CMMC DFARS June 7, 2026 · 10 min read

DFARS 252.204-7012 Explained: What Defense Contractors Must Do

If your company has a DoD contract, this clause is almost certainly in it, and most contractors don't fully understand what it requires until they're being assessed. Here's a plain-language breakdown of every obligation DFARS 252.204-7012 puts on your organization.

What Is DFARS 252.204-7012?

DFARS 252.204-7012, formally titled Safeguarding Covered Defense Information and Cyber Incident Reporting, is a clause from the Defense Federal Acquisition Regulation Supplement (DFARS, the set of DoD-specific additions to the Federal Acquisition Regulation). The Department of Defense includes it in contracts where a contractor will process, store, or transmit Covered Defense Information (CDI).

In plain terms: if your contract involves sensitive DoD information, and most do, this clause is your cybersecurity obligation in contractual form. It flows down to subcontractors at every tier when CDI is involved, which means your primes are required to pass it to you, and you're required to pass it to anyone you subcontract work to.

Quick definition: Covered Defense Information (CDI) is unclassified controlled technical information or other Controlled Unclassified Information (CUI) that is either provided to you by or on behalf of DoD in connection with the contract, or collected, developed, received, transmitted, used, or stored by you in performance of the contract. If your systems touch controlled technical data, export-controlled information, or sensitive program data, you're covered.

The Six Core Requirements

DFARS 252.204-7012 imposes six specific obligations on covered contractors. Understanding all six is critical: most compliance programs focus only on the first and miss the others until an incident exposes the gap.

1. Implement NIST SP 800-171 Controls

The clause requires contractors to implement the security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. That's 110 security requirements across 14 requirement families, covering everything from access control and audit logging to incident response and system and information integrity.

You must implement these controls on any system that stores, processes, or transmits CDI. The scope is your CUI boundary, the set of systems, users, and data flows that touch covered information.

2. Flow Down the Clause to Subcontractors

If you subcontract any work that involves CDI (or operationally critical support), you are required to include DFARS 252.204-7012 in your subcontracts, without alteration except to identify the parties. This is a hard requirement, not optional, and your primes will increasingly audit it as CMMC enforcement tightens.

3. Report Cyber Incidents Within 72 Hours

If you experience a cyber incident affecting a covered system or the CDI on it, you must report it to DoD via DIBNet (https://dibnet.dod.mil) within 72 hours of discovery. The report must identify the affected systems, the CDI that may have been compromised, and the techniques the attacker used. Two practical caveats: submitting through DIBNet requires a DoD-approved medium assurance certificate, which takes time to obtain, so get it before you need it; and subcontractors report directly to DoD and then pass the incident report number up to the prime, rather than reporting only through the prime.

This is not a "wait until you're sure" requirement. The clock starts at discovery, not at confirmation, not at the moment your team finishes arguing about whether it "counts" as an incident.

4. Preserve and Protect Forensic Images for 90 Days

Following a reportable cyber incident, you must preserve and protect images of all known affected information systems, along with the relevant monitoring and packet-capture data, for at least 90 days from the submission of the cyber incident report, and make them available to DoD on request. This means you need an imaging and evidence-handling process in place before an incident happens, not after.
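One way to make that preservation process concrete, as an added example that is not DoD-provided tooling or code from the original page: the script below takes a directory of acquired disk and memory images plus the date the DIBNet report was submitted, writes a JSON manifest recording each image's size and SHA-256 and the retention deadline (report date plus 90 days), and can later re-verify that nothing has changed. The image files, the incident reference string and the report date are constructed placeholders written to a temporary directory so the example runs offline.

```python
"""Preservation manifest for incident images (added example, not DoD tooling).

Records size, SHA-256 and the 90-day retention deadline for each image so the
evidence can be re-verified when DoD asks for it. All inputs below are constructed.
"""
import hashlib
import json
import tempfile
from datetime import date, timedelta
from pathlib import Path

# DFARS 252.204-7012 preservation period, counted from submission of the report.
RETENTION_DAYS = 90


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-gigabyte images don't hit RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(image_dir: Path, report_date: date, incident_ref: str) -> dict:
    """Hash every image in image_dir and record the retention deadline."""
    images = sorted(p for p in image_dir.iterdir() if p.is_file() and p.suffix != ".json")
    if not images:
        raise ValueError("no images to preserve")
    return {
        "incident_ref": incident_ref,  # placeholder; use your DIBNet report number
        "report_submitted": report_date.isoformat(),
        "retain_until": (report_date + timedelta(days=RETENTION_DAYS)).isoformat(),
        "images": [
            {"file": p.name, "bytes": p.stat().st_size, "sha256": sha256_file(p)}
            for p in images
        ],
    }


def verify_manifest(image_dir: Path, manifest: dict) -> list[str]:
    """Return the names of images that are missing or whose hash no longer matches."""
    bad = []
    for entry in manifest["images"]:
        p = image_dir / entry["file"]
        if not p.is_file() or sha256_file(p) != entry["sha256"]:
            bad.append(entry["file"])
    return bad


def demo() -> tuple[dict, list[str], list[str]]:
    """Build a manifest over constructed images, verify it, then detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        image_dir = Path(d)
        # Constructed stand-ins for an E01 disk image and a raw memory image.
        (image_dir / "ws-042.E01").write_bytes(b"constructed disk image bytes")
        (image_dir / "ws-042.mem").write_bytes(b"constructed memory image bytes")
        manifest = build_manifest(image_dir, date(2026, 6, 7), "INC-EXAMPLE")
        (image_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(image_dir, manifest)          # expect []
        (image_dir / "ws-042.mem").write_bytes(b"tampered")   # simulate alteration
        tampered = verify_manifest(image_dir, manifest)       # expect ["ws-042.mem"]
    return manifest, clean, tampered


if __name__ == "__main__":
    m, ok, changed = demo()
    print(json.dumps(m, indent=2))
    print("clean verification failures:", ok)
    print("after tampering:", changed)
```

Store the manifest (and ideally a signed copy of it) separately from the images themselves; a hash list that lives next to the evidence it protects can be altered together with it.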

5. Submit Malware Samples

If you discover and isolate malicious software in connection with a reported cyber incident, you must submit it to DoD's Cyber Crime Center (DC3) following the instructions DC3 or your contracting officer provides. Do not send the malware to the contracting officer. This supports DoD's broader threat intelligence mission.

6. Provide Media and System Access for Damage Assessment

After a cyber incident, DoD may request access to additional information or equipment needed for forensic analysis, and may ask you to provide damage assessment information or support a damage assessment. You are required to cooperate. This is a significant obligation that many contractors don't anticipate.

DFARS 7012 vs. CMMC: What's the Difference?

Dimension             DFARS 252.204-7012                                        CMMC Level 2
Requirement source    Contract clause                                           Certification requirement (32 CFR Part 170)
Security framework    NIST SP 800-171 (110 requirements)                        NIST SP 800-171 (110 requirements)
Verification method   Self-assessment, score posted to SPRS (via 252.204-7019/7020)   Third-party C3PAO assessment (self-assessment allowed for some programs)
Assessment score      Self-reported SPRS score                                  C3PAO-validated score
Who it applies to     Any DoD contractor handling CDI                           Contractors whose contracts carry a CMMC Level 2 requirement
SSP required?         Implicitly (NIST SP 800-171 requirement 3.12.4)           Explicitly, reviewed on day one

The key takeaway: CMMC Level 2 covers the same 110 requirements as DFARS 7012 but, for programs DoD designates for certification assessment, replaces the honor-system self-assessment with independent third-party verification. If your contracts are moving to CMMC requirements, your DFARS 7012 implementation is your CMMC foundation, but it will be scrutinized much more closely.

The SPRS Score: What It Is and Why It Matters

The Supplier Performance Risk System (SPRS) is where DoD contracting officers check your cybersecurity posture before awarding contracts. The companion clauses DFARS 252.204-7019 and 252.204-7020 require contractors to have a current NIST SP 800-171 DoD Assessment (a self-assessed Basic Assessment is the minimum, and it must be no more than three years old) posted in SPRS before award. DFARS 252.204-7021 is the separate CMMC clause.

The scoring methodology is defined in DoD's NIST SP 800-171 Assessment Methodology. A perfect score is 110. Each requirement that is not implemented carries a fixed deduction of 1, 3, or 5 points, with partial credit (3 points off instead of 5) only for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography). A contractor with no requirements implemented would score -203; negative scores are possible and do get reported. A missing system security plan is not a deduction at all: the methodology treats it as an assessment that cannot be completed.
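To make the arithmetic and the two special cases explicit, here is an added example (not code from the original page, and not a DoD tool) that scores a requirement-status list the way the methodology describes. The weight table is a constructed illustrative subset of eight requirements, not the full 110-entry table, and each value should be confirmed against the published methodology before use; the status CSV is likewise constructed. The scorer refuses to produce a number if any requirement in the table has no status, if partial credit is claimed for a requirement that doesn't allow it, or if the SSP requirement is not implemented.

```python
"""SPRS-style score calculator (added example; weights are an illustrative subset).

Rules implemented, per the DoD Assessment Methodology as summarized above:
  - start at 110 and subtract each unimplemented requirement's weight (1, 3 or 5)
  - partial credit (3 instead of 5) only for 3.5.3 (MFA) and 3.13.11 (FIPS crypto)
  - no SSP (3.12.4) means the assessment cannot be completed, not a deduction
"""
import csv
import io

MAX_SCORE = 110
MIN_SCORE = -203  # every weight in the full table deducted

# Assumption: illustrative subset of the methodology's weight table.
# Verify every value against the published methodology before relying on it.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.3.1": 5,
    "3.5.3": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # the only partial-credit cases
SSP_REQUIREMENT = "3.12.4"
VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def req_sort_key(req_id: str) -> tuple[int, ...]:
    """Sort 3.1.3 before 3.13.11 (numeric, not lexical, ordering)."""
    return tuple(int(part) for part in req_id.split("."))


def deduction(req_id: str, status: str, weights: dict = WEIGHTS) -> int:
    """Points lost for one requirement given its implementation status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{req_id}: unknown status {status!r}")
    if status == "implemented":
        return 0
    if status == "partial":
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id}: partial credit not allowed; score it as not_implemented")
        return PARTIAL_CREDIT[req_id]
    return weights[req_id]


def score_assessment(statuses: dict, weights: dict = WEIGHTS) -> tuple[int, list[str]]:
    """Return (score, requirements needing a POA&M entry) or raise if the input is incomplete."""
    if statuses.get(SSP_REQUIREMENT) != "implemented":
        raise ValueError("no system security plan (3.12.4): assessment cannot be completed")
    missing = set(weights) - set(statuses)
    if missing:
        raise ValueError(f"no status recorded for {sorted(missing, key=req_sort_key)}")
    unknown = set(statuses) - set(weights) - {SSP_REQUIREMENT}
    if unknown:
        raise ValueError(f"requirements not in weight table: {sorted(unknown, key=req_sort_key)}")
    total = sum(deduction(r, statuses[r], weights) for r in weights)
    poam = sorted((r for r in weights if statuses[r] != "implemented"), key=req_sort_key)
    return MAX_SCORE - total, poam


def parse_status_csv(text: str) -> dict:
    """Read 'requirement,status' rows, e.g. exported from an assessment spreadsheet."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["requirement"].strip(): row["status"].strip() for row in reader}


# Constructed sample: two gaps, two partial-credit cases, SSP present.
SAMPLE_CSV = """requirement,status
3.1.1,implemented
3.1.2,implemented
3.1.3,not_implemented
3.3.1,not_implemented
3.5.3,partial
3.12.4,implemented
3.13.11,partial
3.14.1,implemented
3.14.2,implemented
"""

if __name__ == "__main__":
    score, poam = score_assessment(parse_status_csv(SAMPLE_CSV))
    print(f"score: {score} (max {MAX_SCORE}, min {MIN_SCORE})")
    print("POA&M items:", poam)
```

With the sample input the deductions are 1 (3.1.3) + 5 (3.3.1) + 3 (3.5.3 partial) + 3 (3.13.11 partial) = 12, so the score is 98, and the four non-implemented requirements are the ones that need POA&M entries with completion dates when the score is posted.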

False Claims Act exposure: In October 2021, the DoJ launched the Civil Cyber-Fraud Initiative, making it clear that submitting a false SPRS score, or certifying NIST SP 800-171 compliance when you haven't actually implemented the requirements, is actionable under the False Claims Act. Enforcement actions and settlements have already been reached with defense contractors.

What You Need to Have Documented

To demonstrate DFARS 252.204-7012 compliance, and to survive a CMMC assessment, you need the following documentation in place:

Common Mistakes Contractors Make

After working through CMMC implementations across multiple environments, the same gaps come up repeatedly:

Build Your CMMC Documentation Foundation

The SSP is the first document a C3PAO asks for. Our templates give you the structure, control mappings, and implementation guidance to build it correctly, not at consultant rates.

Frequently Asked Questions

What is DFARS 252.204-7012?

DFARS 252.204-7012, titled "Safeguarding Covered Defense Information and Cyber Incident Reporting," is a DoD contract clause that requires contractors to implement the 110 security requirements in NIST SP 800-171, report cyber incidents within 72 hours, preserve forensic evidence for at least 90 days, and flow the same requirements down to subcontractors. It applies whenever a contractor's systems process, store, or transmit Covered Defense Information (CDI).

Does DFARS 252.204-7012 apply to my company?

If your company holds or works under a DoD contract and your work involves Covered Defense Information, which includes most controlled technical data, export-controlled information, and sensitive program data, then yes. It also flows down to subcontractors at all tiers when CDI is involved, so you may be bound by it even without a direct DoD contract.

What is the difference between DFARS 7012 and CMMC?

Both require the same 110 NIST SP 800-171 security requirements, but the verification differs. Under DFARS 7012 and its companion assessment clauses (252.204-7019/7020), you assess your own compliance and post a score to SPRS. CMMC Level 2 requires a third-party C3PAO to independently verify your compliance for programs DoD designates for certification assessment. CMMC doesn't add new technical requirements; it adds independent verification of the requirements DFARS already imposed.

What do I have to do if a cyber incident occurs?

If a cyber incident occurs on a covered system, meaning a system that processes CDI, you must report it to DoD via the DIBNet portal within 72 hours of discovery. The report must describe what happened, which systems were affected, what CDI may have been compromised, and what techniques the attacker used. You must also preserve images of the affected systems for at least 90 days after submitting the report, submit any isolated malware to DC3 as instructed, and cooperate with any DoD forensic analysis or damage assessment.

Does DFARS 252.204-7012 require a system security plan?

Not explicitly by name, but NIST SP 800-171 requirement 3.12.4, which DFARS 7012 requires you to implement, mandates maintaining a system security plan that describes your system boundary, operating environment, and how each security requirement is implemented or planned. In practice, the SSP is essential for SPRS scoring accuracy (the DoD methodology treats a missing SSP as an assessment that cannot be completed) and is the first document requested in any CMMC assessment.

What happens if I don't comply?

Consequences include contract termination, suspension from future DoD contracts, and potential liability under the False Claims Act if you submitted a false SPRS score while certifying compliance. The DoJ's Civil Cyber-Fraud Initiative, launched in October 2021, has already pursued enforcement actions against contractors who certified compliance without implementing required controls. Non-compliance is no longer a theoretical risk.

Bottom Line

DFARS 252.204-7012 is not a suggestion. It's a contractual obligation with real enforcement teeth, and the transition to CMMC is making the self-attestation era of DIB cybersecurity compliance effectively over for any contractor working on critical programs. The documentation requirements (SSP, incident response plan, POA&M) aren't bureaucratic overhead. They're the proof that your controls actually exist. Without them, you're essentially asking an assessor to take your word for it. They won't.

Start with the SSP. Everything else builds from it.
