DFARS 7020

What is DFARS 7020:

DFARS 7020 is one of three new clauses, including 7019 and 7021, that extends the original DFARS 252.204-7012 clause requiring every organization in the DiB to be compliant with NIST 800-171. DFARS 7020 states organizations, “shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment”. 

As DFARS 7019 stated, organizations must submit at least a Basic Level Assessment to the Supplier Performance Risk System (SPRS). A Basic Level Assessment means that organizations are able to self attest to their compliance with NIST 800-171, but a Medium or High Level Assessment is present in some contracts, depending on the type of data involved. A Medium or High Level Assessment means that the DoD assesses organization’s compliance to NIST 800-171. 

The DoD will also provide organizations a chance to rebuttal if they disagree with the DoD’s findings in a Medium or High Assessment. The DoD states, “The contractor has 14 business days to provide additional information to demonstrate that they meet any security requirements not observed by the assessment team or to rebut the findings that may be of question”.

DFARS 7020 also describes the role of subcontractors and the responsibilities that they have in keeping CUI safe. Organizations are not allowed to use subcontractors, “unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800-171 DoD Assessment”. This means that not only does your organization need to become NIST 800-171 compliant, but any of your subcontractors must as well. 

This flowdown to subcontractors is a common theme seen throughout DoD compliance requirements such as CMMC, DFARS 7012, and DFARS 7021. The reason the DoD is putting a heavy emphasis on securing the entire supply chain is because of the increase in supply chain attacks. A supply chain attack is where a threat actor targets a smaller company, who presumably doesn’t have as robust security as a larger company, in order to have easier access to their main target. 


If you want to be proactive about your cybersecurity and have a plan in place before any issues arise, contact FirstCall Consulting today. Our team of experts can help walk you through the process for conducting a GAP Analysis to determine where your weaknesses lie, getting a System Security Plan (SSP) and POA&M Plan in place that is compliant with NIST 800-171 regulations, as well as making sure your supply chain is also fully compliant as well. Contact us now here or send an email inquiry to travis.sands@thefirstcallconsulting.com to get started on this important journey towards 100% compliance! 

Share This