DFARS 252.204-7012 Compliance Action Plan for Growing DIB Teams
A practitioner-grade compliance action plan for DFARS 252.204-7012 — covering CDI/CUI boundary definition, NIST SP 800-171 safeguarding, the 72-hour DoD incident reporting clock, cloud service obligations, and subcontractor flow-down for defense contractors preparing for CMMC Level 2.
What DFARS 252.204-7012 actually requires
DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — is the contract clause that has governed cybersecurity expectations across the defense industrial base (DIB) since 2017. Any DoD contract that touches covered defense information (CDI) or operationally critical support triggers the clause. The obligations fall into four pillars:
- Adequate security — implement all 110 security requirements in NIST SP 800-171 Rev 2 across the contractor's covered information system.
- Cyber incident reporting — report any qualifying cyber incident to the DoD through DIBNet within 72 hours of discovery.
- Malicious software preservation — preserve and protect images of affected systems and relevant monitoring data for at least 90 days after reporting.
- Subcontractor flow-down — pass the clause (and its obligations) to subcontractors at all tiers when CDI is involved.
DFARS 7012 is the backbone on which CMMC Level 2 sits. CMMC adds third-party verification of the same 110 NIST SP 800-171 controls. A contractor that can truthfully demonstrate DFARS 7012 compliance today is in a strong position to pass a C3PAO assessment — but most contractors discover gaps when the two frameworks are compared side-by-side. See our CMMC Level 2 readiness roadmap for the bridge between the two.
Step 1: Define the CDI and CUI boundary
Unknown data boundaries are the single largest driver of DFARS non-compliance findings. Before any control can be implemented, leadership needs to know what data is regulated and where it lives.
CDI vs CUI — know the difference
Covered defense information (CDI) is the broader contractual term used in DFARS 252.204-7012. It includes controlled unclassified information (CUI) — which is governed by the National Archives CUI Registry and 32 CFR Part 2002 — plus any unclassified information that requires safeguarding or dissemination controls per the contract. All CUI is CDI, but not all CDI is explicitly marked as CUI. Contracting officers may identify CDI through contract attachments, Statement of Work language, or technical data packages.
Map data flows end-to-end
For every contract subject to DFARS 7012, document where CDI enters your environment (email, file transfer, SharePoint, EDI), where it is processed (engineering workstations, ERP, CAD systems), where it is stored (file servers, cloud tenants, backup tapes), and where it exits (to primes, subs, DoD portals). A simple data flow diagram reviewed with the contracts team flushes out shadow repositories faster than any technical scan.
Scope the covered information system
Define the boundary of your covered information system — the systems, people, and processes in scope for NIST SP 800-171. Use enclave strategies (e.g., Microsoft 365 GCC High, AWS GovCloud, segmented on-prem networks) to minimize scope. A tight enclave dramatically reduces control burden.
Step 2: Implement the 110 NIST SP 800-171 controls
The "adequate security" obligation under DFARS 7012 is satisfied by implementing all 110 controls across 14 families: Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity.
Score with the DoD Assessment Methodology
DFARS 252.204-7019 and -7020 require contractors to submit a Basic Assessment score (starting at 110 and subtracting weighted points for missing controls) to the Supplier Performance Risk System (SPRS). Scores are validated by the DoD and visible to contracting officers. A low or stale SPRS score will disqualify bids before a technical evaluation begins. Update SPRS after every meaningful control change.
Address high-weighted controls first
Five-point deductions hit the SPRS score hardest. Common five-point gaps: FIPS-validated encryption (3.13.11), multifactor authentication for privileged accounts (3.5.3), audit log review (3.3.3), security assessment procedures (3.12.1), and configuration baselines (3.4.1). Close these before three- and one-point items. For targeted implementation help, engage our Technical Remediation Support network.
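To make the scoring rule above concrete, here is a small Python calculator added as an example (it is not code from the article or from the DoD). It applies the start-at-110, subtract-weighted-points rule, honours the partial credit the DoD Assessment Methodology grants for 3.5.3 and 3.13.11, and orders open gaps by deduction so the five-point items surface first. The control inventory is a constructed sample and the 1-point weight on the last entry is assumed for illustration, not taken from the DoD weight table.

```python
"""SPRS score calculator (added example; not code from the article).

Rule: start at 110 and subtract each unmet requirement's weight (5, 3 or 1).
Under the DoD Assessment Methodology two requirements carry partial credit:
3.5.3 (MFA only for remote/privileged users) and 3.13.11 (encryption in use
but not FIPS-validated) deduct 3 instead of 5. Sample weights are constructed.
"""
from dataclasses import dataclass

MAX_SCORE = 110
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

@dataclass(frozen=True)
class Control:
    cid: str               # NIST SP 800-171 requirement id, e.g. "3.13.11"
    weight: int            # 5, 3 or 1 per the DoD methodology
    implemented: bool
    partial: bool = False  # partial credit applies only to 3.5.3 / 3.13.11

def deduction(c: Control) -> int:
    """Points lost for one control; 0 when fully implemented."""
    if c.implemented:
        return 0
    if c.partial and c.cid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.cid]
    return c.weight

def sprs_score(controls) -> int:
    """Basic Assessment score: 110 minus every weighted deduction."""
    return MAX_SCORE - sum(deduction(c) for c in controls)

def remediation_order(controls):
    """Open controls, largest deduction first (ties broken by id)."""
    open_items = [c for c in controls if deduction(c) > 0]
    return [c.cid for c in sorted(open_items, key=lambda c: (-deduction(c), c.cid))]

# Constructed sample: the five 5-point gaps named in the text plus one
# lower-weight item whose 1-point weight is illustrative only.
SAMPLE = [
    Control("3.13.11", 5, False, partial=True),  # AES in use, not FIPS-validated
    Control("3.5.3", 5, False),                  # no MFA for any user
    Control("3.3.3", 5, False),                  # audit logs never reviewed
    Control("3.12.1", 5, True),                  # assessment procedures exist
    Control("3.4.1", 5, False),                  # no configuration baseline
    Control("3.8.3", 1, False),                  # weight assumed for illustration
]

if __name__ == "__main__":
    print(sprs_score(SAMPLE), remediation_order(SAMPLE))
```

Re-running the script after each remediation gives the figure to resubmit to SPRS, and the ordered list is the work queue the text recommends: five-point gaps first, then three- and one-point items.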
Step 3: Build a 72-hour incident reporting capability
The 72-hour clock is not forgiving. It starts when the contractor discovers a cyber incident affecting CDI or the ability to deliver operationally critical support — not when the investigation concludes.
Pre-provision DIBNet access
Reports are filed at DIBNet using a DoD-approved medium assurance certificate. Provisioning that certificate takes time and requires cooperation between IT, security, and legal. Do this before you need it. Store the credentials in a break-glass location known to the CISO, CFO, General Counsel, and a deputy for each.
Define a reportable incident in plain English
Your incident response plan should tell a tier-1 analyst when to escalate an event as potentially DFARS-reportable. Examples that warrant escalation: confirmed credential compromise on a system that handles CDI, malware on an engineering workstation with CUI access, data exfiltration signals from the covered enclave, or ransomware on systems supporting operationally critical support.
Preserve evidence for 90 days
Capture and preserve images of affected systems, network packet captures, and relevant log data for at least 90 days post-report. This is a non-negotiable contract requirement. Most contractors fail this obligation because they lack pre-approved runbooks and forensic storage. A quarterly tabletop that exercises evidence capture is the cheapest insurance policy available.
Coordinate legal, contracts, and security
The 72-hour clock collides with legal privilege, breach notification law, and customer communications. Document a decision-rights matrix that names who approves DIBNet reporting, who briefs the prime contractor, who briefs cyber insurance carriers, and who signs off on internal communications.
Step 4: Address cloud service provider obligations
If CDI is stored, processed, or transmitted through a cloud service, DFARS 252.204-7012(b)(2)(ii)(D) requires that the cloud service be equivalent to FedRAMP Moderate, and the provider must support the 72-hour reporting obligation. For most small and mid-size defense contractors, this translates to Microsoft 365 GCC High, Google Workspace (with appropriate FedRAMP offerings), or AWS/Azure GovCloud with contractual obligations that match the DFARS clause. Commercial M365 without GCC High is insufficient when CDI is involved.
Review Cloud Service Provider (CSP) contracts for the FedRAMP Moderate equivalency attestation, the data localization commitment, and the incident response cooperation clauses. Track these in a vendor risk register reviewed annually.
Step 5: Flow the clause to every subcontractor
Primes are contractually accountable for subcontractor compliance. A supplier cyber incident becomes the prime's DIBNet filing. Build a structured subcontractor flow-down program rather than relying on boilerplate clause inclusion.
- Flow DFARS 252.204-7012, -7019, -7020, and -7021 in every CDI-bearing subcontract. Confirm clause inclusion at contract execution — not at audit.
- Collect a supplier NIST SP 800-171 score and SPRS attestation as part of onboarding.
- Define incident notification SLAs shorter than 72 hours (e.g., 24 hours to prime) so primes retain time to file with DoD.
- Monitor critical suppliers annually with right-of-audit clauses and evidence refresh cycles.
For a full playbook, see our prime-to-sub flow-down checklist and engage our Supplier & Subcontractor Enablement service when your sub-tier needs hands-on help.
Step 6: Institutionalize the compliance program
DFARS 7012 compliance is not a project — it is a continuous obligation across the life of every contract. Mature programs run a monthly control health review, a quarterly evidence refresh, an annual internal audit aligned to NIST SP 800-171A (see our internal audit playbook), and a semi-annual tabletop exercise that rehearses DIBNet reporting. Build this operating rhythm into your Compliance Program Management office so the program survives staff turnover and contract growth.
Common DFARS 252.204-7012 pitfalls
- Stale SPRS scores: A score submitted two years ago and never updated invites scrutiny from contracting officers. Refresh after every control change.
- Commercial M365 holding CUI: If CUI lands in a standard commercial tenant, the FedRAMP Moderate equivalency requirement is not met. Migrate to GCC High before the next contract award.
- No DIBNet credential in place: Waiting to provision the DoD medium assurance certificate until an incident occurs guarantees missing the 72-hour window.
- Undocumented subcontractor flow-down: Primes assume clause inclusion carries the obligation; auditors require evidence of supplier control implementation.
- Policy without practice: An Incident Response Policy that has never been exercised is a finding waiting to happen. Run quarterly tabletops.
Frequently asked questions about DFARS 252.204-7012
Do subcontractors need to comply with DFARS 7012?
Yes — when subcontract performance involves CDI or operationally critical support. Primes must flow the clause at all tiers, and subcontractors must implement NIST SP 800-171 and report incidents through the prime (and ultimately to DoD).
Is DFARS 7012 the same as CMMC Level 2?
No, but they're tightly related. DFARS 7012 has been the contract clause since 2017 requiring self-attested NIST SP 800-171 implementation. CMMC Level 2 adds third-party assessor verification of the same controls. Solid DFARS 7012 practice is the foundation for CMMC Level 2 certification.
What counts as a reportable cyber incident under DFARS 7012?
Any event that adversely affects CDI, affects the ability to provide operationally critical support, or compromises a covered contractor information system. When in doubt, err on the side of reporting — under-reporting carries greater contractual risk than over-reporting.
What happens if we miss the 72-hour reporting window?
Missed reporting can trigger contract enforcement actions, False Claims Act exposure, and disqualification from future awards. It is also a frequent contract modification trigger and can materially damage prime-contractor relationships.
How Andvio helps DIB teams reach DFARS 7012 compliance
Andvio matches defense contractors with verified CMMC and cybersecurity partners aligned to contract scope, data sensitivity, and timeline. Our network includes RPOs, MSPs specialized in DIB, FedRAMP-familiar cloud architects, and incident response retainers — the exact mix of partners needed to close DFARS 7012 gaps without over-engineering. Get matched in 48 hours and move from compliance risk to audit-ready confidence.