DFARS 252.204-7020
Also known as: NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020 requires DoD contractors to maintain a current NIST SP 800-171 assessment in SPRS, allow DoD personnel to verify it, and flow the requirement down to subcontractors handling CUI. It is the companion clause to -7019 that binds the obligation through performance, not just the offer.
Related terms
- Supplier Performance Risk System
The Supplier Performance Risk System (SPRS) is the Department of Defense system of record where contractors post their NIST SP 800-171 assessment scores and CMMC affirmations. Contracting officers verify SPRS entries before award on solicitations that include DFARS 252.204-7019, -7020, or -7021.
- DFARS 252.204-7019
DFARS 252.204-7019 requires offerors on DoD solicitations involving CUI to post a current NIST SP 800-171 self-assessment score in the Supplier Performance Risk System (SPRS) before they are eligible for award. The score must not be more than three years old at the time of the offer.
- NIST SP 800-171
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2 — but is not used at Level 1, which is based on the 15 safeguarding requirements in FAR 52.204-21.