The Clause Text
DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — has been the operational core of DoD cybersecurity contracting since 2016. Paragraph (m) is the flow-down provision: the rule that requires primes to include the same clause in subcontracts that handle covered defense information.
"(1) Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial products or commercial services, without alteration, except to identify the parties; and
(2) Require subcontractors to —
(i) Notify the prime Contractor (or next higher-tier subcontractor) when submitting a request to vary from a NIST SP 800-171 security requirement to the Contracting Officer, in accordance with paragraph (b)(2)(ii)(D) of this clause; and
(ii) Provide the incident report number, automatically assigned by DoD, to the prime Contractor (or next higher-tier subcontractor) as soon as practicable, when reporting a cyber incident to DoD as required in paragraph (c) of this clause." — DFARS 252.204-7012(m), as amended
Two operative obligations come out of paragraph (m). First, the entire clause must be included without alteration in qualifying subcontracts — primes do not have discretion to negotiate it away or soften it. Second, primes must require subs to communicate two specific things back: any request to deviate from an 800-171 requirement, and the DoD-assigned incident report number when an incident is reported.
Related DFARS Clauses You Need to Know
252.204-7012 does not stand alone. Three related clauses, all introduced more recently, govern assessment, scoring, and certification:
| Clause | What It Requires | When It Applies |
|---|---|---|
| 252.204-7012 | Safeguarding of covered defense information per NIST SP 800-171; cyber incident reporting within 72 hours; flow-down to subs handling CDI | All DoD contracts (and subcontracts) involving covered defense information; in effect since 2016 |
| 252.204-7019 | Contractor must have a current (within 3 years) NIST SP 800-171 self-assessment posted to SPRS before contract award | Solicitations and contracts that include 7012; in effect since November 2020 |
| 252.204-7020 | Contractor must provide the DoD with access to facilities, systems, and personnel for higher-level (Medium or High) NIST 800-171 assessments when required; flow-down to subs is required | Same triggering conditions as 7019; assessments performed by DCMA DIBCAC |
| 252.204-7021 | Contractor must hold a current CMMC certification at the level specified in the solicitation, and must flow down the appropriate CMMC level to subcontractors based on the CDI those subs will handle | Phased rollout under the CMMC Final Rule; full applicability reached during the program's three-year phased implementation |
The four clauses operate as a stack: 7012 establishes the safeguarding obligation, 7019 requires you to have self-assessed, 7020 reserves the government's right to verify, and 7021 layers in third-party certification at the appropriate level. Flow-down obligations attach to 7012, 7020, and 7021 — meaning subs handling CDI inherit safeguarding, assessment-cooperation, and (when 7021 applies) certification obligations from the prime.
Who Flows It Down — and to Whom
The clause flows from the prime to any subcontractor whose work will involve covered defense information, or who will provide operationally critical support. It is not a blanket flow-down to every sub on a contract — it is a data-driven flow-down that depends on whether the sub will actually touch CDI in the course of performance.
Some concrete scenarios:
- Flows down. The CAD subcontractor will store, process, and transmit CDI in performance of the subcontract.
- Does not flow down. The janitorial subcontractor performs no work involving CDI. (However, physical access to a CUI-containing facility may trigger separate physical-protection obligations under 800-171 control PE.3.061.)
- Flows down. The MSP has privileged access to systems holding CDI; that access constitutes "processing" CDI in the relevant sense even if MSP staff never deliberately read the files.
- Flows down again — to the second-tier sub. Paragraph (m) requires every level of the supply chain that handles CDI to flow the clause down to the next level. The first-tier sub effectively becomes a "prime" for purposes of flow-down to the second-tier sub.
- Does not flow down. The purchase has no nexus to CDI or to performance of the DoD contract.
"Operationally critical support" is a separate trigger. Even if a subcontractor never touches CDI, the clause flows down if the sub provides "operationally critical support" — defined in 7012(a) as supplies or services designated by the government as critical to the airlift, sealift, intermodal transportation, or logistical support of the armed forces. This is rare for most contractors but worth checking in the contract DD-254 or statement of work.
What Flows Down
Paragraph (m)(1) is unambiguous: the clause flows without alteration, except to identify the parties. That means the entire safeguarding and reporting framework lands on the sub:
- Implementation of NIST SP 800-171 Rev 2. The sub must implement the same 110 security requirements that apply to the prime, scoped to the sub's environment that handles the CDI.
