Reference · Cybersecurity & CMMC
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7012 is the Department of Defense contract clause that requires contractors to safeguard covered defense information by implementing NIST SP 800-171 and to report cyber incidents to DoD within 72 hours. It flows down to subcontractors that handle that information.
What it is
The clause requires adequate security on any covered contractor information system that processes, stores, or transmits covered defense information (CDI) — a subset of CUI — by implementing the security requirements of NIST SP 800-171. It also imposes rapid cyber-incident reporting and media-preservation duties.
Why it exists
DoD needed an enforceable contractual mechanism to protect sensitive-but-unclassified information living on contractor networks, and to gain visibility into incidents affecting it.
Who it applies to
DoD contractors and subcontractors whose systems handle CDI. It does not apply to acquisitions solely for commercial off-the-shelf (COTS) items.
Flow-down
The clause must be flowed down without alteration — except to identify the parties — to subcontracts for operationally critical support, or where the subcontractor's system will process, store, or transmit covered defense information.
Compliance triggers
Implement NIST SP 800-171; report cyber incidents to DoD within 72 hours via the DIBNet portal; preserve and protect affected media; support DoD damage assessment; and ensure any external cloud service provider meets the FedRAMP Moderate (or equivalent) baseline and the DFARS cloud requirements.
Regulatory dates and requirements in this area change. Confirm the current guidance against the official sources below before you rely on it.
Frequently asked
What does DFARS 252.204-7012 require?
It requires two things: implementing NIST SP 800-171 to safeguard covered defense information on contractor systems, and reporting cyber incidents to DoD within 72 hours. It also flows down to subcontractors that handle covered defense information.
This is the kind of compliance signal Longlead reads to infer which upcoming defense projects will need cleared or compliance-ready scope — delivered as a cited evidence dossier with your confidence and lead time, 12–24 months before it surfaces as a named solicitation. You make the call, from your own channels; nothing leaves the system.
Or just see what Longlead finds for your scope.
Tell us what you sell and what you don't — and see the demand Longlead is inferring for you right now.