Updated May 2026

DFARS 252.204-7012 Compliance Cost: $50K to $300K

The foundational clause that obligates defense contractors to implement NIST SP 800-171, report cyber incidents to the DoD within 72 hours, and use cloud services that meet a FedRAMP-equivalent bar. 7012 has been in DoD contracts since 2017 and underpins everything CMMC verifies.

What 7012 actually obligates you to do

The full text of DFARS 252.204-7012 is published at acquisition.gov. Strip away the legal language and the clause does five things. It defines covered defense information (CDI), which is essentially CUI plus operationally critical support information. It mandates implementation of the 110 security controls in NIST SP 800-171 to safeguard CDI on contractor information systems. It requires reporting of cyber incidents to the DoD via DIBNET within 72 hours of discovery. It imposes cloud-service requirements for any cloud used to handle CDI. And it flows all of the above down to sub-contractors via paragraph (m).

Two of those obligations are about prevention (controls implementation, cloud bar) and two are about response (incident reporting, evidence preservation). The cost picture follows that split: roughly two-thirds of the budget goes to the preventive side (security tooling and policies), and roughly one-third goes to the response side (24/7 monitoring, incident playbooks, evidence retention, retainer with a forensic provider). The flow-down obligation is essentially zero direct cost to you, but creates supply-chain administrative overhead because you have to confirm your sub-contractors have implemented 7012 too.

CMMC sits on top of 7012, not next to it. The DFARS 252.204-7021 clause (the CMMC requirement clause) only adds the third-party verification layer for contractors at the level the contract specifies. Even contracts that do not yet require a CMMC certification still require 7012 implementation if they contain that clause. This is why some contractors have spent five years on 7012 work and still have a CMMC budget ahead of them: 7012 is the controls baseline; CMMC is the assessment to verify the controls.

Cost build-up for 7012 compliance

| Workstream | Small (under 50) | Mid (50-200) | Large (200+) |
|---|---|---|---|
| NIST 800-171 gap assessment | $5K - $15K | $15K - $30K | $25K - $60K |
| SSP authoring + policies | $8K - $15K | $15K - $25K | $25K - $40K |
| Remediation: MFA + EDR + SIEM + encryption | $25K - $60K | $60K - $150K | $150K - $300K |
| 24/7 incident response capability | $10K - $20K | $20K - $50K | $50K - $120K |
| Forensic retainer + evidence retention | $5K - $10K | $10K - $20K | $20K - $40K |
| SPRS score self-submission | $1K - $3K | $2K - $5K | $5K - $10K |
| Year-1 total (excluding tooling) | $54K - $123K | $122K - $280K | $275K - $570K |

These numbers cover 7012 implementation only. Add a C3PAO assessment fee on top for CMMC Level 2 verification: see the C3PAO cost page.

The 72-hour reporting clock

The reporting obligation in 7012(c) is one of the most operationally demanding parts of the clause. The 72-hour window starts at "discovery," which the DoD has clarified means when the contractor reasonably believes an incident affecting covered defense information has occurred. That is a low threshold: it is not 72 hours from confirmed exfiltration, it is 72 hours from reasonable suspicion. The report must be submitted via dibnet.dod.mil with the techniques used, sample malware if available, and the list of affected systems.

Practically, that means every defense contractor needs a documented incident-response playbook with the DIBNET submission step explicitly baked in, a designated person who holds the DIBNET account credentials, and an evidence-preservation procedure that captures and retains images of affected systems for at least 90 days. Most small contractors satisfy this by retaining a digital forensics and incident response (DFIR) provider on a low monthly retainer ($1K-$5K per month) plus an incident rate that kicks in if an incident is declared. That structure converts a low-probability, high-impact obligation into a manageable monthly line item.

See the sister site for the wider cost picture of a declared incident: incidentcost.com covers post-incident DFIR engagement costs, and databreachcost.com covers the total economic impact of a CUI breach including legal, regulatory, and lost-contract follow-on costs.

Cloud requirements under 7012(b)(2)(ii)(D)

If you use a cloud service to process or store covered defense information, the cloud must meet security requirements equivalent to the FedRAMP Moderate baseline. The DoD CIO Cloud Computing Security Requirements Guide refines this for DoD contractors and is the document a C3PAO will reference during assessment. For most practical purposes, this means CUI processing happens in Microsoft 365 GCC High, AWS GovCloud (US), or Azure Government, with the right configuration and Customer Responsibility Matrix lines understood.

