DFARS 252.204-7012 controls discussion for CMMC


Why is there a page for DFARS 252.204-7012 on a CMMC website?

DFARS 7012 is a contract requirement for defense contractors that handle Controlled Unclassified Information (CUI).

It requires contractors to implement cyber-security per NIST Special Publication 800-171 and to report to the DoD if they have a cyber incident.

Unlike the CMMC, DFARS 7012 is currently required and should be a priority for DoD contractors that deal with CUI.

You can tell if your contract requires compliance by looking for a contract clause that calls out “DFARS 252.204-7012”. If this is the case, you should also check out the NIST SP 800-171 page.


Download links for DFARS 252.204-7012 resources:

Official DFARS 7012 source: https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

DFARS 204-7302 (related policy): https://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm

NIST Special Publication 800-171 rev2: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

NIST page about DFARS for manufacturers: https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars-compliance

NIST self-assessment handbook for using SP 800-171 controls for DFARS requirements: http://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf

If you know of other official or helpful resources, please comment to help others! I’ll add the links to this page.
