A comprehensive guide to achieving DFARS 252.204-7012 compliance for defense contractors and subcontractors. This resource maps DFARS requirements to NIST SP 800-171 controls, provides a self-assessment scorecard, explains the relationship to CMMC (Cybersecurity Maturity Model Certification), and offers practical implementation guidance.
Whether you are a prime contractor, subcontractor, or managed service provider supporting the defense industrial base (DIB), this guide gives you the structure to assess your current posture and plan your path to compliance.
- What Is DFARS 252.204-7012
- Who Must Comply
- Key Requirements
- NIST SP 800-171 Control Families
- Self-Assessment Scorecard
- Implementation Roadmap
- CMMC Alignment
- Common Compliance Gaps
- Required Documentation
- Incident Reporting Requirements
- Subcontractor Flow-Down Requirements
- Frequently Asked Questions
DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," is a contract clause that the Department of Defense (DoD) includes in contracts and subcontracts where contractors will process, store, or transmit Covered Defense Information (CDI) or operate systems connected to DoD networks.
The clause requires contractors to:
- Implement NIST SP 800-171 security requirements to protect Controlled Unclassified Information (CUI)
- Report cyber incidents to the DoD within 72 hours
- Preserve evidence of cyber incidents for 90 days
- Flow down the requirement to subcontractors who handle CDI
- Provide access to equipment, information, and personnel for DoD forensic analysis if needed
| Term | Definition |
|---|---|
| Covered Defense Information (CDI) | Unclassified controlled technical information or other information that requires safeguarding or dissemination controls per DoD policy, CUI Registry, or contract |
| Controlled Unclassified Information (CUI) | Information the Government creates or possesses, or that an entity creates or possesses for the Government, that requires safeguarding or dissemination controls |
| Covered Contractor Information System | An unclassified information system owned or operated by a contractor that processes, stores, or transmits CDI |
| Cyber Incident | Actions taken through computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein |
You must comply with DFARS 252.204-7012 if:
- You have a DoD contract or subcontract containing the DFARS 7012 clause
- You process, store, or transmit Covered Defense Information (CDI)
- You operate information systems on behalf of the DoD
- You are a subcontractor at any tier who handles CDI that flows down from a prime contract
Common industries affected:
- Defense manufacturing
- Aerospace engineering
- IT services and consulting for DoD
- Research institutions with DoD grants
- Logistics and supply chain companies
- Professional services firms (legal, accounting, HR) supporting defense contractors
All 110 security requirements across 14 control families must be assessed. Each requirement must be either:
- Implemented -- the control is fully in place
- Planned -- documented in a Plan of Action and Milestones (POA&M) with a remediation timeline
- Not Applicable -- documented justification for why the control does not apply to your environment
Contractors must conduct a NIST SP 800-171 DoD Assessment (Basic, Medium, or High) and submit their score to the Supplier Performance Risk System (SPRS).
Scoring methodology:
- Start with 110 points (all controls implemented)
- Subtract the weighted value for each control not implemented
- Scores range from 110 (perfect) to -203 (nothing implemented)
- Minimum threshold for contract award: varies by contract, but 110 is the target
Your organization must have a current self-assessment score in SPRS. The assessment includes:
- Date of assessment
- Scope of assessment (which systems)
- Assessment score
- Date score will reach 110 (if not already there)
The 110 requirements are organized into 14 families:
| # | Control Family | # of Controls | Key Focus Areas |
|---|---|---|---|
| 1 | Access Control (AC) | 22 | Account management, least privilege, session controls, remote access, wireless |
| 2 | Awareness and Training (AT) | 3 | Security training, insider threat awareness |
| 3 | Audit and Accountability (AU) | 9 | Event logging, audit review, audit protection, timestamps |
| 4 | Configuration Management (CM) | 9 | Baseline configs, change control, least functionality, software restrictions |
| 5 | Identification and Authentication (IA) | 11 | MFA, password management, device identification, replay resistance |
| 6 | Incident Response (IR) | 3 | IR capability, testing, reporting |
| 7 | Maintenance (MA) | 6 | Controlled maintenance, maintenance tools, remote maintenance |
| 8 | Media Protection (MP) | 9 | Media access, marking, storage, transport, sanitization |
| 9 | Personnel Security (PS) | 2 | Screening, personnel actions during termination/transfer |
| 10 | Physical Protection (PE) | 6 | Physical access, monitoring, visitor control, emergency power |
| 11 | Risk Assessment (RA) | 3 | Risk assessments, vulnerability scanning |
| 12 | Security Assessment (CA) | 4 | Assessments, POA&M, continuous monitoring, system connections |
| 13 | System and Communications Protection (SC) | 16 | Boundary protection, encryption (at rest and in transit), CUI separation |
| 14 | System and Information Integrity (SI) | 7 | Flaw remediation, malicious code protection, monitoring, alerts |
Use this scorecard to assess your compliance posture. For each control, mark your status and calculate your score.
- Implemented: Full points (no deduction)
- Partially Implemented: Deduct the weighted value
- Not Implemented: Deduct the weighted value
- POA&M: Deduct the weighted value (but document your remediation plan)
| Control | Description | Weight | Status | Notes |
|---|---|---|---|---|
| 3.1.1 | Limit system access to authorized users | 5 | [ ] | |
| 3.1.2 | Limit system access to authorized functions/transactions | 5 | [ ] | |
| 3.1.3 | Control CUI flow per approved authorizations | 5 | [ ] | |
| 3.1.4 | Separate duties to reduce risk | 1 | [ ] | |
| 3.1.5 | Employ least privilege | 5 | [ ] | |
| 3.1.6 | Use non-privileged accounts for non-security functions | 5 | [ ] | |
| 3.1.7 | Prevent non-privileged users from executing privileged functions | 5 | [ ] | |
| 3.1.8 | Limit unsuccessful logon attempts | 5 | [ ] | |
| 3.1.9 | Provide privacy and security notices | 1 | [ ] | |
| 3.1.10 | Use session lock after inactivity | 1 | [ ] | |
| 3.1.11 | Terminate sessions after defined conditions | 1 | [ ] | |
| 3.1.12 | Monitor and control remote access | 5 | [ ] | |
| 3.1.13 | Employ cryptographic mechanisms for remote access | 5 | [ ] | |
| 3.1.14 | Route remote access via managed access control points | 5 | [ ] | |
| 3.1.15 | Authorize remote execution of privileged commands | 5 | [ ] | |
| 3.1.16 | Authorize wireless access | 1 | [ ] | |
| 3.1.17 | Protect wireless access using authentication and encryption | 5 | [ ] | |
| 3.1.18 | Control connection of mobile devices | 1 | [ ] | |
| 3.1.19 | Encrypt CUI on mobile devices | 5 | [ ] | |
| 3.1.20 | Verify/control connections to external systems | 1 | [ ] | |
| 3.1.21 | Limit use of portable storage on external systems | 1 | [ ] | |
| 3.1.22 | Control CUI posted on public systems | 5 | [ ] | |
Continue this pattern for all 14 control families in your working copy.
| Control Family | Max Points | Your Score | Gap |
|---|---|---|---|
| Access Control | -- | -- | -- |
| Awareness & Training | -- | -- | -- |
| Audit & Accountability | -- | -- | -- |
| Configuration Management | -- | -- | -- |
| Identification & Authentication | -- | -- | -- |
| Incident Response | -- | -- | -- |
| Maintenance | -- | -- | -- |
| Media Protection | -- | -- | -- |
| Personnel Security | -- | -- | -- |
| Physical Protection | -- | -- | -- |
| Risk Assessment | -- | -- | -- |
| Security Assessment | -- | -- | -- |
| System & Comm Protection | -- | -- | -- |
| System & Info Integrity | -- | -- | -- |
| TOTAL | 110 | -- | -- |
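The scoring methodology and the scorecard rules above are mechanical enough to automate, which is worth doing once the working copy has all 110 rows: a script catches arithmetic slips and produces the gap list the roadmap asks you to prioritize by weight. The following Python is an added example and is not part of this guide or any DoD tool. It applies exactly the rules stated above (start at 110, subtract the weight of every control marked Partially Implemented, Not Implemented or POA&M) and assumes, because the guide does not state a rule, that a documented Not Applicable control is not deducted. The `Control` class, the function names and the sample assessment are this example's own; the AC weights in the sample come from the scorecard table, the IA weight is illustrative, and the statuses are invented.

```python
"""SPRS-style scoring for a NIST SP 800-171 self-assessment (added example)."""
from collections import defaultdict
from dataclasses import dataclass

MAX_SCORE = 110  # every one of the 110 requirements implemented

# Statuses that carry a deduction under the scorecard rules above.
DEDUCTED = {"Partially Implemented", "Not Implemented", "POA&M"}
VALID_STATUSES = DEDUCTED | {"Implemented", "Not Applicable"}


@dataclass(frozen=True)
class Control:
    control_id: str   # NIST SP 800-171 requirement number, e.g. "3.1.8"
    family: str       # control family abbreviation, e.g. "AC"
    description: str
    weight: int       # assessment weight for the requirement
    status: str       # one of VALID_STATUSES


def deduction(control: Control) -> int:
    """Points subtracted for one control (0 when nothing is deducted)."""
    if control.status not in VALID_STATUSES:
        raise ValueError(f"{control.control_id}: unknown status {control.status!r}")
    if control.weight <= 0:
        raise ValueError(f"{control.control_id}: weight must be positive")
    # Assumption: a Not Applicable control with documented justification costs nothing.
    return control.weight if control.status in DEDUCTED else 0


def sprs_score(controls) -> int:
    """110 minus the summed deductions, as the scoring methodology describes."""
    return MAX_SCORE - sum(deduction(c) for c in controls)


def _id_key(control_id: str):
    # Sort "3.1.10" after "3.1.9" (numeric, not lexical).
    return tuple(int(part) for part in control_id.split("."))


def open_items_by_weight(controls):
    """Controls still costing points, highest weight first (the roadmap's prioritisation)."""
    gaps = [c for c in controls if deduction(c) > 0]
    return sorted(gaps, key=lambda c: (-c.weight, _id_key(c.control_id)))


def family_summary(controls):
    """Per-family roll-up for the summary table: count, points at risk, deducted, open IDs."""
    summary = defaultdict(lambda: {"controls": 0, "points_at_risk": 0, "deducted": 0, "open": []})
    for c in controls:
        row = summary[c.family]
        row["controls"] += 1
        row["points_at_risk"] += c.weight
        row["deducted"] += deduction(c)
        if deduction(c) > 0:
            row["open"].append(c.control_id)
    for row in summary.values():
        row["open"].sort(key=_id_key)
    return dict(summary)


# Constructed sample assessment: AC weights follow the scorecard above, the IA
# weight is illustrative, and every status is invented for the example.
SAMPLE_CONTROLS = [
    Control("3.1.1", "AC", "Limit system access to authorized users", 5, "Implemented"),
    Control("3.1.4", "AC", "Separate duties to reduce risk", 1, "Not Implemented"),
    Control("3.1.5", "AC", "Employ least privilege", 5, "Partially Implemented"),
    Control("3.1.8", "AC", "Limit unsuccessful logon attempts", 5, "POA&M"),
    Control("3.1.16", "AC", "Authorize wireless access", 1, "Not Applicable"),
    Control("3.5.3", "IA", "Use MFA for local and network access", 5, "Not Implemented"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS))
    for c in open_items_by_weight(SAMPLE_CONTROLS):
        print(f"  {c.control_id:<7} weight {c.weight}  {c.status}")
    for family, row in family_summary(SAMPLE_CONTROLS).items():
        print(family, row)
```

The sample scores 94: the four deducted controls cost 1 + 5 + 5 + 5 points, while the Not Applicable wireless control costs nothing under the stated assumption. Loading the full working copy from a CSV instead of the inline list is a few extra lines; the point of the script is that the same gap list feeds both the SPRS submission and the POA&M.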
- Identify all systems that process, store, or transmit CUI
- Document your CUI boundary (which systems, networks, and locations are in scope)
- Inventory all CUI data types your organization handles
- Map data flows -- where does CUI enter, move within, and leave your environment
- Identify all users with access to CUI
- Assess all 110 NIST 800-171 controls using the scorecard above
- Calculate your SPRS score
- Document findings for each non-compliant control
- Prioritize gaps by weight (higher-weight controls first)
- Create a Plan of Action and Milestones (POA&M) for each gap
- Assign owners and deadlines to each remediation item
- Estimate budget for required tools, services, and personnel
- Identify quick wins (low-effort, high-impact controls)
Quick Wins (Weeks 7-10):
- Enable MFA on all accounts
- Configure account lockout policies
- Deploy encryption at rest and in transit
- Implement session timeout and screen lock
Medium Effort (Weeks 11-18):
- Deploy SIEM/log management
- Implement vulnerability scanning
- Establish configuration baselines
- Create and enforce security policies
Major Projects (Weeks 19-26):
- Network segmentation for CUI boundary
- Implement privileged access management
- Deploy DLP (Data Loss Prevention) tooling
- Complete all documentation and policies
- Conduct internal re-assessment
- Update SPRS score
- Address any remaining gaps
- Prepare for third-party assessment (if pursuing CMMC certification)
CMMC 2.0 directly incorporates NIST SP 800-171:
| CMMC Level | Requirements | Assessment Type | Who Needs It |
|---|---|---|---|
| Level 1 | 15 basic practices (FAR 52.204-21) | Annual self-assessment | All DoD contractors handling FCI |
| Level 2 | All 110 NIST SP 800-171 controls | Self-assessment or C3PAO assessment | Contractors handling CUI |
| Level 3 | NIST SP 800-172 (enhanced) | Government-led assessment (DIBCAC) | Highest priority programs |
Key point: If you comply with DFARS 7012 and NIST 800-171, you are substantively aligned with CMMC Level 2. CMMC adds the requirement for third-party certification (C3PAO assessment) for certain contracts.
Based on assessments across hundreds of defense contractors, these are the most frequently failed controls:
| Rank | Control | Issue | Typical Remediation |
|---|---|---|---|
| 1 | 3.5.3 -- MFA | MFA not enforced for all users, especially remote access | Deploy MFA platform (Duo, Azure AD) |
| 2 | 3.12.4 -- System security plan | SSP is missing, incomplete, or outdated | Create comprehensive SSP document |
| 3 | 3.11.2 -- Vulnerability scanning | No regular scanning program | Deploy vulnerability scanner, schedule monthly |
| 4 | 3.1.12 -- Remote access monitoring | VPN/RDP access not monitored or logged | Implement SIEM with VPN log ingestion |
| 5 | 3.13.11 -- FIPS-validated crypto | Non-FIPS encryption used for CUI | Switch to FIPS 140-2 validated modules |
| 6 | 3.14.1 -- Flaw remediation | No documented patch management process | Establish patch policy with SLAs |
| 7 | 3.8.9 -- Media sanitization | No documented media destruction process | Create media handling procedures |
| 8 | 3.6.1 -- Incident response | No IR plan or untested plan | Create and test IR plan |
At minimum, you must maintain:
| Document | Purpose | Update Frequency |
|---|---|---|
| System Security Plan (SSP) | Describes your system boundary, architecture, and how each control is implemented | Annually + after changes |
| Plan of Action & Milestones (POA&M) | Tracks unimplemented controls with remediation timeline | Monthly review |
| Risk Assessment | Identifies and prioritizes risks to CUI | Annually |
| Incident Response Plan | Procedures for detecting, reporting, and recovering from incidents | Annually + after incidents |
| Configuration Management Plan | Baseline configurations and change control procedures | Annually |
| Security Policies | Acceptable use, access control, password, media protection, etc. | Annually |
| CUI Scoping Documentation | Data flow diagrams, system boundary, CUI inventory | As changes occur |
| Training Records | Proof of security awareness training completion | Per training cycle |
| Audit Logs | Evidence of monitoring and review | Retained per policy |
DFARS 7012 has specific incident reporting requirements:
- 72 hours: Report cyber incidents to DIBNet (https://dibnet.dod.mil) within 72 hours of discovery
- 90 days: Preserve images of affected systems and relevant monitoring data for 90 days
Information to include in the report:
- Date the incident was discovered
- Location and type of data compromised
- Type of compromise (malware, unauthorized access, exfiltration, etc.)
- Affected programs and contracts
- Forensic analysis results (if available)
- Actions taken to contain and mitigate
What not to do:
- Do not delay reporting to complete forensic analysis -- report what you know within 72 hours
- Do not destroy or alter evidence
- Do not disconnect from the DoD without coordination (if you have DoD network connections)
If you use subcontractors who will handle CDI:
- Include DFARS 252.204-7012 in your subcontract
- Verify subcontractor compliance (request their SPRS score)
- Limit CDI sharing to the minimum necessary
- Document which subcontractors have access to CDI
- Monitor subcontractor compliance through periodic assessments
- Require notification if a subcontractor's compliance posture changes
Q: What is the minimum SPRS score needed to win a DoD contract? A: There is no universal minimum, but the DoD evaluates SPRS scores as part of source selection. A score of 110 (full compliance) is the target. Scores below 110 require an active POA&M showing a path to full compliance.
Q: Can I use a cloud provider (AWS, Azure, GCP) for CUI? A: Yes, but the cloud environment must meet FedRAMP Moderate (or equivalent) requirements. Use dedicated GovCloud regions where available. You remain responsible for controls you manage (shared responsibility model).
Q: How long does it take to become DFARS compliant? A: Typical timeline is 6-12 months for organizations starting from scratch. Organizations with existing security programs may achieve compliance in 3-6 months.
Q: Do I need CMMC certification to be DFARS compliant? A: DFARS compliance (NIST 800-171 self-assessment + SPRS score) is required now. CMMC certification (third-party assessment) is being phased in through 2026-2028, starting with select contracts.
Q: What happens if I am not compliant? A: Risks include: losing contract eligibility, False Claims Act liability (knowingly misrepresenting compliance), breach of contract, and inability to respond to new DoD solicitations.
Created and maintained by Petronella Technology Group - a cybersecurity and managed IT services firm based in Raleigh, NC. With 23+ years of experience and zero client breaches, we help businesses secure their infrastructure and achieve compliance.
- Website: petronellatech.com
- Phone: 919-348-4912
- Free Assessment: Book a consultation
Need help implementing these controls? Petronella Technology Group provides comprehensive compliance consulting:
- CMMC Compliance Guide - Full CMMC Level 2 preparation
- NIST 800-171 Compliance - CUI protection and DFARS alignment
- Cybersecurity Services - Managed security and assessments
- AI-Powered Security - AI infrastructure with compliance built in
Petronella Technology Group is a CMMC-RP certified cybersecurity firm headquartered in Raleigh, NC. Our entire team holds CMMC Registered Practitioner credentials. Contact us or call (919) 348-4912.
MIT License - See LICENSE for details.