There is a version of the compliance conversation happening inside defense contracting organizations right now that goes something like this: CMMC covers our cybersecurity obligations, so we just need to get our CMMC Level 2 assessment done and we are covered. It is a reasonable assumption. It is also wrong.
DFARS 252.204-7012 has not been replaced by CMMC. It has not been absorbed into DFARS 252.204-7021. It has not been modified under the Revolutionary FAR Overhaul. The clause is in effect exactly as written, and it imposes obligations that CMMC does not address.
Contractors conflating the two frameworks are leaving real compliance gaps in active contracts, gaps that carry cyber incident reporting liability, cloud security exposure, and potential False Claims Act risk.
DFARS 252.204-7012 is titled Safeguarding Covered Defense Information and Cyber Incident Reporting. Its scope is broader than the name suggests.
The clause applies when a contractor's information system processes, stores, or transmits Covered Defense Information (CDI), or when the contractor provides operationally critical support. CDI is defined to include Controlled Unclassified Information (CUI) that is collected, developed, received, transmitted, used, or stored by or on behalf of a contractor in performance of a contract.
When the clause applies, it imposes five distinct requirements:
• Adequate security. The contractor must apply security requirements in NIST SP 800-171 to all covered contractor information systems. This is the same technical baseline that CMMC Level 2 maps to. The difference is in how compliance is validated and enforced.
• Cyber incident reporting. The contractor must report cyber incidents to the DoD within 72 hours of discovery via the DCISE portal at DC3. This is a standalone obligation under 7012 with no equivalent provision in CMMC.
• Malicious software submission. If malicious software is discovered and isolated in connection with a reported cyber incident, the contractor must submit it to the DoD Cyber Crime Center (DC3).
• Media preservation and protection. Following a cyber incident, the contractor must preserve images of all known affected systems and relevant monitoring and packet capture data for at least 90 days, available for potential DoD forensic analysis.
• Cloud service provider requirements. Any cloud service used to process, store, or transmit CDI must meet security requirements equivalent to FedRAMP Moderate, or a higher standard agreed upon with the contracting officer.
None of these obligations disappear when a contractor achieves CMMC Level 2 certification. They are parallel requirements under a separate clause.
How 7012 and CMMC Relate to Each Other
CMMC Level 2, enforced through DFARS 252.204-7021, establishes whether a contractor holds a qualifying assessment status to handle CUI on a given program. It draws on the same 110 security requirements from NIST SP 800-171 that 7012 references.
But the two clauses serve different functions. CMMC is an assessment and certification framework. It answers the question: has this contractor's security posture been evaluated against a defined standard, and is that status recorded in SPRS? DFARS 252.204-7012 is an operational obligation framework. It answers the question: when a contractor handles CDI or supports critical operations, what must they do and what must they report?
Achieving CMMC Level 2 certification demonstrates that your controls are in place. DFARS 252.204-7012 governs what you are required to do when something goes wrong, or when you move CDI into the cloud, regardless of your CMMC status.
TABLE 1. DFARS 252.204-7012 VS. CMMC LEVEL 2: KEY DISTINCTIONS
| Aspect | DFARS 252.204-7012 | CMMC Level 2 / DFARS 252.204-7021 |
| --- | --- | --- |
| Trigger | Receipt or transmission of Covered Defense Information on contractor IT systems | Processing, storing, or transmitting CUI on contractor IT systems |
| Core requirement | Adequate security aligned to NIST SP 800-171; cyber incident reporting; media preservation | Qualifying CMMC Level 2 assessment status recorded in SPRS; annual affirmation |
| Incident reporting | Required. 72-hour window to report to DoD. | Not separately addressed. 7012 governs. |
| Cloud requirement | Cloud providers must meet FedRAMP Moderate or equivalent | No separate cloud provision. 7012 governs. |
| Media preservation | Required for 90 days following cyber incident | Not addressed |
| Status in 2026 | Unchanged. Fully in effect. | Unchanged. Phased enforcement through 2028. |
The most common scoping error is assuming that if CMMC applies to a program, 7012 does not need separate attention. In practice, the clauses appear together in solicitations precisely because they cover different ground.
Three specific areas where conflation creates compliance risk:
Cloud environments
Many contractors have moved workloads to Microsoft 365 GCC High, Azure Government, or AWS GovCloud. These environments support CMMC evidence collection and can help demonstrate NIST SP 800-171 control implementation. But DFARS 252.204-7012 independently requires that any cloud service processing CDI meet FedRAMP Moderate or equivalent. The contractor is responsible for verifying and documenting that requirement, not assuming it is satisfied by the cloud provider's general compliance posture. That verification needs to be explicit in your System Security Plan.
