November 29, 2025
Travis Good

What Is DFARS 7012? The Definitive Guide for Defense Contractors

DFARS 252.204-7012 is the price of entry for DoD contractors. Learn the requirements for safeguarding CUI and CDI, and how DFARS differs from CMMC.

Everyone in the Defense Industrial Base is fixated on CMMC. But while staring at the horizon, many are ignoring the contract they’ve likely already signed: DFARS 252.204-7012.

The Defense Federal Acquisition Regulation Supplement (DFARS) is the rulebook for DoD procurement. Because defense work involves handling sensitive data such as Covered Defense Information (CDI) and Controlled Unclassified Information (CUI), the government requires specific cybersecurity safeguards and adequate security to be in place before your business can win contracts with the DoD.

DFARS 7012 is one of those cybersecurity requirements. It mandates that contractors protect CDI and CUI by implementing the 110 security controls of NIST SP 800-171. Even as the Cybersecurity Maturity Model Certification (CMMC) rolls out, DFARS 7012 remains a key part of defense contracts.

In this post, we explain what DFARS 7012 is, what it means, and who needs to comply.

What is DFARS 7012?

The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 is a contract clause mandating that any contractor handling Controlled Unclassified Information (CUI) or Covered Defense Information (CDI) must implement specific cybersecurity controls to protect that data.

DFARS 252.204-7012 came into effect in 2017. So if you’re a prime contractor or subcontractor with the Department of Defense (DoD) and you touch CUI or CDI, you’ll have the DFARS 7012 clause in your contract, meaning you must comply with the specified cybersecurity standards. Even if your contract isn’t directly with the DoD or a prime contractor, if you handle any CUI or CDI, DFARS will apply.

What Are the DFARS 7012 Requirements?

DFARS 7012 details several requirements for safeguarding CUI and CDI, including:

1. NIST SP 800-171 Implementation

The main DFARS 7012 security requirement is to implement the 110 security controls outlined in NIST (National Institute of Standards and Technology) SP 800-171. This includes requirements for Multifactor Authentication (MFA), FIPS-validated encryption, physical access controls, and incident response capabilities.

To achieve NIST SP 800-171 compliance, you must implement all 110 controls and meet the 320 assessment objectives that verify the controls are in place and working as expected. If you can’t meet a specific control, you must have a documented Plan of Action and Milestones (POAM) explaining exactly how and when you will fix it.

2. Cloud Service Providers Must Meet FedRAMP Standards

If you use a cloud service provider to store, process, or transmit Covered Defense Information, that provider must meet FedRAMP Moderate or Equivalent standards.

You cannot throw CUI into a standard commercial Dropbox, a free Trello board, or a basic Gmail account. Using non-compliant commercial cloud tools for defense data is an immediate breach of contract. You generally need to be looking at Government Community Cloud versions of these tools (like AWS GovCloud or Microsoft 365 GCC High).

Dig Deeper: Read our guide on CMMC vs FedRAMP.

3. Cyber Incident Reporting

Another part of DFARS 7012 relates to incident reporting. Any cybersecurity incident affecting CDI, or any system that houses or safeguards CDI, must be reported to the DoD Cyber Crime Center through official channels. There are also requirements to share access to servers and logs and to retain data for up to 90 days in case any follow-ups are required.

The service organization or contractor is also responsible for evaluating any security incidents to identify any systems, data, or hardware that may have been compromised.

Subcontractor Flowdown: Your Vendors Are Your Liability

Paragraph (m) of DFARS 7012 requires you to flow these requirements down to any subcontractor who touches CUI.

If you hire a dev shop to write code for a defense project, or a consultant to analyze data, and you send them CDI, they must also be DFARS 7012 compliant.

You are responsible for verifying the compliance of your supply chain before sharing data. If they are compromised and the data gets out, it is your problem. If you need help managing this web of vendors, automated third-party risk management tools can save you dozens of hours of manual follow-up.

