DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
DFARS-252-204 · US
In force since 2020-11-30. Binding regulation (US). Defense-acquisition-specific information-security regulation. Core clauses: (1) DFARS 252.204-7012 (adopted 2015, current consolidated 2020) — requires contractors handling Covered Defense Information (CDI) on covered contractor information systems to implement NIST SP 800-171 r2 security controls + report cyber incidents to DoD within 72 hours; (2) DFARS 252.204-7019 / -7020 / -7021 (CMMC interim rule Nov 2020) — implements the Cybersecurity Maturity Model Certification framework requiring increasingly stringent third-party attestation of NIST 800-171 implementation by contract tier. AI relevance: (a) AI-system source code, model weights, training data, and architecture documentation produced or stored on contractor systems fall within CDI when the underlying contract is so designated; (b) cyber-incident reporting in 252.204-7012(c) applies equally to AI-system compromise events (training-data exfiltration, model-weight theft, prompt-injection-based credential exposure); (c) supply-chain risk-management linkages with FAR Part 4 Subpart 4.21 + the DoD RAI S&IP supply-chain tenet. Distinct from AI-specific DFARS clauses under consideration as part of DoD Acquisition Innovation initiatives — none of which have been finalised at the catalog-write date.
Key finding
DoD information-security regulation; NIST 800-171 + CMMC implementation; AI source code, model weights and training data fall within Covered Defense Information when the contract so designates.
“Contractor shall provide adequate security on all covered contractor information systems by implementing NIST Special Publication 800-171 (252.204-7012(b)(2)(i)).”
Source: 252.204-7012(b)(2)(i) (primary source).
Reviewed by: Policy Window editorial board (in formation).
Scope and obligations
DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) addresses 2 contested AI-governance topics explicitly and 2 via general principles.
Topics governed
- Foundation Models / GPAI (implicit) — 252.204-7012 — AI-system source code, model weights, training data fall within Covered Defense Information scope when the underlying contract designates these as CDI; foundation-model artefacts are CDI through the standard contract designation pathway
- Compute-Threshold Reporting (implicit) — Cyber-incident reporting under 252.204-7012(c) — 72-hour DoD notification covers AI-system compromise events including model-weight theft + prompt-injection-based credential exposure; broader AI-use disclosure flows through M-24-10 not DFARS
- Training-Data Rights (governs) — 252.204-7012 — training-data sets stored on covered contractor information systems require NIST SP 800-171 implementation when designated CDI; data-spill / exfiltration events trigger 72-hour cyber-incident reporting under 252.204-7012(c)
  Art. 252.204-7012(c) (paraphrase): When the Contractor discovers a cyber incident that affects a covered contractor information system … the Contractor shall … rapidly report cyber incidents to DoD … within 72 hours of discovery.
- National Security Carveouts in AI Regulation (governs) — 252.204-7012 + CMMC clauses (-7019/-7020/-7021) are the operative national-security-overlay framework for defence-acquisition information security; the subpart IS the carveout regime
  Art. 252.204-7012(b) (paraphrase): The Contractor shall provide adequate security on all covered contractor information systems … by implementing NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems…
Cross-jurisdiction comparison
How peer instruments treat the topics DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) governs.
| Topic | EU-AIA-2024 | US-EO-14110 | US-EO-14179 | UK-WHITEPAPER-2023 | CN-GENAI-2023 | G7-HIROSHIMA | OECD-AI-PRIN | COE-AI-CONV | UN-RES-2024 | NIST-AI-RMF | BLETCHLEY-2023 | SEOUL-2024 | NIST-AI-RMF-GENAI | CA-SB-1047 | IN-DPDP-2023 | BR-AIBILL-2024 | ASEAN-AI-GUIDE-2024 | AU-AI-STRATEGY-2024 | ANTHROPIC-RSP-2024° | OPENAI-PREPAREDNESS-2023° | DEEPMIND-FSF-2024° | META-FRONTIER-2024° | UK-US-AISI-MOU-2024 | WH-VOLUNTARY-2023 | SG-MODEL-AI-2024 | JP-METI-AI-2024 | NYC-LL-144-2021 | CO-SB-24-205 | IL-HB-3773-2024 | EU-GDPR-2016 | EU-GPAI-COP-2025 | EU-AIA-DELEGATED-ART51 | OMB-M-24-10 | GSA-AI-GUIDE-2024 | FAR-PART-39 | DOD-RAI-2022 | FEDRAMP-AI-2024 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Training-Data Rights | implicit | silent | silent | silent | governs | silent | silent | implicit | silent | implicit | silent | silent | governs | silent | governs | implicit | silent | implicit | silent | silent | silent | implicit | silent | silent | silent | implicit | silent | silent | silent | governs | governs | silent | silent | implicit | implicit | silent | implicit |
| National Security Carveouts in AI Regulation | governs | governs | silent | implicit | silent | silent | silent | governs | silent | silent | silent | silent | silent | silent | implicit | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | silent | implicit | implicit | governs | implicit |
°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.
