DFARS 252.204-7008
Compliance with Safeguarding CDI Controls
Solicitation provision: submission of an offer constitutes the contractor's representation that it will implement NIST SP 800-171 on all covered contractor information systems used in performance of the resulting contract.
Assessment, CUI, Subcontracting
DFARS 252.204-7009
Limits on Third-Party Cyber Incident Info
Restricts how support contractors can use and disclose cyber incident information that other contractors report to DoD. Protects defense-industrial-base reporters from competitive misuse of their incident disclosures.
Incident reporting, Third-party
DFARS 252.204-7012
Safeguarding CDI + Cyber Incident Reporting
The foundational DFARS cybersecurity clause. Requires NIST SP 800-171 implementation on covered contractor information systems, 72-hour cyber incident reporting to DC3 at DIBNet, forensic image preservation, FedRAMP Moderate equivalency for external CSPs handling CDI, and flow-down to subcontractors handling covered defense information.
Incident reporting, Assessment, CUI
DFARS 252.204-7019
Notice of 800-171 Assessment Requirements
Notifies offerors that a current NIST SP 800-171 DoD Assessment (within the prior 3 years for Basic) must be posted in the Supplier Performance Risk System (SPRS) before contract award.
Assessment, CUI
DFARS 252.204-7020
NIST 800-171 DoD Assessment Requirements
Operational requirement: the contractor must conduct a NIST 800-171 DoD Assessment using the DoD methodology, post the resulting score to SPRS, and allow DoD higher-tier assessments (Medium / High) when specified.
Assessment, CUI
DFARS 252.204-7021
CMMC Requirements
Requires contractors to maintain Cybersecurity Maturity Model Certification at the level specified in the solicitation throughout the contract period. Phase 2 (November 10, 2026) extends the third-party C3PAO assessment requirement to most contracts handling Controlled Unclassified Information.
CMMC, Assessment, CUI