What Are the DFARS Cybersecurity Clauses?
Four DFARS clauses form the cybersecurity compliance backbone for every DoD contractor. They're not optional — if your company holds a DoD contract and handles Controlled Unclassified Information (CUI), these clauses apply to you, period.
252.204-7012 is the original and most foundational. In short, it requires you to implement NIST SP 800-171 on any system that handles covered defense information, safeguard that information, and rapidly report cyber incidents to DoD within 72 hours of discovery.
252.204-7019, -7020, and -7021 were added together by a DFARS interim rule that took effect November 30, 2020, to sharpen enforcement. 7019 made a NIST SP 800-171 self-assessment score in SPRS a precondition for award. 7020 gave DoD the right to conduct its own Medium or High assessment of your implementation and obliges you to give assessors access to facilities, systems, and personnel. 7021 tied CMMC certification levels to contract awards.
Together, these four clauses form the compliance chain from "you should be doing this" (7012) to "you must prove you're doing it" (7019/7020) to "you must be certified to win new contracts" (7021).
Safeguarding CUI
Implement NIST SP 800-171, protect CUI, report cyber incidents to DoD within 72 hours of discovery, and use only cloud services that meet the FedRAMP Moderate baseline (or equivalent) for CUI.
Self-Assessment
Formalize the NIST 800-171 self-assessment using DoD's scoring methodology and submit results to SPRS. No score = contract risk.
Government Access
Provide government access to your assessment results and supporting evidence on request. No obstruction, no delay.
CMMC Requirements
CMMC Level 1, 2, or 3 must be achieved as a contract requirement to win awards. Phased rollout began late 2025.
If your prime contract contains DFARS 252.204-7012, you must flow the clause down to any subcontractor that will handle CUI on that contract. That means your subs also need NIST 800-171 implementation, an incident response process that can meet the 72-hour window, and (through the 7019/7020 flow-down) a current self-assessment score in SPRS, regardless of their size. This is not just prime preference: 7020 requires a prime to confirm that a subcontractor has a current assessment posted in SPRS before awarding it a subcontract that involves CUI.
For the NIST 800-171 foundation these clauses build on, see our NIST 800-171 compliance guide and our Rev 3 guide for the most current framework version.
The 4 Clauses, One at a Time
What 7012 Requires
7012 has three main obligations that every DoD contractor must meet:
- Implement NIST SP 800-171. You must implement all 110 security requirements in NIST SP 800-171 Rev 2 (the revision DoD currently holds contracts to under a class deviation, pending a transition to Rev 3). The standard defines how you must safeguard CUI on your internal networks, systems, and devices. You don't need to achieve perfection; you need a documented Plan of Action and Milestones (POA&M) for any gaps. But gaps not documented = gaps not disclosed = potential False Claims Act exposure.
- Report cyber incidents within 72 hours. If you discover a cyber incident that affects a covered contractor information system, the CDI on it, or your ability to perform the parts of the contract designated as operationally critical support, you must rapidly report it to DoD within 72 hours of discovery through the DIBNet portal at https://dibnet.dod.mil; the DoD Cyber Crime Center (DC3) receives the report. "Discovery" is key: the clock starts when you first determine an incident occurred, not when you've fully characterized it, so report first and update as you learn more. Two practical caveats. Submitting on DIBNet requires a DoD-approved medium assurance certificate, which takes time to obtain, so get one before you need it. And once you report, the clause requires you to preserve images of affected systems and relevant monitoring and packet-capture data for at least 90 days, submit any malicious software you isolate to DC3, and give DoD access to that material on request.
- Cloud services must meet FedRAMP Moderate or equivalent. If you use a cloud service to store, process, or transmit CDI, 7012 requires that the service meet security requirements equivalent to the FedRAMP Moderate baseline and that the provider also comply with the clause's incident reporting, malware submission, media preservation, and access requirements (paragraphs (c) through (g)). "We've moved to the cloud" does not satisfy 7012: verify the specific offering's status at marketplace.fedramp.gov. AWS (GovCloud), Microsoft (Azure Government), and Google Cloud all hold FedRAMP authorizations at Moderate or High, but authorization is per offering, not per vendor, so check the service you actually use.
Your cloud service should appear on the FedRAMP Marketplace as "Authorized" at the Moderate or High baseline. A JAB P-ATO counts (it is a FedRAMP authorization); "In Process" and "FedRAMP Ready" do not. Also confirm in writing that the provider accepts the 7012 (c) through (g) obligations for your data, because a FedRAMP authorization alone does not cover them. Document the provider's authorization and those commitments in your System Security Plan (SSP). Microsoft 365 GCC is FedRAMP Moderate and GCC High is FedRAMP High; Microsoft's own guidance points ITAR and export-controlled CUI toward GCC High, so check Microsoft's current compliance documentation for your tenant type and verify your tenant configuration matches the authorized service configuration.
What "CUI" Actually Means in Practice
DFARS 7012 uses the term "Covered Defense Information" (CDI), which maps directly to CUI as defined by NARA in 32 CFR Part 2002. CUI includes unclassified information that requires safeguarding per law, regulation, or government policy — things like export-controlled drawings, ITAR technical data, contract performance data, and program office information.
If you're a defense contractor and handle technical drawings, proposals, contract data, teardown reports, or program information that came from a government customer, that's almost certainly CUI and DFARS 7012 applies to you. Put simply, you're in scope when you hold any DoD contract, prime or subcontract, and your systems process, store, or transmit information a government customer shared with you in connection with that contract. It's not about your industry classification. It's about what information touched your systems.
What 7019 Changed
7019 formalized what 7012 implied: contractors need a measurable, reportable security posture. Before 7019, "we're working on NIST 800-171" was an acceptable answer on many contracts. After November 30, 2020, when the interim rule adding 7019, 7020, and 7021 took effect, that stopped.
Under 7019, you must:
- Complete a self-assessment against NIST SP 800-171 using the NIST SP 800-171 DoD Assessment Methodology (a specific scoring method, not just your own opinion)
- Score yourself on all 110 requirements, Met, Not Met, or Not Applicable, then calculate the weighted composite score
- Post the summary to the Supplier Performance Risk System (SPRS) at https://www.sprs.csd.disa.mil/, which you reach through a PIEE account (https://piee.eb.mil/). The summary includes the assessment date, the score, the scope (enterprise, enclave, or contractor system), the SSP name and date, the CAGE codes covered, and the date by which you expect all 110 requirements to be implemented
- Keep the assessment current and consistent: 7019 requires one that is not more than three years old, the contracting officer checks SPRS for it before award, and any representations and certifications you sign must match what you posted
If you have a DoD contract awarded after November 30, 2020 and you don't have a current score in SPRS, the contracting officer is not supposed to award you anything that involves CUI, and a missing score on an existing contract is a compliance failure. Contracting officers and primes increasingly check before issuing task orders or subcontract awards. A missing score is a red flag in source selection, even if your actual security posture is good.
The SPRS Score Breakdown
The DoD Assessment Methodology scores you from –203 to +110 against NIST 800-171 Rev 2's 110 requirements: you start at 110 and subtract the weight (5, 3, or 1 point) of every requirement that is not fully implemented. Here's what the ranges mean:
| Score Range | What It Means | Contract Impact |
|---|---|---|
| 110 | All 110 requirements fully implemented | Best possible posture — no POA&M needed |
| 80–109 | Minor gaps, manageable POA&M | Acceptable to most primes and COs |
| 50–79 | Significant gaps — POA&M required | Primes may require gap closure before award |
| Below 50 | High risk — major control failures | Red flag in source selection; primes may pass |
| Not submitted | Score not in SPRS | Effectively treated as "unknown" — risk to contract |
For a full walkthrough of how to calculate and submit your SPRS score, see our SPRS Score Guide.
What 7020 Means in Practice
7020 is straightforward: DoD may conduct its own Medium or High NIST SP 800-171 DoD Assessment of your implementation, and when it does you must give the assessors access to your facilities, systems, and personnel, plus your assessment results, SSP, POA&M, and supporting evidence. This isn't a suggestion. The government's results are posted to SPRS, and you get 14 business days to rebut them before they stand.
The clause applies to current contractors and to offerors on new awards. Medium and High assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under the Defense Contract Management Agency (DCMA); DoD Inspector General auditors can also review your documentation.
If DoD requests access and you delay, obstruct, or refuse, that itself is a contract violation. Have your SSP and assessment documentation organized and accessible, not locked in a spreadsheet that only one person knows how to open.
CMMC assessments by authorized C3PAOs (CMMC Third-Party Assessment Organizations) are a separate, certification-oriented assessment under 7021/CMMC, not the 7020 government assessment, though they examine the same SSP and evidence. For what to expect in a CMMC Level 2 assessment, see our C3PAO Assessment Guide.
CMMC: The Certification Layer on Top of DFARS
7021 is the enforcement mechanism that makes 7012 real: you cannot win a contract that carries it unless you hold the CMMC level the contract specifies. The levels map to the DFARS requirements like this:
| CMMC Level | What It Requires | DFARS Clause Basis | Assessment Type |
|---|---|---|---|
| Level 1 | Basic safeguarding of FCI (Federal Contract Information) | FAR 52.204-21 | Self-assessment only |
| Level 2 | NIST 800-171 (110 practices) for CUI protection | DFARS 252.204-7012 | Self-assessment or C3PAO third-party assessment |
| Level 3 | NIST 800-171 plus 24 selected requirements from NIST SP 800-172 | DFARS 252.204-7012 + DoD-defined subset | Government-led assessment (DCMA DIBCAC), after a Level 2 C3PAO certification |
For defense subcontractors and most SMBs, CMMC Level 2 is the target. Our CMMC Level 2 Requirements Guide covers the 110 practices in detail.
The CMMC program rule (32 CFR Part 170) was published in October 2024 and took effect December 16, 2024; the acquisition rule that puts CMMC requirements into contracts took effect November 10, 2025. Phase 1 of the rollout started on that date: new DoD solicitations now carry CMMC requirements at the Level 1 and Level 2 self-assessment tier, with Level 2 C3PAO certification requirements phasing in from Phase 2 a year later. (In the rule's vocabulary, OSC means Organization Seeking Certification, or OSA, Organization Seeking Assessment, for self-assessments; it does not stand for "Offeror Self-Assessment".) If you're pursuing new DoD contracts, assume CMMC Level 2 self-assessment, or a C3PAO certification assessment where the solicitation requires one, is required and begin preparing now. Our CMMC Phase 2 guide covers the full timeline and implications.
Which Clauses Apply to You?
The four clauses have different applicability triggers. Here's a quick decision guide:
| Your Situation | 7012 | 7019 | 7020 | 7021 |
|---|---|---|---|---|
| DoD prime contract, handle CUI, awarded Oct 2021 or later | ✅ Required | ✅ Required | ✅ Required | ⚠️ Depends on contract CMMC requirement |
| DoD prime contract, handle CUI, awarded before November 30, 2020 (never modified since) | ✅ Required | ❌ May not apply; check contract language | ❌ May not apply; check contract language | ❌ Not in contract |
| Subcontractor receiving CDI/CUI from a DoD prime | ✅ Required (via flow-down) | ✅ Required | ✅ Required | ⚠️ Depends on prime contract CMMC level |
| Federal contractor (non-DoD) handling CUI | ❌ DFARS not applicable | ❌ DFARS not applicable | ❌ DFARS not applicable | ❌ DFARS not applicable |
| DoD contractor handling FCI only (no CUI) | ❌ Not directly — FAR 52.204-21 applies instead | ❌ Not applicable | ❌ Not applicable | ⚠️ CMMC Level 1 may apply via FAR |
Search your contract documents for "252.204-7012", "252.204-7019", "252.204-7020", and "252.204-7021." If any of these clause numbers appear, that clause is part of your contract. For a solicitation posted on SAM.gov, the clauses are listed in the solicitation document itself (typically Section I, Contract Clauses). When in doubt, ask your contracting officer; they're the authoritative source for what applies to your specific contract.
SPRS Score Submission Walkthrough
The Supplier Performance Risk System (SPRS) is DoD's database of supplier risk information, including contractor NIST SP 800-171 self-assessment scores. It is not public: contracting officers and other authorized DoD personnel can see your score, and your company can see its own, but a prime evaluating your subcontract proposal cannot look it up and will ask you for it (and 7020 obliges the prime to confirm you have a current one). Here's how to get yours into the system.
Step 1: Register at the SPRS Portal
SPRS lives at https://www.sprs.csd.disa.mil/ and is accessed through the Procurement Integrated Enterprise Environment (PIEE) at https://piee.eb.mil/: register there, then request the SPRS "Cyber Vendor User" role for your CAGE code. You'll need your CAGE code and your SAM.gov Unique Entity ID (UEI; DUNS numbers were retired in 2022). If your company doesn't have a CAGE code, you'll need to get one via SAM.gov before accessing SPRS. For the full SAM.gov registration guide, see our SAM.gov Registration Guide.
Step 2: Complete the DoD Assessment Methodology
The DoD Assessment Methodology scores each of the 110 requirements in NIST SP 800-171 Rev 2. For each requirement, you mark it as:
- Met — The requirement is fully implemented and documented
- Not Met — The requirement is not implemented or only partially implemented (partial counts as Not Met, except for the two partial-credit cases, 3.5.3 MFA and 3.13.11 FIPS-validated cryptography)
- Not Applicable — The requirement does not apply to your environment (must be justified in your SSP)
Use NIST SP 800-171A (the assessment guide) to evaluate each requirement against your actual systems and processes. Do not score yourself based on what you intend to do; score based on what you have done. One prerequisite: if you have no System Security Plan at all (requirement 3.12.4), the methodology says the assessment cannot be completed, so write the SSP first.
Step 3: Calculate Your Score
Requirements are weighted in the DoD methodology: each carries a value of 5, 3, or 1 point, reflecting how badly its absence could be exploited, and you subtract the value of every requirement that is not fully implemented from 110. The maximum score is +110 (all requirements met); the minimum is –203 (every requirement unmet; the weights sum to 313). Two requirements get partial credit: MFA (3.5.3) implemented only for remote and privileged access costs 3 points instead of 5, and encryption that is in use but not FIPS-validated (3.13.11) costs 3 instead of 5. Scores below 80 typically indicate significant gaps that primes and contracting officers will scrutinize.
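The scoring rules above are easy to get wrong in a spreadsheet (partial implementations silently scored as "Met", a requirement left off the sheet, no floor at –203). The following is an added worked example of the methodology's arithmetic, written for this page; it is not DoD's tool and not code from the original article. The requirement weights in it are an assumed, illustrative subset, and the N/A handling is an assumption: load all 110 values from Annex A of the DoD Assessment Methodology before scoring a real environment.

```python
"""Worked NIST SP 800-171 DoD Assessment Methodology scoring (added example).

Weights below are an ASSUMED illustrative subset, not the official table.
"""
from typing import Dict, List, Mapping, Tuple

MAX_SCORE = 110   # every requirement implemented
MIN_SCORE = -203  # 110 minus the 313 points the 110 requirements carry in total

# Per-requirement statuses. "partial" earns credit only for the two
# requirements in PARTIAL_DEDUCTION; everywhere else it counts as not met.
STATUSES = {"met", "not_met", "partial", "na"}

# Illustrative subset of requirement weights (ASSUMED values; confirm each
# against Annex A of the methodology, which assigns 5, 3, or 1 point).
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit records
    "3.5.3": 5,    # multifactor authentication
    "3.5.7": 1,    # minimum password complexity
    "3.8.3": 5,    # sanitize media before disposal or reuse
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # identify, report, and correct system flaws
    "3.14.6": 5,   # monitor systems for attacks and indicators
}

# The methodology's two partial-credit cases: MFA only for remote and
# privileged access, and encryption in use but not FIPS-validated, each
# lose 3 points instead of the full 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Without a system security plan (3.12.4) the methodology says the
# assessment cannot be completed, so it is a gate rather than a weight.
SSP_REQUIREMENT = "3.12.4"


def deduction(req: str, status: str, weights: Mapping[str, int]) -> int:
    """Points lost for one requirement given its assessed status."""
    if status not in STATUSES:
        raise ValueError(f"{req}: unknown status {status!r}")
    if status in ("met", "na"):
        # ASSUMPTION: an N/A requirement, justified in the SSP, costs nothing.
        return 0
    if status == "partial" and req in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req]
    return weights[req]  # not_met, or partial with no partial-credit rule


def sprs_score(assessment: Mapping[str, str],
               weights: Mapping[str, int] = WEIGHTS) -> int:
    """Composite score: 110 minus all deductions, floored at -203.

    `assessment` maps requirement id -> status and must cover 3.12.4 plus
    every weighted requirement; skipping one would inflate the score, which
    is exactly the misrepresentation the False Claims Act section warns about.
    """
    if assessment.get(SSP_REQUIREMENT) != "met":
        raise ValueError("3.12.4 (SSP) not met: the assessment cannot be scored")
    missing = sorted(set(weights) - set(assessment))
    if missing:
        raise ValueError(f"unscored requirements: {', '.join(missing)}")
    unknown = sorted(set(assessment) - set(weights) - {SSP_REQUIREMENT})
    if unknown:
        raise ValueError(f"unweighted requirements: {', '.join(unknown)}")
    lost = sum(deduction(req, assessment[req], weights) for req in weights)
    return max(MIN_SCORE, MAX_SCORE - lost)


def poam_items(assessment: Mapping[str, str],
               weights: Mapping[str, int] = WEIGHTS) -> List[Tuple[str, int]]:
    """Requirements that cost points, biggest deduction first: your POA&M list."""
    items = [(req, deduction(req, status, weights))
             for req, status in assessment.items() if req in weights]
    return sorted([i for i in items if i[1] > 0], key=lambda i: (-i[1], i[0]))


# Constructed sample assessment (not a real contractor's data).
SAMPLE_ASSESSMENT = {
    "3.12.4": "met",
    "3.1.1": "met", "3.1.2": "met", "3.3.1": "met", "3.5.7": "met",
    "3.8.3": "met", "3.14.1": "met",
    "3.1.20": "not_met",   # -1
    "3.5.3": "partial",    # MFA only for remote/privileged users: -3, not -5
    "3.13.11": "partial",  # TLS and BitLocker on, but not FIPS-validated: -3
    "3.14.6": "not_met",   # -5
}

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_ASSESSMENT))  # 110 - 12 = 98
    for req, pts in poam_items(SAMPLE_ASSESSMENT):
        print(f"  POA&M {req}: -{pts}")
```

The two checks in `sprs_score` are the point of the exercise: a requirement that never made it onto the assessment is not "Met", it is unscored, and the function refuses to produce a number until every weighted requirement has a status. `poam_items` orders the gaps by points lost, which is also the order in which closing them moves your SPRS score.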
SPRS scores are visible to DoD contracting officers and other authorized DoD personnel; primes can't see them directly, so they will ask you to state your score and may ask for evidence that it is posted. A low or missing score can cause you to lose competitive evaluations even if your technical capabilities are strong. An accurate score of 85 with a solid POA&M is far better than a misrepresentation of 110 when you have documented gaps.
Step 4: Submit and Update Annually
After calculating, post your summary through SPRS. 7019 requires the assessment to be no more than three years old, but treat that as the ceiling, not the cadence: reassess and resubmit at least annually and after any material change to your CUI environment (new systems, significant architecture changes, a security incident), because the score you have posted must reflect your current state.
For a complete step-by-step with the full scoring methodology, see our SPRS Score Guide.
False Claims Act: The Cost of Getting It Wrong
The False Claims Act (31 USC 3729) is the government's primary civil fraud tool. It allows the government to sue contractors who submit false claims for payment — or who make false statements that cause a claim to be submitted. Penalties are severe:
- Statutory penalty: Up to $27,894 per violation (adjusted annually for inflation)
- Treble damages: three times the damages the government sustained because of the false claim
- Qui tam provisions: Private individuals can file suit on behalf of the government and collect 15–30% of any recovery
- Exclusion and debarment: Companies found liable can be excluded from future government contracting
Contractors face False Claims Act risk in three specific DFARS scenarios: (1) Representing CMMC Level 2 certification when you haven't been assessed or certified; (2) Certifying a false SPRS score that overstates your security posture; (3) Continuing to accept payment on a contract where you've had a reportable cyber incident and failed to disclose it. The DoJ has signaled increased enforcement attention on government contractor cybersecurity compliance — Aerojet Rocketdyne paid $9M in 2022, and the pattern has continued.
What Triggers False Claims Act Risk
| Risk Scenario | What It Looks Like | Why It's a Problem |
|---|---|---|
| False CMMC representation | Claiming Level 2 certification without a valid C3PAO assessment | Contract award based on false certification — FCA claim if discovered |
| Inflated SPRS score | Scoring requirements "Met" when technical controls are not in place | False statement to government on which contract decisions were made |
| Non-disclosed cyber incident | Having a CUI breach and continuing to perform without reporting to DoD within 72 hours | Contract performance based on undisclosed cybersecurity failure |
| Misrepresenting CMMC level on a repriced/renegotiated contract | Obtaining a contract at favorable terms by misrepresenting your certification level | False claim for payment tied to false certification |
How to Protect Yourself
The best False Claims Act protection is accurate self-assessment and honest disclosure. Document your NIST 800-171 controls in a System Security Plan. Maintain a current POA&M for all gaps. Submit an accurate SPRS score — not an aspirational one. And if you have a cyber incident, report it within 72 hours even if you're not yet sure of the full scope. The penalty for late reporting is a contract violation; the penalty for no reporting can be an FCA action.
If you're responding to a subcontract opportunity and your prime asks you to confirm your SPRS score, give an accurate number — not the score you wish you had. An accurate score of 72 with a detailed POA&M is a manageable risk. A fabricated score of 100 when you have 30 unimplemented requirements is a legal liability.
12-Step DFARS Implementation Checklist
Work through this checklist in order. Steps 1–4 are foundation work that everything else builds on. Steps 5–10 are the technical implementation. Steps 11–12 are ongoing maintenance and compliance reporting.
Foundation: Know Your Scope (Steps 1–4)
- Identify all systems that process, store, or transmit CUI Map your CUI boundary — every workstation, server, cloud service, and network segment that touches CUI. Do not over-scope (expensive) or under-scope (non-compliant). A written scope statement is your starting document.
- Get or update your CAGE code and UEI Required for SPRS registration. The SAM.gov Unique Entity ID (UEI) replaced DUNS in 2022. If you don't have a CAGE code, get one at sam.gov. This is a prerequisite for everything that follows.
- Register for SPRS through PIEE (https://piee.eb.mil/) Even if you haven't completed your assessment yet, create your PIEE account and request the SPRS Cyber Vendor User role for your CAGE code. Record who holds that role; you'll need it to post scores and to answer prime and contracting officer requests.
- Determine which DFARS clauses are in your contract Review your prime contract for DFARS 252.204-7012, -7019, -7020, and -7021. Check if your prime has flowed these clauses down to you as a subcontractor. If any clause is present, that requirement applies to you.
Assessment: Document Your Current State (Steps 5–6)
- Conduct a gap assessment against NIST SP 800-171 Rev 2 Assess all 110 requirements using NIST SP 800-171A as your guide. Score each as Met, Not Met, or Not Applicable. Use the DoD Assessment Methodology scoring format. Document every finding — this is your compliance record.
- Create or update your System Security Plan (SSP) Your SSP describes your security posture, CUI boundary, technical controls, and implementation status for each requirement. It's the primary document government assessors will ask to see. Use NIST's SSP template as your starting point.
Implementation: Close Your Gaps (Steps 7–10)
- Implement MFA for all remote and privileged access, then for all users This is the single highest-value control for most SMB defense contractors. Implement multi-factor authentication for all users with access to CUI systems, for example via Microsoft Entra ID, Duo, or Okta. In the DoD scoring, 3.5.3 is a 5-point requirement: MFA only for remote and privileged users earns partial credit (3 points lost), no MFA loses all 5.
- Encrypt CUI at rest and in transit Enable BitLocker/FileVault on all endpoints that can store CUI. Enforce TLS 1.2+ for all network communications. Requirement 3.13.11 calls for FIPS-validated cryptography wherever cryptography protects CUI, so run endpoints in FIPS mode and confirm your TLS stacks and VPNs use a FIPS 140-validated module; encryption that is not FIPS-validated only earns partial credit. Configure your email service (Microsoft 365 GCC or GCC High for DoD contractors) for CUI-appropriate encryption. Verify your cloud storage and collaboration tools are FedRAMP authorized.
- Build your incident response plan and set up DoD reporting before you need it Write a documented IR plan that covers: incident identification, initial containment, the 72-hour DoD reporting procedure through DIBNet (https://dibnet.dod.mil), 90-day preservation of system images and monitoring data, malware submission to DC3, evidence preservation, and post-incident review. Obtain the DoD-approved medium assurance certificate required to submit on DIBNet now; it is not something you can get in the middle of an incident. Test your plan annually via tabletop exercise.
- Create your Plan of Action and Milestones (POA&M) For every requirement you scored Not Met, document: what the gap is, who owns fixing it, what resources are needed, and the target completion date. POA&M is required by 7012 and demonstrates you're aware of and managing your gaps — not ignoring them.
Maintenance: Submit and Stay Current (Steps 11–12)
- Submit your SPRS score Calculate your score using the DoD Assessment Methodology. Post it to SPRS (https://www.sprs.csd.disa.mil/) through PIEE. Make sure your score accurately reflects your current implementation status, not your target state. Resubmit after any major change to your CUI environment.
- Schedule annual review cadence Set an annual reminder to: reassess your NIST 800-171 controls, update your SSP, recalculate your SPRS score, review your POA&M for completed items, and test your incident response plan. 7019 requires an assessment no more than three years old and CMMC requires an annual affirmation of continued compliance: DFARS compliance is not a one-time event.
Download the DFARS Compliance Checklist PDF
A printable one-page checklist covering all 12 steps with your key decision points and deadlines.
Frequently Asked Questions
What is DFARS 252.204-7012?
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) is the foundational cybersecurity clause in DoD contracts. It requires contractors to implement NIST SP 800-171 controls, safeguard CDI/CUI on their networks, report cyber incidents to DoD within 72 hours of discovery, and use cloud services that meet FedRAMP Moderate or equivalent. It has been in DoD contracts in its current form since 2015 and flows down to subcontractors who handle CUI. The clause is not optional if it appears in your contract.
Do I need a SPRS score if my company only handles CUI occasionally?
Yes. If DFARS 252.204-7012 is in your contract, you're required to complete a NIST 800-171 self-assessment and post your score to SPRS. There's no "occasional CUI handler" exception; the clause applies or it doesn't. Only contracts awarded before November 30, 2020 and never since modified to add 7019 may have a different posture; verify with your contracting officer.
Is DFARS the same as CMMC?
No. DFARS 252.204-7012 is the requirement to implement NIST 800-171 and self-assess. DFARS 252.204-7021 added CMMC certification as a contract award requirement. CMMC is the third-party validation that you actually implemented the controls. DFARS says what you must do; CMMC verifies you did it.
What are the False Claims Act risks for DFARS non-compliance?
Penalties up to $27,894 per violation plus treble damages. The specific risk scenarios: representing CMMC Level 2 certification when not certified; submitting an inaccurate SPRS score that overstates your posture; failing to report a cyber incident within 72 hours and continuing to accept payment. Aerojet Rocketdyne paid $9M in 2022 for alleged false cybersecurity certifications. Accurate self-assessment and honest disclosure are your best protection.
What is the difference between DFARS 7012, 7019, 7020, and 7021?
7012 (first issued in 2013, expanded to its NIST 800-171 form in 2015) is the original: implement NIST 800-171, protect CUI, report incidents within 72 hours of discovery, use FedRAMP Moderate (or equivalent) cloud. 7019 (2020) made a NIST 800-171 DoD Assessment score in SPRS a formal contract obligation. 7020 (2020) lets DoD conduct its own Medium or High assessment and requires you to give it access to facilities, systems, personnel, and assessment documentation. 7021 (2020) ties CMMC certification levels to contract awards; you can't win certain contracts without the required level. The three newer clauses all come from the same interim rule, effective November 30, 2020.
How do I submit my SPRS score?
Create a PIEE account (https://piee.eb.mil/), request the SPRS Cyber Vendor User role for your CAGE code (you'll need your CAGE code and UEI), and log in to SPRS at https://www.sprs.csd.disa.mil/. Assess all 110 NIST 800-171 Rev 2 requirements with the DoD Assessment Methodology. Calculate your score (–203 to +110). Post the summary to SPRS. The assessment must be no more than three years old; resubmit annually and after major changes to your CUI environment. Your score is visible to DoD contracting officers; primes will ask you for it.
Does DFARS 7012 apply to my subcontractor?
Yes, if you flow down DFARS 252.204-7012 to a subcontractor that will handle CUI on the contract, that subcontractor must comply with NIST 800-171, self-assess, and submit a SPRS score. Many primes now require a valid SPRS score from subcontractors as a precondition to award — check your subcontract flow-down requirements carefully.
What happens if I have a cyber incident but don't report it within 72 hours?
It's a contract violation that can result in termination for default, payment withholding, and False Claims Act exposure if you continue to perform while in non-compliance. The 72-hour clock starts at "discovery", not "confirmed breach". Report first, update as you learn more. Have your incident response plan and your DIBNet medium assurance certificate in place before you need them.
DFARS clauses build on NIST 800-171. For the full framework: NIST 800-171 Rev 3 Guide · NIST 800-171 Rev 2 Guide. For CMMC certification: CMMC Level 2 Requirements · CMMC Phase 2 Timeline · C3PAO Assessment Guide. For SPRS scoring: SPRS Score Guide · SAM.gov Registration.