DFARS Clauses 7012–7021: What Each One Means
DFARS cyber clauses are legally binding — and they flow down to subcontractors. If any of these appear in your contract, you have explicit cybersecurity obligations.
Why these clauses matter
They’re not boilerplate. Each clause imposes specific requirements, reporting timelines, and rights for the Department of Defense. Ignoring them can jeopardize awards and expose you to False Claims Act risk.
252.204-7012 — The original cybersecurity clause
- Requires safeguarding of Covered Defense Information and rapid incident reporting to DoD within 72 hours.
- Sets requirements for cloud providers hosting that data.
- Often the first indication that CUI is in scope.
252.204-7019 — SPRS score submission
- Mandates a NIST SP 800-171 self-assessment and submission of your score to the Supplier Performance Risk System (SPRS).
- Requires you to affirm the score’s accuracy — overstating is risky.
252.204-7020 — DoD’s right to assess your score
- Allows DoD to perform or commission assessments to validate the SPRS score you submitted under 7019.
- Means your self-assessment needs evidence and documentation to back it up.
252.204-7021 — The CMMC clause
- Published October 2024 in the Federal Register, effective November 10, 2025.
- Requires a formal CMMC certification (usually Level 2) when CUI is involved.
- Moves you from self-attestation to a third-party C3PAO assessment.
- Flows down to all subcontractors that process, store, or transmit covered data.
How to find these clauses in your contract
- Search the contract PDF for 252.204.
- Check the statement of work and attachments — clauses sometimes hide there.
- If you’re a subcontractor, ask your prime for the full text of flow-down clauses.
What to do if you find them
- Don’t panic, but don’t wait. Timelines for compliance and assessments are real.
- Start with a gap analysis against NIST SP 800-171.
- Prepare evidence for your SPRS score — it may be audited under 7020.
- Plan for a C3PAO engagement if 7021 is present.
For full context on what data is in scope, see our CMMC Level 1 vs Level 2 guide or review the DoD CMMC Resources page.