DoD does not apply federal cybersecurity statutes directly to its contractors. Instead, it pushes equivalent obligations through the Defense Federal Acquisition Regulation Supplement. Four specific DFARS clauses are the mechanism by which FISMA-equivalent duties reach the more than 100,000 firms in the defense industrial base.
If you hold DoD contracts, these four clauses govern your incident reporting window, your assessment requirements, your award eligibility, and your obligation to push requirements down to your subcontractors. Understanding what each clause actually requires — not a summary of it — is a prerequisite for sound compliance planning.
For the broader policy context — why DoD built this mechanism, where it still underperforms, and what reforms are on the table — see Federal Cybersecurity Law and the Defense Industrial Base.
Why DFARS Instead of Direct Regulation
FISMA covers federal agencies. It does not directly regulate private contractors. DoD’s solution is the acquisition clause — a contractual mechanism that converts statutory expectations into binding contract terms. When a solicitation includes a DFARS clause, compliance with that clause becomes a condition of contract performance, not a voluntary standard.
This matters for two reasons. First, it means contractors have legal exposure through contract law as well as regulatory law — and through the False Claims Act when self-assessments are inaccurate. Second, it means the obligations flow through prime contracts to subcontractors. If a clause requires flow-down, you are responsible for enforcing it down your supply chain.
The four clauses below form a cascade. Each one adds a layer. Together, they constitute the DIB cybersecurity compliance framework.
DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting
This is the foundational clause. It has been in DoD contracts since 2017 and remains the broadest in scope.
Who it covers: Any contractor that processes, stores, or transmits Covered Defense Information (CDI), or that provides operationally critical support. CDI is information that requires protection under law, regulation, or government-wide policy, or that is described as such in the contract.
What it requires:
Adequate security. The contractor must implement the 110 security requirements in NIST SP 800-171 to provide adequate security for all covered contractor information systems. If the contractor identifies additional controls not in SP 800-171, those requirements must be assessed and addressed. Gaps must be documented in a System Security Plan.
72-hour incident reporting. When a cyber incident occurs, the contractor must report it to DoD through dibnet.dod.mil within 72 hours of discovery. The report must include the company name, contract numbers, facility CAGE code, date the incident was discovered, location of compromise, and a description of the technique or method used in the incident. The 72-hour window is firm. It does not begin when you have completed your investigation — it begins when you discover the incident.
90-day image preservation. For at least 90 days after reporting, the contractor must preserve and protect images of all known affected information systems and provide access to DoD for forensic analysis upon request.
Cloud services. If the contractor uses cloud services to process, store, or transmit CDI, those services must meet the FedRAMP Moderate baseline or equivalent security requirements.
Flow-down obligation. The clause must be flowed down to subcontractors when the subcontract involves operationally critical support or requires the subcontractor to handle CDI.
The practical issue with 7012: The obligation to implement SP 800-171 has existed since 2017. Many contractors have not. A contractor’s System Security Plan and SPRS score are discoverable in litigation. The DoJ’s Civil Cyber-Fraud Initiative has pursued contractors under the False Claims Act for submitting bids and certifying compliance while knowingly failing to implement required controls. Accurate self-assessment is not just a compliance requirement — it is a legal risk management issue.
DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements
This clause is short and sometimes overlooked. Its function is pre-award: it notifies offerors that before they can receive a DoD contract award, they must have a current Basic Assessment score posted in the Supplier Performance Risk System.
What it requires: The offeror must have a current Basic, Medium, or High assessment posted in SPRS before contract award. A Basic Assessment is the contractor’s own scoring of its SP 800-171 implementation using DoD’s assessment methodology. The score ranges from -203 (no controls implemented) to 110 (all controls implemented). The DoD methodology assigns point values to each control, with higher-weight controls penalizing the score more heavily if not implemented.
The practical issue with 7019: Many contracting officers check SPRS during source selection. A missing or outdated SPRS score can disqualify an offeror without further discussion. If you have not posted a score, or if your score was posted years ago and your implementation has changed, your award eligibility is at risk before you submit a proposal.
The SPRS score is also visible to DoD program offices and can affect how they view your risk profile. A score below 70 is generally a flag for additional scrutiny.
DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements
Where 7019 is a notice, 7020 is the operational clause. It establishes DoD’s authority to assess contractor compliance directly and governs subcontractor flow-down.
What it requires:
Assessment authority. The contractor must permit DoD personnel to conduct a Medium or High assessment of its implementation of NIST SP 800-171 at any time during contract performance. A Medium Assessment is a DoD-conducted review of the contractor’s SSP and supporting artifacts without a site visit. A High Assessment includes a site visit by DIBCAC assessors.
