DFARS 7012


What is DFARS 7012?

The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting is the oldest of four clauses in the recently expanded DFARS 70 series (7012, 7019, 7020, and 7021). DFARS 7012 applies to ALL Department of Defense (DoD) acquisitions, except for Commercial Off the Shelf (COTS) items, and requires contractors to implement technical and procedural controls as specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to protect sensitive information and to rapidly report cyber incidents.


The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause is the oldest of four clauses in the DFARS 70 series (7012, 7019, 7020, 7021, and 7025). DFARS 7012 applies to all Department of War (DoW) acquisitions, except for Commercial Off the Shelf (COTS) items. It requires contractors to implement the technical and procedural controls specified by the National Institute of Standards and Technology (NIST) in NIST SP 800-171 Rev. 2 to protect sensitive information, and to rapidly report cyber incidents.

The biggest difference between DFARS 7012 and CMMC is that DFARS 7012 relies on contractor “self-attestation,” whereas DFARS 7021 requires a formal third-party assessment prior to contract award. The CMMC phase one rollout began November 10, 2025, meaning contracts can start requiring certification before award when applicable.

If you are a contractor working on behalf of the DoW, as either a prime or a subcontractor, then DFARS 7012 is already included in your contract or subcontract agreement.

DFARS 7012 went into effect in 2017 to address data breaches and increasing cybersecurity threats within the Defense Industrial Base (DIB). Today, it is active alongside DFARS 7019, 7020, and the CMMC-enforcement clause 7021. Read more about the overlap between DFARS 7012 and CMMC below.

What Information Systems and Data are in Scope of DFARS 7012? 

These regulations apply only to Controlled Unclassified Information (CUI). Systems supporting data classified at the SECRET, TOP SECRET, or TOP SECRET/SCI levels are not covered under DFARS 7012, as classified systems follow separate requirements.

So, what type of information is covered under DFARS 7012? 

DFARS 7012 applies only to “Covered Defense Information” (CDI), an umbrella term for CUI from the DoW that must be protected when it is furnished by the DoW or generated in direct performance of the contract.

Contractors may handle multiple types of CUI, but only information contractually identified as CDI is in scope for DFARS 7012.

What Does DFARS 7012 Require? 

If a DIB organization handles CDI as defined by its contract, the first step is to identify how that CDI is handled and where it resides in the organization’s information systems.

CDI can exist in many places across an organization’s systems. It can be found in emails, collaboration systems, file shares, proposal systems, and many other locations, depending on the contract. 

Here’s DFARS 7012, broken down from paragraphs ‘a’ through ‘m’: 

• (a) Contractors must provide adequate security and safeguard CDI 
• (c–g) Contractors must report cyber incidents 
• (h–l) Legal clarifications 
• (m) Flowdown 

As a baseline, every company must have a System Security Plan (SSP) describing how the organization addresses the requirements above, and must document all in-scope systems and controls.

Provide Adequate Security and Safeguard CDI 

DFARS 7012 covers two types of systems. Most DoD contractors will focus on Type 2 systems, because that category covers their internal IT, support, and collaboration systems.

Type 1 System: DFARS 252.204-7012(b)(1) covers contractor information systems that are part of an IT service or system operated on behalf of the Government. For these systems, the following stipulations apply:

(i) The DISA SRG v1r3 specifies NIST 800-53r4 as the control set that must be implemented to be compliant.

(ii) The contractor shall implement the appropriate safeguards and controls in accordance with the DISA Cloud Computing Security Requirements Guide (DISA SRG v1r3), unless the DoW CIO has waived the requirement.

Type 2 System: DFARS 252.204-7012(b)(2) covers contractor information systems that are not part of an IT service or system operated on behalf of the Government and are therefore not subject to the security requirements in (b)(1). Instead, the following security requirements apply:

(i) The covered contractor systems shall be subject to NIST 800-171.

(ii) The contractor shall implement NIST 800-171. If the contractor intends to use an external cloud service provider, that provider must meet the requirements established by FedRAMP Moderate and comply with paragraphs (c) through (g).

