September 29, 2021

Last Updated on January 12, 2024

As I have blogged about prior, members of the defense supply chain technically need to be DFARS compliant, not NIST 800-171 or CMMC compliant.  A recent email from a client touches on this issue.

John,

 I interpret the clause below from https://www.acq.osd.mil/dpap/policy/policyvault/USA002524-20-DPC.pdf,  to require all DIB members with the DFARS 7012 clause in a contract as needing a score in SPRS.  Am I reading this correctly?

 “NIST SP 800-171 DoD Assessment: On or after November 30, 2020, the contracting officer shall, prior to awarding a contract, task order, or delivery order to, or exercising an option period or period of performance with, an offeror or contractor that is required to implement NIST SP 800-171 in accordance with the clause at DFARS 252.204-7012, verify that the summary level score of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old, unless a lesser time is specified in the solicitation) is posted in Supplier Performance Risk System (SPRS) for each covered contractor information system that is relevant to an offer, contract, task order, or delivery order.”

 Sincerely,

Very Concerned Customer

The answer is subtle, in that technically DFARS 7012 itself does not require an SPRS score. However, if you are awarded a task order, delivery order, or an option period of performance, your existing contract will now include the DFARS 7019 or DFARS 7020 requirements and require a current score in SPRS.  DFARS 7019 adds the SPRS reporting requirement, while DFARS 7020 adds the requirement for contractors to allow the government full access to their facilities and systems to conduct a DIBCAC assessment.

What’s Next?

Moving forward, this could change with the DFARS 7021 clause, which requires CMMC. The DFARS 7012, 7019 and 7020 clauses are all specific to NIST 800-171. As CMMC evolves, DFARS 7021 will be a requirement for all contracts, but the “requisite Maturity Level” will not be CMMC Level 3 or higher for many. So we can reasonably conclude that DFARS 7021 will not fully replace the other three clauses. There are requirements of DFARS 7012 (e.g., Cyber Incident reporting), DFARS 7019 (e.g., SPRS), and DFARS 7020 (e.g., DIBCAC audit) that DCMA will likely want to maintain.

Pursuing 7012 DFARS Compliance? Check out some more useful content:  You Don’t Need to be CMMC Compliant, You Need to Be DFARS Compliant (A Kardashian Parable) – Pivot Point Security

Looking for some more help thinking about your CMMC strategy? Listen to this podcast with our CMMC experts: EP#55 – DIBCAC & CMMC Audit Prep with George Perezdiaz & Caleb Leidy – Pivot Point Security