
DFARS 252.204-7012: What Contractors Need to Know in 2026

The cornerstone DoD cyber clause requires NIST 800-171, 72-hour incident reporting, and flow-down. Here is the 2026 picture.

Brandon Hancock, J.D., CMMC-RP · Published May 13, 2026 · Updated June 8, 2026 · 6 min read

For defense contractors, DFARS 252.204-7012 is the clause that started it all. It is the contractual hook that pulls NIST SP 800-171 into your obligations, sets the incident-reporting clock, and pushes requirements down your supply chain. Here is where it stands in 2026.

What the Clause Requires

If you process, store, or transmit Covered Defense Information (CDI) on your systems, DFARS 7012 requires you to:

1. Provide adequate security by implementing NIST SP 800-171.
2. Report cyber incidents to DoD within 72 hours of discovery, through the DoD reporting portal.
3. Preserve and protect affected media and images for at least 90 days to support DoD forensic analysis.
4. Flow the clause down to subcontractors at all tiers that handle CDI.

The Revision 2 vs Revision 3 Question

This is the most common point of confusion in 2026. NIST published SP 800-171 Revision 3 in 2024, but DoD issued a class deviation keeping DFARS 7012 tied to Revision 2 and its 110 controls. DoD has since released "organization-defined parameters" preparing for a Rev 3 transition, signaling the change is coming — but until your contract says otherwise, Rev 2 is the standard you must meet. Don't re-baseline to Rev 3 prematurely; do track the transition.

How It Connects to SPRS and CMMC

DFARS 7012 sets the security requirement; companion clauses 252.204-7019 and 7020 require you to post a current NIST 800-171 assessment score in the Supplier Performance Risk System (SPRS). CMMC then verifies that same 800-171 implementation. They are three views of one obligation.

Heads-up: the 2025–2026 "Revolutionary FAR Overhaul" is renumbering and adjusting several DFARS clauses, including the assessment clauses. Confirm the exact clause numbers in your current solicitation rather than relying on memory.

The Enforcement Reality

The 72-hour reporting requirement and the accuracy of your SPRS score are exactly where enforcement bites. Recent False Claims Act settlements — including defense contractor MORSE Corp's $4.6 million resolution in 2025 — turned on contractors certifying compliance they hadn't achieved or failing to meet required controls. The takeaway: an honest, current score beats an inflated one every time.

What to Do Now

  • Identify where CDI lives in your environment and scope your covered systems.
  • Assess against the 110 Rev 2 controls and post an honest SPRS score.
  • Stand up an incident-response plan that can hit the 72-hour window.
  • Document gaps in a POA&M and remediate the highest-weighted items first.
  • Confirm your subcontract flow-downs are in place.
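A small triage helper for the assessment and incident-response steps above, added here as an example and not code from the article or from GovConCyber. It assumes the scoring model of the DoD NIST SP 800-171 Assessment Methodology (start at 110 and subtract the weight, 5, 3 or 1, of each control not yet implemented), which the article refers to only as the SPRS score; the control IDs and weights in the sample POA&M are constructed values, not the official weight table, and the 72-hour and 90-day windows are the clause's own figures.

```python
"""POA&M triage and incident-clock helper (constructed example).

Assumption: scoring follows the DoD Assessment Methodology, i.e. a
maximum of 110 with each unimplemented control's weight subtracted.
The sample controls and their weights below are constructed, not the
official per-control weights.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_SCORE = 110                      # perfect score: all 110 Rev 2 controls met
REPORT_WINDOW = timedelta(hours=72)  # DFARS 7012 incident-reporting window
PRESERVE_WINDOW = timedelta(days=90) # minimum media/image preservation period


@dataclass(frozen=True)
class Control:
    control_id: str   # constructed label, not a real 800-171 identifier
    weight: int       # 5, 3 or 1 under the assessment methodology
    implemented: bool
    note: str = ""


def sprs_score(controls):
    """Score = 110 minus the weight of every control still open."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)


def poam_priority(controls):
    """Open POA&M items, highest weight first (ties broken by id).

    This is the 'remediate the highest-weighted items first' ordering:
    closing a 5-point item raises the score more than closing a 1-point one.
    """
    open_items = [c for c in controls if not c.implemented]
    return sorted(open_items, key=lambda c: (-c.weight, c.control_id))


def incident_deadlines(discovered_iso):
    """Return the reporting and preservation deadlines for a discovery time.

    Input and output are ISO 8601 strings so the result is easy to log.
    """
    discovered = datetime.fromisoformat(discovered_iso)
    return {
        "report_by": (discovered + REPORT_WINDOW).isoformat(),
        "preserve_until": (discovered + PRESERVE_WINDOW).isoformat(),
    }


# Constructed sample POA&M: six controls, four still open.
SAMPLE_CONTROLS = [
    Control("CTL-01", 5, True,  "boundary protection in place"),
    Control("CTL-02", 5, False, "multifactor auth not yet enforced"),
    Control("CTL-03", 3, False, "audit log review not scheduled"),
    Control("CTL-04", 1, False, "media marking procedure missing"),
    Control("CTL-05", 1, True,  "session lock configured"),
    Control("CTL-06", 3, False, "vulnerability scans not recurring"),
]


if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS))
    print("Remediate in this order:")
    for c in poam_priority(SAMPLE_CONTROLS):
        print(f"  {c.control_id} (weight {c.weight}): {c.note}")
    for k, v in incident_deadlines("2026-06-01T09:00:00+00:00").items():
        print(f"{k}: {v}")
```

Run it as a script to see the score, the remediation order and the two deadlines for a sample discovery time; swap `SAMPLE_CONTROLS` for your own assessment results and the real control weights to get an honest score rather than a constructed one.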

Key Takeaways

  • DFARS 7012 = NIST 800-171 + 72-hour reporting + flow-down.
  • Stay on Rev 2 (110 controls) until your contract moves you to Rev 3.
  • SPRS accuracy and timely reporting are the enforcement pressure points.

Work through the controls with our Self-Assessment Checklists, or see the full picture on the Defense industry page.


Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.
