DFARS Compliance

DFARS 252.204-7012 Compliance Guide

Everything defense contractors need to know about DFARS cybersecurity requirements, incident reporting, and how DFARS connects to CMMC.

Check DFARS Compliance →

What is DFARS 252.204-7012?

DFARS 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting") is the Defense Federal Acquisition Regulation Supplement clause that requires defense contractors to:

  1. Implement NIST SP 800-171 — All 110 security controls for protecting CUI
  2. Report cyber incidents — Within 72 hours to the DoD via DIBNet
  3. Preserve evidence — Maintain forensic images for 90 days after incident
  4. Flow down requirements — Include the clause in subcontracts involving CUI

DFARS and CMMC: How They Connect

DFARS 252.204-7012 has been the primary cybersecurity requirement for DoD contracts since 2017. CMMC adds a verification layer — while DFARS required self-attestation, CMMC requires third-party certification for most Level 2 contracts.

A new DFARS clause — 252.204-7021 — specifies the required CMMC level for each contract. Both clauses will coexist, meaning you need to comply with both DFARS 7012 (controls + reporting) and DFARS 7021 (certification).

Key DFARS Requirements

🔒 Adequate Security

Implement NIST 800-171 controls on all systems processing, storing, or transmitting CUI. This is the same 110 controls required for CMMC Level 2.

🚨 72-Hour Incident Reporting

Report cyber incidents affecting CUI to DoD within 72 hours via the DIBNet portal. Include malware samples, forensic images, and system logs.

📋 Subcontractor Flow-Down

Include DFARS 7012 in all subcontracts where subcontractors will handle CUI. You're responsible for your supply chain's compliance.

🗂️ Evidence Preservation

Preserve images of affected systems and all relevant monitoring data for at least 90 days following a reported incident.

How Hatty AI Helps with DFARS Compliance

Verify Your DFARS Compliance

Free assessment against DFARS/NIST 800-171 requirements.