Defense contracts pull in DFARS cyber clauses like parts off a shelf, and the clauses are often lumped together by contractors as "the cyber stuff." They are not the same. Each of the four principal cyber clauses - 7012, 7019, 7020, 7021 - does distinct contractual work and triggers distinct obligations. Confusing them causes compliance failures that are specific and expensive.
DFARS 252.204-7012: the substantive cybersecurity clause
7012 is the oldest and most substantive. It has two core requirements:
Adequate security per NIST 800-171
Contractors processing, storing, or transmitting covered defense information (CDI - the DFARS term functionally overlapping with CUI) must implement the security requirements of NIST SP 800-171 "as soon as practical but not later than December 31, 2017." That date is long past; implementation is now expected at contract award. The clause explicitly permits a contractor to develop a System Security Plan and Plan of Action and Milestones, and acknowledges that full implementation at any point in time may not be achieved, but the plan must exist and be executable.
The "adequate security" language has been the foundation of cyber compliance audit and enforcement actions. A contractor who has not documented an SSP or cannot produce it on request is in default regardless of whether the underlying controls are in place.
72-hour cyber incident reporting
When a contractor discovers a cyber incident affecting covered defense information, the covered contractor information system, or the contractor's ability to perform on the contract, the incident must be reported to DoD within 72 hours via the DIBNet portal. The report requires:
- Contractor and reporter identification
- Affected system identification
- Description of the incident
- Impacted CDI
- Reporter contact information
After initial report, the contractor must conduct a review, preserve affected images for 90 days, and cooperate with any DoD damage assessment, including providing access to affected systems and data.
The 72-hour clock is the most commonly missed requirement in the DFARS cyber regime. It starts at discovery, not at incident occurrence, and "discovery" is read to occur early - a security team seeing anomalous traffic that points to a compromise is discovery; waiting for a formal triage verdict does not delay the start of the clock.
DFARS 252.204-7019: the NIST SP 800-171 score requirement
7019 is the scoring and visibility clause. It requires contractors to have a current (within three years) NIST SP 800-171 DoD Assessment score on file in the Supplier Performance Risk System (SPRS) before award.
The scoring methodology: start at 110 points, deduct the assigned point value for each unimplemented control. A fully implemented environment scores 110. A single unimplemented 5-point control drops the score to 105. An environment with many gaps can score below zero (negative scores are common during initial posture).
Three assessment types are recognized:
- Basic (self-assessment): contractor self-scores and uploads
- Medium (DoD-conducted): the Defense Contract Management Agency (DCMA) or a similar DoD assessor reviews the contractor's SSP remotely
- High (DoD-conducted): DoD conducts an on-site review
For most contractors at award time, a Basic self-assessment is what appears in SPRS. The contracting officer checks SPRS before award and, if no current score is present, the contract cannot be awarded under 7019 constraints.
DFARS 252.204-7020: the government access and flow-down clause
7020 is the verification clause. It has two primary provisions:
Government access for Medium and High assessments
Contractors must afford DoD access as necessary to conduct a Medium or High NIST SP 800-171 assessment. This access includes facilities, systems, personnel, and documentation. A contractor who refuses or slow-rolls access is in breach.
Flow-down
7020 must flow down to subcontractors at all tiers when the subcontractor's performance involves covered defense information. The prime has contractual responsibility to verify that subs have a current SPRS score and to collect flow-down compliance commitments. This is the mechanism by which the DIB supply chain is forced into compliance from the top down.
7020 is the clause that turns a prime into a de facto compliance auditor of its supply chain. Primes vary enormously in how rigorously they enforce flow-down - the most demanding primes require subs to provide SSPs, score documentation, and periodic certifications; the least demanding primes accept a checkbox.
DFARS 252.204-7021: the CMMC clause
7021 is the forward-looking CMMC clause. Under the final CMMC rule, 7021 is phased into contracts over time. When present, it requires:
- The contractor to have achieved the CMMC level specified in the solicitation
- The contractor to maintain that level throughout the contract period
- The contractor to flow down CMMC requirements to subcontractors at the level appropriate for the sub's scope
- Contractor affirmation of ongoing CMMC status at contract award and annually thereafter
7021 is where CMMC transitions from "industry readiness program" to "contractual obligation." Once a contract carries 7021, a lapse in CMMC status is a contractual default, not just a cyber incident.
How the clauses interact
The clauses build on each other:
- 7012 establishes the substantive security requirement (NIST 800-171 implementation and incident reporting)
- 7019 requires contractors to self-score and post in SPRS
- 7020 gives DoD the right to verify that score and forces flow-down
- 7021 binds the contractor to a specific CMMC level, verified by C3PAO or self-assessment per the rule, and requires ongoing affirmation
Older contracts may have only 7012. Newer contracts typically carry 7012, 7019, and 7020. Contracts affected by CMMC rollout carry all four.
Common contractor mistakes
- Scoring SPRS without a current SSP: a score not backed by a documented SSP is indefensible. A DoD Medium or High assessment will dismantle it.
- Ignoring the 72-hour clock: building an incident response plan that targets 7-day reporting rather than 72-hour reporting. Under 7012, the clock is hard.
- Weak flow-down enforcement: primes who treat flow-down as a form-filling exercise end up exposed when a sub-tier incident triggers contractual review.
- Affirmation drift: under 7021 and the CMMC rule, the senior official affirming CMMC status carries personal False Claims Act exposure if the affirmation is materially inaccurate.
Practical posture
Every DIB contract should be reviewed at award for the specific cyber clauses present. Build a clause-to-obligation matrix that maps each DFARS clause to the specific operational requirement - SPRS scoring, SSP maintenance, incident response readiness, flow-down collection. Keep the matrix current as contracts are modified.
Techvera's compliance practice builds DFARS clause inventories and operational compliance mappings for DIB contractors. See our defense and government compliance practice or book a contracts review to audit your current DFARS posture.
About the Author
Team Techvera
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
