

Need Information on DFARS 252.204-7012 or NIST SP 800-171? We’ve got you covered. Take a look through the resources below. If you don’t find what you need, reach out and ask us at info@eresilience.com

DFARS 7012 At A Glance: a concise summary of what DFARS 252.204-7012 is and what you need to do, along with links to the major documents and sites.

DFARS 7012 FAQ: Frequently Asked Questions about DFARS 252.204-7012 and NIST SP 800-171.

Tips For Identifying CDI: Learn how the government determines what is and is not CDI (covered defense information)

DFARS 7012 Glossary: Don’t understand a word or phrase in DFARS 7012 or NIST SP 800-171? There’s a good chance it’s in the DFARS 7012 Glossary.

DFARS 7012 At A Glance

  • Who: DoD Contractors who have the DFARS 252.204-7012 (DFARS 7012) contract clause and handle Covered Defense Information (CDI)
  • What:
    1. Implement the requirements defined in NIST SP 800-171 by December 31, 2017
    2. Implement DFARS 7012 clauses (b)-(f)
  • Where: Any system where you store, process, or access CDI
  • When: By December 31, 2017
  • Why: DFARS 252.204-7012

DFARS 7012 Links

DFARS 7012 FAQ

What Is DFARS 252.204-7012?

DFARS 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”, is a clause in the Defense Federal Acquisition Regulations Supplement (DFARS) that describes how Covered Defense Information (CDI) should be protected inside your system and inside the cloud.

What Is CDI?

CDI, or Covered Defense Information, means unclassified controlled technical information or other information that requires safeguarding or dissemination controls. CDI is either marked (or otherwise identified) or developed/received in support of a contract. The complete definition is in the DFARS 7012 clause.

Who Decides What Is CDI?

The government’s contracting officer has the responsibility for determining what data is and isn’t CDI.

How Do I Protect CDI?

  • Implement NIST SP 800-171 requirements by 12/31/2017
  • Follow DFARS 7012 (b)-(f)

What Is NIST SP 800-171?

NIST SP 800-171 is the National Institute of Standards & Technology (NIST) document providing 110 recommended security requirements for protecting the confidentiality of CUI (Controlled Unclassified Information – a subset of CDI).

The DFARS 7012 clause says that you shall implement NIST SP 800-171 no later than Dec 31, 2017.

What Are DFARS 7012 (b)-(f)?

The DFARS 7012 clause also has other requirements, including:

  • Protect your CDI data in the cloud (see 252.204-7012(b)(2)(ii)(D))
  • Follow reporting requirements (see 252.204-7012(c))
  • Submit discovered and isolated malicious software (see 252.204-7012(d))
  • Preserve and protect images of all known affected information systems (see 252.204-7012(e))
  • Provide the DoD with access to additional information or equipment that is necessary to conduct a forensic analysis (see 252.204-7012(f))
  • Provide the DoD all damage assessment information on request (see 252.204-7012(g))

These are summaries – you need to read the DFARS 7012 clause for each of these.

Tips For Identifying CDI

Here are some facts to help you understand what might and might not be CDI.

Where is CDI really defined?

DFARS 252.204-7012(a) defines CDI as unclassified controlled technical information or other Controlled Unclassified Information (CUI) that requires safeguarding or dissemination controls. This means you have to understand both controlled technical information and CUI.

What is Controlled Unclassified Information (CUI) and where is it defined?

Controlled Unclassified Information, or CUI, is defined by the National Archives as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” See the National Archives CUI Registry for more information about what is and is not CUI.

What is controlled technical information and where is it defined?

DFARS 252.204-7012(a) defines controlled technical information as technical information with military or space application that is subject to controls – assuming that it isn’t already lawfully publicly available without restrictions. The DFARS 7012 clause also says controlled technical information meets the criteria for distribution statements B through F in DoD Instruction 5230.24.

What is DoD Instruction 5230.24 and what are distribution statements B through F?

DoD Instruction 5230.24 provides the policies and rules for marking and managing technical documents to denote the extent to which they are available for secondary distribution, release, and dissemination without additional approvals or authorizations. It also establishes a standard framework and markings for managing, sharing, safeguarding, and disseminating technical documents in accordance with policy and law.

Does CDI come from the government, or might I be creating it?

You might be creating it. The DFARS 7012 clause says CDI can be “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

Who determines what is and isn’t CDI?

The government’s contracting officer has the responsibility for determining what data is and isn’t CDI.

DFARS 7012 Glossary

  • CDI: Covered Defense Information – unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
  • CTI: Controlled Technical Information – information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.
  • CUI: Controlled Unclassified Information.
  • Cyber Incident: actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.
  • DFARS: The Defense Federal Acquisition Regulation Supplement
  • DoD Instruction 5230.24: Department of Defense Instruction on distribution statements on technical documents
  • FAQ: Frequently Asked Questions
  • FAR: Federal Acquisition Regulations
  • FIPS: Federal Information Processing Standards
  • FISMA: Federal Information Security Modernization Act
  • NARA: National Archives and Records Administration
  • NFO: Nonfederal Organization
  • NIST: National Institute of Standards and Technology
  • OMB: Office of Management and Budget
  • Security Control: A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.
  • SP: Special Publication
  • UCTI: Unclassified Controlled Technical Information