- 72-hour cyber incident reporting. Discovery of a cyber incident affecting CDI obligates the sub to report to DoD within 72 hours via the DIBNet portal — and to provide the resulting incident report number to the prime.
- Cyber forensic preservation. The sub must isolate affected systems, preserve images of known-affected systems, and preserve relevant monitoring and packet capture data for at least 90 days from the date of the cyber incident report.
- Media submission. The sub must submit malicious software identified during the incident to DoD Cyber Crime Center (DC3), and may be required to provide additional media to support the government's analysis.
- Cooperation with DoD damage assessment. If DoD initiates a damage assessment after a reported incident, the sub must cooperate with that assessment.
- Cloud service requirements. Any cloud service the sub uses to store, process, or transmit CDI must meet the FedRAMP Moderate baseline or be demonstrably equivalent — the same standard that applies to the prime.
- Sub-flow-down obligation. The sub must include the clause in its own subcontracts that involve CDI, perpetuating the chain.
What flow-down does not do is consolidate compliance: each entity in the chain is independently responsible for its own implementation of the requirements. A prime cannot satisfy a sub's obligations by having a strong security posture itself, and a sub cannot satisfy its own obligations by relying on the prime's certification.
CDI vs. CUI vs. FCI: Resolving the Terminology
Three overlapping terms appear across DFARS, FAR, and CMMC documents. They are not interchangeable, and confusing them leads to scope errors.
Federal Contract Information (FCI)
Information not intended for public release that is provided by or generated for the government under a contract. FCI is the broadest and least sensitive of the three categories. Contractors handling only FCI fall under FAR 52.204-21 (the "basic safeguarding" rule) and CMMC Level 1 — not under DFARS 252.204-7012.
Controlled Unclassified Information (CUI)
Information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. CUI categories are enumerated in the NARA CUI Registry and include Defense, Export Control, Privacy, and many other categories.
Covered Defense Information (CDI)
The DFARS-specific term used in 252.204-7012. Defined in 7012(a) as unclassified controlled technical information or other information (as described in the CUI Registry) that requires safeguarding or dissemination controls and is either (1) marked or otherwise identified in the contract and provided to the contractor by or on behalf of DoD, or (2) collected, developed, received, transmitted, used, or stored by the contractor in support of contract performance.
CDI is essentially the DoD's contract-specific subset of CUI. All CDI is CUI; not all CUI is CDI (CUI on a non-DoD contract isn't called CDI). For most operational purposes, "CUI" and "CDI" are used interchangeably when discussing DFARS 7012 obligations.
The flow-down trigger in 7012(m) uses the term "covered defense information." For practical compliance work, treat any CUI received in connection with a DoD contract as CDI for flow-down purposes.
The 72-Hour Incident Reporting Flow
The 72-hour cyber incident reporting obligation is the most operationally consequential part of 7012, and the part most likely to fail under pressure when a real incident occurs. The flow runs as follows:
- The sub discovers a cyber incident affecting CDI or affecting a system that processes, stores, or transmits CDI.
- The sub conducts a review of its information system for evidence of compromise of CDI, and identifies any compromised data, accounts, or systems.
- Within 72 hours of discovery, the sub submits a cyber incident report to DoD through the DIBNet portal. This requires a DoD-issued external certificate (medium-assurance certificate from an approved provider) and a DIBNet account, both of which must be obtained before an incident occurs.
- DoD assigns an incident report number to the submission.
- The sub provides the incident report number to the prime as soon as practicable — this is the explicit obligation under paragraph (m)(2)(ii).
- The sub preserves images and monitoring data for at least 90 days from the date of the report, in case DoD requests them for damage assessment.
The DIBNet account is a pre-incident requirement. Obtaining the DoD-issued external certificate for DIBNet access takes weeks. An organization that waits until an incident occurs to apply for DIBNet access will miss the 72-hour reporting window. Every prime and every sub handling CDI should have at least two named individuals with active DIBNet access before any contract performance begins.
Two friction points commonly trip up subs. First, the contractual relationship: a sub may have an NDA with the prime that appears to require notification to the prime before any external disclosure of an incident. The DFARS reporting obligation overrides ordinary NDA constraints — the sub must report to DoD within 72 hours regardless of prime notification timing — but this should be addressed in the subcontract language to avoid ambiguity. Second, dual reporting: many subs do not realize they are required to report to DoD and to the prime; some report only to the prime and rely on the prime to forward upward, which is not what the clause requires.
