The requirements in DFARS clause 252.204-7012 must be implemented when covered defense information is processed or stored on, or transits through, an information system that is owned, or operated by or for, the contractor, or when performance of the contract involves operationally critical support. The solicitation/contract shall indicate when performance of the contract will involve, or is expected to involve, covered defense information or operationally critical support. All covered defense information provided to the contractor by the Government will be marked or otherwise identified in the contract, task order, or delivery order.
If performance of the contract does not involve covered defense information or operationally critical support, then the clause does not apply and compliance is not required. If the contract does involve covered defense information, but the information is not processed, stored or transmitted on the contractor’s unclassified information system, the requirements related to covered defense information do not apply and compliance is not required.
You only have to implement the security requirements in NIST SP 800-171 if your contract includes DFARS clause 252.204-7012 AND you are provided covered defense information by DoD (or are developing covered defense information for DoD) AND you are processing, storing or transmitting that covered defense information on your information system/network.
DFARS clause 252.204-7012 does apply to contracts for commercial items, but not to contracts solely for the acquisition of commercial-off-the-shelf (COTS) items. If you are primarily selling commercial items and not modifying them for DoD (i.e., COTS), DFARS clause 252.204-7012 (even if included) and NIST SP 800-171 would not apply. If you are modifying a commercial item for DoD, and that modification involves covered defense information/DoD CUI that you process on your information system, DFARS clause 252.204-7012 and NIST SP 800-171 do apply. If in doubt, consult with the appropriate Contracting Officer.