If you’re a contractor for the Department of Defense (DoD) and have a DFARS 7012 clause in your contract, then the DFARS 7020 clause most likely applies to you.
 
DFARS 7020 is part of a trio of clauses (along with DFARS 7019 and DFARS 7021) released in the November 2020 DFARS Interim Rule and designed to increase compliance with the cybersecurity requirements found in DFARS 7012. At its core, DFARS 7020 requires contractors to:

  • Allow the Government onto the contractor’s premises and systems to conduct an assessment
  • Flow down the requirements found in DFARS 7020 to subcontractors
The DFARS 7012 requirement went into effect in 2017 and required contractors handling Controlled Unclassified Information (CUI) to meet the 110 cyber controls found in NIST 800-171, ensure incident reporting if a breach occurs and meet FedRAMP Moderate or equivalent standards for storing CUI in the cloud. However, lax enforcement of DFARS 7012 led to weak compliance across the Defense Industrial Base (DIB). DFARS 7020’s goal is to enable increased enforcement through assessments and ensure DFARS 7012 requirements flow down from Prime contractors to their subs.

DFARS 7020 Requirements

Under DFARS 7020 contractors have two main obligations.

  • First, contractors shall – if necessary – provide the Government with access to their facilities and systems to conduct a Medium or High assessment. More on this below.
  • Second, contractors will flow down the DFARS 7020 clause in all subcontracts except those that are for the purchase of Commercial Off-the-Shelf (COTS) items. Moreover, the contractor cannot award a subcontract that requires compliance with NIST 800-171 to an organization that has not completed a self-assessment against NIST SP 800-171 in the last 3 years and posted its score to the SPRS database.

DFARS 7020 Enforcement: Medium vs. High Audits

Audits of Primes and their subcontractors are becoming more common as the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) buckles down on validating self-submitted SPRS scores. In order to assess compliance throughout the Defense Industrial Base (DIB), DIBCAC is randomly selecting contractors for Medium level audits. Several hundred companies have reportedly received calls for audits already and DIBCAC intends to expand the size of its audit staff going forward.
 
There are a number of reasons why a company may be selected for audit by DIBCAC, including the request of a contracting officer or a whistleblower’s tip. Many organizations, however, are being selected purely randomly as a part of DIBCAC’s industry-wide sampling. To avoid the risk of heavy penalties, including substantial fines and the potential loss of contract, all contractors should ensure that they are accurately presenting their SPRS score.
 
Medium and High assessments differ in how comprehensive the audit will be. Medium level audits differ from High level audits in that Medium audits are conducted virtually whereas High level audits are conducted in person. A Medium assessment verifies that the paperwork checks out, while a High assessment goes one step further and verifies that the real world implementation of security measures matches claims in the paperwork.

It is important to note that a Medium assessment can be escalated to a High assessment at the DIBCAC’s discretion. Contractors must ensure that they are prepared to pass either audit format.

A Medium assessment is a paper audit to see if an organization is meeting the 110 NIST 800-171 controls. An assessor will review a contractor’s Basic Assessment through a review of documents. The assessment may also involve discussions with the contractor to obtain additional information or clarification, as needed.
 
A High assessment includes a review of a contractor’s Basic Assessment, a thorough document review, and the verification, examination, and demonstration of a contractor’s system security plan (SSP). This is designed to demonstrate that the real world implementation of NIST 800-171 security requirements matches what is detailed in the contractor’s SSP. The assessment may also involve discussion with the contractor to obtain additional information or clarification, as needed.

Submitting your score to SPRS

Submission of an SPRS score is dictated by DFARS 7019. DFARS 7020 adds to this requirement by having contractors ensure that their subcontractors have submitted their NIST 800-171 self-assessment scores (covering the 110 requirements) to the SPRS database.
 
In order to submit an SPRS score, a contractor must complete two main tasks:

  • Conduct a self-assessment of NIST SP 800-171 compliance according to the DoD Assessment Methodology, and
  • Report their NIST SP 800-171 self-assessment scores to the DoD via its Supplier Performance Risk System (SPRS) database. SPRS scores must be submitted by the time of contract award and must not be more than three years old.

Contract flow downs

DFARS 7020 places the onus of ensuring subcontractor compliance on Primes. This means that subcontractors should expect to be subject to review not only by DIBCAC, but also by the Prime contractor they are subcontracting with.
 
Now that Primes will be held accountable for the compliance of their subcontractors, they are highly motivated to push their subcontractors to get up to code. Subcontractors should expect calls from their Primes to submit SPRS scores and work towards meeting DFARS 7012 requirements.
 
Without an up-to-date SPRS score and a clear record of working towards closing Plans of Action and Milestones (POA&Ms), contractors are putting themselves at risk of losing contracts. This applies at both the Prime and the subcontractor level.

Next steps

Now that you understand your obligations under DFARS 7020, the next step is to work towards meeting DFARS 7012. This means meeting NIST 800-171, the DFARS 7012 paragraph (c)–(g) incident reporting requirements, FIPS 140-2 validated encryption modules, and FedRAMP Moderate Baseline or Equivalent for any Cloud Service Providers (CSPs) used. You’ll also need to create an SSP that’s robust enough to withstand an audit.
 
If you need help or have questions about complying with DFARS 7020 or any other topics, please don’t hesitate to reach out and schedule a free 15-minute appointment with our compliance team.
Alternatively, you can learn more by reading PreVeil’s briefs: