
DFARS 252.204-7012: The Cybersecurity Clause Every Defense Contractor Must Understand

Updated May 18, 2026

Bottom Line Up Front

DFARS 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting") requires defense contractors handling Covered Defense Information to implement adequate security per NIST SP 800-171; Revision 2 (110 requirements) is the operative baseline under current DoD policy, although the clause text itself names no revision. Contractors must report cyber incidents to the Department of Defense within 72 hours of discovery via dibnet.dod.mil, preserve images of affected systems and monitoring data for at least 90 days after the report, submit malicious software to the DoD Cyber Crime Center, ensure any external cloud service holding Covered Defense Information meets FedRAMP Moderate equivalency, and flow the clause unaltered to subcontractors that provide operationally critical support or handle Covered Defense Information. CMMC under DFARS 252.204-7021 verifies these controls; it does not replace them.

The defense contractor’s general counsel forwards two documents on a Tuesday morning. The first is the new DoD contract referencing Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, the Cybersecurity Maturity Model Certification (CMMC) clause. The second is a memo from the cybersecurity team asking whether DFARS 252.204-7012 still applies now that CMMC is in place. The answer is yes, and the contractor that does not understand why is building a compliance program with a hole in the middle.

DFARS 252.204-7012 was first issued in November 2013 and took its current title and scope through the 2015 and 2016 revisions. It survived the original CMMC framework and it survived CMMC 2.0. As of May 2026 it remains in force, untouched by the February 2026 class deviations discussed below, which concerned -7019 and -7020. The SPRS score that contractors submit under DFARS 252.204-7019 is the self-attestation counterpart to the 7012 operational obligation. 7012 is the operational cybersecurity clause in every defense contract that handles Covered Defense Information; CMMC under DFARS 252.204-7021 is the assessment clause that verifies the controls 7012 has required all along. The two clauses are complementary, not redundant.

Contractors that end up on the wrong side of False Claims Act enforcement tend to treat the two clauses as interchangeable. Contractors whose DFARS 252.204-7012 compliance is defensible treat them as a system: 7012 specifies what to do, 7021 verifies that you did it.


The Clause Architecture as of May 2026

DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” remains in force as written. The full clause text is published at acquisition.gov. The cybersecurity obligation is anchored to NIST Special Publication 800-171 Revision 2. The 72-hour cyber incident reporting requirement to DoD via dibnet.dod.mil is intact. The cloud computing services equivalency to FedRAMP Moderate baseline is intact. The subcontractor flow-down requirement in paragraph (m) is intact.

Industry reporting suggests that a February 1, 2026 DFARS class deviation suppressed -7019 (the Supplier Performance Risk System pre-award notice clause) for new prime contracts, routing pre-award assessment obligations through CMMC under DFARS 252.204-7021. As of May 2026, both DFARS 252.204-7019 and DFARS 252.204-7020 remain listed as active in the codified DFARS at acquisition.gov Part 252; whether either appears in a given new award depends on the deviation, which should be verified against the OSD memo at acq.osd.mil or the Federal Register rather than against the codified text. Industry reports of a renumbering to “DFARS 252.240-7997” are not supported by a primary source as of May 2026: no -7997 clause or 252.240 subpart appears in the codified DFARS (the 252.24x clauses correspond to Parts 241 through 243). Two cautions when checking that claim: class deviation clauses carry 799x numbers and are published in the deviation memo, not in the codified DFARS, so absence from acquisition.gov is not by itself conclusive; and the memo, not a vendor summary, is the authority on what the deviation actually says. Whatever the deviation did to -7019 and -7020, it did not change 7012.

The CMMC 2.0 Final Rule under 32 CFR Part 170 became effective December 16, 2024. The companion DFARS 252.204-7021 acquisition clause, codified at 48 CFR, was finalized in 2025 with the integrating final rule taking effect November 10, 2025. Phased implementation continues through 2026. New contracts containing DFARS 252.204-7021 require CMMC certification at the level specified in the solicitation as a condition of award.

DFARS 7012 Is Operational; DFARS 7021 Is Assessment

The structural distinction matters. DFARS 252.204-7012 specifies the cybersecurity obligations: implement adequate security, report incidents, preserve media, ensure cloud equivalency, flow the clause to subcontractors. DFARS 252.204-7021 specifies the assessment regime: hold a CMMC status at the level the solicitation requires before award, whether a Level 1 or Level 2 self-assessment, a Level 2 certification from a Certified Third-Party Assessment Organization (C3PAO), or a Level 3 assessment by the Defense Contract Management Agency’s DIBCAC. The contractor’s adequate security under 7012 is what the assessor examines under 7021. The clauses are not redundant: 7012 carries the operational requirements that exist regardless of CMMC level, including the 72-hour incident reporting clock that no CMMC certification removes.

Adequate Security: NIST 800-171 Revision 2, Not Revision 3

DFARS 252.204-7012 paragraph (b)(2)(ii)(A) reads: “The Contractor shall implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.” The clause text names no revision; paragraph (b)(2)(i) points to the version of NIST SP 800-171 “in effect at the time the solicitation is issued or as authorized by the Contracting Officer.” When NIST published Revision 3, DoD issued Class Deviation 2024-O0013 (May 2024) directing contractors to continue implementing Revision 2, and DoD policy and the DFARS Procedures, Guidance, and Information (PGI) treat Revision 2 as the operative baseline today. Contractors must therefore implement all 110 security requirements across the 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. None of the 110 requirements is optional in current DoD enforcement.

NIST published Revision 3 in May 2024. The Department of Defense has explicitly not adopted Revision 3 for DFARS 7012 enforcement. SPRS scoring, CMMC Level 2 assessments, and 7012 compliance all run against Revision 2 and its companion assessment guide, NIST SP 800-171A. The reasons are operational: the DoD Assessment Methodology v1.2.1, the SPRS scoring algorithm, and the C3PAO assessment process were all calibrated to Revision 2 requirement statements and 800-171A assessment objectives. Migration to Revision 3 would require recalibration across the entire defense industrial base.

Contractors should expect Revision 2 to remain the operational standard through 2026 and into 2027 at minimum. Discussion of the differences between Revision 2 and Revision 3 and the projected adoption timeline is covered in detail separately. For DFARS 7012 compliance today, the answer is Revision 2.

The System Security Plan and Plan of Action

Adequate security under 7012 requires more than implementing controls. NIST SP 800-171 Revision 2 control 3.12.4 requires a System Security Plan (SSP) describing the system boundary, environment of operation, security requirement implementation status, and relationships with other systems. Control 3.12.2 requires a Plan of Action and Milestones (POA&M) for any control not fully implemented at the time of self-assessment. The SSP and POA&M are the artifacts assessors review first. Generic vendor-template language without specific implementation detail produces immediate findings under both 7012 self-assessment and CMMC assessment regimes.

Cyber Incident Reporting: The 72-Hour Clock

Paragraph (c) of DFARS 252.204-7012 requires the contractor to “rapidly report” cyber incidents to the Department of Defense, and paragraph (a) defines “rapidly report” as within 72 hours of discovery. The reporting destination is dibnet.dod.mil, which requires a medium assurance certificate from a DoD-approved External Certification Authority to log in. Acquiring the certificate after an incident occurs is too late.

The clause defines a cyber incident verbatim in paragraph (a) as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” The definition is broader than a confirmed breach: “potentially adverse effect” reaches suspected intrusions and anomalous activity that warrants investigation, not only confirmed compromises. The reporting trigger in paragraph (c)(1) is discovery of a cyber incident that affects a covered contractor information system or the Covered Defense Information on it, or that affects the contractor’s ability to perform operationally critical support; on discovery the contractor must also conduct a review for evidence of compromise and identify the affected systems, users, and data. The 72-hour clock starts at discovery, not at the end of that review or at confirmation.

Media Preservation and Malicious Software Submission

Paragraph (e) requires the contractor to preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from submission of the cyber incident report, so that DoD can request the media or decline interest. The preservation obligation runs in parallel with internal incident response. The clause protects the images and captured data, not the live hosts: a contractor may rebuild an affected system from clean backups once forensic images exist, but destroying those images, or the monitoring data, before the 90-day period closes violates the clause. Paragraph (f) requires submission of malicious software discovered during the incident to the DoD Cyber Crime Center (DC3) in accordance with DC3 or Contracting Officer instructions, and expressly not to the Contracting Officer. Contractors should pre-establish DC3 submission procedures rather than improvise during an active incident.

The audit fix. Establish the cyber incident reporting infrastructure before an incident occurs. Acquire the medium assurance certificate from a DoD-approved External Certification Authority, in the name of the legal entity that will report. Document the dibnet.dod.mil reporting workflow with named personnel and backup contacts. Build a 90-day preservation procedure for forensic images and monitoring data into the incident response plan, and make sure the evidence retention schedule cannot expire inside that window. Pre-establish DC3 submission procedures for malicious software. Test the workflow during a tabletop exercise. The 72-hour clock is the wrong time to discover that the medium assurance certificate is in the wrong contractor’s name.
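As an added example for this article (not code from the author, DoD, or any contractor), the following Python models the three clocks the clause sets and runs them over constructed incident records. It measures the 72-hour window from discovery rather than confirmation, dates the 90-day hold from report submission rather than from discovery, and flags evidence retention that expires inside the hold and malware that has not gone to DC3. The field names, the sample incidents, and the reference time are assumptions made for the example.

```python
"""Deadline tracker for the DFARS 252.204-7012 incident clocks.

Added example for this article; not DoD or contractor code. The rules encoded
are the ones the clause states: "rapidly report" means within 72 hours of
discovery (paragraph (a) definition, paragraph (c)); images and monitoring data
must be preserved for at least 90 days from submission of the report
(paragraph (e)); malicious software goes to DC3 (paragraph (f)).
Field names and the sample incidents below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
REPORT_WINDOW = timedelta(hours=72)     # "rapidly report" = 72 hours from discovery
PRESERVATION_HOLD = timedelta(days=90)  # paragraph (e): 90 days from report submission


@dataclass
class Incident:
    ident: str
    discovered: datetime                  # first detection, not confirmation
    confirmed: Optional[datetime] = None  # irrelevant to the clock; kept to show why
    reported: Optional[datetime] = None   # dibnet.dod.mil submission time
    images_preserved: bool = False
    image_retention_until: Optional[datetime] = None  # when the evidence store will purge
    malware_found: bool = False
    dc3_submitted: bool = False


def _utc(dt: datetime) -> datetime:
    # Naive timestamps are rejected: a deadline computed in the wrong zone is an easy miss.
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt.astimezone(UTC)


def report_deadline(inc: Incident) -> datetime:
    """The clock runs from discovery; the confirmation time plays no part."""
    return _utc(inc.discovered) + REPORT_WINDOW


def preservation_end(inc: Incident) -> Optional[datetime]:
    """The hold runs from the report, so it cannot be computed until a report exists."""
    if inc.reported is None:
        return None
    return _utc(inc.reported) + PRESERVATION_HOLD


def evaluate(inc: Incident, now: datetime) -> list[str]:
    """Return finding strings; an empty list means no 7012 clock is currently violated."""
    now = _utc(now)
    findings: list[str] = []
    deadline = report_deadline(inc)
    if inc.reported is None:
        if now > deadline:
            findings.append("report overdue")
    elif _utc(inc.reported) > deadline:
        findings.append(f"report late by {_utc(inc.reported) - deadline}")
    hold_end = preservation_end(inc)
    if hold_end is not None:
        if not inc.images_preserved:
            findings.append("no forensic images preserved")
        elif inc.image_retention_until is not None and _utc(inc.image_retention_until) < hold_end:
            findings.append("image retention ends before 90-day hold")
    if inc.malware_found and not inc.dc3_submitted:
        findings.append("malware not submitted to DC3")
    return findings


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = [
    # Beaconing seen Mar 2, CDI exfiltration confirmed Mar 4, reported Mar 5 10:00.
    # Counted from confirmation that is 19 hours; counted from discovery it is 73.
    Incident("INC-A", discovered=datetime(2026, 3, 2, 9, tzinfo=UTC),
             confirmed=datetime(2026, 3, 4, 15, tzinfo=UTC),
             reported=datetime(2026, 3, 5, 10, tzinfo=UTC),
             images_preserved=True,
             image_retention_until=datetime(2026, 12, 31, tzinfo=UTC)),
    # Reported on time, but the evidence store purges before the hold closes
    # and the dropper has not been sent to DC3.
    Incident("INC-B", discovered=datetime(2026, 3, 10, 8, tzinfo=UTC),
             reported=datetime(2026, 3, 11, 8, tzinfo=UTC),
             images_preserved=True,
             image_retention_until=datetime(2026, 5, 1, tzinfo=UTC),
             malware_found=True),
    # Discovered, still inside the 72-hour window, nothing reported yet.
    Incident("INC-C", discovered=datetime(2026, 3, 20, 12, tzinfo=UTC)),
]
NOW_FOR_DEMO = datetime(2026, 3, 21, 12, tzinfo=UTC)  # assumed "current time" for the demo


def run_samples(now: datetime) -> dict[str, list[str]]:
    return {inc.ident: evaluate(inc, now) for inc in SAMPLE_INCIDENTS}


if __name__ == "__main__":
    for ident, findings in run_samples(NOW_FOR_DEMO).items():
        print(ident, findings or ["ok"])
```

The INC-A record is the case the article warns about: a team that starts its clock at confirmation believes it reported with two days to spare, while the clause puts it an hour late. In practice the record should be fed from the ticketing system’s first-detection timestamp, not from a field an analyst fills in after triage.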

Cloud Computing Services and FedRAMP Moderate Equivalency

Paragraph (b)(2)(ii)(D) of DFARS 252.204-7012 requires that if the contractor uses an external cloud service provider to store, process, or transmit Covered Defense Information in performance of the contract, the contractor must require and ensure that the provider meets security requirements equivalent to the FedRAMP Moderate baseline and complies with paragraphs (c) through (g) of the clause: cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment for forensic analysis, and cyber incident damage assessment. The requirement applies to any external cloud service in the performance chain, whether selected by the prime contractor or by a subcontractor.

FedRAMP Moderate equivalency is more demanding than it sounds. The cloud service provider must implement the controls equivalent to the FedRAMP Moderate Rev 5 baseline (approximately 323 controls drawn from NIST SP 800-53 Revision 5 with FedRAMP additions; 325 was the Rev 4 figure and persists in older guidance), and the contractor must obtain documentation supporting the equivalency. The cleanest path is to use a cloud service provider with an existing FedRAMP Moderate authorization. The harder path is using a non-FedRAMP cloud service and producing equivalency documentation, which requires independent assessment against the same control set the FedRAMP Moderate baseline measures.

DoD’s guidance on what “equivalent” means is the DoD CIO memorandum of December 21, 2023, “Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider’s Cloud Service Offerings,” which requires the cloud service offering to implement 100 percent of the FedRAMP Moderate baseline, as assessed by a FedRAMP-recognized Third Party Assessment Organization, with a body of evidence (System Security Plan, assessment report, and related artifacts) available to the contractor and to DoD. DFARS 252.239-7010 is a different case: it governs cloud services a contractor provides to DoD and invokes the DoD Cloud Computing Security Requirements Guide rather than equivalency. The most common DFARS 7012 finding under paragraph (b)(2)(ii)(D) is that the contractor selected a Software-as-a-Service product without verifying FedRAMP Moderate authorization status, then could not produce equivalency documentation when asked. The verification step belongs in the procurement workflow, not the audit response workflow.

Subcontractor Flow-Down Under Paragraph (m)

Paragraph (m) of DFARS 252.204-7012 requires the contractor to “include this clause…for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial products or commercial services, without alteration.” “Operationally critical support” is defined verbatim in paragraph (a) as supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation. This is a logistics term, not a reference to industrial control or operational technology environments. Flow-down is not optional and is not limited by tier. The obligation flows through prime to first-tier subcontractor to lower-tier subcontractor wherever Covered Defense Information moves or wherever the subcontractor provides operationally critical support.

Paragraph (m)(1) requires the contractor to determine whether the information a subcontractor needs for performance retains its identity as Covered Defense Information and therefore requires protection under the clause, consulting the Contracting Officer if necessary. Paragraph (m)(2) requires subcontractors to notify the prime (or next higher tier) when they ask DoD to vary from a NIST SP 800-171 requirement, and, because the flowed-down clause obliges the subcontractor to report cyber incidents directly to DoD at dibnet.dod.mil, to provide the prime with the DoD-assigned incident report number as soon as practicable. The prime does not report on the subcontractor’s behalf, but it needs that notice quickly: the same incident may touch Covered Defense Information on the prime’s own systems, and the prime’s own 72-hour clock starts when the prime discovers that.

Common failures: prime contractors incorporating the clause by reference without confirming subcontractor capability; primes treating flow-down as a contracting formality rather than an operational requirement; subcontractors failing to maintain SSPs or POA&Ms; primes lacking visibility into whether their CUI-handling subcontractors hold a medium assurance certificate and can actually report to dibnet.dod.mil and pass the incident report number up the chain. Each of these failures is identifiable in a contractor’s compliance documentation before an incident occurs.

The Relationship to CMMC 2.0

CMMC 2.0 under DFARS 252.204-7021 verifies the controls that DFARS 252.204-7012 requires. The two clauses operate together rather than as alternatives.

Function
  DFARS 252.204-7012: Operational cybersecurity clause
  DFARS 252.204-7021 (CMMC): Assessment and certification clause

Standard
  7012: NIST SP 800-171 Rev 2 (110 requirements)
  7021: CMMC Level 1, 2, or 3 as the solicitation specifies

Verification
  7012: Self-assessment with SPRS score (legacy, under -7019/-7020) or CMMC under 7021
  7021: Level 1 annual self-assessment; Level 2 self-assessment or C3PAO certification as the solicitation specifies; Level 3 DIBCAC assessment

Cyber incident reporting
  7012: 72 hours from discovery to dibnet.dod.mil
  7021: No incident reporting requirement

Cloud equivalency
  7012: FedRAMP Moderate equivalency required for external cloud holding Covered Defense Information
  7021: Inherited from 7012; CMMC does not change the cloud requirement

Subcontractor flow-down
  7012: Paragraph (m); flows unaltered to subs providing operationally critical support or handling Covered Defense Information
  7021: Flows to subs at the CMMC level the flowed-down work requires

Effective when
  7012: In DoD solicitations and contracts since November 2013 (prescribed at DFARS 204.7304; COTS-only acquisitions excepted)
  7021: In contracts citing 7021 from November 10, 2025 forward, with phased implementation
Bottom Line Up Front

CMMC certification under DFARS 7021 does not eliminate any DFARS 7012 obligation. The 72-hour incident reporting clock, the 90-day media preservation, the malicious software submission to DC3, the FedRAMP Moderate cloud equivalency, and the subcontractor flow-down all remain in force regardless of CMMC level. Contractors that decommission 7012 compliance infrastructure after achieving CMMC certification create False Claims Act exposure with no offsetting benefit.

Common Misconceptions

Three patterns recur in DFARS 7012 compliance failures, all rooted in misreading the clause architecture.

“CMMC replaces 7012.” It does not. CMMC under DFARS 7021 is the assessment clause that verifies adequate security under 7012. The cyber incident reporting, media preservation, malicious software submission, and cloud equivalency requirements in 7012 are not subsumed by CMMC. A contractor with a CMMC Level 2 certification still must report cyber incidents within 72 hours, preserve images and monitoring data for 90 days, submit malicious software to DC3, and flow the 7012 clause to subcontractors providing operationally critical support or handling Covered Defense Information. Scoping decisions such as a CUI enclave versus a full GCC High tenant determine which systems sit inside the boundary 7012 governs; they do not change what 7012 requires of the systems inside it.

“NIST 800-171 Revision 3 is the new standard.” It is not, for DFARS 7012 purposes. DoD has explicitly not adopted Revision 3 for 7012 compliance. SPRS scoring, CMMC Level 2 assessments, and 7012 self-assessments all run against Revision 2 through 2026 and into 2027 at minimum. Contractors that implement Revision 3 ahead of DoD adoption may well end up with stronger security, but they must still document and evidence their implementation against the Revision 2 requirement statements and the NIST SP 800-171A assessment objectives, because that is what assessors score; an SSP written only in Revision 3 terms forces the assessor to do the mapping and invites findings.

“FedRAMP Moderate equivalency is satisfied by any reputable cloud provider.” It is not. Equivalency requires implementation of the FedRAMP Moderate baseline and documentation supporting the equivalency claim. The cleanest path is using a FedRAMP Moderate-authorized cloud service. The harder path requires independent assessment of the non-FedRAMP cloud service against the same control set. A SOC 2 Type II report does not establish FedRAMP Moderate equivalency; the control sets are different.

DFARS 252.204-7012 is the operational backbone of defense contractor cybersecurity compliance. CMMC certification is the verification overlay. Contractors that treat the clauses as interchangeable build compliance programs that produce both 7012 violations and CMMC findings simultaneously. Contractors that treat them as a system, 7012 as the operating standard and CMMC as the assessment, pass audits and survive incidents. The 72-hour clock, the 90-day media hold, the FedRAMP Moderate cloud requirement, and the subcontractor flow-down are not negotiated away by any CMMC level. They are the floor.

Frequently Asked Questions

What does DFARS 252.204-7012 require?

DFARS 252.204-7012 requires defense contractors handling Covered Defense Information to implement adequate security per NIST SP 800-171 (Revision 2 is the operative baseline under current DoD policy and DFARS PGI; the clause text itself does not specify a revision number, requiring implementation “as soon as practical, but not later than December 31, 2017”). Contractors must report cyber incidents to the Department of Defense within 72 hours via dibnet.dod.mil, preserve affected media for 90 days, submit malicious software to the DoD Cyber Crime Center, ensure cloud computing services meet FedRAMP Moderate equivalency, and flow the clause to subcontractors providing operationally critical support or handling Covered Defense Information.

Does CMMC 2.0 replace DFARS 7012 compliance?

No. DFARS 252.204-7021 (the CMMC clause) is the assessment regime that verifies the controls DFARS 252.204-7012 has required since November 2013. The 72-hour incident reporting, 90-day media preservation, malicious software submission, FedRAMP Moderate cloud equivalency, and subcontractor flow-down requirements in 7012 remain in force regardless of CMMC level.

Is NIST 800-171 Revision 2 or Revision 3 the standard for DFARS 7012?

Revision 2. The Department of Defense has explicitly not adopted Revision 3 for DFARS 7012 enforcement. SPRS scoring, CMMC Level 2 assessments, and 7012 self-assessments all run against Revision 2 through 2026 and into 2027 at minimum. The DoD Assessment Methodology v1.2.1 is calibrated to Revision 2 control statements.

What changed under the February 2026 DFARS class deviations?

Industry reporting suggests that a February 1, 2026 DFARS class deviation suppressed -7019 for new prime contracts and routed pre-award assessment obligations through CMMC under DFARS 252.204-7021. As of May 2026, both DFARS -7019 and -7020 remain listed as active in the codified DFARS at acquisition.gov; whether they appear in a given new award depends on the deviation, which should be verified against the OSD memo at acq.osd.mil or the Federal Register. Reports of a renumbering to “DFARS 252.240-7997” are not supported by a primary source; no such clause or subpart appears in the codified DFARS Part 252, and since class deviation clauses are published in the deviation memo rather than the codified text, the memo is the place to check. DFARS 7012 itself was unchanged by the deviation regardless. Contractors should confirm that the clauses cited in each solicitation match the current published text at acquisition.gov and any applicable deviation.

What does the 72-hour cyber incident reporting clock require?

DFARS 7012 paragraph (c) requires the contractor to report cyber incidents to DoD via dibnet.dod.mil within 72 hours of discovery. The reporting requires a medium assurance certificate to access the portal. The clause defines a cyber incident broadly to include actions with potential adverse effect, not only confirmed breaches. The clock starts at discovery, not at confirmation.

How does FedRAMP Moderate equivalency work for cloud services?

DFARS 7012 paragraph (b)(2)(ii)(D) requires cloud services storing, processing, or transmitting Covered Defense Information to meet FedRAMP Moderate equivalency. The cleanest path is using a cloud service with an existing FedRAMP Moderate authorization. The harder path requires independent assessment of a non-FedRAMP cloud service against the FedRAMP Moderate Rev 5 baseline (approximately 323 controls drawn from NIST SP 800-53 Rev 5 with FedRAMP additions). A SOC 2 Type II report does not satisfy this requirement.

What does subcontractor flow-down under paragraph (m) require?

Paragraph (m) requires the prime contractor to include DFARS 7012 without alteration in subcontracts that involve operationally critical support or in which subcontract performance will involve Covered Defense Information, regardless of subcontractor tier. “Operationally critical support” is defined in paragraph (a) as supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation, or logistical support essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation. The prime must determine whether the information the subcontractor needs retains its identity as Covered Defense Information and flow the clause accordingly. Under the flowed-down clause, subcontractors report cyber incidents directly to DoD at dibnet.dod.mil within their own 72-hour window and must provide the DoD-assigned incident report number to the prime as soon as practicable; the prime reports separately, within its own 72 hours, for any incident affecting its own covered systems.

Does a CMMC Level 2 certification eliminate the 7012 cyber incident reporting requirement?

No. CMMC certification verifies that the contractor has implemented the controls; it does not change operational obligations like the 72-hour cyber incident reporting clock, the 90-day media preservation requirement, or the malicious software submission to the DoD Cyber Crime Center. These obligations under DFARS 7012 are independent of CMMC level and remain in force throughout the contract performance period.


Josef Kamara, CPA, CISSP, CISA, Security+
CPA · CISSP · CISA · ACCA · Security+ · MBA

15+ years in Technology Risk Consulting, External and Internal Audit across KPMG (Financial Audit), BDO (Third-Party Risk Management Practice Lead), and Stryker (Head of SOX IT Audit). Founded The Audit Defense Library in 2024 after 50+ SOC 1, SOC 2, HITRUST, and HIPAA attestation engagements plus multiple SOX and IT assurance projects.
