CMMC

Josef Kamara, CPA, CISSP, CISA · Updated May 2, 2026 · 1 minute read

DFARS 252.204-7012

The Defense Federal Acquisition Regulation Supplement clause that requires defense contractors to provide adequate security on covered contractor information systems and to report cyber incidents to the DoD within 72 hours via DIBNet. The clause has been in force since December 31, 2017 and is the legal predicate for both NIST SP 800-171 implementation and the newer CMMC certification requirement under DFARS 252.204-7021.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.