Print-friendly view · use your browser's Save as PDF option (Cmd/Ctrl-P) to attach this article to a brief.
DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
DFARS-252-204 · US · binding regulation
Source: https://policywindow.org/wiki/dfars-252-204
Generated 2026-07-19T05:39:39 UTC
Summary
Defense-acquisition-specific information-security regulation. Core clauses: (1) DFARS 252.204-7012 (adopted 2015, current consolidated 2020) — requires contractors handling Covered Defense Information (CDI) on covered contractor information systems to implement NIST SP 800-171 r2 security controls + report cyber incidents to DoD within 72 hours; (2) DFARS 252.204-7019 / -7020 / -7021 (CMMC interim rule Nov 2020) — implements the Cybersecurity Maturity Model Certification framework requiring increasingly stringent third-party attestation of NIST 800-171 implementation by contract tier. AI relevance: (a) AI-system source code, model weights, training data, and architecture documentation produced or stored on contractor systems fall within CDI when the underlying contract is so designated; (b) cyber-incident reporting in 252.204-7012(c) applies equally to AI-system compromise events (training-data exfiltration, model-weight theft, prompt-injection-based credential exposure); (c) supply-chain risk-management linkages with FAR Part 4 Subpart 4.21 + the DoD RAI S&IP supply-chain tenet. Distinct from AI-specific DFARS clauses under consideration as part of DoD Acquisition Innovation initiatives — none of which have been finalised at the catalog-write date. DRIFT-WATCH CORRECTION (2026-07-17, /wiki/drift.json): status "in_force" AFFIRMED and deliberately UNCHANGED — 252.204-7012 still binds and cyber-incident reporting still applies, so the substance is right. Recording LOCATION drift only: DoD Class Deviation 2026-O0043 (DFARS Part 204), effective 2026-02-17, directs contracting officers to use an attached Part 204 in lieu of the codified 48 CFR ch. 2 text, so the cited acquisition.gov subpart is no longer the operative location. Source: https://www.acq.osd.mil/dpap/dars/classdev/DFARS_RFO/Part-204/2026-O0043_TAB_A_Deviation_Memo_Part_204.pdf
At a glance
- Adopted
- 2020-11-30
- Effective
- 2020-11-30
- Status
- in force
- Primary source
- Defense Federal Acquisition Regulation Supplement, Subpart 204.73 + clauses 252.204-7012 (Safeguarding Covered Defense Information), 252.204-7019/-7020/-7021 (CMMC) (48 C.F.R. ch. 2). Current consolidated subpart per the DoD Procurement Toolbox + acquisition.gov.
- Source URL
- https://www.acquisition.gov/dfars/subpart-204.73-safeguarding-covered-defense-information-and-cyber-incident-reporting
How to cite this article
APA
Policy Window. (2020). DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting) [Wiki article — Instrument]. https://policywindow.org/wiki/dfars-252-204
Chicago
Policy Window. 2020. "DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)." Wiki article (Instrument). https://policywindow.org/wiki/dfars-252-204.
Harvard
Policy Window (2020) 'DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)', Wiki article — Instrument, available at: https://policywindow.org/wiki/dfars-252-204.
OSCOLA
Policy Window, 'DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)' (Wiki article — Instrument, 2020) <https://policywindow.org/wiki/dfars-252-204> accessed [date].
BibTeX
@misc{policywindow-dfars-252-204,
title = {DFARS Subpart 252.204 (Safeguarding Covered Defense Information and Cyber Incident Reporting)},
author = {Policy Window},
year = {2020},
howpublished = {Defense Federal Acquisition Regulation Supplement, Subpart 204.73 + clauses 252.204-7012 (Safeguarding Covered Defense Information), 252.204-7019/-7020/-7021 (CMMC) (48 C.F.R. ch. 2). Current consolidated subpart per the DoD Procurement Toolbox + acquisition.gov.},
url = {https://policywindow.org/wiki/dfars-252-204},
note = {Primary source: https://www.acquisition.gov/dfars/subpart-204.73-safeguarding-covered-defense-information-and-cyber-incident-reporting}
}