For Primes: Practical Steps
Operational implementation steps
- Inventory subs that will handle CDI. Maintain a current list of subcontractors performing work that involves CDI. The list should include the contract or PO, the CDI category involved, and the sub's CMMC level (once 7021 applies).
- Standardize subcontract templates. Update your subcontract boilerplate to include the full text of 252.204-7012 (and 7019/7020, with 7021 added during the CMMC phased rollout). Have legal review confirm the clause is included without alteration.
- Collect and verify SPRS scores. Under 7019, subs handling CDI must have a current self-assessment posted to SPRS. Periodically verify each sub's SPRS score (or contractually require the sub to provide it) and document the verification in your subcontractor file.
- Verify CMMC certification at the appropriate level. Once 7021 applies to the contract, confirm each sub holds a current CMMC certification at the level appropriate to the CDI they handle. The CMMC level the sub needs may be lower than yours if the sub handles a narrower CDI scope.
- Document oversight in your SSP. Section 8 of your SSP (External System Interconnections) should document each subcontractor relationship that involves CDI flow, including the security expectations and verification mechanisms.
- Pre-stage incident reporting coordination. Establish a written incident communication procedure with each CDI-handling sub: who calls whom, on what number, with what information, and what each party reports to DoD. Test the procedure annually.
- Monitor sub status changes. A sub's CMMC level can lapse, or a sub can experience a cyber incident affecting your CDI. Build a process for periodic re-verification — at least annually, and before any new CDI flow to the sub.
For Subcontractors: Practical Steps
Operational implementation steps
- Confirm the clause is in your subcontract. Read your subcontract terms carefully. If your work involves CDI and 7012 is not flowed down, raise it with the prime — both for your own legal protection and because the prime is required to flow it.
- Treat the 110 requirements as your own obligation. You implement NIST SP 800-171 directly — the prime's compliance does not cover you. Your SSP, your POA&M, your SPRS score are all your responsibility.
- Submit your own SPRS score. Conduct a NIST 800-171 self-assessment, calculate your SPRS score, and submit it to SPRS under your CAGE code. Most subs do not realize this is their direct obligation, not the prime's.
- Obtain CMMC certification at the appropriate level. Once 7021 applies to your subcontract, you must hold a current CMMC certification at the level the prime specifies. The level depends on the CDI you handle — confirm in writing what level is required before pursuing certification.
- Establish DIBNet access in advance. Apply for the DoD-issued external certificate and create a DIBNet account before any contract performance begins. Have at least two named individuals with active access.
- Know your prime notification path. Understand exactly who at the prime to notify if you experience a cyber incident, and confirm that path is documented in your incident response plan.
- Flow down to your own subs. If you further subcontract any CDI-handling work, you are now in the prime's role with respect to that second-tier sub. The clause must flow again.
- Use FedRAMP-authorized cloud services for CDI. If you store, process, or transmit CDI in any cloud service, that service must be FedRAMP Moderate authorized or equivalent. Commercial M365, Google Workspace, Dropbox, etc. are not authorized for CDI. See the enclave architecture guide for details.
Common Failure Patterns
Patterns that result in findings, contract action, or false claims exposure
- Primes that flow the clause but never verify compliance. Including 7012 in the subcontract is the floor, not the ceiling — primes are expected to take reasonable steps to verify subs are actually compliant. Collecting an SPRS score and confirming a CMMC certificate are the minimum viable verification steps.
- Subs that assume the prime's enclave covers them. If the prime sends CDI to the sub via Kiteworks (or any other secure channel), the sub still has to safeguard the CDI on the sub's own systems once it arrives. The prime's enclave does not extend to the sub's environment.
- Subs that report incidents only to the prime. The clause requires reporting to DoD within 72 hours. The sub's obligation runs to DoD, not to the prime. Notifying the prime is required in addition to DoD reporting, not instead of it.
- Primes that accept commercial cloud as the sub's environment. A sub running CDI through commercial Microsoft 365, Google Workspace, or any other non-FedRAMP-authorized service is non-compliant. Accepting that posture exposes the prime to flow-down enforcement risk.
