DFARS 252.204-7019

What is it?

DFARS 252.204-7019 is one of three clauses (7019, 7020 and 7021) added by the November 2020 DFARS interim rule. They build on the original DFARS 252.204-7012 clause, which already required contractors handling Controlled Unclassified Information (CUI) to implement NIST SP 800-171. Where 7012 required implementation, 7019 requires proof: an offeror must have a current NIST SP 800-171 DoD Assessment score (not more than three years old) posted in the Supplier Performance Risk System (SPRS) at the time of award in order to be considered.

The clause details how your score is reported in SPRS and what contracting officers must do with it: they verify that a current score is posted before making an award, so you know in advance where the risk to your eligibility lies.

The assessment methodology is based on the 110 security requirements in NIST SP 800-171, each weighted 1, 3 or 5 points depending on how much risk its absence creates. The scope is only the covered contractor information system(s) that process, store or transmit CUI, so networks that are segmented from the CUI environment and never touch CUI are out of scope.

Organizations attest, for each requirement, whether they meet it, do not meet it, or whether it is not applicable to their environment (an N/A determination must be documented in the System Security Plan). Scoring starts at a perfect 110 and, for every requirement not met, the requirement's point value (1, 3 or 5) is subtracted, so the score can go negative. Two requirements allow partial credit: multi-factor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) lose 3 points rather than 5 when partially implemented. For an example guide, download our NIST 800-171 questionnaire here.

Organizations are required to report their NIST SP 800-171 assessment score in SPRS. Once posted, the score is visible only to DoD personnel and to the organization that submitted it. The assessment will be at the Basic, Medium or High level, depending on what the contract requires.

A Basic assessment is a self-assessment: the organization scores itself against the methodology and submits the result to SPRS. Medium and High assessments are conducted by the Department of Defense (Medium as a review of your System Security Plan, High as an on-site verification). Along with the summary score, the SPRS entry must identify the System Security Plan assessed, the assessment date, the scope (enterprise, enclave or specific contracts) and, for any score below 110, the date by which all requirements are expected to be implemented. A new assessment is required at least every three years, or the score is no longer considered current.


If you want to be proactive about your cybersecurity and have a plan in place before an award is at stake, contact FirstCall Consulting today. Our team can walk you through a gap analysis using our NIST SP 800-171 questionnaire to determine where your weaknesses lie.

We also help you put in place a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that align with Cybersecurity Maturity Model Certification (CMMC) requirements, and help you confirm that your own supply chain is compliant too.

Contact us now here or send an email inquiry to travis.sands@thefirstcallconsulting.com to get started on this important journey towards 100% compliance!
