The DFARS Cyber Clauses, Decoded: 7012, 7019, 7020, 7021, and 7025

Open a DoD contract and you'll find a run of cryptic clause numbers: 252.204-7012, -7019, -7020, -7021, -7025. They aren't a random list. They're layers of one cybersecurity system, each doing a specific job, from safeguarding data to reporting breaches to certifying your compliance. Here is what each one requires.

Five clauses, one system

These five clauses stack. The oldest sets the security baseline. The next pair makes you prove it. The last pair adds independent certification on top. Read them as a sequence and they stop looking like alphabet soup.

| Clause | Name | Type | Core requirement |
|---|---|---|---|
| 252.204-7012 | Safeguarding CDI & Cyber Incident Reporting | Contract clause | Implement NIST 800-171; report incidents within 72 hours; preserve media 90 days; flow down |
| 252.204-7019 | Notice of NIST SP 800-171 DoD Assessment Requirements | Solicitation provision | Have a current (≤3-year) 800-171 assessment score in SPRS to be eligible for award |
| 252.204-7020 | NIST SP 800-171 DoD Assessment Requirements | Contract clause | Maintain the SPRS score; grant DoD access for higher assessments; verify subcontractors |
| 252.204-7021 | Cybersecurity Maturity Model Certification Requirements | Contract clause | Hold the required CMMC level at award and maintain it; flow down |
| 252.204-7025 | Notice of CMMC Level Requirements | Solicitation provision | States the required CMMC level for the procurement |

252.204-7012: the safeguarding baseline

DFARS 252.204-7012 is the foundation, and it has been in DoD contracts since 2016. If you handle covered defense information (CDI) — broadly, the CUI and controlled technical information tied to a contract — this clause applies.

It requires three things. First, adequate security: implement the 110 controls of NIST SP 800-171 on any system that stores, processes, or transmits CDI. Second, incident reporting: when you discover a cyber incident, you report it to DoD within 72 hours through the DIBNet portal, preserve affected system images for at least 90 days, and submit any isolated malware to the DoD Cyber Crime Center. Third, flow-down: the clause goes into your subcontracts, unaltered, whenever a subcontractor will handle CDI.

Two details catch people out. Cloud services that store or process CDI have to meet the FedRAMP Moderate baseline, or its equivalent. And 7012 is self-attested. You sign the contract, you're on the hook, and nobody certifies you. That last point is exactly what CMMC was built to change.

252.204-7019 and -7020: prove your score

If 7012 says implement NIST 800-171, this pair says prove you did, and put a number on it.

252.204-7019 is a solicitation provision. Before you can win a contract that carries 7012, you need a current NIST SP 800-171 DoD Assessment on file in the Supplier Performance Risk System (SPRS). "Current" means not more than three years old. For most companies that means a Basic Assessment: your own scoring of the 110 controls, submitted to SPRS.

252.204-7020 is the matching contract clause. It obligates you to keep that score current, to give the Government access if it decides to run a higher-confidence assessment (a Medium or High Assessment conducted by DoD personnel), and to confirm your subcontractors have their own current scores in SPRS before you award to them. The contracting officer checks SPRS before award and before exercising an option. No score, no award.

252.204-7021 and -7025: the CMMC layer

The newest pair, both effective November 10, 2025, add the certification layer that 7012 lacked.

252.204-7025 is the solicitation provision that tells you which CMMC level the contract requires: Level 1, Level 2 (self-assessment or C3PAO certification), or Level 3. It's how you learn the bar before you bid.

252.204-7021 is the contract clause that makes the level binding. You must hold the required CMMC status at the time of award, keep it for the life of the contract, and flow the requirement down to subcontractors at the level appropriate to the data they handle. Where 7019 and 7020 ask for a self-reported number, 7021 can require an independent certification behind it.

How they fit together

Here is the part worth internalizing: three of these clauses look at the same thing from different angles. 7012 requires the 110 NIST 800-171 controls. 7019 and 7020 assess and record your implementation of them. 7021 certifies it. Same controls, three levels of scrutiny.

