DFARS 252.204-7012 Explained: What It Means for Your Business

Hailey Clark

Understanding government regulations can be complex, but it’s crucial to ensure the security of government information. One such regulation is the DFARS 252.204-7012 clause. DFARS 252.204-7012 focuses on safeguarding covered defense information in nonfederal systems and cyber incident reporting. In this blog post, we’ll simplify the concepts behind DFARS 7012 and explain what it means for your business. So, let’s dive in and gain a clear understanding of this important regulation!

What is DFARS 252.204-7012?

DFARS 252.204-7012 is a clause prescribed by the Department of Defense (DoD) that addresses the protection of covered defense information and the reporting of cyber incidents. The clause applies to contracts and subcontracts that involve the handling of controlled unclassified information related to defense projects. It requires that covered defense information be protected by implementing the security requirements found in NIST SP 800-171.

What is considered Covered Defense Information?

Covered Defense Information (CDI) refers to unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.htm, that is provided to a contractor by or on behalf of the DoD in support of a contract, or information collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the contract. It can also include export-controlled items and information marked in the contract as requiring safeguarding.

Download our glossary of terms guide for DFARS 252.204-7012 as another useful tool to better understand the terms used in DFARS 7012.

Who does DFARS 252.204-7012 apply to?

DFARS 252.204-7012 is particularly important for defense contractors and suppliers. If you have been awarded a contract by DoD that includes DFARS 252.204-7012, it’s highly likely that the information involved in the contract meets the criteria of covered defense information.

Key Points of DFARS 252.204-7012:

  • Adequate Security and NIST SP 800-171: To comply with DFARS 252.204-7012, contractors need to provide “adequate security” for all covered defense information processed in their systems. The standard for adequate security is compliance with NIST SP 800-171, which outlines recommended security requirements for protecting controlled unclassified information in nonfederal information systems and organizations. NIST SP 800-171 consists of 110 controls grouped into families such as access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, and more. Organizations must implement a combination of policies, processes, people, and technologies to address these controls.
  • System Security Plans and Plans of Action and Milestones: As part of compliance, organizations must develop a System Security Plan (SSP) that describes the high-level architecture of their system and how it implements the required controls. The SSP should identify which controls have been implemented, which have not been implemented, which are not applicable, and which are satisfied using alternative means. For controls that have not been adequately implemented, organizations must create a corresponding Plan of Action and Milestones (POA&M). The POA&M outlines how deficiencies will be remediated and provides a plan for addressing the controls that are not fully implemented.
  • Self-Attestation and Submission to SPRS: Compliance with DFARS 252.204-7012 and NIST SP 800-171 is currently self-attested before contract award. However, the government may conduct audits to verify the implementation of required controls. The Defense Industrial Base (DIB) Cybersecurity Assessment Center (DIBCAC) is responsible for conducting these audits, with the level of invasiveness varying based on the sensitivity of the CDI or CUI at risk. It’s important to note that recent changes to the DFARS rules have introduced additional requirements through clauses 252.204-7019 and 252.204-7020. These clauses focus on compliance with NIST SP 800-171 and the scoring methodology for assessing an organization’s level of compliance. Contractors must calculate a compliance score and upload it into the Supplier Performance Risk System (SPRS).
  • Responsibility for Enforcing DFARS 7012 on Subcontractors: Prime contractors are responsible for ensuring that their subcontractors comply with the safeguarding and handling requirements specified in DFARS 252.204-7012. Primes must also mitigate risks associated with subcontractor performance, as mishandling or improper safeguarding of sensitive government information by subcontractors can affect the prime contractor’s contract award.
  • Cyber Incident Reporting: In the event of a cyber incident involving covered defense information, contractors must follow certain procedures. These include conducting a review to identify compromised systems and data, reporting the incident to the DoD within 72 hours, preserving relevant information for at least 90 days, providing access to additional information for forensic analysis, and submitting a copy of any malicious software involved. It’s worth noting that a medium assurance certificate is required to report cyber incidents. Contractors must obtain this certificate from approved External Certification Authorities and have the necessary identification forms ready for the application process, so it should be obtained before an incident occurs rather than during one.

How The Greentree Group Can Help:

At The Greentree Group, we understand the importance of compliance with DFARS 252.204-7012 and other cybersecurity regulations. Our team of experts specializes in helping businesses navigate these requirements. We offer comprehensive services that can assist you in achieving and maintaining compliance with DFARS 7012. Whether you need assistance with security assessments, implementing necessary controls, or incident response planning, we’ve got you covered. Contact us today.

Remember, safeguarding covered defense information and reporting cyber incidents is crucial for the security of your business and the defense projects you are involved in. Stay compliant and protect sensitive information to contribute to a secure and resilient defense ecosystem.