Journalist briefing pack
DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
Deadline-ready summary derived from the Policy Window catalog. Every claim cites a primary source. As of 2026-06-03.
Editor-of-record: Editorial board (in formation) (Policy Window) — last reviewed 2026-05-31
Key finding
DoD information-security regulation; NIST 800-171 + CMMC implementation; AI source/weights/training data fall within Covered Defense Information when contract designates.
Pull quote (operative text)
“Contractor shall provide adequate security on all covered contractor information systems by implementing NIST Special Publication 800-171 (252.204-7012(b)(2)(i)).”
Topics this instrument addresses
- governsTraining-Data Rights— 252.204-7012 — training-data sets stored on covered contractor information systems require NIST SP 800-171 implementation when designated CDI; data-spill / exfiltration events trigger 72-hour cyber-incident reporting under 252.204-7012(c)
- governsNational Security Carveouts in AI Regulation— 252.204-7012 + CMMC clauses (-7019/-7020/-7021) are the operative national-security-overlay framework for defence-acquisition information security; the subpart IS the carveout regime
- implicitFoundation Models / GPAI— 252.204-7012 — AI-system source code, model weights, training data fall within Covered Defense Information scope when the underlying contract designates these as CDI; foundation-model artefacts are CDI through the standard contract designation pathway
- implicitCompute-Threshold Reporting— Cyber-incident reporting under 252.204-7012(c) — 72-hour DoD notification covers AI-system compromise events including model-weight theft + prompt-injection-based credential exposure; broader AI-use disclosure flows through M-24-10 not DFARS
Cite this briefing
MLA (9th edition)
Policy Window. "DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)." Policy Window AI Governance Catalog, 2026-06-03, http://localhost:3000/wiki/dfars-252-204?asOf=2026-06-03.
AP (current style — newsroom-grade)
Policy Window AI Governance Catalog, "DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)," accessed 2026-06-03, http://localhost:3000/wiki/dfars-252-204?asOf=2026-06-03.
Chicago (17th edition, notes-bibliography)
Policy Window, "DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)," Policy Window AI Governance Catalog, accessed 2026-06-03, http://localhost:3000/wiki/dfars-252-204?asOf=2026-06-03.
APA (7th edition, author-date)
Policy Window. (2026). DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) [Snapshot 2026-06-03]. Policy Window AI Governance Catalog. http://localhost:3000/wiki/dfars-252-204?asOf=2026-06-03
CC BY 4.0 content. Citation conventions documented at /wiki/citing-us.
What this briefing IS: a deadline-shaped slice of the typed catalog at /wiki/dfars-252-204. Key finding + pull quote + crosswalk are editor-curated when present; honest-empty when not. Charter §7.1.a holds: never advocacy framing.
What this briefing is NOT: a substitute for direct verification of primary sources before publication. Not legal advice (charter §7.4). Not real-time (editorial cadence).