A contractor must operate a Type 1 system in accordance with the DISA SRG v1r3 and the NIST 800-53r4 control set. Type 2 systems require meeting the 110 controls within NIST 800-171. However, if the contractor uses an external Cloud Solution Provider (CSP), that CSP environment must be, at a minimum, FedRAMP Moderate compliant.

Bottom line: DFARS levies a much heavier set of requirements on Type 1 systems than on Type 2 systems. This is good news for contractors, but meeting the Type 2 requirements is still a significant undertaking for almost all organizations.

A note on external Cloud Service Providers (CSPs) and FedRAMP Moderate “Equivalency”: if a CSP claims equivalency, the contractor must verify the supporting evidence themselves. A FedRAMP Moderate Authorized CSP requires considerably less effort from the contractor. You can check whether your CSP is authorized on the FedRAMP Marketplace.

If you have a FedRAMP moderate “equivalent” CSP, you might consider switching to a FedRAMP-Tailored Solution. We recommend either Microsoft GCC or GCC High.

Report Cyber Incidents 

Contractors must report cyber incidents involving CDI within 72 hours. To support the report, they must preserve and submit logs, system images, and any malicious code for a minimum of 90 days. This includes providing access to cloud environments hosting CDI.

Note: This section is where issues most often arise. These reporting requirements mean that both the contractor and any cloud computing service it uses must maintain a running 90-day log. They must also be able to provide system images for any systems that store, process, or transmit CDI or CUI. Those needs are why many organizations choose Microsoft 365 GCC High or GCC.

As mentioned above, if a cyber incident is reported, the contractor or subcontractor must also submit the malicious software through the DIBNet portal: https://dibnet.dod.mil/portal/intranet/

Contract Flowdown 

The third primary component of the DFARS 7012 clause requires all prime contractors and subcontractors to flow down the DFARS 7012 clause, in its entirety, to their subcontractors. Subcontractor flowdown includes all CDI-handling subs, regardless of their scope.

This component ensures that every provider or organization that could have access to CUI/CDI data is covered by the DFARS 7012 clause. Microsoft meets these flowdown requirements with its Government Cloud offerings.

What Are the Costs of DFARS 7012 to DoW Contractors? 

Now that you have a basic understanding of what the DFARS 7012 clause covers, you may want to know what these requirements will cost your organization. For almost all organizations, this is going to be a six-figure problem.

The policy, technical, and support environments needed to become compliant are large and complex, and therefore expensive to implement. Larger organizations with thousands or tens of thousands of employees could easily reach seven figures or higher to ensure compliance. Thankfully, many of these costs are included in the cost of CMMC implementation.

DFARS and CMMC Overlap 

DFARS 7012 and CMMC overlap in several fundamental ways. At the outset, CMMC requirements are established in DFARS via DFARS 7021, so every DIB supplier will have both requirements moving forward.

The same flowdown requirements are also present in CMMC, and all subcontractors must follow requirements similar to the prime’s. Lastly, the most significant thing the two regulations share is the implementation of NIST 800-171: CMMC Level 2 includes all 110 of NIST 800-171’s controls.

Next Steps 

  1. As a contractor, your company must assess whether it has DFARS 7012 in its contracts today, and how and where it handles CUI.
  2. Assess your company’s implementation of NIST SP 800-171 in its information systems. Update the SSP if any gaps are identified and remedied.
  3. Assess and validate that all subcontractors have an SSP and have successfully implemented NIST SP 800-171. Contractors are also responsible for ensuring that their subcontractors maintain the same 90-day running logs needed for submitting a cyber incident report to the DoW. Depending on the complexity of the organization’s relationships with its vendors and partners, as well as the organization’s available resources, this assessment may be conducted by a third party.
  4. If your company uses cloud systems, determine whether those platforms will meet compliance. Microsoft recommends that organizations use Microsoft 365 GCC High if they need to meet DFARS 7012 and CMMC 2.0 Level 2.
  5. Next, according to DFARS 7020, organizations with DFARS 7012 requirements in their contracts, and those handling CUI, will need to complete a Basic Assessment (self-assessment) and submit the results to the Supplier Performance Risk System (SPRS). DFARS 7020 allows the DoW to request evidence and details supporting an SPRS score, including artifacts. You should also make sure you understand each element in the DFARS 70 series: 7012, 7019, 7020, and 7021.
