What Are the DFARS 252.204-7012 Cybersecurity Requirements?

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of rules and regulations governing how the Department of Defense handles procurement and acquisition activities. In addition, it serves as a framework for private contractors doing business with the agency. DFARS is an extension of the Federal Acquisition Regulation (FAR)—which oversees procurement for all 15 major executive agencies—and can be found in Chapter 2 of Title 48 of the Code of Federal Regulations. 

Because of the national security implications of much of the work that the Defense Department engages in, a great deal of the data, information, and other materials that pass between the agency and its private contractors is highly sensitive in nature. The DoD uses the term covered defense information (CDI) as a broad category for this type of knowledge, which it defines as “unclassified controlled technical information or other information…that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies.” 

Over the past decade or so, private defense contractors and other entities in the vast network that encompasses the U.S.’s defense industrial base (DIB) have experienced a troubling increase in cyberattacks and other cybersecurity threats aimed at penetrating the DIB and stealing such information. 

In response to these new hazards and the growing legion of bad actors behind them, the Department of Defense added a new clause to its acquisition regulation code. This new section, DFARS 252.204-7012, is aimed at ramping up protections for CDI by obligating contractors to implement a comprehensive set of security controls. The overarching goals of the new DFARS clause are to standardize cybersecurity across all defense contractors and combat the rising tide of criminal actors seeking to exploit vulnerabilities within the DIB.  

This new section, DFARS 252.204-7012, is aimed at ramping up protections for CDI by obligating contractors to implement a comprehensive set of security controls.

DFARS 252.204-7012 and the NIST Security Protocol 

DFARS 252.204-7012, officially titled Safeguarding Covered Defense Information and Cyber Incident Reporting, was put into effect on New Year’s Eve 2017. The clause—also referred to as a subsection—introduced a series of new cybersecurity measures that all defense contractors must adhere to. Subsection 252.204-7012 seeks to ensure that all covered defense information is protected from data breaches, cyberattacks, and other significant threats through a heightened security protocol. 

The measures under the DFARS 252.204-7012 umbrella introduce several novel requirements. Arguably the most important of these obligates all contractors to comply with a collection of security controls published by the National Institute of Standards and Technology (NIST), an agency within the Department of Commerce dedicated to advancing American innovation and competitiveness in science, technology, and engineering. Known as NIST Special Publication 800-171, or simply NIST SP 800-171, these guidelines contain 110 individual security controls, grouped into 14 “families.”

• Access Control (AC)
• Awareness and Training 
• Audit and Accountability 
• Configuration Management 
• Identification and Authentication 
• Incident Response 
• Maintenance 
• Media Protection 
• Personnel Security 
• Physical Protection 
• Risk Assessment
• Security Assessment 
• System and Communications Protection 
• System and Information Integrity 

Because of DFARS subsection 252.204-7012, all defense contractors are now subject to NIST SP 800-171, and must implement its 100+ security controls when carrying out work for the Defense Department. The federal government maintains a CUI Registry intended to serve as a universal resource for those seeking to handle CDI and controlled unclassified information (CUI) in an appropriate manner. As outlined by the original SP 800-171 document, this repository “identifies approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, and sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information.”

All defense contractors are now subject to NIST SP 800-171, and must implement its 100+ security controls when carrying out work for the Defense Department.

Additional Requirements for DFARS Clause 252.204-7012

While the most critical new requirement ushered in by DFARS 252.204-7012 is the NIST cybersecurity protocol, the clause also includes several other important new obligations. 

• The first of these additional requirements concerns reviewing and reporting practices surrounding cybersecurity incidents. If a private company working for the Department of Defense uncovers a cyber incident that impacts CDI or an online system that was responsible for housing and safeguarding CDI, it must swiftly report the incident through specific DoD channels. 
• The contractor is also responsible for conducting a comprehensive review and evaluation of the incident. Such reviews entail identifying any compromised data, hardware, accounts, and information systems. 
• If the incident includes the discovery of malicious software, the contractor should attempt to isolate the software and submit it to the Defense Department’s Cyber Crime Center (DC3). 
• Finally, the party must engage in continued cooperation with the DoD as it carries out its investigation into the incident, including by providing access to any requested data, systems, and equipment. 

