DFARS 252.204-7019, entitled Notice of NIST SP 800-171 Assessment Requirements, was released along with clauses 7020 and 7021 in the DoD’s November 2020 DFARS Interim Rule. The DFARS 7019 clause requires contractors to complete two main tasks:

  • Conduct a self-assessment of NIST SP 800-171 compliance according to DoD Assessment Methodology, and
  • Report their NIST SP 800-171 self-assessment scores to the DoD via its Supplier Performance Risk System (SPRS). SPRS scores must be submitted by the time of contract award and not be more than three years old.

The Interim Rule is a key component of the Department of Defense’s campaign to increase compliance with its cybersecurity regulations and improve security throughout the Defense Industrial Base (DIB). DFARS 7019 is a significant step towards achieving that goal because it dramatically strengthens DFARS 7012, which mandates (among other things) that contractors that handle Covered Unclassified Information (CUI) implement the 110 security controls stipulated in NIST SP 800-171. DFARS 7012 went into effect in 2017 but lacked strong enforcement mechanisms. As a result, compliance with NIST SP 800-171 throughout the DIB has been weak. DFARS 7019 changes that dynamic.
 

What does my organization need to do to meet DFARS 7019 requirements?

Here’s a breakdown of the steps your organization needs to take to comply with DFARS 7019. You can dig deeper and learn more by clicking on the linked resources.

  • First, all defense contractors need to develop a System Security Plan (SSP) that details the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for an NIST SP 800-171 self-assessment and is a prerequisite for consideration for any DoD contract.
  • The self-assessment must be conducted according to the DoD’s NIST SP 800-171 Assessment Methodology. All contractors that handle CUI must perform at least a Basic level self-assessment, as described in the methodology.
  • DoD methodology assigns each of the 110 NIST SP 800-171 controls a weight of one, three, or five points. Scoring starts at the lowest possible score of -203. One, three, or five points are earned for each control met, all the way up to the maximum of 110. Negative self-assessment scores are possible, as they can range from -203 to +110, a spread of 313 points. The DoD requires that scores be reported at this summary level, not rather than broken down by each NIST SP 800-171 control.
  • Self-assessment scores must be filed in the DoD’s Supplier Performance Risk System (SPRS) by the time of contract award, and the self-assessment must be maintained for the duration of the contract. This DoD document, SPRS Access for NIST SP 800-171, offers step-by-step instructions for submitting scores via the DoD’s Procurement Integrated Enterprise Environment (PIEE).
  • If your organization’s self-assessment score falls below 110, you are required to create a POA&M (Plans of Actions and Milestones) for security controls not met, and indicate by what date those security gaps will be remediated and a score of 110 will be achieved.

Does DFARS 7019 apply to my organization?

Any new defense contract with a 7012 clause will very likely have a 7019 clause in it as well. In addition, any contract modifications or contract options added to an existing contract can also be cause for adding a 7019 clause. Review your contract to confirm.
 
Note that your contract may also be with another organization above you in the defense supply chain rather than directly with the DoD

Significant business risks for defense contractors failing to meet DFARS 7019 requirements

DFARS 7019’s requirements to conduct a NIST SP 800-171 self-assessment and report the results provides the DoD and prime contractors with a single, objective metric—the SPRS score—to assess a contractor’s cybersecurity level. While DoD doesn’t specify minimum SPRS scores that must be achieved, it is reasonable to assume that the DoD will do risk-based assessments to help determine which companies it will award contracts to. If a company has a low self-assessment score, the DoD likely will consider that company to be a higher security risk than an alternative supplier with a better score.
 
Further, some prime contractors already have begun to formally request relevant cybersecurity information from their subcontractors, including SPRS scores. If you’re a subcontractor, know that primes are increasingly wary of the risk of working with any subcontractor not in compliance with DoD cybersecurity mandates—and will quickly turn to those that are. If you’re a small- to mid-size company aiming to continue to do business in the DIB, you need to avoid being seen as a weak link in the supply chain.
 
Lack of an SPRS score altogether is a red flag and seriously jeopardizes your organization’s eligibility to keep existing DoD contracts and win new ones, as it signals lack of compliance with NIST SP 800-171.
 
In a June 2022 memo to its contracting officers, the DoD noted that:
 

“Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements (emphasis added). Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”

 
Note too that organizations that misrepresent their cybersecurity levels are subject to penalties levied by the DoD and/or the Department of Justice, which launched a robust Civil Cyber-Fraud Initiative last year.

How do DFARS 7019 and CMMC overlap?

DFARS 7019 requires organizations to self-assess their compliance with NIST SP 800-171’s 110 security controls (implementation of which is mandated by DFARS 7012) and to report their self-assessment scores to the DoD via SPRS. When CMMC is implemented, CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—will require compliance with the same 110 NIST SP 800-171 security controls.
 
The key difference between DFARS 7019 and the CMMC Level 2 requirements is that under DFARS 7019, compliance with NIST SP 800-171 is self-assessed. Under CMMC, compliance will be checked by independent third-party assessors certified by DoD.
 
As Stacy Bostjanik (Chief Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil’s Oct. 2022 CMMC Summit:
 

 

“CMMC is just the validation program that people have done what they already agreed to do in complying and establishing the requirements of NIST 800-171 in their current networks.”

Next steps

The key to minimizing your business risks is to get started on a System Security Plan and compliance with NIST SP 800-171. Know that at this point an SPRS score of 110 is rare, but having an active plan for continuing to improve your organization’s cybersecurity is essential.
 
If you need help or have questions about complying with DFARS 7019 or any other topics, please don’t hesitate to reach out and schedule a free 15-minute appointment with our compliance team.
 
Or you may wish to learn more by reading PreVeil’s briefs:

  • NIST SP 800-171 Self-Assessment: Improving Your Cybersecurity and Raising Your SPRS Score
  • Case Study: Defense Contractor Achieves 110/110 Score in NIST SP 800-171 DoD Audit
  • The DFARS Interim Rule: What you need to know
  • Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)
  • [Video] What Is DFARS 7019 and What Does It Require?