DFARS 252.204-7012Safeguarding Covered Defense Information and Cyber Incident Reporting
Overview
The most important cybersecurity clause in defense contracting. DFARS 252.204-7012 requires contractors to implement all 110 NIST SP 800-171 security controls to protect Covered Defense Information (CDI) and report cyber incidents to the DoD Cyber Crime Center (DC3) within 72 hours. This clause is the foundation for CMMC and applies to virtually all DoD contracts involving CUI.
When Does This Apply?
All DoD contracts where the contractor will process, store, or transmit Covered Defense Information (CDI) or operationally critical support information.
Key Requirements
- 1Implement all 110 NIST SP 800-171 Rev 2 security controls
- 2Report cyber incidents to DC3 within 72 hours of discovery
- 3Preserve and protect forensic evidence for at least 90 days
- 4Provide medium assurance certificates for incident reporting
- 5Include CDI marking and handling procedures
Flowdown to Subcontractors
Yes — DFARS 252.204-7012 flows down to subcontractors. All subcontractors in the supply chain must comply with this clause when applicable.
Frequently Asked Questions
What is DFARS 252.204-7012?
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) The most important cybersecurity clause in defense contracting. DFARS 252.204-7012 requires contractors to implement all 110 NIST SP 800-171 security controls to protect Covered Defense Information (C
Does DFARS 252.204-7012 flow down to subcontractors?
Yes, DFARS 252.204-7012 flows down to subcontractors. All applicable subcontractors must comply with this clause.
When does DFARS 252.204-7012 apply?
All DoD contracts where the contractor will process, store, or transmit Covered Defense Information (CDI) or operationally critical support information.
Stay compliant with DFARS 252.204-7012
Cabrillo Club automates compliance tracking and alerts you when DFARS clauses are amended.
Join Free