How to cite this article
APA 7
Policy Window. (2020). DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) [Wiki article — Instrument]. https://policywindow.org/wiki/dfars-252-204
Chicago 17
Policy Window. 2020. "DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)." Wiki article (Instrument). https://policywindow.org/wiki/dfars-252-204.
BibTeX
@misc{policywindow-dfars-252-204,
title = {DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)},
author = {Policy Window},
year = {2020},
howpublished = {Defense Federal Acquisition Regulation Supplement, Subpart 204.73 + clauses 252.204-7012 (Safeguarding Covered Defense Information), 252.204-7019/-7020/-7021 (CMMC) (48 C.F.R. ch. 2). Current consolidated subpart per the DoD Procurement Toolbox + acquisition.gov.},
url = {https://policywindow.org/wiki/dfars-252-204},
note = {Primary source: https://www.acquisition.gov/dfars/subpart-204.73-safeguarding-covered-defense-information-and-cyber-incident-reporting}
}
Evidence base
Academic & grey-literature sources on the topics this instrument addresses (not commentary on the instrument itself) — catalogued metadata with a primary link, no LLM summaries (charter §7). Browse the full literature index.
- Model Card (preprint): Mitchell et al. (2019), 'Model Cards for Model Reporting,' FAccT '19
- Deceptive Alignment (preprint): Hubinger, E., et al. (2019), 'Risks from Learned Optimization in Advanced Machine Learning Systems.'
- Mesa-Optimization (preprint): Hubinger, E., et al. (2019), 'Risks from Learned Optimization in Advanced Machine Learning Systems.'
- Scalable Oversight (preprint): Christiano, P., Shlegeris, B., Amodei, D. (2018), 'Supervising Strong Learners by Amplifying Weak Experts.'
- Capability Elicitation (preprint): Qi, X., Zeng, Y., Xie, T., Chen, P.-Y., Jia, R., Mittal, P., Henderson, P. (2023), 'Fine-tuning Aligned Language Models Compromises Safety, Even When Users Do Not Intend To!'
- Dual-Use Research Norms (DURC for AI) (preprint): Solaiman, I., et al. (2019), 'Release Strategies and the Social Impacts of Language Models' — the canonical articulation of structured-access norms for foundation models.
- Policy Instrument (peer-reviewed): Lascoumes, P. & Le Galès, P. (2007). Introduction: Understanding Public Policy through Its Instruments — From the Nature of Instruments to the Sociology of Public Policy Instrumentation. Governance 20(1): 1-21. See also Hood (1983) The Tools of Government, ch. 1-2; Salamon (2002) The Tools of Government: A Guide to the New Governance, pp. 1-47; Howlett (2011) Designing Public Policies, ch. 3-5.
- Training-Data Attribution (preprint): Grosse, R., et al. (2023), 'Studying Large Language Model Generalization with Influence Functions' (Anthropic) — the canonical articulation of scalable influence-function-based attribution for foundation models.
- Prompt Injection (preprint): Greshake, K., Abdelnabi, S., Mishra, S., Endres, C., Holz, T., Fritz, M. (2023), 'Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection.'
- Agentic AI System (preprint): Yao, S., Zhao, J., Yu, D., Du, N., Shafran, I., Narasimhan, K., Cao, Y. (2022), 'ReAct: Synergizing Reasoning and Acting in Language Models.'
- Tool-Use Safety (preprint): Wallace, E., et al. (2024), 'The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions' (OpenAI) — the canonical industry articulation of instruction-channel hierarchy as a tool-use-safety defence.
