DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements

What is DFARS 7019?

The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 is one of the three newly released clauses in the DFARS 70 series (7012, 7020, 7021). This particular clause sets out the requirements for contractors to maintain their assessments and report them properly, as well as the requirements for contracting authorities to award or withhold an award based on properly reported assessment results. This clause does not require a CMMC 2.0 assessment or CMMC 2.0 reporting.

The DFARS 7019 clause notifies the contractor that it is required to maintain a record of its NIST 800-171 compliance within the Supplier Performance Risk System (SPRS). Each contractor will be required to maintain a current DoD Assessment within the system, which is accessible only to DoD personnel. This means that each contractor will need to have a Basic, Medium, or High assessment (defined below) completed at least every three years and ensure that it is properly reported within SPRS. Contracting authorities hold the right to tighten the recency requirement from three years to two or one.

  • Basic: Similar to the self-assessments / self-attestations that have been taking place since 2018, this assessment requires a System Security Plan (SSP), or Plans, to be submitted
  • Medium and High: NIST 800-171 assessments conducted by DCMA

Interestingly, DFARS 7019 and many of the reporting mechanisms allow multiple CAGE codes to be covered by a single assessment and SSP if the systems are shared. A smaller partner company could therefore use another company's systems exclusively for performing on a contract, as long as the SSP that is submitted and assessed accounts for that arrangement.

Note: DFARS 7019 currently excludes commercially available off-the-shelf (COTS) items.

Next Steps

If you have completed and submitted an assessment at the level your RFPs require, you should meet the DFARS 7019 requirement. However, if you have not completed an assessment or an SSP, you should address both as soon as possible. Your organization's systems will need to be configured to the 110 NIST 800-171 controls prior to assessment, and those configurations need to be documented in your SSP.

SPRS is accessible online, and the DoD has also put together a NIST 800-171 Quick Reference Guide for SPRS. If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE), which requires a certificate to register and authenticate. Once you are registered and have access to SPRS, you can submit your assessment as highlighted below.

For assistance in meeting DFARS 7019 and other requirements for DoD suppliers using Microsoft 365 and Azure, contact us here.

Still have questions?

If you still have questions about the DFARS 70 Series, or you would like to discuss a path forward, please do not hesitate to reach out to us.

Here are some ways you can stay connected and hear the latest on security and compliance topics impacting the Defense Industrial Base: