PUBLIC-SIGNAL INTELLIGENCE12–24 MONTHS EARLY · EVIDENCE CITED

Reference · Cybersecurity & CMMC

DFARS 252.204-7012

Safeguarding Covered Defense Information and Cyber Incident Reporting

DFARS 252.204-7012 is the Department of Defense contract clause that requires contractors to safeguard covered defense information by implementing NIST SP 800-171 and to report cyber incidents to DoD within 72 hours. It flows down to subcontractors that handle that information.

What it is

The clause requires adequate security on any covered contractor information system that processes, stores, or transmits covered defense information (CDI) — a subset of CUI — by implementing the security requirements of NIST SP 800-171. It also imposes rapid cyber-incident reporting and media-preservation duties.

Why it exists

DoD needed an enforceable contractual mechanism to protect sensitive-but-unclassified information living on contractor networks, and to gain visibility into incidents affecting it.

Who it applies to

DoD contractors and subcontractors whose systems handle CDI. It does not apply to acquisitions solely for commercial off-the-shelf (COTS) items.

Flow-down

The clause must be flowed down without alteration — except to identify the parties — to subcontracts for operationally critical support, or where the subcontractor's system will process, store, or transmit covered defense information.

Compliance triggers

Implement NIST SP 800-171; report cyber incidents to DoD within 72 hours via the DIBNet portal; preserve and protect affected media; support DoD damage assessment; and ensure any external cloud service provider meets the FedRAMP Moderate (or equivalent) baseline and the DFARS cloud requirements.

Regulatory dates and requirements in this area change. Confirm the current guidance against the official sources below before you rely on it.

Frequently asked

What does DFARS 252.204-7012 require?

It requires two things: implementing NIST SP 800-171 to safeguard covered defense information on contractor systems, and reporting cyber incidents to DoD within 72 hours. It also flows down to subcontractors that handle covered defense information.

This is the kind of compliance signal Longlead reads to infer which upcoming defense projects will need cleared or compliance-ready scope — delivered as a cited evidence dossier with your confidence and lead time, 12–24 months before it surfaces as a named solicitation. You make the call, from your own channels; nothing leaves the system.

Or just see what Longlead finds for your scope.

Tell us what you sell and what you don't — and see the demand Longlead is inferring for you right now.