Cybersecurity & Supply Chain (Parts 4 / 39 / DFARS 204)

DFARS 252.204-7012

Safeguarding Covered Defense Information and Cyber Incident Reporting

The bedrock DoD cybersecurity clause. Requires contractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 protections and to report cyber incidents to DoD within 72 hours. Paired with DFARS 252.204-7019/7020 (NIST 800-171 DoD Assessments) and 252.204-7021 (CMMC). Failure here ripples across CMMC compliance and False Claims Act risk.

FAR / DFARS Part
DFARS Part 204 — Administrative and Information Matters
Prescribed By
DFARS 204.7304 — Required in all DoD solicitations and contracts (with limited exceptions for COTS).
Flow-down to Subcontracts

Yes — must flow down to all subcontracts at all tiers where the sub may have Covered Defense Information (252.204-7012(m)).

What this clause requires

  • 1Implement NIST SP 800-171 (Protecting CUI in Nonfederal Systems and Organizations) security controls — 110 controls across 14 families.
  • 2Submit a System Security Plan (SSP) and Plans of Action and Milestones (POA&M) reflecting implementation status.
  • 3Report cyber incidents to DoD within 72 hours via http://dibnet.dod.mil.
  • 4Preserve incident-related data for 90 days and provide access on request.
  • 5Subcontractor flow-down at all tiers where CDI is shared.
  • 6Cloud services storing CDI must meet FedRAMP Moderate or equivalent.
  • 7Coordinate with the DC3 (DoD Cyber Crime Center) for damage assessment.

When this clause applies

All DoD solicitations and contracts (and orders under them) involving Covered Defense Information. Limited exception for COTS purchases not requiring CDI access. Commercial-item COTS solicitations may still trigger if CDI is involved.

Common pitfalls

!Self-attestation gap — claiming full 800-171 implementation when POA&M shows many open items can be FCA exposure (DOJ v. Aerojet $9M settlement on cyber misrep).
!Missing the 72-hour incident report — strict deadline running from discovery, not from full investigation.
!Flow-down failures — primes are responsible for sub-tier cyber incidents.
!Cloud-service compliance — many SaaS tools used by contractors are not FedRAMP Moderate; using them for CDI is a violation.
!Forgetting incidents involving subs — sub-tier breaches must also be reported.

Proposal-team checklist

  • Confirm SSP is current, signed, and reflects the in-place control implementation honestly.
  • Submit POA&M with realistic remediation dates and ownership.
  • Pre-stage incident-response runbook with dibnet.dod.mil reporting workflow tested annually.
  • Audit cloud services for FedRAMP status — replace non-compliant services BEFORE handling CDI.
  • Add 252.204-7012 flow-down to all sub templates with documented CDI access criteria.

Stop tracking clauses in spreadsheets.

BidCraft auto-detects every FAR / DFARS clause in your RFP, builds the compliance matrix, and structures the response. Try free.

Generate a Proposal →

FAQ

What is Covered Defense Information (CDI)?

Unclassified controlled technical information or other information requiring safeguarding or dissemination controls, as identified in the contract or marked by the Government. Includes Controlled Unclassified Information (CUI) such as export-controlled, OPSEC, and proprietary-government data.

What if I haven't implemented all 110 NIST 800-171 controls?

You can still bid if your SSP and POA&M honestly reflect the status. False attestation of full implementation can result in FCA liability — DOJ has actively prosecuted (Aerojet Rocketdyne $9M, MORSE $4.6M).

How does this relate to CMMC?

CMMC (252.204-7021) verifies the same NIST 800-171 controls plus additional practices at higher CMMC levels. 252.204-7012 self-attestation continues; CMMC adds third-party assessment for Level 2/3 contracts during the phased rollout.

Related clauses

DFARS 252.204-7019
NIST 800-171 Assessment Notice
DFARS 252.204-7020
NIST 800-171 DoD Assessment Requirement
DFARS 252.204-7021
CMMC Requirements
FAR 52.204-25
Section 889 Part A & B Prohibition

Home · All FAR Clauses · Government RFP · Sample Proposal

Reference content based on the Federal Acquisition Regulation and DFARS as of June 2026. Always verify the current clause text at acquisition.gov before relying on it for an actual submission. Educational reference; not legal advice.