- Subs that obtain CMMC certification at the wrong level. Some subs over-certify (paying for Level 2 when their CDI exposure would qualify for Level 1) and some under-certify (assuming Level 1 is enough when CDI is in scope). The CMMC level required is set by the contract, not by the sub's preference.
- ITAR or EAR data treated as ordinary CDI. Export-controlled technical data (ITAR Category XV, for example) carries US-person access restrictions in addition to 7012 safeguarding obligations. Subs cannot use offshore developers, foreign-national contractors, or non-US-person cloud administrators on systems handling ITAR data — even if 7012 alone would otherwise permit it.
- Subs whose cloud admins are outside the United States. Many cloud-managed-service providers have non-US-person administrators with privileged access. For CDI generally, this is a question of FedRAMP authorization. For ITAR/EAR, it is a hard prohibition.
- Sub-tier subs that never see the clause. First-tier subs frequently fail to flow 7012 to second-tier subs, breaking the chain. Primes have limited visibility past the first tier and must rely on contractual requirements that the chain be maintained.
Sample Subcontract Language
Most prime contracts have lawyer-drafted multi-page versions of the flow-down clause. The version below is a plain-language paragraph suitable for a small business prime's standard subcontract template. It is offered as a starting point, not as legal advice — confirm any contract language with counsel before use.
(a) Incorporation of DFARS clauses. Subcontractor agrees that the following Defense Federal Acquisition Regulation Supplement ("DFARS") clauses are incorporated into this Subcontract by reference, in full and without alteration except to identify the parties: 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements), and 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements). At such time as DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements) becomes applicable to the prime contract, that clause is also incorporated.
(b) NIST SP 800-171 implementation. Subcontractor represents and warrants that it has implemented, and will maintain throughout performance of this Subcontract, the security requirements specified in NIST SP 800-171 Revision 2 in any information system that will store, process, or transmit Covered Defense Information ("CDI") in connection with this Subcontract.
(c) SPRS posting. Subcontractor shall post and maintain a current NIST SP 800-171 self-assessment score in the Supplier Performance Risk System ("SPRS") under its own CAGE code, and shall provide the score to Prime upon request.
(d) CMMC certification. When DFARS 252.204-7021 applies to this Subcontract, Subcontractor shall obtain and maintain a current CMMC certification at the level required by the Prime, which Subcontractor acknowledges may be the same as or lower than the Prime's required CMMC level depending on the scope of CDI handled by Subcontractor.
(e) Cyber incident reporting. In the event of a cyber incident affecting CDI or any system that processes CDI in connection with this Subcontract, Subcontractor shall (i) report the incident to the Department of Defense via the DIBNet portal within 72 hours of discovery, in accordance with DFARS 252.204-7012(c); (ii) notify Prime of the incident as soon as practicable and in no event later than 24 hours after submission of the DIBNet report; and (iii) provide the DoD-assigned incident report number to Prime upon receipt.
(f) Cloud services. Any cloud service used by Subcontractor to store, process, or transmit CDI shall be authorized at the FedRAMP Moderate baseline or be demonstrably equivalent under the Department of Defense Chief Information Officer's December 21, 2023 memorandum on FedRAMP Moderate Equivalency for Cloud Service Provider's Cloud Service Offerings. Equivalency requires assessment by a FedRAMP-recognized 3PAO against 100% of the FedRAMP Moderate baseline with no open POA&Ms; self-attestation is not permitted. Use of commercial (non-FedRAMP-authorized) cloud services to handle CDI is prohibited.
(g) Lower-tier subcontracts. Subcontractor shall include this Section [N] in any lower-tier subcontract or similar instrument under which the lower-tier subcontractor will store, process, or transmit CDI in performance of this Subcontract.
(h) Audit cooperation. Subcontractor shall cooperate with any DoD assessment of compliance with NIST SP 800-171 conducted under DFARS 252.204-7020, and shall provide Prime with reasonable access to evidence of compliance upon request.
This language is intentionally short and specific. Long boilerplate clauses are sometimes signed without being read; concise clauses tend to be both read and understood. Keep the operative obligations explicit and unambiguous.
Authoritative References
Related resources: The cloud-service requirements referenced in 7012 are explored in detail in the enclave architecture guide. The 800-171 control implementations that subs must satisfy are covered in the 110 control deep dives, and the SSP requirements in the SSP writing guide.