DFARS 252.204-7012, 7019, 7020, 7021 — What Each Clause Actually Requires
The four DFARS cybersecurity clauses every CUI-bearing contract carries. Plain-English breakdown of what each requires, what triggers them, the 72-hour reporting clock, and the SPRS posting requirement.
If you read federal contracts, you've seen these four clause numbers stack on top of each other in the Section H or Section I clause list. They work together. Most contractors learn what 7012 requires only after they've already signed and a contracting officer asks for their SPRS score. This is the practical breakdown.
The 30-second version
| Clause | What it does | When it applies |
|---|---|---|
| 252.204-7012 | The substantive requirement: safeguard CUI per NIST 800-171 + report incidents within 72 hours | Any contract that involves CUI |
| 252.204-7019 | Notice of NIST SP 800-171 DoD Assessment Requirements — tells you to self-assess and post to SPRS | Solicitation-stage notice |
| 252.204-7020 | NIST SP 800-171 DoD Assessment Methodology — the actual rules for how to assess | All contracts subject to 7012 |
| 252.204-7021 | Cybersecurity Maturity Model Certification (CMMC) requirements | Phasing in 2025–2028 by contract type |
7012 is the rule. 7019 is the notice. 7020 is the methodology. 7021 is the upcoming third-party verification regime.
DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting
Effective: December 31, 2017 in current form. The clause that started it all.
What it requires:
Provide adequate security on covered contractor information systems that process, store, or transmit CUI. The standard is NIST SP 800-171 (Rev 2 today; Rev 3 transition pending).
Report cyber incidents within 72 hours of discovery to the DoD Cyber Crime Center (DC3) at https://dibnet.dod.mil. The 72-hour clock is non-negotiable. It runs from the moment a system administrator at your company discovers the incident — not from confirmation, not from forensics completion, not from when the lawyer finishes drafting.
Submit malicious software discovered during incident response to DC3 if requested.
Preserve and protect images of all known affected information systems and all relevant monitoring/packet capture data for at least 90 days from the report date.
Provide DoD access to additional information or equipment necessary for forensic analysis.
Flow down the clause to subcontractors when they will process, store, or transmit CUI.
The 72-hour reporting clock is the operational risk. Most contractors don't have a documented process to make that call. They have an IT contact and a security awareness slide deck. They don't have:
- A named incident response lead with backup
- A pre-registered Medium Assurance Certificate to file the dibnet report
- A 24-hour decision tree for "is this an incident or just a glitch"
- A communications plan for notifying the contracting officer
You need that documented before an incident, not during.
The Medium Assurance Certificate (MAC) is required to file via the DoD Reporting Portal. Getting one takes 4–8 weeks. If you don't have one and you discover an incident, you can phone DC3 directly, but the system expects digital filing. Get the MAC now if you don't have it.
DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements
Effective: November 30, 2020.
What it does: This is a solicitation-stage clause. It puts you on notice that to be eligible for award on a contract containing 7012, you must have a current NIST SP 800-171 self-assessment posted in SPRS.
Current means: within the last 3 years.
Self-assessment means: scored against NIST SP 800-171 using the DoD Assessment Methodology (defined in 7020).
Posted in SPRS means: the score must appear in the Supplier Performance Risk System database, which contracting officers can query directly.
If 7019 appears in a solicitation and you don't have a current SPRS score, you are not eligible for award. The contracting officer will see the absence in SPRS during the responsibility determination. You can still bid; you cannot win.
What gets posted to SPRS:
- Date of the assessment
- Score (from -203 to 110)
- Assessment level (Basic, Medium, or High)
- Date by which all "Not Implemented" controls will be remediated (the POA&M close-out date)
You do not post the SSP itself or the underlying documentation. You post the summary score and metadata. The full SSP and POA&M stay with you and are produced when an assessor or contracting officer requests them.
DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Methodology
Effective: November 30, 2020.
What it does: Defines the actual rules for self-assessment.
Three assessment levels:
| Level | Who does it | When | What it produces |
|---|---|---|---|
| Basic | The contractor (self-assessment) | Required if 7012 is in your contract; refresh every 3 years or on material change | Score posted to SPRS |
| Medium | DIBCAC (DoD assessor) reviews your SSP and POA&M remotely | DoD selects, typically based on contract value or risk | DIBCAC-issued score in SPRS |
| High | DIBCAC on-site assessment, full evidence review | DoD selects for highest-sensitivity CUI / highest-value contracts | DIBCAC-issued score in SPRS |
Most small contractors are Basic-only their entire lifecycle. DIBCAC selects a small percentage of contractors for Medium or High each year, weighted toward higher-value contracts and known-sensitive programs.
Basic self-assessment requirements:
- Use NIST SP 800-171A (the assessment companion document) to evaluate each control.
- Apply the DoD scoring weights (1, 3, or 5 points per control).
- Document the assessment in the SSP.
- Maintain the POA&M for any controls not fully implemented.
- Post the score, date, and POA&M closeout date to SPRS within 30 days of completion.
The 7020 clause also flows down. If you flow CUI to a subcontractor, you must verify their NIST 800-171 implementation status before flowing the work. This typically means asking the sub for their SPRS score and reviewing their SSP. If the sub doesn't have a SPRS score, you cannot legally flow CUI to them.
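As an added worked example (not code from the original article), the three calculations this page leans on: the 7020 Basic score (110 minus the weight of each unimplemented control, bounded at -203), the 7019 three-year SPRS currency check, and the 7012 72-hour and 90-day incident clocks. The control ids and weights in the table are constructed stand-ins, not the official DoD weight table; the incident timestamps are constructed too.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-in subset of NIST SP 800-171 controls and DoD Assessment
# Methodology weights (1, 3 or 5 points each). Use the official DoD table in
# practice; these values are illustrative only.
WEIGHTS = {"3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.4": 1, "3.4.2": 5,
           "3.5.3": 5, "3.7.2": 3, "3.13.11": 5}
MAX_SCORE = 110   # all 110 controls implemented
MIN_SCORE = -203  # floor stated by the methodology (every control missing)

def sprs_score(not_implemented, weights=WEIGHTS):
    """7020 Basic score: start at 110, subtract each unimplemented control's weight."""
    unknown = [c for c in not_implemented if c not in weights]
    if unknown:
        raise KeyError(f"no methodology weight for {unknown}")
    score = MAX_SCORE - sum(weights[c] for c in set(not_implemented))
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} is outside the -203..110 range")
    return score

def _add_years(d, years):
    """Calendar-year shift; a Feb 29 anniversary falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def sprs_current(assessment_date, as_of):
    """7019: a posted score supports award only while less than 3 years old."""
    return as_of < _add_years(assessment_date, 3)

def report_deadline(discovered_at):
    """7012: the 72-hour clock runs from discovery, not from confirmation."""
    return discovered_at + timedelta(hours=72)

def reported_on_time(discovered_at, reported_at):
    return discovered_at <= reported_at <= report_deadline(discovered_at)

def preserve_until(reported_at):
    """7012: keep system images and capture data at least 90 days from the report date."""
    return reported_at + timedelta(days=90)

if __name__ == "__main__":
    utc = timezone.utc
    found = datetime(2025, 3, 10, 14, 0, tzinfo=utc)  # constructed incident timeline
    filed = datetime(2025, 3, 12, 9, 0, tzinfo=utc)
    print("score:", sprs_score(["3.5.3", "3.13.11", "3.7.2"]))
    print("report by:", report_deadline(found), "on time:", reported_on_time(found, filed))
    print("preserve until:", preserve_until(filed))
    print("SPRS current:", sprs_current(datetime(2022, 6, 1, tzinfo=utc), found))
```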
DFARS 252.204-7021 — Cybersecurity Maturity Model Certification
Effective: Phased in 2025–2028 with the CMMC 2.0 final rule (32 CFR Part 170).
What it does: Requires CMMC certification at a level appropriate to the CUI sensitivity of the contract.
Three CMMC levels:
| Level | Assessment | What it covers |
|---|---|---|
| Level 1 | Self-assessment | 17 basic controls (FAR 52.204-21) — for FCI only, not CUI |
| Level 2 | Self-assessment OR C3PAO (depending on contract) | All 110 NIST 800-171 controls — for CUI |
| Level 3 | DIBCAC | NIST 800-171 + ~24 controls from NIST SP 800-172 — for the most sensitive CUI |
Most contracts that today reference 7012 will eventually require CMMC Level 2. Some Level 2 contracts will allow self-assessment; others will require third-party (C3PAO) certification.
Phase-in timeline (per the 48 CFR Part 204 rule):
- Phase 1 (effective 60 days after final 48 CFR rule, expected late 2025): self-assessment requirements take effect for some new contracts.
- Phase 2 (1 year later): C3PAO certification requirements begin for Level 2 contracts.
- Phase 3 (2 years after start): Level 3 requirements for designated highest-priority programs.
- Phase 4 (3 years after start): All applicable contracts include CMMC requirements.
What this means today: if you're at NIST 800-171 compliance and have your SSP/POA&M in good shape, you're 80% of the way to CMMC Level 2. The CMMC assessment process itself is more rigorous than self-attestation, but the underlying control set is largely the same.
The C3PAO market — Certified Third-Party Assessment Organizations — is small and growing. Expect $20K–$80K for a CMMC Level 2 assessment depending on contractor size and complexity. Book early; the market is supply-constrained.
See CMMC 2.0 compliance for sub-50-employee contractors for the full CMMC breakdown.
How the four clauses interact in practice
A typical CUI-bearing contract today carries 7012, 7019, and 7020 together. 7021 is being phased in.
Pre-award (proposal stage):
- 7019 in the solicitation tells you a SPRS score is required
- You self-assess per 7020 if you haven't already
- Post your score to SPRS
- Submit your proposal — your score is one input into the responsibility determination
Post-award (performance):
- 7012 governs how you handle CUI day-to-day
- The 72-hour reporting clock is live the moment a contract starts
- Subcontractor flowdowns happen at the work-order or task-order level
- 7020 keeps your SPRS score current (3-year refresh or on material change)
During an incident:
- 7012 says report within 72 hours via dibnet.dod.mil
- Preserve images and logs for 90+ days
- Cooperate with DC3 on forensics
- Notify the contracting officer per the Section H notification clause (if any)
At contract modification or new option exercise:
- 7019 may re-check your SPRS score currency
- A modification can introduce a higher CMMC level requirement (7021)
What goes wrong for SMBs
Forgetting that 7012 flows down. If you're a prime and you flow CUI to a sub, the sub needs their own NIST 800-171 implementation. You cannot DFARS-comply at the prime level only.
Missing the 72-hour clock during a real incident. The clock starts at discovery, not at confirmation. The definition of "discovered" lives in your IR plan, not in the regulation.
Posting to SPRS once and never refreshing. A SPRS score older than 3 years is invalid for award. SPRS doesn't auto-remind. Calendar this.
Not getting the Medium Assurance Certificate. Without a MAC you can't file via the dibnet portal. You'll miss the 72-hour window because you're stuck on phone trees.
Not flowing down to cloud providers. If you store CUI in a cloud service, the CSP must be FedRAMP Moderate or equivalent. Vanilla M365 Business Standard is not. M365 GCC is.
Treating 7021 as future-state. It's already in effect for some contracts. Watch for it in solicitations starting now.
What to do this week
- Pull a recent CUI-bearing contract and find the four clause numbers. Confirm what's actually in your contract.
- Verify your SPRS score age. If it's older than 36 months, you're already non-compliant.
- Check your Medium Assurance Certificate status. Get one if you don't have it.
- Confirm your IR plan defines "discovery" and names a 72-hour reporting lead.
- Identify any subcontractors that touch CUI. Confirm they have their own NIST 800-171 implementation and SPRS score.