Cyber Security Blog NIST 800-53 NIST 800-171 DFARS FARS DoD DOJ DOE

DFARS 252.204-7012 & NIST SP 800-171: How to become compliant

DFARS 252.204-7012 & the associated 110 NIST SP 800-171 controls are an important regulatory requirement included on many DoD contracts. Here is a how-to.

DFARS 252.204-7012 is a clause from the “Defense Federal Acquisition Regulation Supplement (DFARS)” that requires DoD contractors to provide “adequate security” for information systems that “process, store, or transmit covered defense information”. “Adequate security” is accomplished by implementing the NIST SP 800-171 set of security controls on systems containing “covered defense information” and by “rapidly reporting cyber incidents” to the DoD. 

What is the "Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012)"?


The federal government uses a set of procurement rules and policies called the “Federal Acquisition Regulation (FAR)” that companies and government agencies must comply with when awarding a contract. The “Defense Federal Acquisition Regulation Supplement (DFARS)” includes the regular FAR requirements plus any additional requirements set by the Department of Defense. Today we will be looking at DFARS clause 252204-7012 which pertains to information security in your organization.

The objective of DFARS 252.204-7012 is to protect "Covered Defense Information"

Covered Defense Information is an umbrella term that includes “Controlled Technical Information (CTI)” and “Controlled Unclassified Information (CUI)”.

controlled-technical information-covered-defense-information-controlled-unclassified-information-cui-cti-cdi.png


  • Controlled Technical Information (CTI):
    • Definition: information with military or space application that is subject to controls Example: engineering drawings, technical reports, computer software code etc.
  • Controlled Unclassified Information (CUI):
    • Definition: information that requires security controls consistent with applicable law, regulations, and government-wide policies but is unclassified (i.e. not classified by the government as “secret”, “top secret”, “confidential” etc.)
    • Example: Human resources information, PII, process sheets, and manuals. The whole list of categories is available here.

Does your information system contain “covered defense information (CDI)”? The answer is likely YES.

“The Contractor shall provide adequate security on all covered contractor information systems.”

Defense Federal Acquisition Regulation Supplement (DFARS)

It is extremely rare for a DoD contractor to not have CDI on their systems due to the broad scope of information that is considered to be CDI. Common types of CDI that are likely on your systems include: employee social security numbers, employee healthcare information, company trade secrets, and product designs. Systems that process, store, or transmit CDI are referred to as “covered contractor information systems” and as the contractor it is your responsibility to provide “provide adequate security” for those systems. So how do you “adequately protect” those systems?

DFARS 252.204-7012 mandates that CDI is adequately protected by NIST SP 800-171 security controls.

“the covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171”

Defense Federal Acquisition Regulation Supplement (DFARS)

NIST SP 800-171 consists of 110 security controls that must be implemented so that your organization can “provide adequate security” for covered defense information (CDI). NIST SP 800-171 includes the following security families:

NIST SP 800-171 control families

DFARS 252.204-7012 mandates that “cyber incidents” are reported within 72 hours of discovery.

Not only do you have to protect your systems processing, storing, or transmitting covered defense information, you must also report any cyber incidents effecting them to the DoD within 72 hours of incident discovery. Examples of a cyber incident include the installation of malware, a denial of service attack, or a lost hard drive. Additionally, contractors must conduct an investigation to determine which systems were affected by the cyber incident and submit an incident report to the DoD at The contractor must also provide images of the compromised systems to the DoD along with 90 days worth of logs relevant to the incident. If you are a sub-contractor you must notify the prime Contractor (or next higher-tier subcontractor) as soon as practical by providing them with the incident number (assigned by the DoD).

DoD will begin auditing companies’ cybersecurity procedures that want to win contracts and it plans to start within the next 18 months, according to Ellen Lord, DoD undersecretary for acquisition and sustainment.

Federal News Network

How do you become compliant?

  1. Identify where covered defense information is processed, stored, or transmitted in your environment.
  2. Determine which of the 110 controls you have in place and which ones you don’t.
  3. Create a plan of action & milestones (POA&M) to implement the absent controls.
  4. Document your in-place and planned controls in a system security plan.
  5. Begin implementing the absent security controls inline with your POA&M.

How we can help?

Desired Outcomes specializes in providing DFARS 252.204-7012/NIST SP 800-171 consulting services to small businesses. We can identify covered defense information in your environment, create a gap assessment report for you, help you create a plan of action and milestones document (required for compliance), and create your system security plan (required for compliance). We will also provide you with expert advice on implementing the 110 controls in your environment to maximize cost savings and productivity while still being compliant and secure.

Visit our About US page.


  • DoD mandates that “covered defense information” is protected by 110 NIST SP 800-171 controls.
  • If you are a DoD contractor or plan to become one you more than likely have “covered defense information” on your systems and thus need to implement the 110 NIST SP 800-171.
  • To become compliant you must have a plan of action & milestones document along with a system security plan document.
  • You are obligated to report cyber incidents to the DoD within 72 hours of discovery.

Share this post

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Share on print
Share on email

Reach out for a free consultation

The below button will take you to a google form, once submitting a consultant will reach out to you.

Let's keep in touch

You have Successfully Subscribed!