252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting
Researched by the BidStride Research Team
What This Clause Requires
Requires contractors to implement NIST SP 800-171 security controls to protect Covered Defense Information (CDI) processed on contractor information systems. Mandates rapid cyber incident reporting (72 hours) to DoD.
Official Regulation Text
See 48 CFR 252.204-7012 for the full regulatory text. This clause applies to all contractor information systems that process, store, or transmit Covered Defense Information. Contractors must implement the security requirements in NIST SP 800-171 and rapidly report cyber incidents to DoD.
Compliance Checklist
- Implement NIST SP 800-171 Rev 2 security controls on all covered contractor information systems
- Report cyber incidents to DoD Cyber Crime Center (DC3) within 72 hours of discovery
- Preserve images of compromised systems for 90 days
- Obtain a DoD-approved Medium Assurance certificate, which is required to submit cyber incident reports
- Conduct a review of all media containing CDI for evidence of compromise
Flow-Down to Subcontractors
Flow-down required
This clause must be included in subcontracts with all subcontractors at all tiers where the subcontractor will perform work covered by this clause. It typically appears in contract Sections H and I.
Related Clauses
Frequently Asked Questions
CDI includes unclassified controlled technical information, export-controlled information, other information marked or identified in the contract requiring safeguarding, and Controlled Unclassified Information (CUI) marked in accordance with the CUI Registry.
Within 72 hours of discovering the incident. You must report to the DoD Cyber Crime Center (DC3) using a medium assurance certificate. The clock starts when you discover the incident, not when you complete your investigation.
Yes. You must include 252.204-7012 in all subcontracts — at all tiers — where the subcontractor will process, store, or transmit CDI, or provide operationally critical support as defined in the contract.
You must have a System Security Plan (SSP) documenting your implementation and a Plan of Action and Milestones (POA&M) tracking gaps. Unaddressed gaps without a POA&M can be grounds for contract termination or debarment.
This summary is for informational purposes only and reflects the BidStride Research Team's plain-English interpretation of the regulation. It is not legal advice and does not constitute an attorney-client relationship. Always consult the official Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS) text and qualified legal counsel for compliance decisions.