The DFARS 252.204-7012 clause (aka DFARS 7012) was created in response to increases in cyberthreats aimed at the Defense Industrial Base (DIB). It took effect in 2017 and established security requirements that contractors must meet to safeguard sensitive defense information.
This blog explains what DFARS 252.204-7012 is, who needs to comply, and how to make compliance simpler and more affordable.
- What is DFARS 7012
- DFARS 7012 requirements
- Who needs to comply with DFARS 252.204-7012
- What is the DFARS Interim Rule?
- Risks of noncompliance with DFARS 252.204-7012
- How do DFARS 7012, NIST 800-171 and CMMC overlap
- How to reduce DFARS 7012 compliance costs
- FAQ
What is DFARS 7012?
DFARS 7012 is a requirement issued by the DoD with the goal of protecting controlled unclassified information (CUI). DFARS 7012 does not apply to contractors who supply only Commercial off-the-Shelf (COTS) items to the DoD.
DFARS 7012 requirements
There are three main requirements spelled out in DFARS 7012 to ensure the protection of CUI:
- Protect unclassified Covered Defense Information (CDI) in accordance with NIST 800-171. To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
- Report any cyber incidents to the DoD and provide access to servers and logs, per clauses (c)-(g). Contractors need to report all cyber incidents (even commercial attacks) to the DoD Cyber Crimes Center (DC3), share all cyber incident data, retain that data for 90 days, and assist DC3 with any follow-up investigations as needed. See the (c)-(g) section below, which specifies these requirements.
- Ensure Cloud Service Providers (CSPs) Meet FedRAMP Moderate or Equivalent standards. Contractors must confirm that their CSPs have achieved the Federal Risk and Authorization Management Program (FedRAMP) Baseline Moderate or Equivalent standard. PreVeil is the first CSP to meet this stringent FedRAMP Moderate Equivalency requirement for CMMC and DFARS 7012 compliance.
Note that the DFARS 7012 clause also requires defense contractors to flow down all the 7012 requirements to their subcontractors.
Who needs to comply with DFARS 252.204-7012
All contractors that handle Controlled Unclassified Information (CUI)—i.e., Contractor Proprietary Information, Controlled Technical Information, and Covered Defense Information (CDI)—will have a DFARS 7012 clause in their contract and therefore must comply with its provisions. That’s been the case since 2017.
We recommend that you review your organization’s DoD contract to check if it contains the DFARS 7012 clause, in which case you need to comply with it. Note that your contract may be with another organization above you in the defense supply chain, rather than directly with the
Going forward, compliance with DFARS 7012 will be a distinct competitive advantage for contractors bidding for DoD work. And noncompliance will be a disqualifier.
What is DFARS 7012 (c)-(g)?
DFARS 252.204-7012 (c)-(g) stipulate actions that an organization must take in the event of a cybersecurity incident. Note that DFARS 252.204-7012 (c)-(g) is currently in effect and has been for several years. Briefly, the requirements are:
c) cyber incident reporting to the DoD Cyber Crimes Center (DC3)
d) malicious software, if discovered, to be submitted to DC3
e) media preservation and protection for 90 days
f) provide DC3 access to additional information if requested
g) assist DoD with cyber incident damage assessment if requested
Further, if an organization uses a cloud service provider (CSP), the CSP also must comply with 7012 (c)-(g). Responsibility for confirming CSP compliance lies with the contractor. The CMMC Assessment Process (CAP) states:
“Ultimately, the OSC [Organization Seeking Certification] is solely responsible for their relationship with any External Cloud Service Providers and how those cloud services…are meeting the requirements for CMMC certification.”
Those requirements include 7012 (c)-(g).
Explaining DFARS 7019, 7020, and 7021
In November 2020, the DoD released its DFARS Interim Rule, formally known as the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements. The goal of this supplement was to increase compliance with DFARS 7012. The Interim Rule introduced three new clauses – 7019, 7020 and 7021.
- Clause 7019 dramatically strengthens DFARS 7012 by requiring that contractors conduct a NIST SP 800-171 self-assessment according to the DoD Assessment Methodology. Further, self-assessment scores must be reported to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and must not be more than three years old.
- Clause 7020 notifies contractors that the DoD reserves the right to conduct a higher-level assessment of contractors’ cybersecurity compliance, and that contractors must give DoD assessors full access to their facilities, systems, and personnel. Further, 7020 strengthens 7012’s flow-down requirements by holding contractors responsible for confirming that their subcontractors have SPRS scores on file prior to awarding them contracts.
