CybersecurityFlows Down to Subs

DFARS 252.204-7012Safeguarding Covered Defense Information and Cyber Incident Reporting

Overview

The most important cybersecurity clause in defense contracting. DFARS 252.204-7012 requires contractors to implement all 110 NIST SP 800-171 security controls to protect Covered Defense Information (CDI) and report cyber incidents to the DoD Cyber Crime Center (DC3) within 72 hours. This clause is the foundation for CMMC and applies to virtually all DoD contracts involving CUI.

When Does This Apply?

All DoD contracts where the contractor will process, store, or transmit Covered Defense Information (CDI) or operationally critical support information.

Key Requirements

1Implement all 110 NIST SP 800-171 Rev 2 security controls
2Report cyber incidents to DC3 within 72 hours of discovery
3Preserve and protect forensic evidence for at least 90 days
4Provide medium assurance certificates for incident reporting
5Include CDI marking and handling procedures

Flowdown to Subcontractors

Yes — DFARS 252.204-7012 flows down to subcontractors. All subcontractors in the supply chain must comply with this clause when applicable.

Related NIST 800-171 Controls

3.1.1 3.1.3 3.6.1 3.6.2 3.13.8 3.13.11

Frequently Asked Questions

What is DFARS 252.204-7012?

DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) The most important cybersecurity clause in defense contracting. DFARS 252.204-7012 requires contractors to implement all 110 NIST SP 800-171 security controls to protect Covered Defense Information (C

Does DFARS 252.204-7012 flow down to subcontractors?

Yes, DFARS 252.204-7012 flows down to subcontractors. All applicable subcontractors must comply with this clause.

When does DFARS 252.204-7012 apply?

All DoD contracts where the contractor will process, store, or transmit Covered Defense Information (CDI) or operationally critical support information.

Free Compliance Tools

🛡

CUI Auditor

Audit your tech stack for CUI handling gaps across 80+ enterprise tools.

🗺

CUI Flow Mapper

Map how CUI flows through your organization and identify spillage risks.

✅

FedRAMP Finder

Search 80+ FedRAMP-authorized products by category and authorization level.

Is your tech stack DFARS 252.204-7012 compliant?

Run our free CUI Auditor to check if your tools meet this clause's requirements.

Audit Your Tech Stack Free

Track DFARS 252.204-7012 compliance changes with AI-powered intelligence

Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.

Start Free — 90 Days

Discussion

Share your experience implementing this in your organization.

Join the Club to unlock joining discussions

Free membership — access intelligence, save your work, and more.

Create free account

← All DFARS Clauses

DFARS 252.204-7012Safeguarding Covered Defense Information and Cyber Incident Reporting

Overview

When Does This Apply?

All DoD contracts where the contractor will process, store, or transmit Covered Defense Information (CDI) or operationally critical support information.

Key Requirements

1Implement all 110 NIST SP 800-171 Rev 2 security controls
2Report cyber incidents to DC3 within 72 hours of discovery
3Preserve and protect forensic evidence for at least 90 days
4Provide medium assurance certificates for incident reporting
5Include CDI marking and handling procedures

Flowdown to Subcontractors

Yes — DFARS 252.204-7012 flows down to subcontractors. All subcontractors in the supply chain must comply with this clause when applicable.

Frequently Asked Questions

What is DFARS 252.204-7012?

Does DFARS 252.204-7012 flow down to subcontractors?

Yes, DFARS 252.204-7012 flows down to subcontractors. All applicable subcontractors must comply with this clause.

When does DFARS 252.204-7012 apply?

All DoD contracts where the contractor will process, store, or transmit Covered Defense Information (CDI) or operationally critical support information.

Is your tech stack DFARS 252.204-7012 compliant?

Run our free CUI Auditor to check if your tools meet this clause's requirements.

Audit Your Tech Stack Free

Track DFARS 252.204-7012 compliance changes with AI-powered intelligence

Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.

Start Free — 90 Days

Discussion

Share your experience implementing this in your organization.

Join the Club to unlock joining discussions

Free membership — access intelligence, save your work, and more.

Create free account

DFARS 252.204-7012Safeguarding Covered Defense Information and Cyber Incident Reporting

Overview

When Does This Apply?

Key Requirements

Flowdown to Subcontractors

Related NIST 800-171 Controls

Frequently Asked Questions

What is DFARS 252.204-7012?

Does DFARS 252.204-7012 flow down to subcontractors?

When does DFARS 252.204-7012 apply?

Related Guides

Free Compliance Tools

Discussion

DFARS 252.204-7012Safeguarding Covered Defense Information and Cyber Incident Reporting

Overview

When Does This Apply?

Key Requirements

Flowdown to Subcontractors

Related NIST 800-171 Controls

Frequently Asked Questions

What is DFARS 252.204-7012?

Does DFARS 252.204-7012 flow down to subcontractors?

When does DFARS 252.204-7012 apply?

Related Guides

Free Compliance Tools

Discussion