DFARS 252.204-7019, entitled Notice of NIST SP 800-171 Assessment Requirements, was released along with clauses 7020 and 7021 in the DoD's DFARS Interim Rule, which took effect in November 2020. The DFARS 7019 clause requires contractors to complete two main tasks: conduct a self-assessment of their implementation of NIST SP 800-171 using the DoD Assessment Methodology, and report the resulting score to the DoD through the Supplier Performance Risk System (SPRS).
The Interim Rule is a key component of the Department of Defense's campaign to increase compliance with its cybersecurity regulations and improve security throughout the Defense Industrial Base (DIB). DFARS 7019 is a significant step towards achieving that goal because it dramatically strengthens DFARS 7012, which mandates (among other things) that contractors that handle Controlled Unclassified Information (CUI) implement the 110 security controls stipulated in NIST SP 800-171. DFARS 7012's deadline for implementing those controls passed at the end of 2017, but the clause lacked strong enforcement mechanisms. As a result, compliance with NIST SP 800-171 throughout the DIB has been weak. DFARS 7019 changes that dynamic.
Here’s a breakdown of the steps your organization needs to take to comply with DFARS 7019. You can dig deeper and learn more by clicking on the linked resources.
Any new defense contract with a 7012 clause will very likely have a 7019 clause in it as well. In addition, modifications to an existing contract or the exercise of contract options can also trigger the addition of a 7019 clause. Review your contract to confirm.
Note that your contract may also be with another organization above you in the defense supply chain (a prime or higher-tier subcontractor) rather than directly with the DoD; the clause flows down through the supply chain.
DFARS 7019's requirements to conduct a NIST SP 800-171 self-assessment and report the results provide the DoD and prime contractors with a single, objective metric (the SPRS score) for gauging a contractor's cybersecurity posture. While the DoD doesn't specify a minimum SPRS score that must be achieved, it is reasonable to assume that the DoD will use the score in risk-based assessments when deciding which companies to award contracts to. If a company has a low self-assessment score, the DoD will likely consider that company a higher security risk than an alternative supplier with a better score.
Further, some prime contractors already have begun to formally request relevant cybersecurity information from their subcontractors, including SPRS scores. If you’re a subcontractor, know that primes are increasingly wary of the risk of working with any subcontractor not in compliance with DoD cybersecurity mandates—and will quickly turn to those that are. If you’re a small- to mid-size company aiming to continue to do business in the DIB, you need to avoid being seen as a weak link in the supply chain.
Lack of an SPRS score altogether is a red flag and seriously jeopardizes your organization’s eligibility to keep existing DoD contracts and win new ones, as it signals lack of compliance with NIST SP 800-171.
In a June 2022 memo to its contracting officers, the DoD noted that:
Note too that organizations that misrepresent their cybersecurity posture are subject to penalties levied by the DoD and/or the Department of Justice, which launched its Civil Cyber-Fraud Initiative in October 2021 to pursue False Claims Act cases against contractors that knowingly misrepresent their cybersecurity practices or compliance.
DFARS 7019 requires organizations to self-assess their compliance with NIST SP 800-171’s 110 security controls (implementation of which is mandated by DFARS 7012) and to report their self-assessment scores to the DoD via SPRS. When CMMC is implemented, CMMC Level 2—the minimum level that must be attained by contractors that handle CUI—will require compliance with the same 110 NIST SP 800-171 security controls.
The key difference between DFARS 7019 and the CMMC Level 2 requirements is that under DFARS 7019, compliance with NIST SP 800-171 is self-assessed. Under CMMC, compliance will be checked by independent third-party assessors certified by DoD.
As Stacy Bostjanik (Chief Defense Industrial Base Cybersecurity, U.S. Department of Defense) said during PreVeil’s Oct. 2022 CMMC Summit:
The key to minimizing your business risks is to get started on a System Security Plan (SSP) and on closing your gaps against NIST SP 800-171. Know that at this point a perfect SPRS score of 110 is rare (the DoD Assessment Methodology scores from a maximum of 110 down to a minimum of -203, deducting 1, 3 or 5 points for each unimplemented control depending on its weight), but having an active plan for continuing to improve your organization's cybersecurity is essential.
If you need help or have questions about complying with DFARS 7019 or any other topics, please don’t hesitate to reach out and schedule a free 15-minute appointment with our compliance team.
Or you may wish to learn more by reading PreVeil’s briefs: