DFARS 7019
DFARS 252.204-7019: Notice of NIST SP 800-171 DoW Assessment Requirements
DFARS 7019 Origin and Context
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 is titled “Notice of NIST Special Publication 800-171 DoD Assessment Requirements” and was released in 2020 as part of the DFARS 70 series (7012, 7020, 7021, 7025). These clauses were released in response to the compromise of several DoW weapon systems through controlled unclassified information (CUI) held on contractor networks whose operators had falsely claimed to have implemented the required cybersecurity controls. As a result, CUI was stolen by adversarial nations. This rule builds a framework for accountability to ensure contractors are compliant, not just claiming to be.
What is DFARS 7019?
This clause holds the requirements for contractors to maintain their DoD NIST 800-171 Assessments and report them properly, as well as the requirements for contracting authorities to award or withhold award based upon properly reported assessment results. This clause requires DoD NIST 800-171 Assessment reporting in the Supplier Performance Risk System (SPRS), but does not require CMMC 2.0 assessment or reporting.
Each contractor will be required to maintain a current DoW Assessment within the system, which is only accessible to DoW personnel. This means that each contractor will need to have a Basic, Medium, or High assessment (defined below) completed at least every three years and ensure that it is properly reported within SPRS. Contracting authorities hold the right to adjust the recency requirement from three years to two or one.
- Basic: Similar to the self-assessments and self-attestations that have been taking place since 2018, this assessment requires a System Security Plan (SSP) or Plans to be submitted
- Medium and High: NIST 800-171 assessments run by DCMA
Interestingly, DFARS 7019 and many of the reporting mechanisms allow multiple Commercial and Government Entity (CAGE) codes to be covered by a single assessment and SSP if the systems are shared. A smaller partner company could potentially use another company's systems exclusively for performing on a contract, as long as the SSP submitted and assessed accommodates that arrangement.

Note: DFARS 7019 currently excludes commercially available off-the-shelf (COTS) items.
How do I comply with DFARS 7019?
How DoD NIST 800-171 Assessment scores are reported to SPRS depends on your level. If a contractor has a Basic Assessment, the results are uploaded by the contractor themselves within 14 business days.
In Medium and High level assessments, the DoW will post scores after they’ve completed the evaluation. Summary level scores will be available within 30 days of assessment.
If you have completed and submitted an assessment to the level your solicitations require, you should meet the DFARS 7019 requirement.
Next Steps
If you have not completed an assessment or SSP, you should address both as soon as possible. While your SSP isn’t a requirement of DFARS 7019 itself, it is a foundational document for assessment. Your organization's systems will need to be configured to the 110 NIST 800-171 controls prior to the assessment, and those configurations need to be detailed in your SSP.
Access the SPRS and find the NIST 800-171 Quick Reference Guide put together by the DoW for SPRS. If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE), which requires a certificate to register/authenticate. Once you are registered and have access to SPRS, you can submit your assessment as highlighted below.
For assistance in meeting DFARS 7019 and other requirements for DoW suppliers with Microsoft 365 and Azure, contact Summit 7.
Still have questions?
If you still have questions about the DFARS 70 Series, or you would like to discuss a path forward, please do not hesitate to reach out to us.
Here are some ways you can stay connected and hear the latest on security and compliance topics impacting the Defense Industrial Base:
- Follow us on LinkedIn
- Subscribe to the YouTube channel
- Subscribe to the blog
- Check out the Cloud Security and Compliance Series (CS2)
