Defense Acquisition Regulation Supplement (DFARS) Explained
July 18, 2026
By Tracey Birkenhauer, journalist and Chief Impact Officer, STACK Cybersecurity
Executive Summary
DFARS 252.204-7012 is a clause that has appeared in military contracts since 2016, requiring contractors to protect sensitive government data and report cyber incidents within 72 hours. It predates the Cybersecurity Maturity Model Certification (CMMC) program. It's survived every CMMC delay, rewrite, and suspension, including the July 2026 suspension of CMMC's Phase II requirements. This piece explains what DFARS is, what the clause requires, who it applies to, and what's at stake for a business that gets it wrong. If this clause appears in your contract, the obligation to implement NIST SP 800-171 and report incidents on a tight clock applies right now, regardless of what's happening with CMMC.
If a military contract has landed on your desk with the letters "DFARS 252.204-7012" buried somewhere in the terms, it's worth stopping to understand what you just agreed to. This clause carries real legal weight. It can affect whether you keep a contract, and it can expose your business to federal liability if you tell the government you're compliant when you're not.
Before getting into what the clause requires, it helps to understand what DFARS is in the first place, since a lot of the confusion around this topic starts there.
DFARS Definition
DFARS stands for the Defense Federal Acquisition Regulation Supplement. It's the Pentagon's add-on to a much bigger rulebook called the Federal Acquisition Regulation, or FAR. The FAR is the government-wide set of rules that governs how every federal agency buys goods and services, from paper clips to fighter jets. It applies to every executive branch agency, not just the military.
A quick note on naming. The Department of Defense was renamed the Department of War earlier this year. That rename has not been made permanent, so this piece refers to the agency as the Department or the Pentagon throughout rather than committing to either name.
Free Download
Deepfake Compliance Checklist
TAKE IT DOWN Act requirements, 30-state election disclosure obligations, and internal controls for every business type.
DFARS doesn't replace the FAR. It sits on top of it. Where the FAR sets the baseline rules for federal contracting, DFARS adds requirements specific to military work, things like protecting sensitive technical data, restricting where certain materials can be sourced, and setting cybersecurity expectations that a civilian agency contract would never need to address.
Think of the FAR as the general building code for every contractor in the country, and DFARS as the extra code requirements that kick in specifically for military construction. Both apply. DFARS just adds more on top.
DFARS is organized into parts, subparts, and individual clauses, each with its own number. The clause at the center of this article, 252.204-7012, lives in Part 252 of that structure, and it's titled "Safeguarding Covered Defense Information and Cyber Incident Reporting." When a contracting officer inserts this clause into your contract, everything in it becomes a binding obligation the moment you sign.
What 252.204-7012 Requires
The clause has been a standard part of contracts since 2016, and it does two main things.
First, it requires contractors to protect covered defense information (CDI), a category that includes controlled unclassified information (CUI), which is sensitive but unclassified government data, as well as certain technical data and export-controlled information tied to a contract. To meet that protection standard, the clause requires contractors to implement NIST SP 800-171, a set of 110 specific security controls published by the National Institute of Standards and Technology (NIST) that spells out how to protect this kind of data on non-government systems. This applies across a supplier's entire environment, including on-premise servers, employee laptops, and cloud platforms like Microsoft 365 or Amazon Web Services (AWS), wherever that information is stored, processed, or transmitted.
Second, it requires contractors to rapidly report cyber incidents. Under the clause, "rapidly report" has a specific legal meaning: within 72 hours of discovery of any cyber incident affecting covered information. That's a hard clock, and it starts the moment an incident is discovered, not once an investigation concludes and everyone agrees on what happened. Reports are filed through the DoD Cyber Crime Center's DIBNet portal.
Once an incident is reported, contractors also must preserve system images and related data for at least 90 days. They also must be ready to submit any isolated malicious code for forensic analysis, and to support a government damage assessment if one is requested.
The reporting clock isn't a formality. STACK's coverage of the Stryker/Intune wiper attack walked through how quickly a single compromised endpoint can spiral into a full incident response effort. And 72 hours doesn't leave much room for a contractor to determine its reporting obligations quickly.
Who This Applies To
If your contract includes CUI, technical data, or export-controlled information tied to a military program, this clause almost certainly applies to you, and it doesn't stop at your front door. The clause has to flow down into subcontracts wherever that subcontractor will handle covered information or provide what the rule calls operationally critical support. That means a prime contractor is on the hook to make sure every subcontractor touching that data is meeting the same standard, and subcontractors are required to notify the prime, or the next tier up, when they report an incident or request an exception from a control.
