Defense Federal Acquisition Regulation Supplement 252.204–7020 (DFARS 7020) is one of three interrelated clauses that the DoD’s new interim rule adds to the DFARS. These new clauses modify the original DFARS 252.204–7012 regulation that has appeared in US Department of Defense (DoD) contracts since 2018.
The purpose of the interim rule, in effect as of November 30, 2020, is to shore up lax cybersecurity across the US defense industrial base (DIB). The challenge has been that, under DFARS 7012, a high percentage of suppliers have been self-attesting to DFARS compliance without verifiably bringing their systems and processes into compliance.
DFARS 7020, titled “NIST SP 800–171 DoD Assessment Requirements,” is a follow-on clause to DFARS 7019, Notice of NIST SP 800–171 DoD Assessment Requirements. The DFARS 7020 clause informs suppliers that the DoD has the right to access “facilities, systems and personnel” that manage, process, store, or transmit controlled unclassified information, in the event the DoD deems it necessary to perform a Medium or High Assessment on them.
Per DFARS 7019, DIB suppliers by default must have at a minimum a Basic Assessment score less than three years old on file in the DoD’s Supplier Performance Risk System (SPRS), per the NIST SP 800–171 DoD Assessment Methodology. The DoD reserves the right to conduct Medium and High Assessments based on the criticality of the contract or the data involved.
But the DFARS 7020 clause doesn’t stop there. It also specifies that contractors must “… ensure that applicable subcontractors also have the results of a current Assessment posted in SPRS prior to awarding a subcontract or other contractual instruments.” DFARS 7020 further defines how subcontractors should conduct and submit their Assessments.
What happens if you disagree with a Medium or High Assessment result? Contractors and their subcontractors have 14 days to offer additional evidence as to how they comply with NIST 800–171 requirements. Fortunately, SPRS scores and documentation are confidential and available only to the company and the DoD. Other organizations can request that you share your own scores directly, however, as part of the contract award process.
As you might expect given its relationship to DFARS 7019, the DFARS 7020 clause will likewise appear in “all solicitations” going forward, other than those “solely for the acquisition of commercially available off-the-shelf (COTS) products. This pertains both to new contracts and to modifications and extensions to current contracts.
Your business will shortly (probably sometime in 2021) need to comply with the DFARS 7020 clause to participate in DoD contracts. That means submitting a DoD Basic Assessment to SPRS if you don’t already have a current one in the system. If you have subcontractors, you are also required to confirm that they have assessed their systems and entered the results into SPRS as well.
To connect with a DFARS expert about your DFARS compliance goals and concerns, including help with a NIST 800–171 self-assessment per the new DFARS interim rule, contact Pivot Point Security.