DFARS 7012: What Government Contractors Need to Know
Written by: Tara Cannon
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 (commonly known as DFARS 7012) is a clause that all Department of Defense (DoD) contractors should be familiar with. This clause outlines the requirements for safeguarding covered defense information (CDI) and reporting cyber incidents.
In essence, DFARS 252.204-7012 requires contractors to implement adequate security measures to protect CDI, including any unclassified information provided by or generated for the government subject to safeguarding or dissemination controls. This can include sensitive technical information, proprietary information and other data that, if compromised, could negatively impact national security.
To comply with DFARS 252.204-7012 requirements, contractors must adhere to the security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which provides guidelines for protecting CDI in non-federal systems and organizations. These controls cover areas such as access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response and system and communication protection.
Additionally, contractors are required to report any cyber incidents that affect CDI to the DoD within a specific timeframe. This reporting allows the DoD to respond to and mitigate the impact of cyber incidents that could pose a threat to national security.

Who Does the DFARS 7012 Clause Apply To?
DFARS 7012 applies to all contractors and subcontractors that store, process, or transmit Covered Defense Information (CDI) on behalf of the DoD. Covered Defense Information includes any unclassified information that is provided to the contractor by or on behalf of the DoD in support of the performance of a contract or is collected, developed, received, transmitted, used or stored by or on behalf of the contractor in support of the performance of a contract.
In practical terms, this means that any company handling CDI as part of its work for the DoD must comply with DFARS 7012. This includes not only traditional defense contractors but also companies in industries such as technology, healthcare and manufacturing that have contracts with the DoD and handle CDI as part of their work.
It is essential for companies to understand their obligations under DFARS 7012 and take the necessary steps to ensure that they are in full compliance with the regulations. Failure to comply with DFARS 7012 can have serious consequences, including the loss of DoD contracts and potential legal and financial penalties.
In order to meet the requirements of DFARS 7012, companies must implement a range of cybersecurity measures, including conducting risk assessments, implementing specific security controls and reporting cybersecurity incidents to the DoD. Additionally, contractors and subcontractors may be required to demonstrate their compliance with DFARS 7012 through the use of third-party assessments and certifications.
How Does the DoD Enforce DFARS 7012 Compliance?
The DoD is responsible for enforcing compliance with DFARS 7012 and relies on both internal and external resources to do so. Internally, the DoD has implemented measures such as issuing clear guidance through its Security Requirements Guide; beyond guidance, it can enforce compliance through a number of mechanisms.
The most common enforcement mechanism is the imposition of civil and criminal penalties by the DoD. Such penalties can include suspension or debarment from government contracts, fines and even imprisonment. Additionally, contractors must self-report any potential non-compliance to the DoD and take appropriate corrective action. Contractors must also comply with any specific requirements related to the particular provision, such as training requirements or reporting requirements.
DFARS 7012 is also enforced through proactive audits of contractors' systems and processes, ensuring compliance with the various technical safeguards required by the regulation. In addition, DoD personnel may conduct periodic on-site visits.
DFARS Clauses
Below are the DFARS clauses that enable DoD to enforce the provisions of DFARS 7012:
DFARS 252.204-7019: "Notice of NIST SP 800-171 DoD Assessment Requirements."
One of the most critical aspects of doing business with the DoD is ensuring that your organization is in compliance with its security requirements. This includes adhering to the standards outlined in NIST Special Publication 800-171, which provides guidelines for protecting sensitive government information.
In order to ensure that companies are meeting these standards, the DoD inserts a clause in contracts, 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements, that requires contractors to notify the DoD if they believe any information related to the safeguarding of covered defense information or cyber incident reporting is not adequately protected by the contractor.
The purpose of this clause is to ensure that companies are taking the necessary steps to secure sensitive information and to report any potential vulnerabilities to the DoD. This is in line with the DoD’s commitment to protecting its data and ensuring that all contractors are meeting the necessary security requirements.
DFARS 252.204-7020: "NIST SP 800-171 DoD Assessment Requirements."
