DFARS clause 252.204-7012 requires defense contractors to implement NIST SP 800-171 controls and report cyber incidents within 72 hours.
The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, 'Safeguarding Covered Defense Information and Cyber Incident Reporting,' establishes cybersecurity requirements for defense contractors handling Controlled Unclassified Information (CUI). Effective since December 2017, DFARS 7012 requires contractors to implement the 110 security controls specified in NIST SP 800-171 and to report cyber incidents to the DoD within 72 hours. The clause flows down to all subcontractors in the supply chain that handle CUI, creating a comprehensive security requirement across the defense industrial base. DFARS 7012 is the contractual mechanism that CMMC will eventually enforce through certification.
Contractors must implement the security requirements in NIST SP 800-171 for all covered contractor information systems that process, store, or transmit CUI. Implementation requires a System Security Plan (SSP) documenting how each of the 110 controls is met and a Plan of Action and Milestones (POA&M) for any controls not yet fully implemented. When a cyber incident occurs, contractors must conduct a rapid review, preserve forensic evidence for at least 90 days, report the incident through the DIBNet portal within 72 hours, and provide the DoD access to equipment and information as needed for damage assessment. Contractors must also use cloud service providers that meet FedRAMP Moderate or equivalent when processing CUI. The DoD Contractor Assurance Working Group developed the NIST SP 800-171 DoD Assessment Methodology with scoring from -203 to 110, which contractors self-report into the Supplier Performance Risk System (SPRS).
DFARS non-compliance can result in contract termination, False Claims Act liability with treble damages, and suspension or debarment from government contracting. The DoD has initiated enforcement actions and the Department of Justice has pursued cases under the Civil Cyber-Fraud Initiative against contractors misrepresenting their compliance. DFARS 7012 applies to the vast majority of defense contracts involving CUI and creates obligations across the entire subcontractor chain. Understanding and implementing these requirements is essential for any organization in the defense supply chain.
Written by CDA Editorial