

How DFARS 7012 Applies to Your CRM

How ready are you for CMMC?

How ready are you for CMMC?

The FedRAMP Problem

How ready are you for CMMC?

Compliance Actions for Your CRM

Related Articles

GovCon Compliance in 2026: CMMC 2.0, DFARS & NIST 800-171

CMMC 2.0 for GovCon: Compliance Risks and a Practical Roadmap

Can AI Write Proposals Under CMMC 2.0?