Procurement workflow surface
DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) — vendor disclosure form
This is a sample disclosure form a procurement team can adapt for vendor RFPs and ITTs evaluating systems against DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting). The provision-specific questions below were derived from the catalog's coverage cells; before issuing, a qualified procurement lawyer should review the adapted version against your jurisdiction's contract law. This form is NOT legal advice (see charter §7.4).
1. Vendor identification
2. AI system identification
3. Provision-specific questions
- Training-Data Rights. Identify the legal basis for training-data sourcing for the offered system (including copyright, consent, and any text-and-data-mining exemptions relied upon) and confirm consistency with DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting).
(Cite: 252.204-7012 — training-data sets stored on covered contractor information systems require NIST SP 800-171 implementation when designated CDI; data-spill / exfiltration events trigger 72-hour cyber-incident reporting under 252.204-7012(c))
- National Security Carveouts in AI Regulation. Identify whether any component of the offered system or its use case falls within the national-security carveouts of DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) and describe the resulting compliance posture.
(Cite: 252.204-7012 + CMMC clauses (-7019/-7020/-7021) are the operative national-security-overlay framework for defence-acquisition information security; the subpart IS the carveout regime)
4. Documentation enclosures expected
Tick each enclosure attached to the vendor response. Missing enclosures should be explained in the “Variances” field below.
- Training-data summary / provenance log
- Copies of submitted regulatory reports / registrations
- Vendor company registration + insurance certificates
- Sub-processor / supply-chain list (including model upstream)
5. Vendor attestation
The undersigned, on behalf of the vendor, attests that the disclosures above are true and complete to the best of their knowledge at the date signed, and undertakes to notify the buyer in writing within 30 days of any material change to those disclosures.
This is a sample form derived from the catalog at /wiki/dfars-252-204. Adapt before issuing. Not legal advice; not jurisdiction-specific. See charter §7.4.