Rewrite: dfars-cybersecurity-clauses-what-each-one-requires

Master DoD DFARS compliance with key strategies to enhance cybersecurity for DoD contractors.


---

Four DFARS clauses govern cybersecurity in defense contracts. They're related but not the same. Each one adds a different layer of obligation, and they build on each other. If your contract includes 252.204-7021, you're subject to all four. If it includes only 7012, you have a different set of requirements than someone with 7019.

Knowing which clauses are in your contract — and what each actually demands — is the first step in understanding your compliance obligations.

252.204-7012: Safeguarding Covered Defense Information

This is the foundational clause. First issued in 2015 and substantially revised in 2016, it applies to virtually every DoD contract that involves Covered Defense Information (CDI) — which includes CUI.

What it requires:

  1. Implement NIST SP 800-171. You must apply the 110 security requirements from NIST 800-171 to all systems that process, store, or transmit CDI. There's no assessment or certification required under this clause alone — but you must actually implement the controls.
  2. Report cyber incidents within 72 hours. If you experience a cyber incident that may have compromised CDI, you must report it to the DoD within 72 hours of discovery. Report through the DIBNet portal at dibnet.dod.mil. The 72-hour clock starts when you discover the incident, not when you confirm CDI was accessed. When in doubt, report.
  3. Preserve images of compromised systems. Within 72 hours of discovering an incident, preserve system images and relevant monitoring data for at least 90 days for potential forensic analysis by the DoD.
  4. Submit malware samples. If you identify malicious software during incident investigation, submit the samples to the DoD Cyber Crime Center (DC3).
  5. Grant access to equipment and information. If the DoD wants to conduct a damage assessment, you must provide access to the equipment, personnel, and information involved in the incident.
  6. Flow down to subcontractors. If a subcontractor handles CDI on your behalf, you must include this clause in their contract, including the 72-hour reporting requirement flowing up to you. The subcontractor reports to you; you report to the DoD. Make sure your subcontract language establishes a reporting timeline to you that gives you time to make the 72-hour window.

The common mistake: Contractors flow 7012 down to subcontractors but don't establish a reporting timeline in the subcontract. If your sub takes 60 hours to tell you about an incident, you have 12 hours left to report to DoD — assuming you discovered it immediately. Build a 24-hour notification requirement from subs to you.

Who it applies to: Any DoD contractor whose contract involves CDI/CUI, cloud services handling CDI, or operationally critical support. This is the majority of prime contractors and flows down to subcontractors handling CDI.

252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements

This clause, added in 2020, requires contractors to have a current DoD Assessment on record in the Supplier Performance Risk System (SPRS) as a condition of contract award. It applies at both the offeror and contractor level.

What it requires:

  1. SPRS score entry. Before contract award (and as a condition of continued eligibility for award), you must have a current NIST SP 800-171 DoD Assessment posted in SPRS. The score is based on the DoD Assessment Methodology — a self-assessment where you evaluate your implementation against all 110 controls and calculate a score starting from 110 points, with point deductions for each unimplemented control.
  2. Currency. The assessment must be no more than three years old. You need to reassess and update SPRS when your assessment expires or when your security posture materially changes.
  3. Flow down to subs. You must include this clause in subcontracts that involve CDI and require the subcontractor to have a current DoD Assessment in SPRS.

The SPRS score is not CMMC. A self-assessment score in SPRS satisfies 7019. It does not satisfy the CMMC certification requirement in 7021. These are separate things. Your SPRS score is based on your self-reported implementation status. CMMC certification requires an independent third-party assessment.
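As an added illustration of the scoring rule described above (example code written for this article, not from DoD or the original text): the DoD Assessment Methodology assigns each of the 110 requirements a weight of 5, 3 or 1 points and subtracts the weight of every requirement that is not implemented, so a self-assessment can score well below zero. The requirement weights and the gap list below are constructed samples, not the official weight table, and the three-year currency check mirrors the 7019 rule.

```python
from datetime import date

MAX_SCORE = 110  # every NIST SP 800-171 requirement implemented

# Constructed sample weights for a handful of requirements. The official
# methodology assigns 5, 3 or 1 points to each of the 110 requirements;
# the values here are illustrative, not the official table.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.8.4": 1,    # mark media containing CUI
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.6": 3,   # monitor communications for attacks
}

# Reduced deductions exist only for MFA deployed to some but not all users
# (3.5.3) and for encryption that is in use but not FIPS-validated (3.13.11).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def sprs_score(weights, not_implemented, partially_implemented=()):
    """110 minus the weight of each open requirement; the result may go negative."""
    if "3.12.4" in not_implemented:
        # Without a system security plan the assessment cannot be performed at all.
        raise ValueError("3.12.4 (SSP) not implemented: no score can be produced")
    score = MAX_SCORE
    for rid in not_implemented:
        score -= weights[rid]  # unknown id -> KeyError, better than silent credit
    for rid in partially_implemented:
        # Any other requirement marked partial counts as not implemented.
        score -= PARTIAL_DEDUCTION.get(rid, weights[rid])
    return score


def assessment_is_current(assessment_iso, today_iso):
    """7019 currency rule: a posted assessment is usable for at most three years."""
    assessed, today = date.fromisoformat(assessment_iso), date.fromisoformat(today_iso)
    try:
        expiry = assessed.replace(year=assessed.year + 3)
    except ValueError:  # assessment dated 29 February
        expiry = assessed.replace(year=assessed.year + 3, day=28)
    return today <= expiry


if __name__ == "__main__":
    # Constructed gap list: two controls open, MFA covering only privileged users.
    gaps, partial = ["3.3.1", "3.8.4"], ["3.5.3"]
    print("SPRS score:", sprs_score(SAMPLE_WEIGHTS, gaps, partial))  # 101
    print("current:", assessment_is_current("2022-05-01", "2025-05-01"))  # True
```

Note that a perfect 110 produced by this calculation is still only a self-assessment score for 7019; it is not evidence toward the C3PAO assessment that 7021 requires.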

Who it applies to: Broadly applied to DoD contracts, especially since 2020. If your contract was awarded after November 2020, it almost certainly includes this clause.

252.204-7020: NIST SP 800-171 DoD Assessment Requirements

This clause gives the government the right to conduct its own assessment of your NIST 800-171 implementation — what's called a Medium or High Confidence assessment, conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

What it requires:

  1. Accept a DoD-conducted assessment. If DoD elects to conduct a Medium Assessment (review of your SSP and assessment summary) or High Assessment (hands-on evaluation by DIBCAC), you must participate and provide access.
  2. SPRS posting of DoD-conducted results. The results of any DoD-conducted assessment will be posted to SPRS, potentially overriding your self-assessment score.
  3. Cooperate with the assessment. Provide access to facilities, systems, personnel, SSP, and supporting documentation as requested by DIBCAC.

What it means practically: Most contractors haven't been subject to a DIBCAC assessment yet. But the clause is in most contracts, which means DoD can assess you at any time. If DIBCAC finds your SPRS self-assessment score overstated your actual implementation — common — your score gets corrected in SPRS and you may face contract consequences.

This clause is the government's quality control mechanism on the self-assessment system. It's also why padding your SPRS score is a bad idea. Under the False Claims Act, knowingly submitting a materially inaccurate SPRS score can expose your company to significant liability.

Who it applies to: Broadly included in DoD contracts alongside 7019.

252.204-7021: Cybersecurity Maturity Model Certification Requirements

This is the CMMC clause. It establishes the third-party certification requirement and is the most significant from a compliance standpoint.

What it requires:

  1. CMMC certification at the required level. Your contract will specify either CMMC Level 1, Level 2, or Level 3. Most contracts involving CUI require Level 2. You must have a current CMMC certification at the specified level before you can perform work under the contract.
  2. Third-party assessment (Level 2 and above). Level 2 requires assessment by a Certified Third-Party Assessment Organization (C3PAO) — not self-attestation. The exception: the DoD may authorize Level 2 self-attestation for contracts assessed as lower risk, but this is specified in the contract.
  3. Triennial recertification. CMMC certifications are valid for three years. You must recertify before expiration to maintain contract eligibility.
  4. Annual affirmation. Each year between assessments, a senior company official must affirm in SPRS that the organization continues to meet its CMMC requirements. This is the requirement that makes compliance an ongoing obligation, not a three-year cycle.
  5. Flow down to subcontractors. You must include this clause in subcontracts where the sub handles CDI, specifying the CMMC level appropriate to their scope of work. The subcontractor must independently achieve and maintain their own CMMC certification.

The flow-down decision: You can't just pass your CMMC certification down to your subs. Each subcontractor must achieve their own. The question you need to answer is: what CMMC level do your subcontractors need? A sub handling Level 2 CUI needs Level 2. A sub providing general IT support who never touches CUI may need only Level 1. Document this assessment for every CDI-handling subcontractor.

When does 7021 apply? The clause has been phased in through the CMMC acquisition rule. As of 2025, 7021 is appearing in new contracts. Check your contract documents directly — the Defense Federal Acquisition Regulation Supplement clause numbering tells you exactly which requirements apply.

How the Four Clauses Stack

The clauses build on each other:

| Clause | Core Obligation | Assessment Type |
|--------|----------------|-----------------|
| 7012 | Implement 800-171, report incidents | None (self-implement) |
| 7019 | Post SPRS score | Self-assessment |
| 7020 | Accept government assessment | DoD/DIBCAC-conducted |
| 7021 | Achieve CMMC certification | C3PAO third-party |

If your contract only includes 7012, you have no formal assessment requirement — just the obligation to implement 800-171 and report incidents. If it includes 7019 and 7020, you need a SPRS score and must cooperate with DoD assessments. If it includes 7021, you need a certified C3PAO assessment at the specified level.

Most DoD prime contracts now include all four.

Common Mistakes Across All Four Clauses

Missing the 72-hour reporting window (7012). Contractors often discover an anomaly, spend several days investigating to confirm it's an incident, and then report. The 72-hour clock starts at discovery of a possible incident, not confirmation. Report early; you can update your report with additional information. Missing the window creates both compliance exposure and potential False Claims Act liability.

Confusing SPRS self-assessment score with CMMC certification (7019 vs. 7021). These are separate requirements. A score of 110 in SPRS is not a CMMC Level 2 certification. You need an actual C3PAO assessment for 7021.

Flow-down gaps. Forgetting to include the correct clauses in subcontracts, or including them but not specifying reporting timelines (7012) or CMMC levels (7021). Review your subcontract templates against all four clauses.

Stale SPRS data. Entering a score in SPRS and never updating it. If your environment changes materially — new systems added, major configuration changes, staff turnover affecting your security posture — reassess and update your score.

What Your Assessor Expects

For a CMMC Level 2 assessment (triggering 7021), your C3PAO will not assess your compliance with 7012 or 7019 directly — that's the government's purview. But they will expect:

  • Your SSP to reference your incident response procedures, including the 72-hour reporting requirement, with a specific contact path to the DoD
  • Your policies to address CDI/CUI identification, handling, and protection in a way consistent with your contractual obligations
  • Evidence that your SPRS score reflects your actual implementation status — not a score that was entered at contract award and never touched

The CMMC assessment validates your 800-171 implementation. The DFARS clauses establish the legal framework around it. Both matter.

---

CTA: Not sure which DFARS clauses apply to your current contract? Look for the 252.204-70XX series in Section I of your contract — if you don't see it there, check your subcontract or ask your prime contracting officer. Knowing what you're obligated to do is step one. The 48 CFR CMMC acquisition rule adds another layer to these requirements.