During the CMMC rollout, both regimes run at once. A single contract can carry 7012, the 7019/7020 SPRS pair, and the 7021/7025 CMMC pair at the same time. They don't cancel each other out, and this is the common misread: CMMC does not replace 7012. Meeting 7012 was never enough to satisfy CMMC, and earning a CMMC status doesn't retire your 7012 obligations, including the 72-hour reporting duty. If you handle CUI, you live under both.

Where firms slip

A handful of mistakes recur:

  • Flow-down gaps. Primes forget that 7012 and 7021 have to reach subcontractors who touch the data. An uncovered sub is your exposure, not just theirs.

  • 72-hour unreadiness. Firms treat incident reporting as a policy line, not a drill. When an incident lands, the 72-hour clock is already running.

  • Stale SPRS scores. A score older than three years makes you ineligible, quietly, at award or option time.

  • Cloud that isn't FedRAMP-equivalent. A commodity tool holding CUI can put you out of step with 7012, and nobody notices until an assessment.

  • Assuming CMMC ends 7012. It doesn't. Both apply.

Key Takeaways

  • Five clauses, one system: 7012 sets the NIST 800-171 baseline, 7019/7020 make you prove it in SPRS, 7021/7025 add CMMC certification.

  • 7012 is the foundation: implement the 110 controls, report incidents within 72 hours via DIBNet, preserve media 90 days, flow down — and it's self-attested.

  • 7019/7020 require a current (three years or newer) NIST 800-171 score in SPRS to be eligible for award, and the contracting officer verifies it.

  • 7025 names your required CMMC level; 7021 makes you hold and maintain it, with flow-down to subcontractors.

  • CMMC does not replace 7012. If you handle CUI, both regimes apply at once during the rollout.

FAQ

What's the difference between DFARS 7012 and CMMC? DFARS 252.204-7012 requires you to implement NIST SP 800-171 and report cyber incidents, and it is self-attested: you certify your own compliance by signing the contract. CMMC, established in contracts through DFARS 252.204-7021, adds an independent verification layer on top. They are complementary, not alternatives, and a firm handling CUI must satisfy both.

What are DFARS 7019 and 7020? They are the NIST SP 800-171 DoD Assessment pair. 252.204-7019 (a solicitation provision) requires a current assessment score in SPRS to be eligible for award. 252.204-7020 (a contract clause) requires you to keep that score current, allow the Government to run a higher-level assessment, and confirm your subcontractors' scores.

How fast do I have to report a cyber incident under DFARS? Within 72 hours of discovering the incident, reported to DoD through the DIBNet portal. You also preserve affected system images for at least 90 days and submit any isolated malware to the DoD Cyber Crime Center.

Does a CMMC certification replace my DFARS 7012 obligations? No. 7012 continues to apply in full, including the 72-hour reporting requirement and the flow-down to subcontractors. Earning a CMMC status does not retire those duties.

Which clause tells me my required CMMC level? DFARS 252.204-7025, "Notice of CMMC Level Requirements," states the required level in the solicitation so you know the bar before you bid.


SOURCES

All primary. Verified as of June 2026.

  • DFARS 252.204-7012 (acquisition.gov / eCFR), May 2024. "Rapidly report" = within 72 hours of discovery; adequate security via NIST SP 800-171; 90-day media preservation; malware submission to the DoD Cyber Crime Center; cloud subject to 252.239-7010 / FedRAMP Moderate equivalent; flow-down to subcontractors handling CDI.

  • DFARS Subpart 204.73 (acquisition.gov). Prescription of 7012, 7019, and 7020; the requirement to have at least a current (≤3-year) Basic NIST SP 800-171 DoD Assessment in SPRS at time of award; contracting-officer verification of the SPRS score before award and option exercise.

  • DFARS 252.204-7019 and 252.204-7020 (acquisition.gov / eCFR). Basic / Medium / High assessment definitions; SPRS posting; Government access for Medium and High assessments; subcontractor score verification.

  • DFARS 252.204-7021 and 252.204-7025 (acquisition.gov), effective Nov. 10, 2025. Required CMMC status at award and maintenance; the four CMMC level fill-ins in the solicitation.

  • 32 CFR Part 170 (eCFR). The CMMC program that 7021/7025 implement in contracts.