Incident reporting timelines
CMMC does not establish a cyber incident reporting requirement. DFARS 252.204-7012 does, and the 72-hour window runs from discovery, not from the time an investigation is complete or a root cause is identified. Contractors that treat incident response as a compliance exercise rather than an operational one routinely miss this window. The consequence is not a CMMC finding. It is a contract violation under DFARS, with potential False Claims Act exposure.
Subcontractor flowdown
DFARS 252.204-7012 requires prime contractors to flow the clause down to subcontractors when CDI will be processed, stored, or transmitted on subcontractor systems, or when the subcontract involves operationally critical support. This flowdown obligation exists independently of CMMC flowdown requirements under 252.204-7021. A prime that manages CMMC flowdown carefully but ignores 7012 flowdown is still out of compliance with its prime contract.
The Department of Justice Civil Cyber-Fraud Initiative has made clear that misrepresentations about cybersecurity compliance in federal contracting are actionable under the False Claims Act (31 U.S.C. § 3729 et seq.). That exposure is not limited to CMMC attestations.
A contractor that certifies compliance with contract terms, including DFARS 252.204-7012, while operating a cloud environment that does not meet FedRAMP Moderate, or that fails to report a cyber incident within 72 hours, has made a potentially material misrepresentation to the government. The fact that CMMC certification is in order does not resolve that exposure.
Compliance officers and program managers on active DoD contracts should be asking whether their contract compliance certifications accurately reflect 7012 obligations, not just CMMC status.
• Review every active DoD contract for the presence of DFARS 252.204-7012. If CDI is in scope, confirm that your System Security Plan explicitly addresses each of the clause's five requirement areas.
• Verify your cloud service providers against the FedRAMP Moderate baseline or document an equivalent standard agreed upon with your contracting officer. Do not assume compliance based on the provider's general certifications.
• Confirm your incident response plan includes the 72-hour reporting window, names the DCISE portal at DC3 (dc3.mil) as the reporting destination, and assigns clear ownership for that obligation. Test the process before you need it.
• Audit your subcontract agreements for 7012 flowdown. If a subcontractor is handling CDI and the clause is not flowed down, that is a prime contract compliance gap, not a subcontractor problem.
• Do not treat CMMC certification as a substitute for 7012 compliance documentation. Both need to be current, accurate, and defensible.
Does achieving CMMC Level 2 certification satisfy DFARS 252.204-7012?
No. CMMC Level 2 certification confirms that your security posture has been assessed against NIST SP 800-171 requirements and that status is recorded in SPRS. DFARS 252.204-7012 imposes separate obligations, including 72-hour cyber incident reporting, media preservation, malicious software submission, and FedRAMP Moderate requirements for cloud services. These are independent contract requirements that remain in effect regardless of CMMC status.
Has DFARS 252.204-7012 been changed under the Revolutionary FAR Overhaul?
No. As of the current class deviations implementing the FAR overhaul, DFARS 252.204-7012 and its companion provision DFARS 252.204-7008 are unchanged. The overhaul restructured and renumbered several related clauses, including provisions tied to NIST self-assessments and CMMC, but 7012 remains in its current form and fully in effect.
What is the difference between CUI and Covered Defense Information under 7012?
Covered Defense Information (CDI) is the term used in DFARS 252.204-7012 and is defined to include CUI as well as other unclassified information marked or identified in the contract that requires safeguarding. In most current DoD contracts, CDI and CUI overlap substantially, but the 7012 definition is contractually specific. Review your contract's definition of CDI against what your organization actually processes.
If a cyber incident occurs, what specifically must be reported and to whom?
Under DFARS 252.204-7012, contractors must report cyber incidents to the DoD within 72 hours of discovery using the DCISE portal, operated by the DoD Cyber Crime Center (DC3) at dc3.mil. The report must include a description of the technique or method used in the incident, a description of the CDI compromised, any identified compromised systems, and other details defined in the clause. Contractors should also preserve system images and relevant monitoring data for at least 90 days pending potential DoD forensic review.
DFARS 252.204-7012 is not a legacy requirement waiting to be replaced. It is an active contract obligation governing how your organization handles incidents, manages cloud environments, and flows compliance requirements to subcontractors. Getting CMMC right matters. Getting 7012 right matters just as much.
