The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7020 is one of the three newly released clauses of the DFARS 70 series (7012, 7019, 7021) in November 2020. DFARS 7019 is the "Notice of NIST 800-171 DoD Assessment Requirements"; whereas, DFARS 7020 consists of the requirements alone. DFARS 7020 requires contractors to provide the Government access to its facilities, systems, and personnel any time the Department of Defense (DoD) is renewing or conducting a Medium or High assessment. For more information on the Assessment methodologies click here.
Much like DFARS 7012, the DFARS 7020 clause will appear in all DoD solicitations and contracts, task orders, or delivery orders. This clause also includes a flowdown requirement that states a contractor is now required to ensure all tiered subcontractors have results of a current assessment in SPRS, or Supplier Performance Risk System, in accordance with the DFARS 7019 clause. The contractor must also validate their compliance with 7019 prior to awarding a subcontract or purchase order of any kind, and include the contents of DFARS 7019 in the documented subcontract agreement.
One concern many businesses in the Defense Industrial Base (DIB) have is the ability to remediate, adjudicate, or refute a specific finding or less than glowing review. DFARS 7020 states that contractors and their subcontractors have a 14 day period to provide additional evidences or information demonstrating their practices and policies meet NIST 800-171 standards. Also, SPRS will only reflect the final assessment results after this period, and rest assured all results will be made confidential and High assessment documentation will be classified as Controlled Unclassified Information (CUI).
Note: Solicitations for the acquisition of Commercial Off The Shelf (COTS) items are exempt from DFARS 7020.
Organizations with DFARS 7012 requirements in their contracts and handling CUI will need to complete a Basic Assessment (self assessment). It may be relatively self explanatory, but you need to ensure that your facilities, systems and personnel are equipped for at least a DoD Basic Assessment and submit that self assessment in 2021. Also, begin to research future acquisitions and solicitations to determine if a Medium or High assessment is in your near future. Your organization's information systems will need to be configured to the 110 NIST 800-171 controls regardless because of CMMC assessment requirements and the preexisting DFARS 7012 requirements.
Be sure that your suppliers and subcontractors have entered their results into SPRS. Conversely, Lockheed Martin and other large primes are starting the process of distributing questionnaires and data calls to subs. Therefore, prepare your proposal or business development teams to respond appropriately when asked for status.
Click here to access the SPRS. If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE). Click here to access the PIEE. Keep in mind you will need a certificate to register /authenticate to PIEE / SPRS.
For assistance in meeting DFARS 7020 and other requirements for Department of Defense suppliers with/in Microsoft 365 and Azure contact the Summit 7 team here.
If you still have questions about the DFARS 70 Series, or you would like to discuss something else, please do not hesitate to reach out to us.
Here are some ways you can stay connected to the Summit 7 team and hear the latest on all things security and compliance: