DFARS 252.204-7012 Explained: What Primes and Subs Must Do Before Accepting CUI

Illustration showing DFARS 252.204-7012 concepts with simple icons: a U.S. shield, a drone and naval vessel, a lock over documents, a NIST SP 800-171 badge, and a 72-hour incident reporting stopwatch.

DFARS 252.204‑7012 Explained (2026 Update): What Primes and Subs Must Do Before Accepting CUI

Bottom line: before a contractor accepts Controlled Unclassified Information (CUI) from DoD or a prime, DFARS 252.204‑7012 imposes concrete security, reporting, and cloud-handling duties—on both primes and subs—that must be in place first, not “as you go.” Non‑compliance risks contractual violations, bid ineligibility as CMMC phases in, and even False Claims Act exposure.

What DFARS 252.204‑7012 Actually Requires

DFARS 252.204‑7012 requires contractors to:

(1) Provide adequate security for Covered Defense Information (CDI/CUI);
(2) Implement NIST SP 800‑171;
(3) Report cyber incidents within 72 hours;
(4) Submit malware to DC3 if discovered;
(5) Preserve images/logs/data for forensic review;
(6) Flow down the entire clause to applicable subcontractors; and
(7) Use FedRAMP Moderate‑equivalent cloud services when CUI touches the cloud.

CDI/CUI defined. DFARS cross‑references the CUI Registry and includes Controlled Technical Information (CTI) and other protected categories provided by DoD or generated in performance and not intended for public release.


FAR 52.204-21 Explained: What Actually Counts as FCI

A cybersecurity-themed infographic showing four labeled panels—Emails & Tickets, Systems & Devices, FCI Identification, and CMMC Compliance—surrounding a central shield icon representing protection under FAR 52.204-21.

FAR 52.204‑21 Explained: What Actually Counts as FCI (With Real Contractor Examples)

If you’ve ever thought “we don’t have Controlled Unclassified Information (CUI), so we’re off the hook,” this article is for you. FAR 52.204‑21 sets baseline safeguards for contractor systems that process Federal Contract Information (FCI)—and FCI shows up in more places than you might expect. [acquisition.gov]

Why contractors keep misclassifying FCI

The most common mistake we see: teams assume that if CUI isn’t in scope, no cyber obligations apply. But FCI alone triggers the Basic Safeguarding of Covered Contractor Information Systems clause—FAR 52.204‑21—whenever your systems process, store, or transmit it.

Bottom line: If FCI touches your email, ticketing, endpoints, file shares, or cloud tools, those systems inherit baseline safeguarding requirements.