This flow-down structure is where a lot of smaller firms get tripped up. A company might never deal directly with the Department, but if it's three tiers deep in a supply chain handling a prime's technical drawings, the obligations under 252.204-7012 still apply in full.
Why This Matters Even When CMMC Doesn't
This clause predates CMMC entirely, and it has outlasted every version of that program. When the Department suspended CMMC 1.0 in 2021 and rebuilt it as CMMC 2.0, this clause didn't move. When the Department suspended CMMC's Phase II third-party assessment requirement in July 2026, this clause didn't move either. CMMC is the mechanism the Department uses to verify a contractor's security controls match what that contractor claims. DFARS 252.204-7012 is the underlying legal obligation that verification is checking against. One can pause. The other cannot, because it's written directly into the contract itself.
Free Download
AI Business Tips E-Book
When implemented incorrectly, any technology with access to sensitive data can create security risks. Because AI systems rely on large volumes of proprietary data, companies must prioritize security from the outset when evaluating AI implementation or selecting AI solutions. When used responsibly and securely, AI can streamline operations, help solve critical business challenges, and build client trust. Understanding real examples and their impact can help you make informed decisions about adopting AI.
That distinction matters because it's easy for a business owner to see news about a CMMC delay and assume the pressure is off. It isn't. The requirement to implement NIST SP 800-171 and report incidents within 72 hours has applied continuously since 2016, regardless of what's happening with CMMC's certification timeline. Contractors tracking their own compliance posture against these controls often use a scoring tool to keep their SPRS score and their actual environment in sync, rather than discovering a gap during an assessment.
What's at Stake for Noncompliance
The consequences here go beyond losing a contract. A contractor who represents itself as compliant with NIST SP 800-171, whether through a System Security Plan, a self-assessment score submitted to the Supplier Performance Risk System (SPRS), or a signed contract certification, when the actual environment doesn't match that representation, can face liability under the False Claims Act (FCA). The FCA is a federal law that allows the government to pursue triple damages against a business that knowingly submits false statements in connection with a government contract. It's been the basis for enforcement actions against defense contractors who overstated their cybersecurity posture.
A missed 72-hour reporting window carries its own risk. Contracting officers can treat a failure to report on time as a separate compliance failure apart from the incident itself, and a contractor's track record on incident reporting can factor into future award decisions.
Download the STACK Cybersecurity Cyber Liability Insurance Checklist
Take An Honest Look
For a business trying to figure out where it stands, the starting point is straightforward. Pull your active contracts and search for "252.204-7012" directly in the text. If it's there, the obligations apply in full, whether anyone has walked you through them. From there, identify exactly what CUI or technical data your business handles and where it lives, since that scope defines what must be protected. Then take an honest look at your environment against the 110 controls in NIST SP 800-171, ideally before a contracting officer or an incident forces that comparison for you.
"The businesses that get hurt by this clause are almost never the ones that got a bad audit. They're the ones who assumed a clause buried in contract boilerplate didn't apply to them. By the time an incident happens, the 72-hour clock is already running whether you built an incident response plan or not."
Rich Miller, Founder and CEO, STACK Cybersecurity
Building toward that standard now, rather than waiting for a CMMC assessment or a breach to force the issue, is the only version of this that doesn't end with a difficult conversation with a contracting officer.
Frequently Asked Questions (FAQs)
Does DFARS 252.204-7012 still apply now that CMMC Phase II is suspended?
Yes. The clause is a separate, standalone contract obligation. It has applied since 2016 and doesn't depend on whether CMMC's certification requirements are active.
What counts as a reportable cyber incident under the clause?
Any event that compromises, or could reasonably have compromised, the confidentiality, integrity, or availability of covered defense information on a contractor's systems or a subcontractor's systems. Contractors don't need to wait for a confirmed breach with proven damage before reporting.
Where do I report a cyber incident under DFARS 252.204-7012?
Through the DoD Cyber Crime Center's DIBNet portal, within 72 hours of discovery.
Does this clause apply to subcontractors, or just prime contractors?
It applies to subcontractors as well, wherever the subcontract involves covered defense information or operationally critical support. The clause has to flow down without alteration.
What's the difference between DFARS 252.204-7012 and CMMC?
DFARS 252.204-7012 is the legal requirement to protect covered information and report incidents. CMMC is the Department's verification program for confirming a contractor's security controls match what it has self-reported. The clause is the obligation; CMMC is the check.
Not Sure Where Your Business Stands on DFARS Compliance?
Start with a Cybersecurity Risk Assessment to see how your environment measures up against NIST SP 800-171. You can also contact STACK Cybersecurity to talk through incident response readiness and the 72-hour reporting clock. Check out our Cybersecurity & AI Resources.