DFARS

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

Requires DoD contractors to implement the NIST SP 800-171 security requirements on systems that process, store, or transmit Covered Defense Information (CDI), and to report cyber incidents affecting CDI to DoD within 72 hours of discovery.

Citation: 48 C.F.R. § 252.204-7012 (DFARS) · Live text on acquisition.gov

What this clause does

DFARS 252.204-7012 is the foundational DoD cybersecurity flowdown. Contracts that involve Covered Defense Information must require contractor information systems to provide "adequate security," which the clause defines as implementing NIST SP 800-171 ("Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations"). The clause flows down to every subcontractor whose performance involves CDI or operationally critical support, regardless of dollar value and including commercial-item subcontracts; the only carve-out is a solicitation or contract solely for commercially available off-the-shelf (COTS) items.

The clause carries three core obligations, plus a few that are easy to miss. First, implement the 110 security requirements of NIST SP 800-171 Rev 2 (the revision the clause currently designates; confirm which revision the version of the clause in your contract points to) and document any requirement not yet implemented in a System Security Plan (SSP) with Plans of Action and Milestones (POA&Ms). The SSP is the contractor's own document, not something DoD approves, but the clause does require the contractor to notify the DoD CIO within 30 days of award of any requirements not implemented at award, and any alternative measure offered in place of a requirement needs DoD CIO approval. Second, report cyber incidents that affect CDI, or the contractor's ability to provide operationally critical support, to DoD within 72 hours of discovery via the DIBNet portal; submission requires a DoD-approved medium-assurance certificate, so obtain one before an incident rather than during it. Third, preserve and protect images of all known affected systems and relevant monitoring and packet-capture data for at least 90 days from submission of the incident report, submit any isolated malicious software to the DoD Cyber Crime Center (DC3) rather than to the contracting officer, and give DoD access to additional information or equipment needed for forensic analysis on request.

This clause is the long pole on most DoD contract setups for small contractors. A first NIST SP 800-171 implementation commonly takes 6-12 months and costs five to six figures even for a small firm. The companion clauses 252.204-7019 and 252.204-7020 add the NIST SP 800-171 DoD Assessment requirement: a Basic (self) assessment scored under the DoD Assessment Methodology and posted to the Supplier Performance Risk System (SPRS) before award, with Medium and High assessments conducted by DoD at its discretion. Where the contract includes 252.204-7021, the Cybersecurity Maturity Model Certification (CMMC) requirement layers a certification on top.

Does this clause apply to my contract?

Three tests resolve applicability. Read each in order; the first "no" usually means the clause does not flow.

  1. Will the contract involve Covered Defense Information (CDI) or other Controlled Unclassified Information (CUI)?

    If yes, the safeguarding requirements bite. CDI is unclassified controlled technical information or other CUI (export-controlled information is a common example) that is either marked or otherwise identified in the contract and provided by or on behalf of DoD, or collected, developed, received, transmitted, used, or stored by the contractor in performance of the contract. Note that the clause itself is placed in nearly every DoD solicitation and contract regardless of dollar value, except those solely for COTS items; what varies is whether CDI is actually present, and on most DoD technical work it is.

  2. Is the buying agency DoD (DoD components, defense agencies, military departments)?

    The clause is a DFARS clause, so it appears only on DoD contracts. Civilian agencies use FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) plus agency-specific CUI-safeguarding clauses, several of which also invoke NIST SP 800-171. FAR 52.204-25 and 52.204-27 are the covered-telecommunications and covered-application prohibitions, not CUI clauses, and do not impose 800-171.

  3. Does the contract include the clause text by reference or in full?

    Both forms are binding. Under FAR 52.252-2 incorporation by reference, a single line citing 252.204-7012 carries the full clause text. Read the full text on acquisition.gov, not the contract excerpt.

Common contractor pitfalls

Patterns that produce questioned costs, negative past-performance entries, termination for default, or False Claims Act exposure under this clause. The Department of Justice's Civil Cyber-Fraud Initiative has already settled cases built on inaccurate representations of NIST SP 800-171 compliance.

  • Treating the System Security Plan as documentation theater

    The SSP must reflect the actual technical posture. DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts the Medium and High assessments under 252.204-7020 and cross-checks the SSP against system inventories, configurations, and access-control and audit logs. A boilerplate SSP that misstates what is implemented is a false statement to the government, which is exactly what False Claims Act cases under this clause turn on. An honest SSP with open POA&Ms is defensible; a fictional one is not.