Subcontractor flow-down. The prime contractor must not award a subcontract to a firm unless that subcontractor has a current Basic, Medium, or High assessment posted in SPRS. The prime is responsible for enforcing this before subcontract award — it is not sufficient to ask your sub to get it done eventually.
The practical issue with 7020: The subcontractor flow-down requirement in 7020 is the most commonly neglected obligation in the clause stack. Prime contractors routinely award subcontracts without verifying SPRS scores. If DoD audits your supply chain, you are exposed for every sub that lacks a current score. Build a pre-award SPRS verification step into your subcontract process.
The DIBCAC assessment authority in 7020 also persists into CMMC 2.0: even after a C3PAO certifies a contractor at Level 2, DIBCAC retains the right to override that certification with its own assessment. A subsequent DIBCAC finding supersedes the C3PAO score in SPRS.
DFARS 252.204-7021 — Cybersecurity Maturity Model Certification Requirements
This is the clause that ties CMMC into contract award eligibility. It became final through the companion DFARS acquisition rule published in September 2025.
What it requires:
Certification as a condition of award. The contractor must have and maintain a current CMMC status at the level specified in the solicitation for the duration of the contract. CMMC status is determined by the assessment type required for that level — self-assessment, C3PAO certification, or DIBCAC certification.
Flow-down to subcontractors. The prime must flow the substance of the clause to subcontractors that handle CUI or FCI, at the applicable level for the information the sub will handle.
Duration. CMMC status must be maintained throughout contract performance, not just at award. If a certification lapses — because a triennial C3PAO assessment is not renewed or a conditional status closes out without completion — the contractor may be in breach.
The practical issue with 7021: Most solicitations will not include 7021 until Phase 2 of the CMMC rollout (Year 2, starting approximately September 2026). During Phase 1 (now through approximately September 2026), DoD may include it at its discretion. Watch your solicitations carefully. The clause will appear in full before Phase 2 begins across all applicable contracts.
The subcontractor obligation in 7021 is more complex than in 7012 or 7020 because the required CMMC level for a subcontractor depends on what information that sub handles — not the prime’s level. A prime certified at Level 2 whose sub only handles FCI flows down Level 1 requirements to that sub, not Level 2.
For a full breakdown of CMMC levels, assessment paths, costs, and the POA&M rules, see CMMC 2.0 Levels, Assessment Paths, and What Certification Costs.
What the Four Clauses Look Like Together
When all four clauses appear in a contract, here is what you are actually obligated to do:
- Implement all 110 SP 800-171 requirements (or document exceptions in an SSP and POA&M) — per 7012
- Report cyber incidents within 72 hours — per 7012
- Preserve affected system images for 90 days — per 7012
- Post an accurate SPRS score — per 7019
- Allow DoD Medium or High assessments on demand — per 7020
- Verify subcontractor SPRS scores before award — per 7020
- Achieve and maintain CMMC status at the specified level — per 7021
- Flow CMMC requirements down to subs at the applicable level — per 7021
None of these are optional once the clause is in the contract. They are performance requirements with legal consequences for non-compliance.
The False Claims Act Exposure
Self-attestation under 7019 and 7020 creates direct False Claims Act exposure when a contractor submits a bid or invoices under a contract while knowingly misrepresenting its compliance status. The DoJ’s Civil Cyber-Fraud Initiative has produced settled cases with penalties in the tens of millions of dollars. Penn State, Aerojet Rocketdyne, and Verizon Business Network Services are public examples.
The FCA exposure applies to self-assessments and to affirmations by senior officials. The senior official affirmation requirement that CMMC added to the process was a deliberate move to establish individual accountability alongside corporate liability.
Accurate scoring is not conservative compliance. It is legal risk management.
Where to Go From Here
If you are building or reviewing your DFARS compliance program:
- Map every contract to the clauses it contains. Not all DoD contracts include all four.
- Audit your SPRS score for accuracy. Score it honestly using the DoD methodology.
- Verify your subcontractor SPRS scores before the next subcontract award.
- Confirm your cyber incident response procedure can produce a complete report within 72 hours. Test it.
For the control-level detail that 7012 requires you to implement, the NIST SP 800-171 requirements index and CMMC practices index cover every requirement with practitioner notes.
For the policy and legal context behind why DoD built this clause stack — and where it is still structurally underperforming — see Federal Cybersecurity Law and the Defense Industrial Base.