If you’re a small business working with the Department of Defense (DoD), DFARS 252.204-7012 is a clause you cannot afford to ignore. As of 2025, the stakes are higher—and non-compliance can mean lost contracts or even legal liability.
What Is DFARS 252.204-7012?
DFARS 252.204-7012 is a Defense Federal Acquisition Regulation Supplement clause that requires DoD contractors and subcontractors to safeguard Controlled Unclassified Information (CUI) on their networks.
It also requires you to:
- Implement NIST SP 800-171 controls.
- Report cyber incidents within 72 hours to the DoD via the DIBNet portal.
- Support damage assessments in the event of a breach.
- Preserve incident data for at least 90 days.
Why It Matters in 2025
With the rollout of CMMC 2.0, DFARS compliance is under tighter scrutiny. The DoD is actively verifying that contractors are not just claiming compliance—they are demonstrating it.
Failing to meet these standards could result in:
- Contract loss or delays
- Financial penalties
- Suspension from federal opportunities
- Damage to reputation
Small Business, Big Responsibility
Many small DoD contractors assume DFARS doesn’t apply to them or that cybersecurity is “too expensive.” But the truth is, compliance can be scalable. Frameworks like NIST 800-171 and resources like FedComply Group LLC exist to help small businesses meet their obligations affordably and effectively.
What You Should Do Now
- Conduct a NIST 800-171 gap assessment
- Develop an incident response plan
- Train your staff on cyber hygiene and compliance
- Partner with a compliance expert to guide your strategy
Final Thought
DFARS 252.204-7012 isn’t going away—and in 2025, it’s more enforceable than ever. Small contractors that act now to comply will be positioned to thrive in a more secure and competitive federal contracting space.