What is DFARS 7020:
DFARS 7020 is one of three new clauses, alongside 7019 and 7021, that extend the original DFARS 252.204-7012 clause, which requires every organization in the Defense Industrial Base (DIB) to be compliant with NIST 800-171. DFARS 7020 states that contractors must provide the Government with access to their facilities, personnel and systems whenever the Department of Defense (DoD) is conducting or renewing a Medium or High Assessment.
There are three different levels of risk assessment: Basic, Medium, and High. As DFARS 7019 states, organizations must submit at least a Basic Level Risk Assessment to the Supplier Performance Risk System (SPRS). A Basic Level Assessment means that organizations are able to self-attest to their compliance with NIST 800-171.
However, a Medium or High Level Assessment is required in some contracts, depending on the type of data involved. A Medium or High Level Assessment means that the DoD itself assesses an organization's DFARS compliance with NIST 800-171, rather than relying on a self-assessment.
In the event of a failed audit, the DoD will give organizations a chance to rebut the assessment team's findings if they disagree with the results of a Medium or High Assessment. DFARS 7020 allows contractors and their subcontractors 14 business days to show the DoD evidence that they meet any security requirements in question.
DFARS 7020 also describes the role of subcontractors and the responsibilities they have in keeping CUI safe. Organizations are not allowed to use a subcontractor unless that subcontractor has at least a Basic NIST SP 800-171 DoD Assessment that is less than 3 years old. This means that not only does your organization need to become NIST 800-171 compliant, but so must any of your subcontractors that handle CUI.
This flowdown to subcontractors is a common theme throughout DoD compliance requirements such as CMMC, DFARS 7012, and DFARS 7021. The Secretary of Defense is placing a heavy emphasis on securing the entire supply chain because of the increase in supply chain attacks in the United States.
A supply chain attack is one in which a threat actor targets a smaller company, which presumably lacks the security resources of a larger company, in order to gain easier access to the actual target. The threat actor compromises the smaller company, which supplies goods, services or raw materials, and uses that access to plant malicious code in, or steal source code from, the main target. Global supply chains have been disrupted by attacks of this kind.