DFARS 252.204-7012

DFARS 252.204-7012 is the Defense Federal Acquisition Regulation Supplement clause titled 'Safeguarding Covered Defense Information and Cyber Incident Reporting.' This contract clause is the legal mechanism that requires defense contractors to implement NIST SP 800-171 security requirements and report cyber incidents to the DoD within 72 hours.

This clause has been included in DoD contracts since 2017 and is the contractual basis for the cybersecurity requirements that CMMC formalizes. It applies when contractors process, store, or transmit Covered Defense Information (CDI) — which is essentially CUI in the defense context.

Why It Matters

DFARS 7012 is the contractual requirement that makes CUI protection legally binding for defense contractors. If this clause is in your contract, you're already required to implement NIST SP 800-171 — CMMC adds verification. Non-compliance carries False Claims Act risk.