Plain-English clause guide · primary sources
"I just got DFARS 252.204-7012 in my contract" — now what?
DFARS clause 252.204-7012 puts three duties on you: safeguard covered defense information by implementing NIST SP 800-171, report cyber incidents within 72 hours at dibnet.dod.mil, and flow the clause down to subcontractors that handle the data. It is the contractual hook that makes CMMC Level 2 your near-term reality.
What the clause actually requires
| Duty | Clause | In plain English |
|---|---|---|
| Safeguard | 252.204-7012(b) | Implement the NIST SP 800-171 security requirements on every contractor system that stores, processes, or transmits covered defense information (CDI). Any external cloud service that handles CDI must meet FedRAMP Moderate (or equivalent), and the provider must itself comply with the clause's incident-reporting and media-preservation requirements. |
| Report incidents | 252.204-7012(c) | Rapidly report any cyber incident affecting CDI or your ability to perform — within 72 hours of discovery — to DoD at dibnet.dod.mil. Reporting requires a DoD-approved medium-assurance certificate, and you must preserve affected media/images for at least 90 days. |
| Flow it down | 252.204-7012(m) | Include the clause, without alteration, in subcontracts where performance involves CDI or operationally critical support. Your obligation does not stop at your own walls — primes are responsible for their supply chain. |
Source: DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). Covered defense information (CDI) is, in practice, the same controlled unclassified information (CUI) that triggers CMMC Level 2.
How 7012 connects to CMMC
7012 has required NIST SP 800-171 since 2017 — the obligation is not new. What is new is verification. CMMC is how DoD moves from "you attested you implemented 800-171" to "a third party confirmed it." From November 10, 2026, CMMC Phase 2 makes C3PAO-assessed Level 2 the default for new contracts involving CUI, applied per-solicitation at contracting-officer discretion through full implementation in 2028.
So if your contract carries 7012, the honest planning assumption is Level 2: all 110 NIST SP 800-171 requirements, a current SPRS score, and — increasingly — a C3PAO certification as a condition of award. The companion clauses make the mechanics explicit: 7019/7020 require and govern the SPRS self-assessment, and 7021 is the CMMC clause itself.
CMMC phase dates: 32 CFR 170.3(e); DFARS rule effective Nov 10, 2025. No delay announced as of June 2026. See the Phase 2 countdown and Level 1 vs Level 2.
Your first week with the clause
Confirm whether you actually handle CDI
Covered defense information is essentially CUI — controlled technical information, export-controlled data, and other marked unclassified information. If your deliverables truly contain none of it, your obligations are far lighter (and you should document that determination). When you can't tell, ask your contracting officer or prime what the data is — don't guess.
Find your real SPRS score
The clause requires NIST SP 800-171; the companion clauses (252.204-7019/7020) require you to post a current self-assessment score to SPRS. Most contractors have never computed theirs honestly. Start there — you cannot plan a gap you have not measured.
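The SPRS score those companion clauses require is produced by a fixed rule from the DoD NIST SP 800-171 Assessment Methodology: start at 110, deduct the point value (5, 3 or 1) of every requirement not implemented, allow partial credit only for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), and floor the result at -203. The following Python is an added example written for this guide, not code from the page or from any DoD tool: the requirement weights in it are an illustrative sample rather than the full Annex A table, and the assessment status it scores is constructed.

```python
"""SPRS self-assessment score calculator (DoD NIST SP 800-171 Assessment Methodology rules)."""
from dataclasses import dataclass

MAX_SCORE = 110   # every requirement implemented
MIN_SCORE = -203  # every requirement unimplemented

# Point value deducted per unimplemented requirement. CONSTRUCTED SAMPLE:
# only nine of the 110 requirements are listed, and the weights shown are
# illustrative; the authoritative values are in the methodology's Annex A.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.8.3": 3,    # sanitize media before disposal or reuse
    "3.12.1": 3,   # periodically assess security controls
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.3": 1,    # review and update logged events
}

# The only two requirements the methodology scores with partial credit:
# deduct 3 instead of 5 when the stated partial condition is met.
PARTIAL_DEDUCTION = {
    "3.5.3": 3,    # MFA for remote and privileged users, but not general users
    "3.13.11": 3,  # encryption in use, but not FIPS-validated
}

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"


@dataclass
class ScoreResult:
    score: int
    deductions: list  # (requirement id, points deducted)
    notes: list       # explanations for statuses that earned no credit


def sprs_score(status, weights=WEIGHTS):
    """Score a dict of requirement id -> status against the weight table.

    A requirement in the weight table but absent from `status` counts as
    not implemented: a control you cannot show evidence for earns no credit.
    A requirement on a POA&M is likewise scored as not implemented; the
    methodology gives no credit for planned work.
    """
    deductions, notes = [], []
    for req, weight in weights.items():
        state = status.get(req, NOT_IMPLEMENTED)
        if state == IMPLEMENTED:
            continue
        if state == PARTIAL:
            if req in PARTIAL_DEDUCTION:
                deductions.append((req, PARTIAL_DEDUCTION[req]))
                continue
            notes.append(f"{req}: no partial credit exists for this requirement; "
                         f"scored as not implemented")
        deductions.append((req, weight))
    total = sum(points for _, points in deductions)
    return ScoreResult(score=max(MAX_SCORE - total, MIN_SCORE),
                       deductions=deductions, notes=notes)


def example_assessment():
    """Constructed status for a contractor part-way through remediation."""
    status = {
        "3.1.1": IMPLEMENTED,
        "3.1.2": IMPLEMENTED,
        "3.3.1": NOT_IMPLEMENTED,   # -5
        "3.5.3": PARTIAL,           # -3 (partial credit applies)
        "3.13.11": PARTIAL,         # -3 (partial credit applies)
        "3.8.3": IMPLEMENTED,
        "3.12.1": NOT_IMPLEMENTED,  # -3
        "3.1.22": IMPLEMENTED,
        "3.3.3": PARTIAL,           # -1 (no partial credit: full deduction)
    }
    return sprs_score(status)


if __name__ == "__main__":
    result = example_assessment()
    print(f"SPRS score: {result.score}")
    for req, points in result.deductions:
        print(f"  {req}: -{points}")
    for note in result.notes:
        print(f"  note: {note}")
```

The "partial" status is deliberately strict: outside 3.5.3 and 3.13.11 it is scored exactly like "not implemented" and the note tells you why, which is the honest-score behaviour the paragraph above is asking for.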
Check your 72-hour reporting readiness
Two things block a fast report: not having a DoD-approved medium-assurance certificate provisioned at dibnet.dod.mil before you need it, and not knowing who is authorized to file the report. Set both up now — 72 hours is not the moment to start the paperwork.
Flow the clause to your subs
Anywhere a subcontractor touches CDI, the clause must appear in their subcontract unaltered. Map which of your subs handle the data and confirm the flow-down is in their agreements.
Straight answers
Does DFARS 252.204-7012 in my contract mean I need CMMC now?
It means you are already obligated to implement NIST SP 800-171 — 7012 has required that since 2017. CMMC is the verification layer on top: from November 10, 2026 (Phase 2), C3PAO-assessed CMMC Level 2 becomes the default for new DoD contracts involving CUI, applied per-solicitation. So 7012 is the substance; CMMC Level 2 is how DoD will increasingly check it. If you have 7012, plan for Level 2.
What is the 72-hour reporting rule?
Under 252.204-7012(c), if you discover a cyber incident that affects covered defense information or your ability to perform the contract, you must report it to DoD at dibnet.dod.mil within 72 hours of discovery. Reporting requires a DoD-approved medium-assurance certificate, and under the clause you preserve and protect affected media and system images for at least 90 days so DoD can request them.
Do I have to flow 252.204-7012 down to my subcontractors?
Yes — under 252.204-7012(m), you include the clause without alteration in subcontracts whose performance involves covered defense information or operationally critical support. As a prime, you are responsible for ensuring subs that handle the data carry the same obligations. A subcontractor is not exempt simply for being downstream.
What if I do not actually handle CUI or covered defense information?
Then your obligations under the clause are substantially lighter — but make that determination deliberately and write it down, because the cost of being wrong is high. If you receive technical drawings, specifications, export-controlled data, or anything marked CUI/CDI, you are in scope. When it is unclear, ask the contracting officer or prime what the deliverable contains rather than assuming.
How is 252.204-7012 different from 7019, 7020, and 7021?
7012 is the safeguarding-and-reporting clause: implement NIST SP 800-171 and report incidents. 7019 requires you to have a current (within 3 years) self-assessment and post the score to SPRS. 7020 gives DoD assessment rights and obligates primes to flow requirements to subs. 7021 is the CMMC clause that requires the applicable CMMC level as a condition of award. They work together — 7012 is the substance, the others are the verification and contracting mechanics.
This is compliance information, not legal advice. The clause text governs; for contract-interpretation or FCA questions, consult qualified counsel.
The clause names the standard. Your score says how far you are from it.
The free assessment walks the 110 NIST SP 800-171 requirements in plain English and computes your SPRS score with the exact DoD methodology — so 7012 becomes a checklist, not a cliff.
Start the free assessment