
DFARS 252.204-7012

Also known as: 7012 · DFARS 7012 · Safeguarding Clause

The DFARS clause requiring defense contractors to implement NIST SP 800-171, report cyber incidents within 72 hours, and protect CUI. The legal precursor to CMMC.

DFARS 252.204-7012, 'Safeguarding Covered Defense Information and Cyber Incident Reporting,' is the Defense Federal Acquisition Regulation Supplement clause that requires defense contractors to implement the security controls in NIST SP 800-171 on any system that processes, stores, or transmits Controlled Unclassified Information.

The clause has been in effect since 2017. It requires contractors to (a) provide adequate security per NIST SP 800-171, (b) report cyber incidents to DoD via DIBNet within 72 hours, (c) preserve and protect compromised media, and (d) flow the same requirements down to subcontractors that handle CUI.

CMMC 2.0 is the verification mechanism for DFARS 252.204-7012 — it confirms contractors actually meet the 800-171 requirements they have been self-attesting to since 2017. If 7012 is in your contract, CMMC certification is either already required or coming.
