DFARS 252.204-7012: The Cybersecurity Clause Every Defense Contractor Must Understand

Updated May 2, 2026

Bottom Line Up Front

DFARS 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting") requires defense contractors handling Covered Defense Information to implement adequate security per NIST Special Publication 800-171 Revision 2 (110 controls), report cyber incidents to the Department of Defense within 72 hours via dibnet.dod.mil, preserve affected media for 90 days, submit malicious software to the DoD Cyber Crime Center, ensure cloud computing services meet FedRAMP Moderate equivalency, and flow the clause to subcontractors handling Covered Defense Information. CMMC under DFARS 252.204-7021 verifies these controls; it does not replace them.

The defense contractor’s general counsel forwards two documents on a Tuesday morning. The first is the new DoD contract referencing Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, the Cybersecurity Maturity Model Certification (CMMC) clause. The second is a memo from the cybersecurity team asking whether DFARS 252.204-7012 still applies now that CMMC is in place. The answer is yes, and the contractor that does not understand why is building a compliance program with a hole in the middle.

DFARS 252.204-7012 has been in force since November 2013. It survived the original CMMC framework. It survived CMMC 2.0. It survived the February 2026 class deviations under the Federal Acquisition Regulation Overhaul that deleted DFARS 7019 and renumbered 7020. It is the operational cybersecurity clause for every defense contract that handles Covered Defense Information. CMMC under DFARS 252.204-7021 is the assessment clause that verifies the controls 7012 has been requiring all along. The two clauses are complementary, not redundant.

The contractors that end up on the wrong side of False Claims Act enforcement tend to treat the two clauses as interchangeable. The contractors that survive treat them as a system: 7012 specifies what to do, 7021 verifies that you did it.

The Clause Architecture as of April 2026

DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” remains in force as written. The full clause text is published at acquisition.gov. The cybersecurity obligation is anchored to NIST Special Publication 800-171 Revision 2. The 72-hour cyber incident reporting requirement to DoD via dibnet.dod.mil is intact. The cloud computing services equivalency to FedRAMP Moderate baseline is intact. The subcontractor flow-down requirement in paragraph (m) is intact.

What changed in February 2026 was a set of class deviations under the Federal Acquisition Regulation Overhaul that reshaped the DFARS clauses adjacent to 7012. DFARS 252.204-7019, which required contractors to post Supplier Performance Risk System (SPRS) self-assessment scores before award, was deleted. DFARS 252.204-7020 was renumbered to 252.204-7997 and updated. Assessment obligations now flow primarily through CMMC under DFARS 252.204-7021 rather than through stand-alone SPRS submission requirements. The cybersecurity clause, 7012, was unchanged.

The CMMC 2.0 Final Rule under 32 CFR Part 170 became effective December 16, 2024. The companion DFARS 252.204-7021 acquisition clause, codified at 48 CFR, was finalized in 2025 with the integrating final rule taking effect November 10, 2025. Phased implementation continues through 2026. New contracts containing DFARS 252.204-7021 require CMMC certification at the level specified in the solicitation as a condition of award.

DFARS 7012 Is Operational; DFARS 7021 Is Assessment

The structural distinction matters. DFARS 252.204-7012 specifies the cybersecurity obligations: implement adequate security, report incidents, preserve media, ensure cloud equivalency, flow the clause to subcontractors. DFARS 252.204-7021 specifies the assessment regime: hold a CMMC certification at the required level before award, established by a Certified Third-Party Assessment Organization (C3PAO) for prioritized Level 2, by DCMA's DIBCAC for Level 3, or by self-assessment for Level 1 and non-prioritized Level 2, as the solicitation specifies. The contractor's adequate security under 7012 is what the assessor measures under 7021. They are not redundant: 7012 carries the operational requirements that exist regardless of CMMC level, including the 72-hour incident reporting clock that no CMMC certification removes.

Adequate Security: NIST 800-171 Revision 2, Not Revision 3

DFARS 252.204-7012 paragraph (b)(2)(ii)(A) defines adequate security by reference to NIST SP 800-171, and DoD Class Deviation 2024-O0013 pins that reference to Revision 2 in its entirety: all 110 security requirements across 14 control families (Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity). None of the 110 controls is optional under 7012; a control that is not implemented must appear in the plan of action, not be omitted.

NIST published Revision 3 in May 2024. The Department of Defense has explicitly not adopted Revision 3 for DFARS 7012 enforcement; Class Deviation 2024-O0013, issued the same month, directs contractors to Revision 2 until further notice. SPRS scoring, CMMC Level 2 assessments, and 7012 compliance all run against Revision 2. The reasons are operational: the NIST SP 800-171 DoD Assessment Methodology v1.2.1, the SPRS scoring algorithm, and the C3PAO assessment process were all calibrated to Revision 2 control statements and assessment objectives. Migration to Revision 3 would require recalibration across the entire defense industrial base.

Contractors should expect Revision 2 to remain the operational standard through 2026 and into 2027 at minimum. Discussion of the differences between Revision 2 and Revision 3 and the projected adoption timeline is covered in detail separately. For DFARS 7012 compliance today, the answer is Revision 2.

The System Security Plan and Plan of Action

Adequate security under 7012 requires more than implementing controls. NIST SP 800-171 Revision 2 control 3.12.4 requires a System Security Plan (SSP) describing the system boundary, environment of operation, security requirement implementation status, and relationships with other systems. Control 3.12.2 requires a Plan of Action and Milestones (POA&M) for any control not fully implemented at the time of self-assessment. The SSP and POA&M are the artifacts assessors review first. Generic vendor-template language without specific implementation detail produces immediate findings under both 7012 self-assessment and CMMC assessment regimes.

Cyber Incident Reporting: The 72-Hour Clock

Paragraph (c) of DFARS 252.204-7012 requires the contractor to "rapidly report" cyber incidents to the Department of Defense, and paragraph (a) defines rapidly report as within 72 hours of discovery. Before reporting, paragraph (c)(1) requires the contractor to review its systems for evidence of compromise of Covered Defense Information, including identifying the compromised computers, servers, and user accounts and the specific CDI affected, so the report carries substance rather than a placeholder. The reporting destination is dibnet.dod.mil. The contractor must hold a DoD-approved medium assurance certificate to access the reporting portal. Acquiring the certificate after an incident occurs is too late.

The clause defines a cyber incident in paragraph (a) as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. The definition is broader than a confirmed breach. It includes events with potential adverse effect, which captures suspected intrusions and anomalous activity that warrants investigation as well as confirmed compromises. The 72-hour clock starts at discovery, not at confirmation.

Media Preservation and Malicious Software Submission

Paragraph (e) requires the contractor to preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from submission of the cyber incident report, so that DoD can request the media or decline interest. Note the anchor: the 90 days run from the report, not from discovery, and the hold does not begin until a report exists. The preservation obligation runs in parallel with internal incident response. Rebuilding an affected host is permitted once its image has been captured; destroying the preserved images, logs, or packet captures before the 90-day period closes, even after restoring from clean backups, violates the clause. Paragraph (d) requires that malicious software discovered and isolated in connection with a reported incident be submitted to the DoD Cyber Crime Center (DC3) according to DC3's instructions, and explicitly not to the Contracting Officer. Contractors should pre-establish DC3 submission procedures rather than improvise during an active incident.

The audit fix. Establish the cyber incident reporting infrastructure before an incident occurs. Acquire the medium assurance certificate from an approved external certificate authority. Document the dibnet.dod.mil reporting workflow with named personnel and backup contacts. Build a 90-day media preservation procedure into the incident response plan. Pre-establish DoD Cyber Crime Center submission procedures for malicious software. Test the workflow during a tabletop exercise. The 72-hour clock is the wrong time to discover that the medium assurance certificate is in the wrong contractor’s name.
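The two clocks above are easy to conflate in a runbook, so here is a small tracker, added for this article rather than taken from the clause or any DoD tool, that encodes them separately: the 72-hour report window anchored to discovery, and the 90-day preservation hold anchored to report submission. It refuses naive timestamps (a clock tracked in mixed local times is how deadlines get missed by a few hours) and flags evidence destroyed inside the hold or before any report was filed. The incident timeline, system names and report number are constructed sample data.

```python
"""Incident clock checker for DFARS 252.204-7012 paragraphs (c) and (e).

Added example for this article; not code from DoD or from the clause.
Two clocks, two different anchors:
  (c) report to DoD via dibnet.dod.mil within 72 hours of DISCOVERY
  (e) preserve images and monitoring/packet-capture data for at least
      90 days from SUBMISSION of the cyber incident report
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

REPORT_WINDOW = timedelta(hours=72)      # (a): "rapidly report" = 72 h from discovery
PRESERVATION_HOLD = timedelta(days=90)   # (e): "at least 90 days from the submission"


def _aware(dt: datetime, label: str) -> datetime:
    """Reject naive timestamps and normalize to UTC."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware")
    return dt.astimezone(timezone.utc)


@dataclass
class Incident:
    discovered_at: datetime
    reported_at: Optional[datetime] = None      # DIBNet submission time, if filed
    dod_report_number: Optional[str] = None     # assigned by DoD on submission
    affected_systems: List[str] = field(default_factory=list)
    # system -> when its preserved image / capture data was destroyed
    evidence_destroyed_at: Dict[str, datetime] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.discovered_at = _aware(self.discovered_at, "discovered_at")
        if self.reported_at is not None:
            self.reported_at = _aware(self.reported_at, "reported_at")
            if self.reported_at < self.discovered_at:
                raise ValueError("reported_at precedes discovered_at")
        self.evidence_destroyed_at = {
            s: _aware(t, f"evidence_destroyed_at[{s}]")
            for s, t in self.evidence_destroyed_at.items()
        }

    def report_deadline(self) -> datetime:
        return self.discovered_at + REPORT_WINDOW

    def preservation_until(self) -> Optional[datetime]:
        """None until a report is filed: the hold has not started yet."""
        if self.reported_at is None:
            return None
        return self.reported_at + PRESERVATION_HOLD


def report_status(inc: Incident, now: Optional[datetime] = None) -> str:
    """'on_time' / 'late' once filed; 'open' / 'overdue' while unfiled."""
    if inc.reported_at is not None:
        return "on_time" if inc.reported_at <= inc.report_deadline() else "late"
    now = _aware(now or datetime.now(timezone.utc), "now")
    return "open" if now <= inc.report_deadline() else "overdue"


def hours_remaining(inc: Incident, now: datetime) -> float:
    """Hours left on the 72-hour clock; negative once it has expired."""
    return (inc.report_deadline() - _aware(now, "now")) / timedelta(hours=1)


def preservation_violations(inc: Incident) -> List[Tuple[str, datetime]]:
    """Systems whose evidence was destroyed inside the hold, or before any
    report was filed (in which case the 90-day window never even opened)."""
    until = inc.preservation_until()
    return [
        (system, destroyed)
        for system, destroyed in sorted(inc.evidence_destroyed_at.items())
        if until is None or destroyed < until
    ]


# Constructed sample timeline (UTC); not a real incident or report number.
SAMPLE = Incident(
    discovered_at=datetime(2026, 3, 2, 14, 0, tzinfo=timezone.utc),
    reported_at=datetime(2026, 3, 4, 9, 30, tzinfo=timezone.utc),   # 43.5 h later
    dod_report_number="EXAMPLE-000000",
    affected_systems=["fileserver-01", "build-07"],
    evidence_destroyed_at={
        "fileserver-01": datetime(2026, 4, 15, 8, 0, tzinfo=timezone.utc),  # inside hold
        "build-07": datetime(2026, 6, 3, 8, 0, tzinfo=timezone.utc),        # hold ended 2026-06-02
    },
)

if __name__ == "__main__":
    print("report:", report_status(SAMPLE), "deadline:", SAMPLE.report_deadline())
    print("hold until:", SAMPLE.preservation_until())
    for system, when in preservation_violations(SAMPLE):
        print(f"VIOLATION: {system} evidence destroyed {when} inside the hold")
```

Run against a real timeline, the interesting output is the hold end date: a team that wipes forensic images "after the incident closed" in week six has violated paragraph (e) even though the report was filed on time.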

Cloud Computing Services and FedRAMP Moderate Equivalency

Paragraph (b)(2)(ii)(D) of DFARS 252.204-7012 requires that any external cloud computing service used to store, process, or transmit Covered Defense Information meet security requirements equivalent to the FedRAMP Moderate baseline, and that the cloud service provider comply with the clause's own incident reporting, malicious software, media preservation, and forensic access paragraphs. The requirement applies whether the cloud service is selected by the prime contractor, a subcontractor, or a third party the contractor uses to deliver on the contract. A cloud service the contractor operates on behalf of the Government falls instead under paragraph (b)(2)(i) and DFARS 252.239-7010.

FedRAMP Moderate equivalency is more demanding than it sounds. The cloud service provider must implement the controls of the FedRAMP Moderate baseline (323 controls from NIST SP 800-53 Revision 5 under FedRAMP Rev. 5), and the contractor must obtain documentation supporting the equivalency. DoD CIO's December 2023 equivalency memorandum describes that documentation as a body of evidence assessed by a FedRAMP-recognized third-party assessment organization (system security plan, assessment plan and report, plan of action and milestones, and continuous monitoring artifacts) covering the full Moderate baseline. The cleanest path is to use a cloud service provider with an existing FedRAMP Moderate authorization. The harder path is using a non-FedRAMP cloud service and producing that body of evidence, which means an independent assessment against the same control set the FedRAMP Moderate baseline measures.

The DoD has issued guidance through DFARS 252.239-7010 and PGI 204.7303 on documenting cloud equivalency. The most common DFARS 7012 finding under this paragraph is that the contractor selected a Software-as-a-Service product without verifying FedRAMP Moderate authorization status, then could not produce equivalency documentation when asked. The verification step belongs in the procurement workflow, not the audit response workflow.

Subcontractor Flow-Down Under Paragraph (m)

Paragraph (m) of DFARS 252.204-7012 requires the contractor to include the clause, including paragraph (m) itself and without alteration except to identify the parties, in subcontracts for operationally critical support or in which subcontract performance will involve Covered Defense Information, commercial item subcontracts included. Flow-down is not optional and is not limited by tier. The obligation flows from prime to first-tier subcontractor to lower-tier subcontractor wherever Covered Defense Information moves.

The clause requires the contractor to determine whether the information a subcontractor needs retains its identity as Covered Defense Information and therefore requires protection under the clause, consulting the Contracting Officer if necessary. Paragraph (m)(2) requires the subcontractor to notify the prime (or next higher-tier subcontractor) when it asks the Contracting Officer for a variance from a NIST SP 800-171 requirement, and to provide the DoD-assigned incident report number to the prime as soon as practicable when it reports a cyber incident. The subcontractor reports to DoD directly via dibnet.dod.mil under its own 72-hour clock; the prime does not file on its behalf. The prime still has its own 72-hour clock for any incident that touches its own covered contractor information systems, so it needs the subcontractor's notification well inside 72 hours, not merely the report number after the fact.

Common failures: prime contractors incorporating the clause by reference without confirming subcontractor capability; primes treating flow-down as a contracting formality rather than an operational requirement; subcontractors failing to maintain SSPs or POA&Ms; primes lacking visibility into the cyber incident reporting capability of their CUI-handling subcontractors. Each of these failures is identifiable in a contractor’s compliance documentation before an incident occurs.

The Relationship to CMMC 2.0

CMMC 2.0 under DFARS 252.204-7021 verifies the controls that DFARS 252.204-7012 requires. The two clauses operate together rather than as alternatives.

Dimension | DFARS 252.204-7012 | DFARS 252.204-7021 (CMMC)
--- | --- | ---
Function | Operational cybersecurity clause | Assessment and certification clause
Standard | NIST SP 800-171 Rev 2 (110 controls) | CMMC Level 1, 2, or 3 as specified in the contract
Verification | Self-assessment with SPRS reporting (legacy) or CMMC under 7021 | Self-assessment for Level 1 and non-prioritized Level 2; C3PAO assessment for prioritized Level 2; DCMA DIBCAC assessment for Level 3
Cyber incident reporting | 72 hours to dibnet.dod.mil | No incident reporting requirement of its own
Cloud equivalency | FedRAMP Moderate equivalent required | Inherited from 7012; CMMC does not change the cloud requirement
Subcontractor flow-down | Paragraph (m); flows to all subcontractors handling Covered Defense Information | Flows at the CMMC level required for the information the subcontractor handles
Effective when | In every CUI-handling DoD contract since November 2013 | In contracts citing 7021 from November 10, 2025 forward, with phased implementation

Bottom Line Up Front

CMMC certification under DFARS 7021 does not eliminate any DFARS 7012 obligation. The 72-hour incident reporting clock, the 90-day media preservation, the malicious software submission to DC3, the FedRAMP Moderate cloud equivalency, and the subcontractor flow-down all remain in force regardless of CMMC level. Contractors that decommission 7012 compliance infrastructure after achieving CMMC certification create False Claims Act exposure with no offsetting benefit.

Common Misconceptions

Three patterns recur in DFARS 7012 compliance failures, all rooted in misreading the clause architecture.

“CMMC replaces 7012.” It does not. CMMC under DFARS 7021 is the assessment clause that verifies adequate security under 7012. The cyber incident reporting, media preservation, malicious software submission, and cloud equivalency requirements in 7012 are not subsumed by CMMC. A contractor with a CMMC Level 2 certification still must report cyber incidents within 72 hours, preserve media for 90 days, submit malicious software to DC3, and flow the 7012 clause to subcontractors handling Covered Defense Information.

“NIST 800-171 Revision 3 is the new standard.” It is not, for DFARS 7012 purposes. DoD has explicitly not adopted Revision 3 for 7012 compliance. SPRS scoring, CMMC Level 2 assessments, and 7012 self-assessments all run against Revision 2 through 2026 and into 2027 at minimum. Contractors that retool to Revision 3 ahead of DoD adoption may produce defensible cybersecurity, but an SSP, POA&M, and evidence set organized around Revision 3 identifiers and tailoring will not map cleanly onto assessments scored against Revision 2 control statements and assessment objectives.

“FedRAMP Moderate equivalency is satisfied by any reputable cloud provider.” It is not. Equivalency requires implementation of the FedRAMP Moderate baseline and documentation supporting the equivalency claim. The cleanest path is using a FedRAMP Moderate-authorized cloud service. The harder path requires independent assessment of the non-FedRAMP cloud service against the same control set. A SOC 2 Type II report does not establish FedRAMP Moderate equivalency; the control sets are different.

DFARS 252.204-7012 is the operational backbone of defense contractor cybersecurity compliance. CMMC certification is the verification overlay. Contractors that treat the clauses as interchangeable build compliance programs that produce both 7012 violations and CMMC findings simultaneously. Contractors that treat them as a system, 7012 as the operating standard and CMMC as the assessment, pass audits and survive incidents. The 72-hour clock, the 90-day media hold, the FedRAMP Moderate cloud requirement, and the subcontractor flow-down are not negotiated away by any CMMC level. They are the floor.

Frequently Asked Questions

What does DFARS 252.204-7012 require?

DFARS 252.204-7012 requires defense contractors handling Covered Defense Information to implement adequate security per NIST SP 800-171 Revision 2 (110 controls), report cyber incidents to the Department of Defense within 72 hours via dibnet.dod.mil, preserve affected media for 90 days, submit malicious software to the DoD Cyber Crime Center, ensure cloud computing services meet FedRAMP Moderate equivalency, and flow the clause to subcontractors handling Covered Defense Information.

Does CMMC 2.0 replace DFARS 7012 compliance?

No. DFARS 252.204-7021 (the CMMC clause) is the assessment regime that verifies the controls DFARS 252.204-7012 has required since November 2013. The 72-hour incident reporting, 90-day media preservation, malicious software submission, FedRAMP Moderate cloud equivalency, and subcontractor flow-down requirements in 7012 remain in force regardless of CMMC level.

Is NIST 800-171 Revision 2 or Revision 3 the standard for DFARS 7012?

Revision 2. The Department of Defense has explicitly not adopted Revision 3 for DFARS 7012 enforcement. SPRS scoring, CMMC Level 2 assessments, and 7012 self-assessments all run against Revision 2 through 2026 and into 2027 at minimum. The DoD Assessment Methodology v1.2.1 is calibrated to Revision 2 control statements.

What changed under the February 2026 DFARS class deviations?

The February 2026 class deviations under the Federal Acquisition Regulation Overhaul deleted DFARS 252.204-7019, renumbered 7020 to 7997, and routed assessment obligations primarily through CMMC under DFARS 7021. DFARS 7012 itself was unchanged. Contractors should review their compliance documentation to confirm references to deleted clauses are updated, but the cybersecurity obligation under 7012 continues as written.

What does the 72-hour cyber incident reporting clock require?

DFARS 7012 paragraph (c) requires the contractor to report cyber incidents to DoD via dibnet.dod.mil within 72 hours of discovery. The reporting requires a medium assurance certificate to access the portal. The clause defines a cyber incident broadly to include actions with potential adverse effect, not only confirmed breaches. The clock starts at discovery, not at confirmation.

How does FedRAMP Moderate equivalency work for cloud services?

DFARS 7012 paragraph (b)(2)(ii)(D) requires external cloud services storing, processing, or transmitting Covered Defense Information to meet FedRAMP Moderate equivalency. The cleanest path is using a cloud service with an existing FedRAMP Moderate authorization. The harder path requires independent assessment of a non-FedRAMP cloud service against the FedRAMP Moderate baseline (323 controls from NIST SP 800-53 Rev 5 under FedRAMP Rev. 5) and a body of evidence documenting the result. A SOC 2 Type II report does not satisfy this requirement.

What does subcontractor flow-down under paragraph (m) require?

Paragraph (m) requires the prime contractor to include DFARS 7012, without alteration except to identify the parties, in subcontracts for operationally critical support or in which Covered Defense Information will be stored, processed, or transmitted, regardless of subcontractor tier. The prime must determine whether the information the subcontractor needs retains its identity as Covered Defense Information and consult the Contracting Officer if necessary. Subcontractors report cyber incidents to DoD directly via dibnet.dod.mil within 72 hours of discovery and provide the DoD-assigned report number to the prime as soon as practicable; the prime separately meets its own 72-hour window for incidents affecting its own systems.

Does a CMMC Level 2 certification eliminate the 7012 cyber incident reporting requirement?

No. CMMC certification verifies that the contractor has implemented the controls; it does not change operational obligations like the 72-hour cyber incident reporting clock, the 90-day media preservation requirement, or the malicious software submission to the DoD Cyber Crime Center. These obligations under DFARS 7012 are independent of CMMC level and remain in force throughout the contract performance period.

Josef Kamara, CPA, CISSP, CISA, Security+
Former KPMG and BDO. Senior manager over third-party risk attestations and IT audits at a top-five global firm, and former technology risk leader directing the IT audit function at a Fortune 500 medical technology company. Advises growth-stage SaaS companies on SOC 2, HIPAA, and AI governance certifications.
