DFARS 7020
DFARS 252.204-7020: NIST SP 800-171 DoW Assessment Requirements
What is DFARS 7020?
The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7020 is one of the three DFARS 70 series (7012, 7019, 7021) clauses released in 2020. DFARS 7019 is the "Notice of NIST 800-171 DoD Assessment Requirements". The 2020 rule introduced 7019 and 7020 because 7012 lacked a verification mechanism. The DoW needed proof that contractors were actually implementing NIST 800-171 after years of reported compromises in the defense supply chain.
DFARS 7020 consists of assessment, access, and flowdown requirements. All DIB contractors and subcontractors handling CUI must comply with DFARS 7020. A 2025 update aligns this clause more closely with the CMMC 2.0 phased rollout.
DFARS 7020 requirements and assessment
DFARS 7020 requires contractors to provide the government with access to their facilities, systems, and personnel any time the Department of War (DoW) is renewing or conducting a Medium or High “NIST SP 800-171 DoD Assessment”, not to be confused with a CMMC assessment. It also leaves room for a Basic (self) assessment that results in a low confidence score.

The DFARS 7020 clause appears in all DoW solicitations and contracts, task orders, or delivery orders that involve CUI or DFARS 7012. This clause also includes a flowdown requirement that states a contractor is now required to ensure all tiered subcontractors have passing results of a current assessment in the Supplier Performance Risk System (SPRS), in accordance with the DFARS 7019 clause. The contractor must also validate their compliance with 7019 prior to awarding a subcontract or purchase order of any kind and include the contents of DFARS 7019 in the documented subcontract agreement.
Remediation Period
One concern many businesses in the Defense Industrial Base (DIB) have is the ability to remediate, adjudicate, or refute a specific finding or less-than-glowing review. DFARS 7020 states that contractors and their subcontractors have a 14-day period to provide additional evidence or information demonstrating their practices and policies meet NIST 800-171 standards. SPRS will reflect the final assessment results only after this period. Rest assured, all results will be made confidential, and High assessment documentation will be classified as Controlled Unclassified Information (CUI).
What Changes with CMMC Final Rule Implementation?
Beginning with the CMMC rollout in November 2025, DFARS 7020 will operate alongside DFARS 7021, which includes CMMC certification requirements for certain contracts. DFARS 7020 will still focus on the NIST SP 800-171 DoD Assessments, but the updated rule will strengthen flowdown requirements. As the CMMC rule is phased in over three years, the DoW will have discretion in applying DFARS 7020 requirements to solicitations based on risk and contract type.
Note: Solicitations for the acquisition of Commercial Off-The-Shelf (COTS) items are exempt from DFARS 7020.
Next Steps
Organizations with DFARS 7012 requirements in their contracts and handling CUI will need to complete a Basic Assessment (self-assessment). It may seem simple, but you need to ensure that your facilities, systems, and personnel are equipped for at least a DoW Basic Assessment and submit that self-assessment. You must also consider future acquisitions and solicitations to determine if a Medium or High assessment is in your near future. Your organization's information systems will need to be configured to the 110 NIST 800-171 controls regardless, because of CMMC 2.0 assessment requirements and the preexisting DFARS 7012 requirements.
Verify that your suppliers and subcontractors have entered their results into SPRS. Conversely, Lockheed Martin and other large primes are starting the process of distributing questionnaires and data calls to subs. Therefore, prepare your proposal or business development teams to respond appropriately when asked for status.
If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE). Keep in mind you will need a certificate from a DoW-approved External Certificate Authority (ECA) vendor to register/authenticate to PIEE/SPRS.
To ensure you meet DFARS 7020 and other requirements for Department of War suppliers in enough time to remain competitive and future-proof your business, reach out to Summit 7's compliance experts.