- Clause 7021 paves the way for rollout of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program. The CMMC Proposed Rule was published in the Federal Register on December 26, 2023, with the expectation that CMMC will become law in Q4 2024 and begin to appear in contracts in Q1 2025. Visit our CMMC Timeline blog for the latest updates. 7021 also stipulates that contractors will be responsible for flowing down the CMMC requirements to their subcontractors.
Risks of noncompliance with DFARS 7012
Noncompliance with DFARS 7012, 7019 and 7020 presents serious business risks.
Cybercriminals target smaller organizations because they’re often more vulnerable than higher-resourced prime contractors. The potential result is loss of your organization’s IP and its ability to operate, as well as the burden of associated recovery costs, including possibly a ransomware payment.
Moreover, DFARS 7012 requires that all cyber incidents be reported to the DoD. If the ensuing investigation reveals a lack of adequate security—i.e., failure to comply with your DFARS 7012 contract clause—then the DoD may consider that a breach of contract and can take several possible corrective actions.
In a June 2022 memo, the DoD noted that:
Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements (emphasis added). Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.
Note too that organizations that misrepresent their cybersecurity levels are subject to penalties levied by the DoD and/or the Department of Justice (DoJ) under the False Claims Act. Further, DoJ launched a robust Civil Cyber-Fraud Initiative to increase compliance with Federal cybersecurity regulations. This Initiative brought its first case to court in August 2024.
How DFARS 7012, NIST 800-171 and CMMC overlap
DFARS 7012 requires implementation of the 110 security controls specified in NIST SP 800-171. CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—will require compliance with the same 110 NIST SP 800-171 security controls.
The key difference is that under CMMC, compliance will be checked by independent third-party assessors (C3PAOs) certified by the CyberAB, the CMMC Accreditation Body.
As Stacy Bostjanik (Chief Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil’s CMMC Summit, “CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”
To learn more, see PreVeil’s Guide, Complying with the DoD’s Cybersecurity Maturity Model Certification (CMMC 2.0).
How to reduce DFARS 7012 Compliance Costs
- Reduce your compliance boundary: If only a portion of your organization handles CUI, then it makes sense to narrow the scope of the security requirements by creating a separate enclave. This translates into a simpler assessment process that saves you time and money. Some solutions like Microsoft GCC High often need to be deployed across entire organizations, adding significant costs and complexity.
- Choose a platform that’s easy to use and deploy: Platforms like Microsoft GCC High often require expensive consultants, separate email addresses, and a full rip-and-replace. Look for a solution that can be deployed in hours, uses your existing email addresses, and integrates directly with the tools you’re already using, like Outlook, Gmail, File Explorer and Mac Finder.
- Deploy a solution with proven CMMC credentials: If your organization has migrated to the cloud, know that standard commercial cloud services such as Microsoft 365 Commercial do not meet CMMC requirements for storing, processing and transmitting CUI. Verify that the solution you choose uses FIPS 140-2 encryption modules, meets DFARS 7012 (c)-(g), is FedRAMP Moderate or Equivalent, and has been used to pass multiple DoD assessments.
- Use pre-filled compliance documentation to save you time and money: To pass an assessment, contractors will need detailed, evidence-based documentation clarifying how the controls are addressed within their company. This can be a daunting, time-consuming and costly task, so look for a solution that offers pre-filled documentation including a System Security Plan (SSP) and Standard Operating Procedures.
Conclusion
PreVeil is the leading solution for NIST, CMMC and DFARS 7012 compliance and is trusted by more than 1,100 small and midsize defense contractors. PreVeil customers have achieved perfect 110 out of 110 NIST 800-171 scores in rigorous DIBCAC and JSVA audits.
To learn more about how PreVeil can help your organization achieve DFARS 7012 and CMMC Level 2 compliance, schedule a free 15-minute call with our compliance team.
Frequently Asked Questions
What’s the difference between DFARS 7012 and CMMC?
The key difference between the DFARS 7012 and CMMC Level 2 requirements is that under DFARS 7012, compliance with NIST SP 800-171 has not been consistently enforced. Under CMMC, compliance will be checked by independent third-party assessors (C3PAOs) certified by the CyberAB, the CMMC Accreditation Body.
Is CMMC replacing DFARS?
No, CMMC is not replacing DFARS. Instead, the DFARS 7021 clause will be used to bring CMMC requirements into a contract.