NIST SP 800-171 DoD Assessment Requirements
Effective: November 30, 2020
DFARS 252.204-7020 is the contract clause companion to -7019: once awarded, the contractor must maintain a current NIST SP 800-171 assessment in SPRS, allow DoD access to verify it, and flow the requirement down to subcontractors that will handle CUI. The obligation applies throughout contract performance, not just at offer.
Who must comply
Any DoD contractor (and subcontractor handling CUI at any tier) under a contract that includes DFARS 252.204-7012.
What it requires
- Provide DoD access to facilities, systems, and personnel necessary to conduct a Medium or High NIST SP 800-171 DoD Assessment if requested.
- Maintain a current Basic Assessment score in SPRS throughout contract performance.
- Before awarding a subcontract that involves CUI, require the subcontractor to have a current assessment posted in SPRS.
- Flow the substance of -7019 and -7020 down to subcontractors at all tiers handling CUI.
Related clauses
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7012 requires DoD contractors that handle Covered Defense Information (CDI) to implement the security requirements of NIST SP 800-171, report cyber incidents to DoD within 72 hours via the DIBNet portal, and use FedRAMP Moderate (or equivalent) cloud services for CDI. It has been the contractual basis for NIST 800-171 across the defense industrial base since 2017.
- DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7019 requires offerors on DoD solicitations involving CUI to have a current NIST SP 800-171 self-assessment score posted in the Supplier Performance Risk System (SPRS) before they are eligible for award. The score must not be more than three years old at the time of the offer.