The 252.204-7020 clause, also known as the NIST SP 800-171 DoD Assessment Requirements, is a critical component of compliance for any organization doing business with the DoD. This clause sets forth requirements for contractors and subcontractors to implement and maintain adequate security measures to protect Controlled Unclassified Information (CUI) in non-federal systems and organizations.
NIST SP 800-171 is a set of security controls and requirements developed by the NIST to safeguard sensitive government information. The DoD has adopted these requirements and made them mandatory for any organization that handles CUI.
Under the 252.204-7020 clause, contractors and subcontractors are required to conduct a self-assessment of their compliance with NIST SP 800-171. This assessment involves evaluating their security practices and controls to ensure they meet the specific requirements outlined in the standard. The results of this assessment must be reported to the DoD in the form of a scorecard, which provides a clear indication of the organization's level of compliance with NIST SP 800-171.
In addition to the self-assessment, the 252.204-7020 clause also requires organizations to allow the DoD access to their facilities and systems to conduct on-site assessments of their compliance with NIST SP 800-171. These assessments may be conducted at any time, and organizations must provide the necessary cooperation and support to facilitate the assessment process.
DFARS 252.204-7021: "Cybersecurity Maturity Model Certification Requirements."
The 252.204-7021 Cybersecurity Maturity Model Certification (CMMC) Requirements, introduced by the DoD, represent a significant shift in the way that defense contractors and suppliers handle cybersecurity. These requirements are designed to ensure that organizations working with the DoD have robust cybersecurity measures in place to protect sensitive information and intellectual property.
The CMMC framework consists of three levels, with each level representing an increasing degree of cybersecurity sophistication. Level 1 is the basic level, focusing on safeguarding Federal Contract Information (FCI), while Level 3 represents the most advanced cybersecurity practices, necessary for protecting Controlled Unclassified Information (CUI). The CMMC requirements mandate that all defense contractors and suppliers achieve a specific level of certification based on the nature of the work they perform for the DoD.
One of the key components of the CMMC requirements is the need for most defense contractors to undergo a formal assessment by an accredited third-party assessor. The assessment evaluates the organization's cybersecurity practices and controls against the requirements outlined in the CMMC framework, confirming that organizations are not only claiming to have strong cybersecurity measures but are actually implementing and maintaining them effectively.
The introduction of the CMMC requirements represents a significant change for most defense contractors and suppliers. In the past, contractors could self-attest their cybersecurity readiness and capabilities, leading to inconsistencies and gaps in cybersecurity across the defense industrial base. The CMMC requirements aim to standardize and strengthen cybersecurity practices across the entire supply chain, ultimately ensuring that sensitive DoD information is adequately protected.
DFARS 252.204-7024: "Notice on the Use of the Supplier Performance Risk System."
The federal government is committed to ensuring that it does business with suppliers who have a record of reliable performance. To this end, the government has established the Supplier Performance Risk System (SPRS) to assess and monitor supplier performance. As part of this system, the government has issued clause DFARS 252.204-7024 Notice on the Use of the Supplier Performance Risk System to be included in all federal contracts.
The purpose of the Notice on the Use of the Supplier Performance Risk System is to provide transparency and accountability in the federal procurement process. It allows the government to make informed decisions about which suppliers to do business with based on their past performance. By entering their performance assessments into SPRS, contractors and subcontractors are providing the government with the necessary information to evaluate their reliability and track record.
Furthermore, using the SPRS helps promote a fair and competitive marketplace, as suppliers with a history of poor performance may find it more difficult to secure federal contracts. Conversely, suppliers with a strong track record of performance will be better positioned to win future government business.
Written By:
Tara Cannon, PMP, Senior Product Marketing Manager, Deltek
Tara Cannon is a Senior Product Marketing Manager at Deltek with 20 years of experience in the Aerospace and Defense industry as a capture and project manager. She focuses on advancing Deltek Costpoint, ensuring it empowers businesses to navigate the complexities of government contracting and meet compliance demands while addressing customer and market needs.
DFARS Enforcement Clauses Wrap Up
It is essential for DoD contractors to understand and comply with the requirements of DFARS 7012 to ensure the protection of sensitive information and maintain a strong cybersecurity posture. Failure to comply with these requirements can result in consequences such as contract termination, financial penalties or legal action.