What are the most common pitfalls with DFARS 252.204-7012?

Treating the SSP as a one-time document instead of a living artifact • Missing the 72-hour cyber incident reporting deadline • Using cloud services not equivalent to FedRAMP Moderate • Failing to flow the clause down to subcontractors handling CDI • Not posting current self-assessment score in SPRS

DFARS ClauseCybersecurity

DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting

Requires DoD contractors and subcontractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 security controls and report cyber incidents within 72 hours.

View official clause text on acquisition.gov

When This Clause Applies

Required in all DoD solicitations and contracts (including commercial items) except for COTS purchases. Flows down to all subcontractors handling CDI.

What This Means for Contractors

Contractors must implement all 110 NIST 800-171 controls (or document deficiencies in a System Security Plan + Plan of Action & Milestones). Must report cyber incidents to dibnet.dod.mil within 72 hours. Must preserve and protect images of affected systems for at least 90 days. Cloud services storing CDI must be FedRAMP Moderate equivalent or higher.

Common Pitfalls

1Treating the SSP as a one-time document instead of a living artifact
2Missing the 72-hour cyber incident reporting deadline
3Using cloud services not equivalent to FedRAMP Moderate
4Failing to flow the clause down to subcontractors handling CDI
5Not posting current self-assessment score in SPRS

Related Clauses

DFARS 252.204-7019

Notice of NIST SP 800-171 DoD Assessment Requirements

Requires offerors on DoD solicitations involving CDI to have a current Basic, Medium, or High self-assessment score posted in the Supplier Performance Risk System (SPRS).

DFARS 252.204-7020

NIST SP 800-171 DoD Assessment Requirements

Contract clause version of the SPRS requirement — flows down to subcontractors and requires score updates during performance.

DFARS 252.204-7021

Cybersecurity Maturity Model Certification Requirements

Implements the CMMC program — requires contractors handling FCI or CDI to achieve and maintain a CMMC certification at the level specified in the solicitation.

Continue Your Research

DoD Procurement Guide

Cybersecurity clauses primarily apply to DoD acquisitions. See DoD's vehicles and small business focus.

NAICS 518210 — Data Processing, Hosting, and Related Services

Find federal contracts under NAICS 518210. Common agencies, set-asides, contract values.

NAICS 541330 — Engineering Services

Find federal contracts under NAICS 541330. Common agencies, set-asides, contract values.

Browse Full FAR Clause Library

All FAR and DFARS clauses we've documented with plain-English summaries.

GovCon Compliance Blog

Latest guidance on FAR/DFARS updates, CMMC, NIST 800-171, and capture strategy.

Need help complying with DFARS 252.204-7012?

Aliff helps GovCon firms map clause requirements to deliverables, build compliance evidence, and respond to CO inquiries with confidence.

Schedule a Compliance Review Browse Clause Library