DoD Safeguarding & NIST SP 800-171 Β· DFARS 252.204-7012

Safeguarding Covered Defense Information & Cyber Incident Reporting

Also known as: DFARS 7012, safeguarding clause, CDI safeguarding, 72-hour cyber-incident reporting

What you do here: Protect CDI to NIST SP 800-171, report cyber incidents within 72 hours, and flow the clause down

At a Glance

Who it applies to
DoD contractors and subcontractors whose systems process, store, or transmit Covered Defense Information (CDI)
What it obligates
Implement NIST SP 800-171, report cyber incidents within 72 hours, preserve images, and meet cloud requirements
Governing authority
DFARS 252.204-7012, prescribed by DFARS 204.7304
Reporting deadline
72 hours from discovery of a cyber incident, via dibnet.dod.mil (requires a DoD-approved medium-assurance certificate)
Flow-down
Yes β€” the clause flows down to all subcontracts involving CDI, including for commercial items

What It Is

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the central DoD cybersecurity clause and the one that put NIST SP 800-171 into contracts. It applies whenever a DoD contractor's information system will process, store, or transmit 'Covered Defense Information' (CDI) β€” which is Controlled Unclassified Information that is either provided to the contractor by DoD or collected/developed by the contractor in performing the contract, in categories like controlled technical information. The clause does four main things. First, safeguarding: you must provide 'adequate security,' which for covered systems means implementing the security requirements in NIST SP 800-171 (with a System Security Plan and a Plan of Action & Milestones for anything not yet met). Second, cyber-incident reporting: if you discover a cyber incident affecting a covered system or CDI, you must rapidly report it to DoD within 72 hours through the DIBNet portal (dibnet.dod.mil), which requires a DoD-approved medium-assurance certificate to access. Third, forensics: you must preserve and protect images of affected systems for at least 90 days and give DoD access to conduct a damage assessment if requested. Fourth, cloud and flow-down: if you use an external cloud service to store CDI, that provider must meet the FedRAMP Moderate baseline (or equivalent), and you must flow the clause down to subcontractors whose work involves CDI, including for commercial items. DFARS 7012 is the clause that CMMC and the SPRS self-assessment (DFARS 7019/7020) are built to verify β€” it creates the obligation; CMMC and SPRS prove you met it.

When It Applies

  • On DoD contracts and subcontracts whose performance involves Covered Defense Information (CDI) on the contractor's systems.
  • When a cyber incident is discovered β€” triggering the 72-hour report to DoD through DIBNet.
  • When CDI is stored in an external cloud service β€” triggering the FedRAMP Moderate (or equivalent) requirement.
  • As a flow-down: to all subcontracts (including for commercial items) where the subcontractor will handle CDI.

Key Features

FeatureWhat It Means
Requires NIST SP 800-171'Adequate security' for covered systems means implementing the NIST SP 800-171 security requirements, with an SSP and a POA&M for gaps.
72-hour incident reportingA discovered cyber incident affecting CDI or a covered system must be reported to DoD within 72 hours via dibnet.dod.mil.
Forensic preservationYou must preserve system images for at least 90 days and allow DoD to conduct a damage assessment on request.
Cloud must meet FedRAMP ModerateAn external cloud service storing CDI must meet the FedRAMP Moderate baseline (or equivalent) and pass through DoD-specific requirements.
Flows down for CDIThe clause flows down to subcontractors whose systems handle CDI, including for commercial items β€” the prime must ensure it's included.

The SDVOSB Angle

For a small SDVOSB pursuing DoD work, DFARS 7012 is the moment cybersecurity stops being optional and starts being a real cost of doing business. The clause obligates full NIST SP 800-171 implementation, and the 72-hour incident-reporting requirement means you need a DIBNet account and medium-assurance certificate arranged before an incident, not during one. Two practical priorities: first, stand up the SSP and POA&M early and honestly, because DFARS 7019/7020 will require you to post a NIST 800-171 assessment score to SPRS and CMMC will eventually require a third party to verify it β€” an overstated posture is a False Claims Act risk. Second, watch the cloud and flow-down: if you store CDI in a cloud service it must meet FedRAMP Moderate (many popular commercial tiers don't; the government versions do), and if a similarly situated subcontractor handles CDI you must flow the clause down and confirm they can actually meet it. Price the compliance cost into your bid β€” for many small firms it's the single biggest reason a DoD set-aside is or isn't worth pursuing.

How to Comply

  1. Determine whether the contract involves CDI, and if so, scope which of your systems will handle it.
  2. Implement NIST SP 800-171 on covered systems, with a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M).
  3. Set up a DIBNet account and DoD-approved medium-assurance certificate in advance so you can report an incident within 72 hours.
  4. If CDI goes to a cloud, use a service that meets FedRAMP Moderate (or equivalent) and the DoD pass-through requirements.
  5. Flow DFARS 252.204-7012 down to subcontractors handling CDI and confirm they can comply.