Commercial Microsoft 365, commercial AWS, commercial Azure, Google Workspace, and most popular SaaS tools do not meet the bar without further evidence. This is the single biggest cost driver in 7012 work: moving CUI workloads off commercial SaaS into a FedRAMP-equivalent cloud is what dominates the $25K-$200K remediation line in the table above. The GCC High migration cost page, AWS GovCloud cost page, and Azure Government cost page all unpack the per-platform numbers in detail.

Flow-down to sub-contractors

DFARS 7012(m) requires primes to flow the substance of the clause down to all sub-contracts that will involve covered defense information. The administrative cost of this flow-down is real but not huge: primes typically spend $20K-$80K per year on the sub-contractor compliance management programme (questionnaires, evidence collection, ongoing monitoring). The bigger story is on the sub-contractor side. A small sub-contractor that wins a $200K task order with a flow-down 7012 clause inherits the full $50K-$150K compliance build, which can wipe out the contract margin. This is one of the largest drivers of consolidation in the DIB.

For sub-contractors, the practical guidance is to negotiate the 7012 obligation as a separable cost line in the bid (not subsumed in overhead), to push back on flow-down where the work does not actually touch CUI, and to consider shared-MSSP arrangements that amortise tooling across multiple sub-contractor engagements. See the dedicated sub-contractor cost page.

Frequently asked questions

What is DFARS 252.204-7012?
DFARS 252.204-7012, formally titled Safeguarding Covered Defense Information and Cyber Incident Reporting, is the cornerstone contract clause that obligates defense contractors to implement NIST SP 800-171 security controls and to report cyber incidents to the DoD within 72 hours of discovery. It has been in DoD contracts since 2017. CMMC builds on top of 7012; it does not replace it. If your DoD contract contains 7012, you have implementation obligations regardless of whether the contract also requires a CMMC certification.
What is the difference between 7012 and CMMC?
DFARS 7012 mandates that you implement NIST SP 800-171 and self-report your compliance score in SPRS. CMMC adds third-party verification of that implementation, conducted by a Cyber AB-authorised C3PAO. 7012 is the underlying obligation; CMMC Level 2 is the verification layer on top. From 2017 to 2025, defense contractors self-attested under 7012. CMMC moves from self-attest to verified-by-assessor for Level 2.
What does 7012 cost to implement?
For most defense contractors, 7012 compliance costs $50K to $300K in first-year effort. The breakdown: NIST SP 800-171 gap assessment ($5K-$30K), remediation of the gaps identified ($25K-$200K, dominated by MFA, EDR, SIEM, encryption, and segmentation), policy and SSP development ($10K-$30K), 24/7 incident response capability ($10K-$40K). Smaller contractors with simpler environments land at the bottom of these ranges. Large primes spend the upper end and beyond.
What does the 72-hour incident reporting rule actually require?
Under 7012(c), the contractor must rapidly report a cyber incident through the DoD's DIBNET portal at dibnet.dod.mil within 72 hours of discovery. The report must include the techniques, sample malware, and affected systems. The contractor must also preserve images of all known affected information systems and CUI data for at least 90 days from the date of submission. This obligation is independent of contract value, scope, or whether CUI was actually exfiltrated. Discovery of a potentially impactful incident triggers the clock.
Does 7012 require a specific cloud service?
Not specifically, but 7012(b)(2)(ii)(D) requires that any cloud service used to process or store covered defense information meet security requirements equivalent to the FedRAMP Moderate baseline (the DoD CIO has issued additional guidance on this). In practice this means Microsoft 365 GCC High, AWS GovCloud (with the right service configuration), or Azure Government, all configured per the relevant Cloud Computing Security Requirements Guide. Commercial Microsoft 365, commercial AWS, and Google Workspace do not meet the bar for CUI processing.
Does 7012 flow down to sub-contractors?
Yes. 7012(m) requires the prime contractor to include the substance of the 7012 clause in all sub-contracts where covered defense information will be processed. The sub-contractor takes on the same NIST 800-171 implementation obligations and the same 72-hour reporting duty. Practically this is one of the biggest enforcement levers in the DoD ecosystem: primes are increasingly requiring sub-contractors to evidence 800-171 implementation as a condition of award, often by sharing a recent SPRS score before contract execution.

Updated 2026-05-11