
DFARS 252.204-7012: The Requirements That Already Apply

Many defense contractors talk about CMMC as if it were the first time the DoD has required cybersecurity. It is not. DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, has required NIST SP 800-171 since the 2015 interim rule, and the deadline for full implementation passed on December 31, 2017. CMMC adds verification, but the underlying obligations have been in place for years.

What 7012 Requires

The clause has four core requirements. First, contractors must provide adequate security on all covered contractor information systems. For systems that process, store, or transmit covered defense information (which includes CUI), "adequate security" means implementing the 110 security requirements in NIST SP 800-171. Second, contractors must rapidly report cyber incidents to the DoD within 72 hours of discovery via the DIBNet portal, which requires a DoD-approved medium assurance certificate to submit the report. Third, contractors must preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days from the submission of the cyber incident report. Fourth, contractors must flow the clause down to subcontractors whose performance will involve covered defense information or operationally critical support.

The Self-Assessment Gap

The problem with 7012 was enforcement. The clause required compliance but relied on contractor self-attestation: submitting an offer on a contract containing the clause was itself a representation that NIST SP 800-171 had been implemented. There was no independent verification, and the DoD had limited visibility into whether contractors actually implemented the required controls. When DFARS 252.204-7019 and 252.204-7020 (2020) began requiring contractors to post NIST SP 800-171 self-assessment scores in SPRS, many submitted a perfect score of 110, claiming full compliance, while their actual security posture was far from it.

This enforcement gap is precisely what CMMC is designed to close. By requiring assessment by a certified third-party assessment organization (C3PAO) for most Level 2 contracts, the DoD introduces independent verification that the controls are actually in place and functioning.

The 72-Hour Reporting Requirement

One of the most operationally significant provisions of 7012 is the 72-hour cyber incident reporting requirement. When a contractor discovers a cyber incident that affects a covered contractor information system, or the covered defense information on it, the contractor must report it to the DoD through the DIBNet portal operated by DC3 within 72 hours of discovery. That is 72 clock hours, not 72 business hours, and the clock starts at discovery, not at confirmation of root cause or completion of the investigation. The clause also requires the contractor to review the affected systems for evidence of compromise of covered defense information and to submit any malicious software discovered to DC3. This requirement applies today, regardless of CMMC status, and failure to report is a breach of contract.

Flow-Down Obligations

7012 requires contractors to include the clause, without alteration, in subcontracts at any tier when subcontract performance will involve covered defense information or operationally critical support, including subcontracts for commercial items. Subcontractors in turn must report cyber incidents both to the DoD and to the prime (or next higher-tier subcontractor), so a prime that does not flow the clause down also loses visibility into incidents in its own supply chain. Many prime contractors have been inconsistent about flow-down, but this is changing as CMMC draws attention to supply chain cybersecurity. If you are a prime and you are not flowing 7012 to your subs, you are not meeting your contractual obligations.

The Bottom Line

If your contracts include DFARS 252.204-7012, you have been required to implement NIST SP 800-171 since 2017. CMMC does not create a new obligation — it creates a new verification mechanism. Contractors who have been complying with 7012 in good faith are already on the path to CMMC certification. Those who have been ignoring it need to start now, because independent verification is coming.
