If you are a defense contractor, CMMC Level 2 gets most of the attention right now. But CMMC is the assessment of a thing that already exists as a contractual obligation: DFARS clause 252.204-7012, the safeguarding and incident-reporting requirement that has been in your DoD contracts for years. CMMC verifies you do it. DFARS 7012 is the thing you actually have to do.
Most of the conversation about 7012 focuses on the 110 NIST SP 800-171 controls. This post focuses on the part that turns into a live emergency at the worst possible time: the reporting clock, the cloud provider requirement, and the obligations that flow down to whoever runs your infrastructure. If you handle Covered Defense Information, you should know exactly which of these are yours and which belong to your cloud provider, before the clock starts, not during.
What DFARS 252.204-7012 actually requires
The clause has a few distinct obligations bundled together. They are worth separating because they have different owners.
1. Adequate security. You must provide “adequate security” for Covered Defense Information (CDI) on covered contractor information systems, which in practice means implementing the 110 controls of NIST SP 800-171 Rev 2. This is the part CMMC Level 2 assesses.
2. Rapid incident reporting, within 72 hours. When you discover a cyber incident that affects CDI, a covered system, or your ability to perform a contract, you must report it to DoD within 72 hours of discovery. The report goes through DIBNet, and submitting it requires a medium-assurance certificate (you cannot get one in the moment, so this is something to have in place ahead of time).
3. Media preservation, 90 days. You must preserve and protect images of affected systems and relevant monitoring and packet-capture data for at least 90 days from the incident report, so DoD can request it for forensic review.
4. Malicious software submission. If you discover and isolate malicious software in connection with a reported incident, you submit it to the DoD Cyber Crime Center.
5. The cloud provider requirement. This is the one that directly governs your infrastructure choices, and we will spend the most time on it.
6. Flow-down to subcontractors. The clause flows down to subcontractors that handle CDI. You are responsible for ensuring it does.
The cloud paragraph: FedRAMP Moderate Equivalent
DFARS 7012 says that if a contractor uses an external cloud service provider to store, process, or transmit CDI, that provider must meet security requirements equivalent to the FedRAMP Moderate baseline, and must comply with the incident reporting, media preservation, and forensic cooperation requirements of the clause.
Read that twice, because it has two halves and most vendor conversations only address the first.
The first half is the FedRAMP Moderate Equivalent posture: the engineered security baseline. This is the part a credible managed cloud can map for you, control by control. We have written separately about how we map the Open Edge platform to FedRAMP Moderate and how that coverage rolls up to CMMC Level 2.
The second half is the part teams forget: your cloud provider must cooperate with the incident process. Media preservation. Forensic access. Cooperation on the 72-hour report when the incident touches the infrastructure layer they operate. A provider can have a beautiful security posture and still leave you stranded at hour 60 because they have no process to preserve a system image or produce the logs you need to file.
Who owns each obligation
Here is the honest split for a contractor running CDI workloads on a managed cloud. This is the conversation to have with any provider before you sign, not during an incident.
| Obligation | Who owns it |
|---|---|
| 800-171 controls on your applications and data handling | You |
| 800-171 controls on the underlying platform | Shared: provider operates the infrastructure controls, you operate the workload controls |
| Detecting an incident in your application | You |
| Detecting an incident at the infrastructure layer | Provider, who must tell you |
| Filing the 72-hour DIBNet report | You (it is your contract), with inputs from the provider |
| Preserving system images and packet capture for 90 days | Shared: provider must be able to preserve and produce infrastructure-layer evidence |
| Producing logs for forensic review | Shared: provider must produce platform logs on the timeline the clause requires |
| Flow-down to your subcontractors | You |
The pattern is clear: the report is always yours, because it is your contract. But your ability to file it accurately and on time, and to satisfy the preservation and forensic requirements, depends entirely on whether your cloud provider has built the audit, retention, and preservation capabilities ahead of time.
The questions to ask your provider before the clock ever starts
If a provider stores, processes, or transmits your CDI, get specific answers to these before you commit:
- Can you produce a complete audit log of infrastructure-layer activity, on demand, for the retention period the clause requires? Ask what retention horizon they hold, where the logs live, and how fast they can hand them over. “We have logging” is not an answer. “We retain a full audit trail in immutable encrypted storage for at least a year and can export it on request” is.
- Can you preserve a system image and associated forensic data for 90 days on request? This is a concrete capability, not a checkbox: snapshots, image preservation, and packet-capture retention. Ask them to describe the actual procedure.
- What is your process for notifying me of an infrastructure-layer incident, and on what timeline? Your 72-hour clock starts at discovery. If the incident is at the infrastructure layer, your discovery depends on their notification. Get the notification commitment in writing.
- Will you cooperate with a DoD forensic review, and is that cooperation contractual? Cooperation that depends on goodwill is not cooperation. It should be a term.
- Where does my data physically live, and who can touch it? US datacenters and US-person operators are not strictly a 7012 requirement, but they make the entire forensic and jurisdictional picture vastly simpler, and they are increasingly an expectation in DoD-adjacent work.
- Can you show me your FedRAMP Moderate Equivalent mapping? Not a logo. The control-by-control posture, ideally as structured artifacts you can walk under NDA.
How Open Edge is built for this
We are not a FedRAMP-authorized cloud and we do not claim to be. We are a managed cloud engineered to the FedRAMP Moderate baseline, with the platform-side capabilities the 7012 cloud paragraph actually requires:
- A complete infrastructure-layer audit trail, retained in immutable encrypted storage on a multi-year horizon that exceeds the FedRAMP Moderate baseline, exportable on request. When you need to reconstruct what happened for a report, the record exists.
- Image and evidence preservation as an operational capability. Application-consistent snapshots and preservation procedures that map to the 90-day media-preservation requirement.
- An incident process that includes you. We maintain an outage and incident record, and infrastructure-layer events are something we surface to affected customers, not something you discover after your clock has already started.
- US-sovereign datacenters and US-person operators, which keep the jurisdictional and forensic picture clean.
- A FedRAMP Moderate control mapping in structured OSCAL artifacts, walkable under NDA, with the CMMC Level 2 coverage that falls out of it.
What stays yours, always: the 72-hour report itself, the 800-171 controls on your own applications and data handling, your medium-assurance certificate for DIBNet, and the flow-down to your subcontractors. We can give you the evidence, the preservation, and the cooperation. We cannot file your report for you, and any provider who implies they can is selling something that does not exist.
The point
DFARS 7012 is not really about a security posture you achieve once. It is about whether, on the day something goes wrong, you can report accurately within 72 hours, preserve what needs preserving for 90 days, and cooperate with a forensic review. Those are operational capabilities, and a meaningful share of them live at the infrastructure layer your cloud provider operates.
The time to find out whether your provider can meet them is now, in a procurement conversation, not at hour 60 of a real incident.
If you handle CDI and want to walk our platform-side 7012 capabilities and FedRAMP Moderate mapping control by control, reach out at https://open-edge.io/contact. Bring your obligations list. We will show you which columns we fill.
