top of page

Are You Really Compliant with DFARS 252.204-7012?

Updated: Oct 25, 2023

Common Pitfalls and How to Avoid Them

You've read about DFARS 252.204-7012, you've implemented NIST SP 800-171 as best you can with only a handful of POA&M items, and you're feeling confident about your compliance. But are you truly compliant? This clause has a few gotchas that are easy to overlook but can have significant ramifications. In this article, we delve into the often-missed aspects of DFARS 252.204-7012 compliance, particularly focusing on FedRAMP approved Cloud Service Providers (CSPs), incident reporting, and Supplier Performance Risk System (SPRS) scoring.

The Gotchas of DFARS 252.204-7012:

1. Use of FedRAMP Approved CSPs: While you may be using cloud services for storing Controlled Unclassified Information (CUI), not all Cloud Service Providers meet DFARS standards. The clause mandates the use of FedRAMP approved CSPs for email, cloud storage, and backups when handling CUI. This can mean doing a fair amount of research on your providers, including if you use a managed service provider, as they may be using cloud storage on non-compliant platforms that you are unaware of.

2. Incident Reporting Preparedness: Reporting a cybersecurity incident within 72 hours is required under DFARS 252.204-7012, but to do so, your organization must have a pre-registered.

"Contractors must obtain DoD-approved medium assurance certificates to ensure authentication and identification when reporting cyber incidents to DoD. Medium assurance certificates are individually issued digital identity credentials used to ensure the identity of the user in online environments. Certificates typically cost about $175 each" -Federal Registrar

3. SPRS Scoring: A missing or low SPRS score can be a deal-breaker when it comes to contract renewals or selections. Your SPRS score reflects your cybersecurity posture and can significantly influence your contracting prospects. The Supplier Performance Risk System (SPRS) score is a crucial metric that reflects an organization's cybersecurity posture in compliance with DFARS 252.204-7012 and NIST SP 800-171. Essentially, it's a cybersecurity scorecard that the Department of Defense (DoD) uses to assess the risk level associated with a contractor or subcontractor.

Organizations are required to self-assess their cybersecurity measures, and the resulting score is submitted to the SPRS. This score plays a significant role in contract award decisions, as a low or missing SPRS score can disqualify an organization from being awarded a contract or lead to non-renewal of existing contracts. Maintaining a solid SPRS score is not only beneficial but critical for staying competitive in the DoD contracting landscape.

Navigating the Gotchas:

1. Choose the Right CSP: Always opt for a FedRAMP approved CSP. Check the CSP’s compliance documentation to ensure it meets FedRAMP and DFARS criteria. It is crucial to ensure that ALL in scope services meet the requirement. It is very common for MSP's or other resellers to use cloud services when providing email, storage and backup services, and it is not always clear who the use in the background. It is imperative that any organization do their research so ensure CUI is only stored using approved cloud services.

2. Pre-Register for Incident Reporting: Prioritize obtaining a medium assurance certificate for reporting incidents. It's a prerequisite that organizations often forget until it’s too late.

3. Maintain a Strong SPRS Score: Consistently review and update your SPRS score. A robust score enhances your eligibility for DoD contracts and renewals. But do NOT guess if you don't have experience assessing against the NIST requirements! Organizations can be fined for falsifying or misrepresenting scores, with owners or executives facing personal criminal liability. NIST guidance is often vague and in many cases a control may mean something to an auditor that is completely different than an inexperienced IT admin or business owner. It is highly recommended to partner with a trained provider who has experience implementing compliant solutions and assessing organizations against NIST.

Expert Guidance:

These gotchas can be intricate and costly if ignored. Expert guidance from professionals who are deeply familiar with DFARS compliance can help you navigate these common pitfalls. Internal IT teams may not be well positioned for a self-assessment. Unfortunately, there are often blind spots or misunderstandings of the controls or teams are tempted to score themselves higher than an auditor would. It is best to partner with an experienced expert, preferably a CMMC Registered Practitioner, who has been specifically trained to support organizations through the process.


Compliance with DFARS 252.204-7012 is not just about meeting the most apparent requirements but about understanding the intricacies that can trip you up. By focusing on these often-overlooked aspects—FedRAMP CSPs, incident reporting, and SPRS scoring—you can ensure you’re genuinely in compliance.

Keywords: DFARS 252.204-7012, Compliance, Gotchas, FedRAMP, CSPs, Incident Reporting, SPRS Score, CUI, NIST SP 800-171

An experienced RP or RPO will understand the complexities and nuances of DFARS 252.204-7012 compliance. At NexTier, we have over a decade of experience assessing, implementing and supporting the controls in NIST SP 800-171. If you find yourself uncertain about any aspect of this clause, we offer a free introductory consultation to assess your needs and guide you through the maze of requirements. Reach out today to ensure you’re truly compliant.

11 views0 comments


bottom of page