Print-friendly view · use your browser's Save as PDF option (Cmd/Ctrl-P) to attach this article to a brief.
DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
DFARS-252-204 · US · binding regulation
Source: https://policywindow.org/wiki/dfars-252-204
Generated 2026-06-04T00:26:38 UTC
Summary
Defense-acquisition-specific information-security regulation. Core clauses: (1) DFARS 252.204-7012 (adopted 2015, current consolidated 2020) — requires contractors handling Covered Defense Information (CDI) on covered contractor information systems to implement NIST SP 800-171 r2 security controls + report cyber incidents to DoD within 72 hours; (2) DFARS 252.204-7019 / -7020 / -7021 (CMMC interim rule Nov 2020) — implements the Cybersecurity Maturity Model Certification framework requiring increasingly stringent third-party attestation of NIST 800-171 implementation by contract tier. AI relevance: (a) AI-system source code, model weights, training data, and architecture documentation produced or stored on contractor systems fall within CDI when the underlying contract is so designated; (b) cyber-incident reporting in 252.204-7012(c) applies equally to AI-system compromise events (training-data exfiltration, model-weight theft, prompt-injection-based credential exposure); (c) supply-chain risk-management linkages with FAR Part 4 Subpart 4.21 + the DoD RAI S&IP supply-chain tenet. Distinct from AI-specific DFARS clauses under consideration as part of DoD Acquisition Innovation initiatives — none of which have been finalised at the catalog-write date.
At a glance
- Adopted
- 2020-11-30
- Effective
- 2020-11-30
- Status
- in force
- Primary source
- Defense Federal Acquisition Regulation Supplement, Subpart 204.73 + clauses 252.204-7012 (Safeguarding Covered Defense Information), 252.204-7019/-7020/-7021 (CMMC) (48 C.F.R. ch. 2). Current consolidated subpart per the DoD Procurement Toolbox + acquisition.gov.
- Source URL
- https://www.acquisition.gov/dfars/subpart-204.73-safeguarding-covered-defense-information-and-cyber-incident-reporting
How to cite this article
APA
Policy Window. (2020). DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) [Wiki article — Instrument]. https://policywindow.org/wiki/dfars-252-204
Chicago
Policy Window. 2020. "DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)." Wiki article (Instrument). https://policywindow.org/wiki/dfars-252-204.
Harvard
Policy Window (2020) 'DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)', Wiki article — Instrument, available at: https://policywindow.org/wiki/dfars-252-204.
OSCOLA
Policy Window, 'DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)' (Wiki article — Instrument, 2020) <https://policywindow.org/wiki/dfars-252-204> accessed [date].
BibTeX
@misc{policywindow-dfars-252-204,
title = {DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)},
author = {Policy Window},
year = {2020},
howpublished = {Defense Federal Acquisition Regulation Supplement, Subpart 204.73 + clauses 252.204-7012 (Safeguarding Covered Defense Information), 252.204-7019/-7020/-7021 (CMMC) (48 C.F.R. ch. 2). Current consolidated subpart per the DoD Procurement Toolbox + acquisition.gov.},
url = {https://policywindow.org/wiki/dfars-252-204},
note = {Primary source: https://www.acquisition.gov/dfars/subpart-204.73-safeguarding-covered-defense-information-and-cyber-incident-reporting}
}