Nexeris

DFARS 252.204-7012 Compliance: The Complete Guide for Defense Contractors

DFARS 252.204-7012 has set the cybersecurity baseline for defense contracts since 2017. What changed recently is enforcement. CMMC requirements are now written into DoD contracts, and the Justice Department is using the False Claims Act to pursue contractors that billed the government while misrepresenting their security posture. The gap between “we think we’re compliant” and “we can prove it” now decides contract eligibility.

Many contractors assume firewalls, antivirus, and basic access controls are enough. DFARS compliance is both narrower and stricter than that. It requires implementing a specific set of controls for protecting Controlled Unclassified Information (CUI), documenting how you meet each one, and being able to show evidence on demand.

This guide covers what the clause actually requires, how assessment and reporting work after the 2025 and 2026 rule changes, how DFARS connects to CMMC, what non-compliance now costs, and a practical path to get and stay compliant.

What DFARS 252.204-7012 requires

DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” is a mandatory DoD contract clause. The current version dates to May 2024. It applies to DoD contracts and subcontracts at every tier where a contractor processes, stores, or transmits covered defense information, with a narrow exception for contracts solely for commercial off-the-shelf (COTS) items.

The clause does three core things:

  • Requires adequate security on any system that handles covered defense information. In practice, that means implementing the 110 security requirements in NIST SP 800-171, and, where a cloud service provider stores or processes that information on the contractor's behalf, requiring the provider to meet security requirements equivalent to the FedRAMP Moderate baseline.
  • Requires reporting cyber incidents that affect covered defense information to DoD within 72 hours of discovery, and submitting any malicious software discovered in connection with the incident to the DoD Cyber Crime Center (DC3).
  • Requires preserving images of known affected systems and relevant monitoring and packet-capture data for at least 90 days from submission of the incident report, and flowing the same obligations down to subcontractors.

Covered defense information is unclassified controlled technical information and other CUI categories that are marked or identified in the contract. If your contract includes the 7012 clause, you are responsible for protecting that information whether you hold it directly or pass it to a subcontractor.

The NIST SP 800-171 controls behind the clause

This is where many summaries get it wrong. NIST SP 800-171 is not “14 requirements.” It is 110 individual security requirements, organized into 14 families numbered 3.1 through 3.14. Revision 2 labels the requirements within each family as “basic” or “derived,” but that distinction carries no contractual weight: DFARS 7012 makes all 110 mandatory, and there is no “advanced” tier you can defer.

  • Access Control (3.1), 22 requirements: who and what can reach CUI, including least privilege, remote access, and session control.
  • Awareness and Training (3.2), 3 requirements: role-based security training and insider-threat awareness.
  • Audit and Accountability (3.3), 9 requirements: logging, log protection, and tracing actions to individuals.
  • Configuration Management (3.4), 9 requirements: baseline configurations, change control, and software restrictions.
  • Identification and Authentication (3.5), 11 requirements: unique user IDs, multi-factor authentication, and authenticator management.
  • Incident Response (3.6), 3 requirements: incident handling and the 72-hour reporting capability.
  • Maintenance (3.7), 6 requirements: authorized, controlled, and documented system maintenance.
  • Media Protection (3.8), 9 requirements: marking, handling, sanitizing, and destroying media that holds CUI.
  • Personnel Security (3.9), 2 requirements: screening and access changes when staff join or leave.
  • Physical Protection (3.10), 6 requirements: limiting physical access to systems and facilities.
  • Risk Assessment (3.11), 3 requirements: periodic risk assessment and vulnerability scanning.
  • Security Assessment (3.12), 4 requirements: assessing control effectiveness, the SSP, and the POA&M.
  • System and Communications Protection (3.13), 16 requirements: boundary protection, encryption in transit and at rest, and network architecture.
  • System and Information Integrity (3.14), 7 requirements: flaw remediation, malware protection, and security monitoring.

The counts sum to 110.

A note on versions. The 110-requirement, 14-family structure above is NIST SP 800-171 Revision 2. NIST published Revision 3 in May 2024, which consolidates the requirements to 97 across 17 families. A DoD class deviation issued the same month directs contractors to comply with Revision 2 under 7012, and the CMMC rule also references Revision 2, so Revision 2 is what governs current compliance. Plan around it until DoD formally adopts Revision 3.

How assessment and reporting work now

This is the section that has changed the most, and where outdated guidance does the most damage.

NIST 800-171 implementation has been required under 7012 since the end of 2017. The weakness was enforcement. The clause required controls but built in no verification.

That changed in November 2020, when DoD added DFARS 252.204-7019 and 7020. Those clauses required contractors to self-assess against NIST 800-171 using the DoD Assessment Methodology and to post a summary score to the Supplier Performance Risk System (SPRS). A current score, meaning one no more than three years old, became a condition of award. The score is not a formality. The Methodology weights each of the 110 requirements at 1, 3, or 5 points. Full implementation scores 110, and each requirement that is not met subtracts its full weight, so a score can go negative. Partial credit exists in only two places: multi-factor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), each of which costs 3 rather than 5 points when partly implemented. SPRS itself will accept any score, but the CMMC rule limits what may remain on a Plan of Action and Milestones (POA&M): only 1-point requirements, with 3.13.11 at its 3-point partial value as the one exception, and never 3.1.20, 3.1.22, or 3.12.4. The score must also be at least 88 for conditional Level 2 status. In practice, you need most of the 110 controls actually in place before a score means anything.
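As an added example (this is not code from the article or from Nexeris), the following Python calculator applies the scoring arithmetic described above to a constructed sample assessment. The point weights for the six controls listed, the two partial-credit cases, and the POA&M restrictions for CMMC conditional status are written in as this example's reading of the DoD Assessment Methodology and 32 CFR 170.21; verify them against the current Methodology and rule text before using the calculator on a real assessment.

```python
"""Illustrative DoD Assessment Methodology (SPRS) score calculator.

Added example, not from the original article. The weights, partial-credit
rules and POA&M restrictions below are assumptions taken from this example
author's reading of the Methodology and 32 CFR 170.21; confirm them against
the current documents before relying on them.
"""
from dataclasses import dataclass

MAX_SCORE = 110

# Partial credit exists for only two requirements (assumed per the Methodology):
#   3.5.3   MFA in place for remote/privileged users but not all users -> deduct 3, not 5
#   3.13.11 encryption in place but not FIPS-validated                  -> deduct 3, not 5
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# CMMC Level 2 conditional status (assumed per 32 CFR 170.21): a POA&M may hold
# only 1-point requirements (plus 3.13.11 at its 3-point partial value), never
# 3.1.20, 3.1.22 or 3.12.4, and the score must be at least 88 (80% of 110).
POAM_NEVER = {"3.1.20", "3.1.22", "3.12.4"}
MIN_CONDITIONAL_SCORE = 88


@dataclass(frozen=True)
class Finding:
    control: str   # NIST SP 800-171 Rev 2 requirement id, e.g. "3.5.3"
    weight: int    # 1, 3 or 5 per the Methodology (assumed values in SAMPLE)
    status: str    # "implemented", "partial" or "not_implemented"


def deduction(f: Finding) -> int:
    """Points subtracted for one requirement."""
    if f.status == "implemented":
        return 0
    if f.status == "partial" and f.control in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[f.control]
    # The Methodology gives no partial credit elsewhere: partial == not met.
    return f.weight


def sprs_score(findings) -> int:
    """110 minus the weighted deductions; the result can fall below zero."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_ineligible(findings) -> list[str]:
    """Controls that may not sit on a POA&M for CMMC conditional status."""
    bad = []
    for f in findings:
        d = deduction(f)
        if d == 0:
            continue
        if f.control in POAM_NEVER:
            bad.append(f.control)
        elif d > 1 and not (f.control == "3.13.11" and d == 3):
            bad.append(f.control)
    return bad


def conditional_eligible(findings) -> tuple[bool, list[str]]:
    """Whether the residual gaps could be carried on a POA&M, with reasons if not."""
    reasons = [f"{c} cannot be on a POA&M" for c in poam_ineligible(findings)]
    s = sprs_score(findings)
    if s < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {s} is below {MIN_CONDITIONAL_SCORE}")
    return (not reasons, reasons)


# Constructed sample assessment (not real data); weights are assumed as noted above.
SAMPLE = [
    Finding("3.1.1", 5, "implemented"),       # limit system access to authorized users
    Finding("3.5.3", 5, "partial"),           # MFA missing for general (non-privileged) users
    Finding("3.13.11", 5, "partial"),         # encryption present but not FIPS-validated
    Finding("3.3.3", 1, "not_implemented"),   # logged events not reviewed and updated
    Finding("3.1.22", 1, "not_implemented"),  # no control over CUI on public-facing systems
    Finding("3.13.1", 5, "not_implemented"),  # no boundary protection
]

if __name__ == "__main__":
    ok, why = conditional_eligible(SAMPLE)
    print("SPRS score:", sprs_score(SAMPLE))          # 97 for SAMPLE
    print("Eligible for conditional status:", ok)     # False for SAMPLE
    for r in why:
        print(" -", r)
```

On the sample, the score is 97 (six controls cost 3 + 3 + 1 + 1 + 5 points), which clears the 88 floor, yet conditional status is still unavailable: the partially implemented MFA control, the 1-point public-content control, and the 5-point boundary-protection control all have to be fixed before assessment rather than deferred to a POA&M. That gap between “a respectable score” and “an assessable posture” is the point of the paragraph above.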

Then the framework shifted again. As of February 1, 2026, under the Revolutionary FAR Overhaul, DoD eliminated the standalone 7019 self-assessment provision and renumbered 7020. The self-assessment and SPRS reporting obligation did not disappear. It was consolidated into the CMMC framework under DFARS 252.204-7021. SPRS remains the system of record. These changes were made by class deviation rather than formal rulemaking, so you will see both old and new clause numbers in circulation for a while.

The practical takeaway is simple. Assessment and reporting now run through CMMC, and your SPRS status is what a contracting officer checks before an award.

How DFARS connects to CMMC

For years, CMMC was a future requirement. It is not anymore.

The 32 CFR CMMC Program rule took effect in December 2024. The 48 CFR acquisition rule took effect on November 10, 2025, which activated DFARS 252.204-7021 and started putting CMMC requirements into new contracts. DoD is phasing this in over roughly three years:

  • Phase 1, began November 10, 2025. Level 1 and Level 2 self-assessment requirements appear in new contracts. Contracting officers may also require a third-party (C3PAO) Level 2 assessment for sensitive work at their discretion.
  • Phase 2, begins November 10, 2026. Level 2 C3PAO certification becomes a standard requirement on new and renewing contracts that involve CUI.
  • Full implementation by 2028, when CMMC requirements apply to essentially all in-scope contracts.

CMMC Level 2 maps directly to the same 110 NIST 800-171 controls. There are no additional controls to learn, but an assessor scores them objective by objective against the 320 assessment objectives in NIST SP 800-171A, so a control counts as met only when every objective under it is satisfied. A Level 2 certification is, in effect, a verified version of the DFARS self-assessment you should already be performing. Contractors who implemented 7012 properly are most of the way to certification. Contractors who reported optimistic SPRS scores without the controls behind them now face a third party checking the work.

This is why “wait and see” no longer works as a strategy. The contractors moving now treat strong compliance as a way to stay eligible and to win against competitors who are not ready. For a closer look at the assessment itself, see our template for CMMC audit preparation and how to pass your CMMC audit.

What non-compliance now costs

The cost of falling short is concrete, and it has shifted from “possible penalty someday” to “lost revenue now.”

Lost eligibility. With CMMC in contracts, the rule is direct: no required certification or status, no award. Primes are enforcing flow-down aggressively, so a subcontractor that cannot demonstrate compliance gets dropped from the supply chain. For most contractors, this is the largest and most immediate cost, in the form of revenue that is foreclosed before a proposal is even scored.

Termination and remediation. DoD can terminate a contract for default if a contractor fails to protect covered defense information or meet required controls. A reportable incident adds its own remediation, notification, and oversight costs on top of that.

False Claims Act exposure. This is the consequence that has grown fastest. Since launching its Civil Cyber-Fraud Initiative in 2021, the Justice Department has used the False Claims Act to pursue contractors that accepted DoD payments while misrepresenting their cybersecurity compliance. Recent settlements show the pattern:

  • MORSE Corp paid $4.6 million in 2025 over failures to implement NIST 800-171 controls and an SPRS score reported higher than an outside assessor later calculated.
  • Raytheon, RTX, and successor company Nightwing agreed to $8.4 million tied to non-compliance across 29 DoD contracts.
  • Georgia Tech Research Corporation settled for $875,000 over missing controls and a System Security Plan that was put in place late.

Two details matter for every contractor. First, many of these cases begin as whistleblower (qui tam) suits filed by current or former employees, so internal knowledge of an inflated score is a live risk, not a hypothetical one. Second, an inaccurate SPRS score is itself a trigger. Reporting a number you cannot support with evidence is the specific behavior the government has pursued.

A practical implementation roadmap

Getting compliant is a project with a clear sequence. The phases below are typical, and the timelines depend on the size and complexity of your environment.

Phase 1: Scope and gap assessment

Identify every system that processes, stores, or transmits CUI, and draw your compliance boundary deliberately. Most cost overruns trace back to a boundary drawn too wide. Inventory hardware, software, and data flows, then assess your current controls against all 110 NIST 800-171 requirements to find the gaps. Pair this with a structured cybersecurity risk assessment so remediation is prioritized by real risk, not just checklist order.

Phase 2: Implement and document

Close gaps starting with the highest-weighted controls and the ones other controls depend on. That usually means access control, boundary protection, multi-factor authentication, encryption, and audit logging first. Write the policies and procedures that support each control as you go. Documentation here is not paperwork for its own sake. It is the evidence an assessor and a contracting officer rely on, and its absence has been a named failure in enforcement cases.

Phase 3: Build the SSP, score, and submit

Develop a System Security Plan that states how you meet each control, who owns it, and what evidence supports it. Put any remaining gaps on a POA&M, within the limits the CMMC rule allows (1-point requirements only, with the FIPS-validated encryption requirement as the single exception). Calculate your score honestly and submit it. If you are pursuing CMMC Level 2 certification, this is the package a C3PAO will assess.

Many contractors bring in outside help at the implementation and documentation stage, where the work is detailed and the cost of a mistake is high. NIST 800-171 compliance consulting can shorten the timeline and keep your SSP defensible.

Common pitfalls

  • Overscoping the boundary. Pulling systems that never touch CUI into scope inflates both cost and effort. Do the data-flow analysis first so you protect what you must and nothing more.
  • A thin or missing SSP. A stale or absent System Security Plan was a named failure in recent False Claims Act cases. Build it early and keep it current as your environment changes.
  • Ignoring subcontractor flow-down. Primes are responsible for their subcontractors’ compliance. Put the requirement in subcontracts and verify it rather than assuming it.
  • Missing the 72-hour reporting window. Have an incident response process that already knows what counts as reportable, who reports it, and how fast.
  • Inflated SPRS scores. This is the highest-risk shortcut on the list. A score you cannot back with evidence is now both a contract liability and a legal one.
  • Treating compliance as one-and-done. Controls drift as systems, vendors, and staff change. Maintaining them is part of the requirement, not an afterthought.

Where to start

If you hold or want DoD contracts, the question is no longer whether to comply. It is whether you can prove it. Start by confirming three things: which CUI you actually handle, whether your SPRS score reflects controls you can evidence, and what CMMC level your contracts require.

A gap assessment answers all three. Nexeris reviews your current posture against NIST 800-171, identifies what is missing, and gives you a prioritized roadmap to a defensible score and CMMC readiness. For contractors that need ongoing security leadership without a full-time hire, our virtual CISO services cover the same ground on a continuing basis.

Request a DFARS gap assessment to see exactly where you stand and what it takes to close the distance.

Zach Tracy, Nexeris founder and CEO

Zach Tracy, CISA, CISSP

Zach Tracy is the CEO and a cybersecurity executive with more than 10 years of experience in security program management and regulatory compliance. He has served as a fractional Chief Information Security Officer for over 40 organizations and has led more than 100 audits across frameworks including SOC 2, CMMC, NIST CSF, ISO 27001, HIPAA, and HITRUST.

Zach specializes in helping defense contractors and regulated organizations build practical, audit-ready security programs that protect contract eligibility and reduce operational risk. He holds CISA, CISSP, CMMC-RP, and ISO 27001 and 9001 Lead Implementer certifications, along with a B.S. in Cybersecurity from Thomas College.

A Marine Corps veteran and former law enforcement officer, Zach brings a mission-focused, disciplined approach to cybersecurity leadership.

Connect with Zach on LinkedIn
