CMMC Readiness

Differences Between FAR 52.204-21 and DFARS 252.204-7012

FAR 52.204-21 and DFARS 252.204-7012 both deal with safeguarding information, but they apply to different data and different obligations.

Author: Nick DiVito

Review status: Current / Reviewed Jun 6, 2026

Tags: FAR 52.204-21, DFARS, NIST 800-171, CMMC

The names are ugly, but the distinction matters.

FAR 52.204-21 and DFARS 252.204-7012 are both contract clauses about protecting government-related information. They are not the same thing, and treating them like they are can lead to bad scoping decisions.

FAR 52.204-21

FAR 52.204-21 is the basic safeguarding clause for Federal Contract Information (FCI). It contains 15 basic safeguarding requirements for covered contractor information systems.

FCI is not meant for public release, but it is not necessarily CUI. Think of this as the baseline level of hygiene for federal contract information.

If this clause applies, the job is not to build a massive compliance program overnight. The job is to make sure basic safeguards are actually in place and not just assumed.

DFARS 252.204-7012

DFARS 252.204-7012 is a defense clause. It is focused on Covered Defense Information and cyber incident reporting, and it points contractors toward NIST SP 800-171 for covered contractor information systems.

It also brings reporting and flowdown obligations that FAR 52.204-21 does not carry in the same way. If you use a cloud provider to store, process, or transmit covered defense information for the contract, that choice matters under this clause too.

In plain language: FAR 52.204-21 is basic safeguarding. DFARS 252.204-7012 is a much heavier defense-contract obligation tied to CUI protection and incident reporting.

Where do DFARS 7019 and 7020 fit?

DFARS 252.204-7019 and DFARS 252.204-7020 added assessment mechanics around NIST SP 800-171. They are the reason many contractors deal with Basic Assessments, scores, and SPRS.

This is where organizations often realize that "we have a policy" is not the same as "we can show how this requirement is implemented in the system security plan."

What about CMMC?

CMMC builds on these existing requirements. Current CMMC Level 1 aligns to the 15 requirements in FAR 52.204-21. Current CMMC Level 2 aligns to the 110 requirements in NIST SP 800-171 Revision 2 for systems handling CUI.

CMMC does not erase the clauses. It gives the Department a way to assess and affirm that contractors and subcontractors are doing the work.

Summary

If you only have FAR 52.204-21, start with basic safeguarding and FCI. If DFARS 252.204-7012 appears, slow down and understand whether CUI is involved, which systems are in scope, what assessment requirements apply, and what evidence you need.

The wrong scope can make a reasonable project feel impossible. The right scope makes the work manageable.