  • Missing the 72-hour incident report window

    The 72-hour clock starts at discovery of the incident, not when the investigation concludes or the scope is understood. Report what is known within the window and update the report as analysis proceeds. Filing requires a DoD-approved medium-assurance certificate for DIBNet, which takes days to obtain, so a contractor that first looks into it after an intrusion has already burned the window. Late or missing reports surface in DoD assessments and as adverse past-performance signals.

  • Letting subcontractors self-attest without flowdown discipline

    The clause flows down to every subcontractor whose performance involves CDI, and 252.204-7020 requires the prime to verify that a sub has a current NIST SP 800-171 DoD Assessment (within the last three years) posted in SPRS before awarding the subcontract. If a subcontractor handling CDI is not compliant, the prime carries the breach risk. Primes cannot read a subcontractor's score directly in SPRS, so obtain the score and assessment date from the sub in writing, record it at award and at any modification that changes what CDI the sub handles, and incorporate 252.204-7012 and 252.204-7020 in the subcontract by full text or by reference.

  • Forgetting cloud-service-provider FedRAMP equivalence

    When CDI flows to a cloud service provider, the clause requires the CSP to meet the FedRAMP Moderate baseline or equivalent and to comply with the same incident-reporting, malware-submission, media-preservation, and forensic-access obligations. Under the DoD CIO's December 2023 memorandum on FedRAMP Moderate equivalency, "equivalent" means a body of evidence assessed by a FedRAMP-recognized third-party assessment organization (3PAO) covering all of the Moderate baseline controls, so a vendor's unsupported claim of equivalence does not satisfy the clause. Consumer and standard commercial SaaS tiers almost never qualify. SaaS vendor selection becomes a contract-compliance decision, and export-controlled CDI adds its own data-location and access restrictions on top.

Audit-flag patterns

Specific signals that contracting officers, DCMA/DIBCAC assessors, and agency IGs use to surface noncompliance.

  • SSP and POA&Ms older than 12 months without revision
  • SPRS score (per 252.204-7020) submitted before any actual NIST 800-171 assessment was performed
  • Cyber incident discovered through external notification rather than internal monitoring
  • Subcontractor handling CDI without flowdown clause incorporated in subcontract
  • Cloud services touching CDI without a FedRAMP Moderate authorization or a documented, 3PAO-assessed equivalency

How FieldLedger helps

FieldLedger's cybersecurity readiness add-on aligns project records, timekeeping, and document storage with NIST 800-171 evidence requirements (access control, audit logging, configuration management). The SSP and POA&M trail becomes a byproduct of running the platform, not a separate documentation effort.

Related clauses

Clauses that flow alongside or interact with DFARS 252.204-7012.

Frequently asked

What does DFARS 252.204-7012 require?
Implement the NIST SP 800-171 security requirements on any contractor system that processes, stores, or transmits Covered Defense Information, with gaps documented in an SSP and POA&Ms; report cyber incidents affecting CDI to DoD via DIBNet within 72 hours of discovery; preserve images and monitoring data of affected systems for at least 90 days after the report; submit isolated malware to DC3; and flow the clause down to subcontractors that handle CDI.

When does DFARS 252.204-7012 apply?
On DoD contracts (not civilian-agency contracts, which use FAR 52.204-21 and agency CUI clauses) that involve Covered Defense Information, whether the clause is included in full or incorporated by reference under FAR 52.252-2. The clause is placed in nearly all DoD contracts regardless of dollar value, except those solely for COTS items; its safeguarding requirements apply wherever CDI is actually present.

What are the most common contractor pitfalls under DFARS 252.204-7012?
An SSP that describes a posture the contractor has not implemented; missing the 72-hour window because the clock is measured from discovery and the DIBNet medium-assurance certificate was never obtained in advance; accepting subcontractor self-attestations without flowing the clause down and verifying the sub's SPRS assessment; and placing CDI in cloud services that lack a FedRAMP Moderate authorization or a 3PAO-assessed equivalency.

What audit-flag patterns are associated with DFARS 252.204-7012?
An SSP or POA&M untouched for more than 12 months; an SPRS score posted before any NIST SP 800-171 assessment was performed; incidents discovered through external notification rather than internal monitoring; subcontractors handling CDI without the clause in their subcontracts; and cloud services touching CDI without a documented FedRAMP Moderate or equivalent authorization.

How does FieldLedger help with DFARS 252.204-7012?
FieldLedger's cybersecurity readiness add-on aligns project records, timekeeping, and document storage with NIST SP 800-171 evidence requirements (access control, audit logging, configuration management), so the SSP and POA&M trail is a byproduct of running the platform rather than a separate documentation effort.

Sources

Snapshot date: 2026-05-08. Clause text is binding only as of the version incorporated into your specific contract — check acquisition.gov for the live regulatory text.