
DFARS 252.204-7012. The 14 obligations you must document.

The oldest of the four DFARS cybersecurity clauses. Still the foundation of every CMMC engagement. Here is every obligation, in plain English, with the evidence an assessor will demand.

BY A. Sterling, Director, Compliance Engineering · Updated 2026-03-22 · 11 min read

DFARS 252.204-7012 has been federal contract law since 2016. It predates CMMC by half a decade and survives every revision of the program. If you sign a contract that contains 7012 — and you do — you have already agreed to fourteen specific cybersecurity obligations, with or without a CMMC certificate. This article catalogs every one of them.

Context: why 7012 still matters

Contractors often treat 7012 as a deprecated formality that CMMC will absorb. It will not. CMMC is the certification framework. 7012 is the underlying obligation. Even after you achieve Level 2, 7012 governs your conduct during a cyber incident, your obligations to report to DoD, your media protection requirements, and your flow-down language to subcontractors. The clause continues to operate as the substantive legal floor.

The Department of Justice has settled multiple False Claims Act matters against contractors whose actual 7012 compliance fell short of what they had represented to contracting officers. The Civil Cyber-Fraud Initiative was specifically built to surface these cases. Treat 7012 as a clause that will be read line by line in litigation.

The 14 obligations, catalogued

The clause produces fourteen substantive obligations. We number them here for the audit checklist.

  1. Adequate security on covered contractor information systems. Implement NIST SP 800-171 across every system that processes, stores, or transmits Covered Defense Information (CDI), which subsumes CUI.
  2. Submit a Plan of Action. Where any 800-171 control is not implemented, a documented POA&M must exist with milestone dates and a designated owner.
  3. Implement the cloud service requirements. If a cloud service stores or transmits CDI, that service must meet FedRAMP Moderate equivalency or be authorized at a higher level.
  4. Discover and report cyber incidents within 72 hours. Reporting goes to DoD CYBER via DIBNet and must include the standard incident report fields.
  5. Preserve affected media for 90 days. Images and forensic captures of affected systems must be retained for at least ninety days after an incident report is filed.
  6. Submit malicious software discovered during an incident. Specimens are submitted to the DoD Cyber Crime Center (DC3).
  7. Facilitate DoD damage assessment. Provide access, including remote access, to DoD personnel performing damage assessment, subject to the clause's confidentiality terms.
  8. Identify and report subcontractor incidents. Incidents affecting subcontractors who flow down 7012 must be reported up the chain.
  9. Flow down the clause to subcontractors. The clause must appear, without alteration of its terms, in subcontracts that involve CDI handling.
  10. Notify the Contracting Officer of inability to comply. If a system cannot meet 800-171, written notice to the Contracting Officer is required before contract performance begins.
  11. Implement continuous monitoring of information system security. Continuous monitoring is treated as a steady-state obligation, not a project deliverable.
  12. Maintain DoD-issued PKI when required. Where the contract requires DoD-issued PKI, the certificates and associated infrastructure must be maintained.
  13. Protect attorney-client privileged communications during incident response. The clause anticipates that incident response will produce privileged work product and provides for its protection.
  14. Cooperate with DoD-directed remediation. Remedial measures directed by the DoD in connection with a damage assessment must be implemented.

Incident reporting in detail

The 72-hour clock is the most operationally consequential element of the clause. It begins on discovery, not on confirmation. The DIBNet portal requires:

  • A description of the incident, the affected information, and the affected systems.
  • The actions taken or planned to mitigate.
  • The estimated impact to operations.
  • The point of contact and CAGE code.

We routinely run tabletop exercises with clients to rehearse the 72-hour clock. The teams that fail are not the teams without technology; they are the teams without a designated DIBNet submitter, a draft narrative template, and a senior official empowered to submit before legal sign-off is complete.

Flow-down to subcontractors

Item 9 above — the flow-down obligation — is where most contractor litigation begins. Two rules to internalize:

  • You must flow the clause down without alteration of its terms. You may add obligations on top, but you may not remove or soften any of the fourteen items above.
  • You must flow it down to every subcontractor that will handle CDI, regardless of subcontract value. There is no de minimis exception.

What auditors actually ask to see

In a C3PAO assessment, 7012 obligations are evidenced primarily through the System Security Plan, but several artifacts are inspected independently:

  1. The DIBNet incident reporting playbook with named submitter and runbook.
  2. Tabletop exercise records covering 7012 reporting timelines.
  3. Sample subcontract showing the flow-down clause inserted verbatim.
  4. Cloud service authorization documentation (FedRAMP letter or equivalency memo).
  5. Media preservation policy and at least one preservation record from a prior incident or tabletop.

FIELD NOTE

We have never read a CMMC engagement where the contractor produced clean evidence for all five artifacts above on the first request. The cloud equivalency memo and the subcontract-flow-down sample are the two most often missing.

Common 7012 failure patterns

  • Treating the 72-hour clock as starting at confirmation rather than discovery. Contractors who require legal sign-off before DIBNet submission routinely miss the window. Build the authority to submit a preliminary report into the playbook.
  • Cloud service inventory is unmaintained. Marketing teams, HR vendors, and contract management tools quietly accumulate CUI access without being on the security inventory.
  • Subcontract templates lag the procurement reality. The master subcontract template contains 7012 but the operational purchase orders do not flow it down.
  • Media preservation policy exists but has never been exercised. The first time you image a host for ninety-day preservation should not be during a live incident.

If you would like a partner read of your 7012 posture against the fourteen obligations above, our Gap Assessment produces it in two weeks. The assessment artifacts are written in the form a C3PAO will accept on day one.
