DFARS 252.204-7012: A Plain-English Guide for Small Contractors

Published May 12, 2026 · Updated May 16, 2026

DFARS 252.204-7012 is the Department of Defense contract clause that requires contractors handling Covered Defense Information (a subset of CUI) to (1) implement NIST SP 800-171, (2) report cyber incidents to DoD within 72 hours, and (3) use cloud services that meet FedRAMP Moderate Equivalent or higher when CUI is stored, processed, or transmitted there. It's been in effect since December 2017 and it flows down to every subcontractor whose performance involves CUI.

What the clause actually says

Strip out the legalese and DFARS 7012 has four obligations:

  1. Provide "adequate security" — defined as implementing NIST 800-171.
  2. Rapidly report cyber incidents that affect Covered Defense Information to dibnet.dod.mil within 72 hours of discovery.
  3. If you use a cloud service to store/process/transmit CUI, the CSP must meet FedRAMP Moderate (or be authorized as equivalent), and you must require the CSP to cooperate with DoD damage assessments.
  4. Flow the clause down to every subcontractor whose performance will involve CUI.

The 72-hour incident report

The 72 hours starts when you discover the incident, not when it happened. To file you need:

  • A DoD-approved medium assurance certificate (purchase through IdenTrust or DigiCert; ~$175 and takes 1–2 weeks).
  • An incident response process that gets a technical lead, a contracting lead, and an executive in the same room fast.
  • The capacity to preserve images of affected systems for 90 days and submit malicious software to DC3 on request.

The cloud rule (FedRAMP Moderate Equivalent)

In December 2023 DoD's Office of the CIO issued a memo clarifying what "equivalent to FedRAMP Moderate" means. The short version: equivalency requires a complete body of evidence — an SSP, a third-party assessment to the FedRAMP Moderate baseline by a 3PAO, and a customer-responsibility matrix — even if the CSP never formally applies to the FedRAMP PMO. AWS GovCloud (US), Azure Government, and Google Assured Workloads for Government are the usual landing spots; commercial AWS / Azure / GCP are not equivalent.

If you're using Microsoft 365 commercial today and you handle CUI, you are out of compliance. The compliant move is GCC High (not GCC, not commercial).

The flow-down trap

Primes are required to flow 7012 down to any sub whose performance involves CUI — but the flow-down obligation does not reduce the prime's responsibility. That means primes increasingly demand SPRS scores, SSPs, and evidence packages from their subs before awarding a task order. If you're a sub waiting for "the prime to figure it out", you'll lose work to subs who came in with a 110 score in SPRS and a CMMC Level 2 plan.

A short DFARS 7012 checklist

  1. SPRS score posted (and accurate).
  2. SSP and POA&M maintained and current.
  3. Cloud services for CUI are FedRAMP Moderate or FedRAMP Moderate Equivalent (with body of evidence).
  4. DoD medium assurance certificate provisioned for incident reporting.
  5. Incident response plan tested in the last 12 months.
  6. 7012 flow-down clause in every subcontract that involves CUI.

Frequently asked questions

Does DFARS 7012 apply if my contract is COTS-only?
No. DFARS 252.204-7012 is excluded from contracts solely for the acquisition of commercial off-the-shelf items. The moment you provide a customized service, a non-COTS part, or any deliverable with CUI in it, the clause applies.

Is Microsoft 365 Commercial OK for CUI?
No. Microsoft has stated publicly that M365 Commercial and GCC are not equivalent to FedRAMP Moderate for storing CUI. You need GCC High (Microsoft 365 Government Community Cloud High) to satisfy DFARS 7012 for CUI workloads.

What's the difference between a cyber incident and a breach for the 72-hour rule?
DFARS 7012 uses a broad definition of "cyber incident" — any actions that result in a compromise or an actual or potentially adverse effect on a contractor information system or the CDI residing therein. You don't need confirmed data exfiltration; suspected compromise of a CUI-handling system starts the 72-hour clock.