DFARS 252.204-7012 requires all contractors and subcontractors to implement the same security controls and adhere to the same reporting obligations when handling CDI. To this end, the third prong of the clause mandates that prime contractors flow down the new cybersecurity requirements to all subcontractors by including 252.204-7012 in related contracts. 

The Newest DFARS Clauses

The Department of Defense issued a DFARS Interim Rule in the fall of 2020 that was entered into force on November 30 of the same year. The Interim Rule added three new clauses to Part 252 of DFARS: 252.204-7019, -7020, and -7021. These subsections are intended to build on the obligations introduced in 252.204-7012, while also introducing new mechanisms of accountability for contractors working with the DoD. 

In 2019, the Defense Contract Management Agency was tasked with pursuing a means of standardizing the assessment of individual contractors’ implementation of the NIST SP 800-171 protocol (a requirement for 252.204-7012). The result was the issuance of the NIST SP 800-171 DoD Assessment Methodology, a sophisticated blueprint for contractors to use when evaluating their adherence to the NIST security controls. The first part of the Interim Rule, 252.204-7019, effectively codifies the DoD Assessment Methodology tool into DFARS by requiring all defense contractors to carry out and score these self-assessments. They are additionally obligated to report those scores to the Supplier Performance Risk System (SPRS). 

The first part of the Interim Rule, 252.204-7019, effectively codifies the DoD Assessment Methodology tool into DFARS by requiring all defense contractors to carry out and score these self-assessments. They are additionally obligated to report those scores to the Supplier Performance Risk System (SPRS). 

Subsection 252.204-7020 imposes another layer of accountability on contractors responsible for adhering to the NIST protocol. The clause allows the Defense Department to access a contractor’s facilities, systems, and personnel if the agency deems such access necessary to its efforts to conduct its own independent assessment. 252.204-7020 also stipulates that all prime contractors must require subcontractors to complete their own assessments of NIST SP 800-171 compliance by utilizing the DoD Assessment Methodology, and flow down the language of the clause in all subcontracts. 

Finally, clause 252.204-7021 introduces the Cybersecurity Maturity Model Certification (CMMC), a new framework for assessing contractors’ implementation of cybersecurity practices and related security controls. Because the rules associated with CMMC are still being finalized at the DoD, this subsection currently functions as more of a placeholder for what will eventually become a critical new cybersecurity standard. The Department of Defense is ultimately going to require all contractors to attain certification through CMMC—potentially by late 2024 or early 2025—and DFARS 7021 is being positioned to serve as the vehicle for that requirement within DoD contracts.

The Importance of DFARS 252.204-7012 Compliance 

Cyberattacks and the data breaches they generate and exploit are a growing threat to the U.S. government, the Department of Defense, and the entire DIB. DFARS 252.204-7012 was introduced in 2017 as a robust, rigorous countermeasure to the expanding scope and frequency of these attacks, and today nearly all defense contractors are obligated to comply with it. The clause demands that businesses have a sweeping set of security controls in place, a standard procedure for reviewing and reporting cyber incidents and incursions from malicious software, and established practices for flowing down CDI safeguarding measures to subcontractors. 

DFARS 252.204-7012 was introduced in 2017 as a robust, rigorous countermeasure to the expanding scope and frequency of these attacks, and today nearly all defense contractors are obligated to comply with it.

The consequences for ignoring or inadequately addressing DFARS 252.204-7012 are significant and costly. Defense contractors that don’t implement the NIST security controls are vulnerable to cybercriminals, hackers, and other bad actors intent on stealing sensitive data, and may ultimately find themselves saddled with substantial recovery costs. Perhaps more importantly, though, the Department of Defense has outlined its own suite of responses to a contractor who has not adequately complied with DFARS 252.204-7012 and its associated NIST security protocol. 

The consequences for ignoring or inadequately addressing DFARS 252.204-7012 are significant and costly. Defense contractors that don’t implement the NIST security controls are vulnerable to cybercriminals, hackers, and other bad actors intent on stealing sensitive data, and may ultimately find themselves saddled with substantial recovery costs.

In a 2022 memo, the Office of the Under Secretary of Defense explained that failure to sufficiently implement NIST SP 800-171 would be considered a breach of contract. “Remedies for such a breach,” the memo continued, may include “withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.” Contractors neglecting this critical security regulation put themselves in a precarious position with their employer, placing their existing contract at risk and greatly jeopardizing their ability to secure future acquisitions with the Department of Defense and the federal government.