DFARS 7012. The contract clause that started all of this.
The Defense Federal Acquisition Regulation Supplement clause 252.204-7012 is the contractual teeth behind CMMC. It requires adequate security, 72-hour incident reporting, and evidence preservation for 6 years.
Overview
DFARS 7012 has been in contracts since 2015 — long before CMMC. For nearly a decade, contractors self-attested compliance with NIST 800-171 under 7012's 'adequate security' requirement. The DoD's own audits found over 75% of contractors had not actually implemented what they attested to. CMMC exists to fix that gap with third-party assessment.
7012 is still the contractual mechanism. CMMC is the assessment regime built on top. You cannot be CMMC-compliant without meeting 7012, and you cannot honor 7012 without the controls CMMC verifies.
Scope
Any DoD contract or subcontract involving covered defense information (a superset that includes most CUI) will include the 7012 clause with flow-down requirements.
Cyber incidents must be reported to DC3 via dibnet.dod.mil within 72 hours; images of affected systems must then be preserved for at least 90 days after the report, in addition to the 6-year retention baseline for incident artifacts.
Core Requirements
1. Implement 'adequate security' — defined as NIST SP 800-171 Rev 2
2. Report cyber incidents within 72 hours via dibnet.dod.mil
3. Preserve and protect images of affected systems for at least 90 days
4. Retain records of incident artifacts for at least 6 years
5. Grant DoD access to analyze malicious software recovered from incidents
6. Flow 7012 down to subcontractors handling covered defense information
The platform includes the 7012(c) 72-hour incident reporting workflow, a 6-year evidence retention vault, and automated subcontractor flow-down tracking so you meet the clause in practice, not just on paper.
Have a contract requiring this framework?
Book a 30-minute call. We'll scope your obligation and give you a fixed-price proposal the same week.