Watch Out For

  • Waiting until after an incident to get a DIBNet certificate β€” you can't meet the 72-hour clock without one.
  • Storing CDI in a commercial cloud tier that isn't FedRAMP Moderate β€” a very common and serious gap.
  • Treating the SSP/POA&M as boilerplate β€” DFARS 7019/7020 and CMMC will test whether it's real.
  • Missing the flow-down β€” a subcontractor handling CDI without DFARS 7012 is the prime's noncompliance.

Run the Numbers

Price-to-Win Calculator β†’

Frequently Asked

What is DFARS 252.204-7012?

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the core DoD cybersecurity clause. It requires DoD contractors whose systems handle Covered Defense Information (CDI) to implement the NIST SP 800-171 security requirements, report cyber incidents to DoD within 72 hours through the DIBNet portal, preserve system images for at least 90 days, ensure any cloud storing CDI meets the FedRAMP Moderate baseline, and flow the clause down to subcontractors that handle CDI.

How fast do I have to report a cyber incident under DFARS 7012?

Within 72 hours of discovering the incident. DFARS 252.204-7012 requires 'rapid reporting' β€” no later than 72 hours after discovery of a cyber incident affecting a covered contractor information system or the Covered Defense Information on it β€” through the DoD's DIBNet portal at dibnet.dod.mil. Because DIBNet access requires a DoD-approved medium-assurance certificate, you should obtain that certificate before an incident occurs, since you cannot realistically meet the 72-hour deadline if you start the process only after being breached.

What is the difference between CDI, CUI, and FCI?

FCI (Federal Contract Information) is the broad category of non-public contract information protected by the 15 basic controls in FAR 52.204-21. CUI (Controlled Unclassified Information) is the governmentwide category of more sensitive information marked for protection. CDI (Covered Defense Information) is DoD's term for the CUI that a DoD contract requires you to protect β€” CUI provided by DoD or generated in performing the contract. When a DoD contract involves CDI, DFARS 252.204-7012 requires full NIST SP 800-171 protection, well above the FCI baseline.

Primary Sources

Plain-English reference, not legal advice. Cybersecurity and information-safeguarding rules are fact-specific and change often β€” the FAR, DFARS, NIST publications, and the CMMC program rule are amended and phased in over time. Always read the current FAR/DFARS text and the safeguarding clauses in your specific contract, check the version of NIST SP 800-171 your contract requires, confirm the SPRS and CMMC requirements with the contracting officer, and consult qualified counsel or a cybersecurity professional before relying on a compliance position or making a certification.

Last updated Update cadence: Quarterly, plus on FAR/DFARS amendment, a new NIST SP 800-171 revision, or CMMC phase-in changes
Change log (1)
  1. LaunchedPublished the federal contract cybersecurity & information safeguarding requirements reference covering the obligations an SDVOSB takes on across a federal (especially DoD) set-aside β€” basic safeguarding of Federal Contract Information (FAR 52.204-21), the Section 889 covered-telecom prohibition (FAR 52.204-25), the DoD safeguarding of Covered Defense Information and 72-hour cyber-incident reporting (DFARS 252.204-7012), the NIST SP 800-171 control set with its System Security Plan and POA&M, the SPRS self-assessment score (DFARS 252.204-7019 / -7020), the CMMC program and its three levels (DFARS 252.204-7021 / 32 CFR Part 170), Controlled Unclassified Information marking and handling (32 CFR Part 2002 / EO 13556), and the emerging governmentwide FAR CUI rule β€” each with an at-a-glance quick-facts card, a when-it-applies list, a key-features table, an SDVOSB-specific angle, a how-to-comply checklist, watch-outs, FAQPage, Article, Dataset, and BreadcrumbList structured data, primary-source FAR/DFARS/CFR/NIST citations, and cross-links into the glossary, contracting systems (SPRS, SAM.gov), clauses, forms, contract types, how-to guides, FAQ, and the price-to-win and win-probability calculators.

Related Safeguarding Requirements

Systems You’ll Use

SPRS — Supplier Performance Risk System→
SAM.gov — System for Award Management→

Clauses That Apply

FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems→

How It Plays by Contract Type

FFP β€” Firm-Fixed-Price (FFP)β†’
CPFF β€” Cost-Plus-Fixed-Fee (CPFF)β†’

The Authorities Explained

13 CFR § 125.6 — Limitations on Subcontracting→

Terms Used on This Page

FARSimilarly Situated Entity

In the FAQ Knowledge Base

What VA IT contracts are available to SDVOSBs?β†’
How does security clearance affect SDVOSB contracting?β†’
← All Cybersecurity & Information Safeguarding Requirements