Safeguarding Covered Defense Information and Cyber Incident Reporting
Effective: December 31, 2017
DFARS 252.204-7012 requires DoD contractors that handle Covered Defense Information (CDI) to implement the security requirements of NIST SP 800-171, report cyber incidents to DoD within 72 hours via the DIBNet portal, and use FedRAMP Moderate (or equivalent) cloud services for CDI. It has been the contractual basis for NIST 800-171 across the defense industrial base since 2017.
Who must comply
Any DoD contractor or subcontractor at any tier whose information system processes, stores, or transmits Covered Defense Information.
What it requires
1. Provide "adequate security" by implementing the security requirements specified in NIST SP 800-171 on all covered contractor information systems.
2. Submit any deviations or non-implementations of 800-171 controls to the DoD CIO for adjudication.
3. Report cyber incidents that affect a covered contractor information system or CDI to DoD within 72 hours via the DIBNet portal.
4. Use cloud service providers that meet the FedRAMP Moderate baseline or equivalent for any CDI stored or processed in the cloud.
5. Preserve and protect images of all known affected information systems and all relevant monitoring/packet capture data for at least 90 days.
6. Flow the clause down to subcontractors at any tier when subcontractor performance will involve CDI.
Related clauses
- DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7019 requires offerors on DoD solicitations involving CUI to have a current NIST SP 800-171 self-assessment score posted in the Supplier Performance Risk System (SPRS) before they are eligible for award. The score must not be more than three years old at the time of the offer.
- DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020 is the contract clause companion to -7019: once awarded, the contractor must maintain a current NIST SP 800-171 assessment in SPRS, allow DoD access to verify it, and flow the requirement down to subcontractors that will handle CUI. It binds the obligation throughout contract performance, not just at offer.
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7021 is the contract clause that makes a current CMMC certification or self-assessment at the level specified in the contract a material condition of award and continued performance. It triggers the annual senior-official affirmation obligation under 32 CFR 170.22 and is the contractual hook that turns CMMC from a DoD policy into an enforceable requirement.
- DFARS 252.204-7008: Compliance with Safeguarding Covered Defense Information Controls
DFARS 252.204-7008 is the solicitation provision that requires offerors on DoD procurements involving Covered Defense Information to represent that, by submission of the offer, they will implement the security requirements of NIST SP 800-171 as required by DFARS 252.204-7012. It is the offer-stage companion that makes -7012 binding at award.