The DFARS 252.204-7012 clause (aka DFARS 7012) was created in response to increases in cyberthreats aimed at contractors in our Defense Industrial Base (the DIB). It went into effect at the end of 2017 and established cybersecurity requirements that contractors must meet to safeguard the defense information they handle during the course of their work for the DoD.

This blog explains what DFARS 252.204-7012 is, who needs to comply, and the risks of non-compliance.

What is DFARS 7012?

DFARS 7012 is a requirement issued by the Department of Defense whose overarching goal is to ensure the protection of controlled unclassified information (CUI). DFARS 7012 does not apply to contractors who supply only Commercial off the Shelf (COTS) items to the DoD.

DFARS 7012 requirements

There are three main requirements spelled out in DFARS 7012 to ensure the protection of CUI:

  • Protect unclassified Covered Defense Information (CDI) in accordance with NIST 800-171. To provide adequate security, contractors must implement the 110 security controls stipulated in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. 
  • Report any cyber incidents to the DoD and provide access to servers and logs. Contractors need to report all cyber incidents (even commercial attacks) to the Department of Defense Cyber Crimes Center (DC3), share all cyber incident data, retain that data for 90 days, and assist DC3 with any follow-up investigations as needed. See PreVeil’s blog on DFARS 7012 (c)-(g), which specify these requirements.
  • Ensure Cloud Service Providers (CSPs) Meet FedRAMP Moderate or Equivalent standards. Contractors must confirm that their Cloud Service Providers (CSP) have achieved the Federal Risk and Authorization Management Program (FedRAMP) Baseline Moderate or Equivalent standard. PreVeil is the first Cloud Service Provider (CSP) to meet this stringent FedRAMP Moderate Equivalency requirement for CMMC and DFARS 7012 compliance.

Note that the DFARS 7012 clause also requires defense contractors to flow down all the 7012 requirements to their subcontractors.

Who needs to comply with DFARS 252.204-7012?

All contractors that handle Controlled Unclassified Information (CUI)—i.e., Contractor Proprietary Information, Controlled Technical Information, and Covered Defense Information (CDI)—will have a DFARS 7012 clause in their contract and therefore must comply with its provisions. That’s been the case since 2017.

We recommend that you review your organization’s DoD contract to check if it contains the DFARS 7012 clause, in which case you need to comply with it. Note that your contract may be with another organization above you in the defense supply chain, rather than directly with the 

Going forward, compliance with DFARS 7012 will be a distinct competitive advantage for contractors bidding for DoD work. And noncompliance will be a disqualifier.

What is the DFARS Interim Rule? Explaining DFARS 7019, 7020, and 7021

In November 2020, the DoD released its DFARS Interim Rule, formally known as the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements. The goal of this supplement was to increase compliance with DFARS 7012. The Interim Rule introduced three new clauses – 7019, 7020 and 7021.

  • Clause 7019 dramatically strengthens DFARS 7012 by requiring that contractors conduct a NIST SP 800-171 self-assessment according to DoD Assessment Methodology. Further, self-assessment scores must be reported to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and not be more than three years old.
  • Clause 7020 notifies contractors that the DoD reserves the right to conduct a higher-level assessment of contractors’ cybersecurity compliance, and that contractors must give DoD assessors full access to their facilities, systems, and personnel. Further, 7020 strengthens 7012’s flow down requirements by holding contractors responsible for confirming that their subcontractors have SPRS scores on file prior to awarding them contracts.
  • Clause 7021 paves the way for rollout of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program. The CMMC Proposed Rule was published in the Federal Register on December 26, 2023, with the expectation that CMMC will become law in Q4 2024 and begin to appear in contracts in Q1 2025. Visit our CMMC Timeline blog for the latest updates. 7021 also stipulates that contractors will be responsible for flowing down the CMMC requirements to their subcontractors.

Risks of noncompliance with DFARS 7012

Noncompliance with DFARS 7012, 7019 and 7020 presents serious business risks.

Cybercriminals know that smaller organizations are often more vulnerable than higher-resourced prime contractors and don’t hesitate to go after easier targets. The potential result is loss of your organization’s IP and its ability to operate, as well as the burden of associated recovery costs, including possibly a ransomware payment.

Moreover, DFARS 7012 requires that all cyber incidents be reported to the DoD. If the ensuing investigation reveals a lack of adequate security—i.e., failure to comply with your DFARS 7012 contract clause—then the DoD may consider that a breach of contract and can take several possible corrective actions.

In a June 2022 memo, the DoD noted that:

“Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements (emphasis added). Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”

Note too that organizations that misrepresent their cybersecurity levels are subject to penalties levied by the DoD and/or the Department of Justice (DoJ) under the False Claims Act. Further, DoJ launched a robust Civil Cyber-Fraud Initiative last year in an effort to increase compliance with Federal cybersecurity regulations.

How do DFARS 7012, NIST 800-171 and CMMC overlap?

DFARS 7012 requires implementation of the 110 security controls specified in NIST SP 800-171. CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—will require compliance with the same 110 NIST SP 800-171 security controls.

The key difference is that under CMMC, compliance will be checked by independent third-party assessors (C3PAOs) certified by the CyberAB, the CMMC Accreditation Body.

As Stacy Bostjanik (Chief Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil’s CMMC Summit, “CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”

To learn more, see PreVeil’s white paper, Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0).

How to reduce DFARS 7012 Compliance Costs

  1. Reduce your compliance boundary: If only a portion of your organization handles CUI, then it makes sense to narrow the scope of the security requirements by creating a separate enclave. This translates into a simpler assessment process that saves you time and money. Some solutions like Microsoft GCC High often need to be deployed across entire organizations, adding significant costs and complexity.
  2. Choose a platform that’s easy to use and deploy: Platforms like Microsoft GCC High often require expensive consultants, separate email addresses, and a full rip-and-replace. Look for a solution that can be deployed in hours, uses your existing email addresses, and integrates directly with the tools you’re already using, like Outlook, Gmail, File Explorer and MacFinder.
  3. Deploy a solution with proven CMMC credentials: If your organization has migrated to the cloud, know that standard commercial cloud services such as Microsoft 365 Commercial do not meet CMMC requirements for storing, processing and transmitting CUI. Verify that the solution you choose uses FIPS 140-2 validated encryption modules, meets DFARS 7012 (c)-(g), is FedRAMP Moderate or Equivalent, and has been used to pass multiple DoD assessments.
  4. Use pre-filled compliance documentation to save you time and money: To pass an assessment, contractors will need detailed, evidence-based documentation clarifying how the controls are addressed within their company. This can be a daunting, time-consuming and costly task, so look for a solution that offers pre-filled documentation including a System Security Plan (SSP) and Standard Operating Procedures.

Conclusion

PreVeil is the leading solution for NIST, CMMC and DFARS 7012 compliance and is trusted by more than 1,100 small and midsize defense contractors. PreVeil customers have achieved perfect 110 out of 110 NIST 800-171 scores in rigorous DIBCAC and JSVA audits.

To learn more about how PreVeil can help your organization achieve DFARS 7012 and CMMC Level 2 compliance, schedule a free 15-minute appointment with our compliance team.

What’s the difference between DFARS 7012 and CMMC?

The key difference between the DFARS 7012 and CMMC Level 2 requirements is that under DFARS 7012, compliance with NIST SP 800-171 has not been consistently enforced. Under CMMC, compliance will be checked by independent third-party assessors (C3PAOs) certified by the CyberAB, the CMMC Accreditation Body.

Is CMMC replacing DFARS?

No, CMMC is not replacing DFARS. Instead, the DFARS 7021 clause will be used to bring CMMC requirements into a contract.