How many controls does DFARS 252.204-7012 have?

DFARS 252.204-7012 contains 32 controls organized across 7 domains.

Where does DFARS 252.204-7012 apply?

DFARS 252.204-7012 is applicable in United States (DoD). Organizations operating in or serving customers in this jurisdiction should evaluate its requirements.

What frameworks does DFARS 252.204-7012 map to?

DFARS 252.204-7012 has control-to-control mappings with 593 other compliance frameworks in our database. Use our compliance platform to explore these mappings interactively.

How do I get started with DFARS 252.204-7012 compliance?

Start by understanding the framework's key controls and domains. Our compliance platform provides AI-powered gap analysis and mapping tools to help you assess your current posture and build a remediation plan.

DFARS 252.204-7012 — Safeguarding Covered Defense Information

Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires Department of Defense (DoD) contractors and subcontractors to provide adequate security for Covered Defense Information (CDI) and report cyber incidents. Contractors must implement NIST SP 800-171 security requirements, report cyber incidents within 72 hours to the DoD Cyber Crime Center (DC3), and preserve images for 90 days.

Domains

Flow-Down and Subcontractor Requirements

Investigation Support

Cyber Incident Reporting

Adequate Security Requirements

Definitions and Scope

Frequently Asked Questions

Map DFARS 252.204-7012 — Safeguarding Covered Defense Information to any other framework

Use our AI-powered compliance platform to find control overlaps, gaps, and build remediation plans in seconds.

Try Free on Compliance Platform