DFARS 252.204-7012 - Safeguarding Covered Defense Information
DFARS clause 252.204-7012 (48 CFR 252.204-7012, clause edition MAY 2024). Requires DoD contractors to provide adequate security on covered contractor information systems by implementing NIST SP 800-171, to rapidly report cyber incidents (within 72 hours of discovery) to DoD via dibnet.dod.mil using a DoD-approved medium assurance certificate, to submit isolated malicious software to the DoD Cyber Crime Center (DC3), to preserve affected media and monitoring data for at least 90 days, to support forensic analysis and damage assessment, and to flow the clause down to in-scope subcontracts. External cloud service providers must meet a FedRAMP Moderate-equivalent baseline.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (7)
DFARS 7012: Adequate Security
| Code | Title |
|---|---|
| DFARS-7012-b | Adequate security - implement NIST SP 800-171 |
| DFARS-7012-b-cloud | Cloud and external service provider security |
| DFARS-7012-b-var | Variance requests and alternative measures |
DFARS 7012: Cyber Incident Reporting
| Code | Title |
|---|---|
| DFARS-7012-c | Cyber incident reporting (72-hour rapid report) |
DFARS 7012: Definitions and Scope
| Code | Title |
|---|---|
| DFARS-7012-a | Definitions |
DFARS 7012: Forensics and Damage Assessment
| Code | Title |
|---|---|
| DFARS-7012-f | Access to additional information or equipment for forensic analysis |
| DFARS-7012-g | Cyber incident damage assessment activities |
DFARS 7012: Information Protection and Use
| Code | Title |
|---|---|
| DFARS-7012-hk | DoD safeguarding and use of contractor attributional/proprietary information |
DFARS 7012: Malicious Software and Media Preservation
| Code | Title |
|---|---|
| DFARS-7012-d | Malicious software submission to DC3 |
| DFARS-7012-e | Media preservation and protection (90 days) |
DFARS 7012: Other Requirements and Subcontract Flowdown
| Code | Title |
|---|---|
| DFARS-7012-l | Other safeguarding or reporting requirements |
| DFARS-7012-m | Subcontract flowdown |
Your Compliance Coverage
If you comply with DFARS 252.204-7012 - Safeguarding Covered Defense Information, you already cover:
Maps to 3 other frameworks
Frequently Asked Questions
What is DFARS 252.204-7012 - Safeguarding Covered Defense Information?
DFARS 252.204-7012 - Safeguarding Covered Defense Information is a compliance framework from United States (DoD) with 7 domains and 12 controls. DFARS clause 252.204-7012 (48 CFR 252.204-7012, clause edition MAY 2024). Requires DoD contractors to provide adequate security on covered contractor information systems by implementing NIST SP 800-171, to rapidly report cyber incidents (within 72 hours of discovery) to DoD via dibnet.dod.mil using a DoD-approved medium assurance certificate, to submit isolated malicious software to the DoD Cyber Crime Center (DC3), to preserve affected media and monitoring data for at least 90 days, to support forensic analysis and damage assessment, and to flow the clause down to in-scope subcontracts. External cloud service providers must meet a FedRAMP Moderate-equivalent baseline. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does DFARS 252.204-7012 - Safeguarding Covered Defense Information have?
DFARS 252.204-7012 - Safeguarding Covered Defense Information has 12 controls organised across 7 domains. The largest domains are DFARS 7012: Adequate Security (3 controls), DFARS 7012: Forensics and Damage Assessment (2 controls), DFARS 7012: Malicious Software and Media Preservation (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does DFARS 252.204-7012 - Safeguarding Covered Defense Information map to?
DFARS 252.204-7012 - Safeguarding Covered Defense Information maps to 3 other compliance frameworks. The top mapping partners are NIST Cybersecurity Framework 2.0 (33% coverage), NIST SP 800-53 Rev 5 (17% coverage), CMMC 2.0 (17% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with DFARS 252.204-7012 - Safeguarding Covered Defense Information compliance?
Start your DFARS 252.204-7012 - Safeguarding Covered Defense Information compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about DFARS 252.204-7012 - Safeguarding Covered Defense Information requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 12 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.
Get Started Free →Free forever — no credit card required