DBITDefenseCMMC Level 2 · Readiness
(561) 887-5470Free DashboardSign in ↗
Regulation · DFARS · May 2, 2026

DFARS 252.204-7012: history and current applicability.

DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — has been in DoD contracts since 2015 and remains the underlying authority for CUI-handling obligations.

Published May 2, 2026South Florida · Palm Beach · Broward · Miami-Dade
(561) 887-5470
Tag
Regulation
Citations
4
Type
Plain summary
Original
no control interpretation
No. 01

Summary and dates.

Origin

Aug 2015
Interim DFARS clause issued requiring contractors to safeguard covered defense information and report cyber incidents.
Federal Register / Acquisition.gov
Oct 2016
Final rule effective; broad applicability across DoD prime and sub contracts handling covered defense information.
Federal Register / Acquisition.gov
Dec 2017
Compliance deadline for the underlying NIST SP 800-171 safeguarding requirements referenced in the clause.
DoD CIO

Why it still matters under CMMC

DFARS 252.204-7012 is the contract clause that obligates safeguarding of covered defense information (a subset of CUI) and incident reporting. CMMC is the verification mechanism that DoD applies on top of that clause. The two are complementary, not substitutes.

Companion DFARS clauses

DFARS 252.204-7019 (NIST SP 800-171 DoD Assessment Requirements) and DFARS 252.204-7020 (related notice provisions) work alongside -7012 to require contractors to post Supplier Performance Risk System (SPRS) scores under specified conditions.

No. 02

Sources and citations.

Primary references

DBIT Defense does not interpret control intent or republish substantive control text. All claims above link to primary sources for verification.

No. 03

Related insights.

01
Timeline · Regulation · March 14, 2026

CMMC 2.0 Final Rule: timeline and structure

The CMMC 2.0 Program rule (32 CFR Part 170) was published in the Federal Register in October 2024 and took effect in December 2024. The dates and document struc…

02
Program · Rollout · March 20, 2026

CMMC phased rollout: Phase 1 through Phase 4

DoD has published a four-phase rollout schedule for CMMC, beginning when the DFARS implementation rule becomes effective and ramping over three years. The phase…

03
Ecosystem · Assessors · April 2, 2026

The C3PAO ecosystem: who they are, where they are

Authorized CMMC Third Party Assessment Organizations (C3PAOs) conduct Level 2 certification assessments. The Cyber-AB maintains the authoritative marketplace li…

04
Standards · NIST · April 18, 2026

NIST SP 800-171: Rev. 2 vs Rev. 3

NIST published Revision 3 of SP 800-171 in May 2024. The CMMC Program rule (32 CFR Part 170) currently references Revision 2 as the underlying control catalog. …

Know where you stand
before the requirement
reaches the contract.

Start with a focused CMMC readiness assessment. We will send a written scoping summary within two business days, or a candid recommendation if it is not the right fit.

Or call directly (561) 887-5470Mon–Fri · 9am – 6pm ET · South Florida

Request a readiness assessment