📄 What is Controlled Unclassified Information (CUI)?

CUI is unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. Unlike classified information, CUI is not a classification level but a handling designation.

CUI Basic

  • Standard safeguarding required
  • General dissemination controls
  • Bulk of CUI designations

CUI Specified

  • Additional controls by law
  • Export controlled technical data
  • Privacy Act information

Common Categories

  • Controlled Technical Information (CTI)
  • Export Controlled (EXPT)
  • Privacy/PII (PRVCY)
  • Proprietary (PROPIN)

⚠️ DFARS 252.204-7012 Requirements

When your prime contract includes DFARS 252.204-7012, you must flow down these requirements to all subcontractors who will access CUI.

🔒 Adequate Security

Implement NIST SP 800-171 security controls on all systems that process, store, or transmit CUI. Document your system security plan and plan of action.

🚨 72-Hour Reporting

Report cyber incidents to DoD within 72 hours of discovery. Preserve images and malware for 90 days. Support damage assessment.

👥 Subcontractor Flow-Down

Include DFARS 252.204-7012 in all subcontracts where CUI will be accessed or generated. Verify subcontractor compliance.

💻 Cloud Requirements

Cloud service providers must meet FedRAMP Moderate or equivalent. Maintain data within the U.S. unless authorized otherwise.

🔒 NIST SP 800-171 Security Families

NIST SP 800-171 contains 110 security requirements across 14 families. Your NDA should require compliance with applicable controls.

  • Access Control: 22 requirements
  • Awareness & Training: 3 requirements
  • Audit & Accountability: 9 requirements
  • Config Management: 9 requirements
  • Identification & Auth: 11 requirements
  • Incident Response: 3 requirements
  • Maintenance: 6 requirements
  • Media Protection: 9 requirements
  • Personnel Security: 2 requirements
  • Physical Protection: 6 requirements
  • Risk Assessment: 3 requirements
  • Security Assessment: 4 requirements
  • System & Comms: 16 requirements
  • System & Info Integrity: 7 requirements

Key CUI NDA Provisions

📄 CUI Definition and Identification (Required)

Defines what constitutes CUI for purposes of the agreement and how it will be identified.

"Controlled Unclassified Information" or "CUI" means information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI disclosed hereunder will be marked in accordance with 32 C.F.R. Part 2002 and the CUI Registry.

🔒 NIST 800-171 Compliance Certification (DFARS Required)

Requires certification of NIST SP 800-171 implementation for systems handling CUI.

Receiving Party certifies that it has implemented the security requirements in NIST Special Publication 800-171, as required by DFARS 252.204-7012, on all covered contractor information systems that will process, store, or transmit CUI. Receiving Party shall maintain a current System Security Plan (SSP) and Plan of Action and Milestones (POA&M) and make these available for review upon request.

🚨 Cyber Incident Reporting (DFARS Required)

Mandates cyber incident reporting within 72 hours consistent with DFARS requirements.

Upon discovery of a cyber incident that affects CUI or covered contractor information systems, Receiving Party shall: (i) conduct a review for evidence of compromise; (ii) report the incident to DoD at https://dibnet.dod.mil within 72 hours; (iii) notify Disclosing Party immediately; (iv) preserve and protect images of affected systems for 90 days; and (v) provide access to additional information as requested for damage assessment.

👥 Subcontractor Flow-Down (DFARS Required)

Requires flow-down of CUI protection requirements to all subcontractors.

Receiving Party shall include the substance of this clause, including this paragraph, in all subcontracts and other contractual instruments where subcontractors may have access to CUI. Receiving Party shall not provide CUI to any subcontractor until the subcontractor has agreed in writing to protect CUI consistent with the requirements of DFARS 252.204-7012 and this Agreement.

🏷 CUI Marking Requirements

CUI must be marked according to 32 C.F.R. Part 2002 and the CUI Registry. Your NDA should require proper marking.

  Controlled by: Department of Defense
  POC: [Contact Information]

  • Banner Marking: CUI and applicable category/subcategory indicators at the top and bottom of each page
  • Portion Marking: each portion containing CUI should be marked (CUI) at the beginning
  • Category Indicators: use registry abbreviations (CTI, EXPT, PRVCY, PROPIN, etc.)
  • Controlling Office: identify the agency and point of contact for questions
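The marking rules above can be checked mechanically before a document leaves your boundary. The following is an added example, not code from this page or from any DoD tooling: a small checker that walks a paginated document and reports missing or mismatched banners, category abbreviations outside the set named above, body portions without a portion mark, and a missing designation indicator block on the first page. It assumes a banner syntax of "CUI" optionally followed by "//" and "/"-separated category indicators (e.g. "CUI//CTI/EXPT", with an "SP-" prefix for CUI Specified categories), assumes uncontrolled portions are marked "(U)", and treats only the four abbreviations listed on the page as known. The sample pages are constructed for the example.

```python
# Added example (not from the page): a checker for CUI banner and portion
# markings on a paginated document, using the marking rules listed above.
import re
from dataclasses import dataclass

# Category abbreviations named on the page; the CUI Registry lists more.
KNOWN_CATEGORIES = {"CTI", "EXPT", "PRVCY", "PROPIN"}

# Assumed banner syntax: "CUI" optionally followed by "//" and
# "/"-separated category indicators, e.g. "CUI//CTI/EXPT".
# An "SP-" prefix marks a CUI Specified category (assumption).
BANNER_RE = re.compile(r"^\s*CUI(?://([A-Z][A-Z-]*(?:/[A-Z][A-Z-]*)*))?\s*$")
# Assumed portion-mark syntax: "(CUI)" for controlled portions, "(U)" otherwise.
PORTION_RE = re.compile(r"^\((?:CUI|U)\)\s")
DESIGNATION_PREFIXES = ("Controlled by:", "POC:")


@dataclass(frozen=True)
class Finding:
    page: int
    message: str


def parse_banner(line: str):
    """Return the category indicators of a valid banner line, or None."""
    match = BANNER_RE.match(line)
    if match is None:
        return None
    cats = match.group(1)
    return cats.split("/") if cats else []


def check_page(page_no: int, text: str, require_designation: bool) -> list:
    """Check one page: banners top and bottom, known categories, portion marks."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return [Finding(page_no, "empty page")]
    top, bottom = parse_banner(lines[0]), parse_banner(lines[-1])
    if top is None:
        findings.append(Finding(page_no, "missing CUI banner at top of page"))
    if bottom is None:
        findings.append(Finding(page_no, "missing CUI banner at bottom of page"))
    if top is not None and bottom is not None and top != bottom:
        findings.append(Finding(page_no, "top and bottom banners differ"))
    for cat in sorted(set(top or []) | set(bottom or [])):
        base = cat[3:] if cat.startswith("SP-") else cat
        if base not in KNOWN_CATEGORIES:
            findings.append(Finding(page_no, f"unknown category indicator {cat!r}"))
    # Body = everything between the banners, minus the designation block.
    start = 1 if top is not None else 0
    end = len(lines) - 1 if bottom is not None else len(lines)
    for para in lines[start:end]:
        if para.startswith(DESIGNATION_PREFIXES):
            continue
        if not PORTION_RE.match(para):
            findings.append(Finding(page_no, f"unmarked portion: {para[:30]!r}"))
    if require_designation:
        for prefix in DESIGNATION_PREFIXES:
            if not any(ln.startswith(prefix) for ln in lines):
                findings.append(Finding(page_no, f"missing {prefix!r} designation indicator"))
    return findings


def check_document(pages) -> list:
    """Check every page; the designation block is required on the first page only."""
    findings = []
    for page_no, text in enumerate(pages, start=1):
        findings.extend(check_page(page_no, text, require_designation=(page_no == 1)))
    return findings


# Constructed sample document: page 1 is marked correctly, page 2 has defects.
SAMPLE_PAGES = [
    "\n".join([
        "CUI//CTI",
        "Controlled by: Department of Defense",
        "POC: [Contact Information]",
        "(CUI) Revision notes for the controlled assembly drawing.",
        "(U) This portion contains no controlled information.",
        "CUI//CTI",
    ]),
    "\n".join([
        "CUI//CTI/FOO",  # FOO is not a registry abbreviation
        "(CUI) Further technical data about the assembly.",
        "This paragraph has no portion mark.",
        "CUI//CTI",  # does not match the top banner
    ]),
]

if __name__ == "__main__":
    for f in check_document(SAMPLE_PAGES):
        print(f"page {f.page}: {f.message}")
```

Run as a script it reports three findings, all on page 2. A checker like this cannot decide which portions actually contain CUI, so it only flags portions carrying no mark at all; deciding whether a "(U)" mark is correct still needs a human reviewer.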

🛡 CMMC Certification Requirements

The Cybersecurity Maturity Model Certification (CMMC) requires third-party certification of cybersecurity practices. For contracts requiring CMMC, verify recipient certification.

  • Level 1 (Foundational): basic safeguarding of FCI; 17 practices (FAR 52.204-21)
  • Level 2 (Advanced): protection of CUI; 110 practices (NIST 800-171)
  • Level 3 (Expert): enhanced CUI protection; 110+ practices (NIST 800-172)

NDAs should specify required CMMC level and prohibit disclosure to entities without appropriate certification.

Generate Your CUI Protection NDA

Customize provisions based on your specific CUI categories and DFARS requirements.


⚖️ DFARS Compliance Review Required

CUI handling involves complex regulatory requirements that vary by category and contract. This template provides a foundation but must be reviewed by counsel experienced in DFARS and cybersecurity compliance. Non-compliance can result in contract termination, False Claims Act liability, and debarment. Request a consultation.