What is it?
DFARS 7019 is one of three new clauses, including 7020 and 7021 that extends the original DFARS 252.204-7012 clause requiring every organization in this industry to be compliant with NIST 800-171. This newest addition details requirements for reporting your score within SPRS as well as what contracting officers must do when awards or denials based on these results come up–so you can have peace beforehand knowing exactly where those risks lie.
DFARS 7019 states, “The Offeror shall verify that summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) are posted in SPRS for all covered contractor information systems relevant to the offer.
(2) If the Offeror does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the Offeror may conduct and submit a Basic Assessment to mail to: firstname.lastname@example.org for posting to SPRS in the format identified in paragraph (d) of this provision.”
An organization’s score is based on the 110 controls from NIST 800-171, with each control having a different number of points assigned to it. Organizations attest to whether they meet, do not meet, or if that control is not applicable to them. For those controls they do not meet, they deduct that number from their total of 110 points. For more an example guide, download our NIST 800-171 questionnaire here.
Organizations are required to report their NIST 800-171 compliance score in SPRS. This report will only be available to DoD personnel and the organization that submitted it. Firms will have to report a Basic, Medium, or High level assessment, depending on the contract requirements. A Basic requirement means that organizations are able to self-attest to their compliance, while Medium or High requirement is assessed by the DoD. Organizations will have to have these scores properly reported in SPRS, and have a new assessment at least every three years.