- Multi-Turn Evaluation (preprint): Zheng, L., et al. (2023), 'Judging LLM-as-a-Judge with MT-Bench and Chatbot Arena' — operationalises the multi-turn evaluation protocol for foundation models.
- Data Poisoning (preprint): Carlini, N., et al. (2024), 'Poisoning Web-Scale Training Datasets is Practical' — establishes practical feasibility of poisoning frontier-model training corpora.
- Model Distillation Risk (preprint): Hinton, G., Vinyals, O., Dean, J. (2015), 'Distilling the Knowledge in a Neural Network' — the foundational distillation paper; the governance-relevant adaptation runs through Alpaca/Vicuna (2023) and DeepSeek-R1 (2025).
- Jailbreak Resistance (preprint): Zou, A., Wang, Z., Kolter, J. Z., Fredrikson, M. (2023), 'Universal and Transferable Adversarial Attacks on Aligned Language Models' — the canonical demonstration that gradient-based suffix attacks transfer across aligned LLMs.
- Model-Merging Risk (preprint): Bhardwaj, R., et al. (2024), 'Language Models are Homer Simpson! Safety Re-Alignment of Fine-tuned Language Models through Task Arithmetic' — canonical demonstration that safety training is not preserved under task arithmetic / merging.
- Inference-Time Compute (preprint): Snell, C., Lee, J., Xu, K., Kumar, A. (2024), 'Scaling LLM Test-Time Compute Optimally can be More Effective than Scaling Model Parameters' — establishes inference-time-compute scaling as a first-class capability lever.
- Sandbagging (preprint): van der Weij, T., Hofstätter, F., Jaffe, O., Brown, S., Ward, F. (2024), 'AI Sandbagging: Language Models can Strategically Underperform on Evaluations.'
- Hallucination (preprint): Ji, Z., et al. (2023), 'Survey of Hallucination in Natural Language Generation,' ACM Computing Surveys 55(12): 1-38.
- In-Context Learning (preprint): Brown, T., et al. (2020), 'Language Models are Few-Shot Learners' (GPT-3 paper) — the canonical articulation of in-context learning as an emergent capability.
- Retrieval-Augmented Generation (RAG) (preprint): Lewis, P., et al. (2020), 'Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks,' NeurIPS — the canonical articulation of RAG.
- AI Risk Management Framework | NIST (standards body): US voluntary AI risk-management framework (Govern/Map/Measure/Manage).
- ISO/IEC JTC 1/SC 42 - Artificial intelligence (standards body): International committee developing AI standards.
- ISO - Security, safety and risk (standards body): ISO security, safety & risk standards portal.
- OECD AI Incidents Monitor, an evidence base for trustworthy AI - OECD.AI (incident database): OECD tracker of real-world AI incidents and hazards.
- AI Index | Stanford HAI (research institute): Stanford HAI's annual data report on the state of AI.
- Regulation, Policy, Governance | Stanford HAI (research institute): Stanford HAI's regulation & governance research hub.
- Papers & Reports | Epoch AI (research institute): Epoch AI research on compute, scaling trends & frontier models.
- Artificial Intelligence (research institute): US National Academies' AI consensus-study hub.
- Capturing the Potential of Generative AI’s Use in Health and Medicine Requires Collaboration and Oversight, Consideration of Risks, Says NAM Special Publication (research institute): NAM special publication on generative AI in health & medicine.
- One Hundred Year Study on Artificial Intelligence (AI100) (research institute): Stanford's standing century-long study of AI's societal impact.
- National Bureau of Economic Research | NBER (working paper): US National Bureau of Economic Research.
- Featured Working Papers Archive | NBER (working paper): NBER featured economics working papers (incl. AI & labor).
- Measuring up | Ada Lovelace Institute (civil society): Ada Lovelace Institute policy briefing.
- Publications - AlgorithmWatch (civil society): Reports on automated decision-making and its societal impact.
- Anthropomorphic AI terms create gaps in accountability | Brookings (think tank): Commentary on how anthropomorphic AI language obscures accountability.
References
- Defense Federal Acquisition Regulation Supplement, Subpart 204.73 + clauses 252.204-7012 (Safeguarding Covered Defense Information), 252.204-7019/-7020/-7021 (CMMC) (48 C.F.R. ch. 2). Current consolidated subpart per the DoD Procurement Toolbox + acquisition.gov.