DFARS 7012, NIST 800-171, and CMMC: What You Need to Know

Both DFARS 7012 and CMMC Level 2 (the level required if a service organization handles CUI on behalf of the DoD) require the implementation of the 110 controls within NIST SP 800-171. The main difference is that DFARS 7012 implementation can be self-attested by completing a Basic Assessment and submitting the results to the Supplier Performance Risk System (SPRS), whereas CMMC Level 2 can’t be achieved via a self-assessment and requires a formal assessment from a third-party assessor (C3PAO) certified by the CyberAB.

Every organization in the DIB will need to meet both DFARS 7012 and CMMC requirements now that the CMMC final rule is in place. Subcontractors will also need to meet the same requirements as prime contractors if CDI is shared as part of the contract.

The way I look at it is:

  • DFARS 7012 is the legal clause that mandates how you must safeguard CDI and CUI.
  • NIST 800-171 is how you safeguard the data (by implementing the 110 security controls).
  • CMMC Level 2 compliance verifies that you have the controls in place and working.

The Costs of DFARS 7012 to DoD Contractors

The cost of DFARS 252.204-7012 compliance varies widely. For organizations starting from little or no existing NIST implementation, the total cost (including internal labour, consultancy, and hardware upgrades) can run into the low six figures. For a large enterprise with thousands of employees and complex environments, the cost can extend into several hundred thousand dollars, or in some cases exceed $1m.

Thankfully, organizations won’t have to fork out twice to meet both DFARS 7012 and CMMC requirements. For a detailed breakdown of the financial commitment needed to meet CMMC compliance requirements, see our analysis of CMMC certification costs.

The DFARS 7012 compliance checklist

1. Scope the Data and Set the Boundary

Map exactly where CUI and CDI enter, flow, and rest within your systems. You cannot secure what you haven't located. Next, you’ll want to scope the boundary within your systems (known as a CUI enclave).

By doing this, you limit the scope of DFARS 7012 to a specific part of your system and company. The rest of your company can operate like a normal commercial business. If you don't tag your data and you let CUI bleed into your general Slack channels or email servers, suddenly your entire company is in scope.

For more on how to define these boundaries, check out our guide on CMMC scoping.

2. Choose the Right Tech Stack

Many contractors assume that complying with DFARS 7012 and CMMC requires a total migration to Microsoft GCC High. But for many organizations, there are faster, less disruptive ways to secure CUI. You must verify that your chosen platform(s):

  • Uses FIPS 140-2 validated encryption modules.
  • Meets the incident reporting requirements of DFARS 7012, paragraphs (c) through (g).
  • Achieves FedRAMP Moderate equivalency or higher.

If you aren't sure which tech stack fits your budget and compliance level, our virtual CISOs (vCISO) often help companies evaluate their architecture to avoid overspending on enterprise-grade government clouds they don't actually need.

3. Automate Your Documentation

To pass an assessment or defensibly self-attest to DFARS 7012 standards, you need detailed, evidence-based documentation explaining exactly how you address every security control. This centers on your System Security Plan (SSP) and Plan of Action and Milestones (POAM).

Writing an SSP from scratch is a massive drain on internal resources. It requires mapping hundreds of technical workflows to regulatory standards, so a best practice is to lean on templates and automation where you can. Workstreet is an AI-powered CMMC RPO, and we can help you automate the heavy lifting and achieve CMMC compliance faster.

Final thoughts

DFARS 7012 and CMMC are the price of admission for defense contractors.

The days of "trust me, I'm secure" are over. The DoD is now mandating compliance and those requirements are flowing down from prime contractors, too. If you’re not DFARS 7012 and CMMC compliant, your organization won’t be eligible for any contracts involving CUI and CDI.

That is where we can help. Workstreet offers the only AI-powered CMMC RPO service designed to streamline this specific journey. We help you define your boundaries, automate the heavy lifting of NIST 800-171, and ensure you are audit-ready.

Travis Good

Architect of security and privacy programs for 1,000+ hypergrowth companies. Author of "Complete Cloud Compliance," HITRUST 3rd Party Council member, and recognized speaker on startup security.