Notice of NIST SP 800-171 DoD Assessment Requirements
Effective: November 30, 2020
DFARS 252.204-7019 requires offerors on DoD solicitations involving CUI to have a current NIST SP 800-171 self-assessment score posted in the Supplier Performance Risk System (SPRS) before they are eligible for award. The score must not be more than three years old at the time of the offer.
Who must comply
Any offeror on a DoD solicitation that includes DFARS 252.204-7012.
What it requires
1. Conduct a Basic NIST SP 800-171 DoD Assessment of all covered contractor information systems.
2. Post the resulting score, system security plan summary, plan-of-action completion date, and CAGE codes to SPRS prior to award.
3. Ensure the posted assessment is no more than three years old when the offer is submitted.
4. Have a current assessment posted before the contracting officer can consider the offer eligible for award.
Related clauses
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7012 requires DoD contractors that handle Covered Defense Information (CDI) to implement the security requirements of NIST SP 800-171, report cyber incidents to DoD within 72 hours via the DIBNet portal, and use FedRAMP Moderate (or equivalent) cloud services for CDI. It has been the contractual basis for NIST 800-171 across the defense industrial base since 2017.
- DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020 is the contract clause companion to -7019: once awarded, the contractor must maintain a current NIST SP 800-171 assessment in SPRS, allow DoD access to verify it, and flow the requirement down to subcontractors that will handle CUI. It binds the obligation throughout contract performance, not just at offer.