April 19, 2025

Every company that does business with the US government needs to fully understand all the regulations it is subject to before making technology decisions. Otherwise, you could invest significant time and effort and still miss the mark on compliance.

A critical case in point for organizations in the US defense industrial base (DIB) is the Defense Federal Acquisition Regulation Supplement 252.204-7019 (DFARS 7019). Titled “Notice of NIST SP 800-171 DoD Assessment Requirements,” DFARS 7019 is one of three interrelated clauses that the US Department of Defense (DoD) added to the DFARS in its November 2020 Interim Rule. It appears in many current DoD contracts and specifies several key requirements.

If your company does business with the DoD, this article tells you what you need to know about DFARS 7019 compliance. 

What is DFARS 7019?

The DFARS 7019 clause describes the requirements that defense contractors must meet to correctly report and maintain their self-assessments of compliance with the NIST 800-171 cybersecurity framework under DFARS 252.204-7012. DFARS 7019 also specifies the guidelines for contracting officers to make or deny contract awards based on a supplier’s reported assessment results. 

Note that DFARS 7019 does not specifically mandate CMMC 2.0 compliance and does not apply to commercially available off-the-shelf (COTS) items or micro-purchases.

The collective purpose of the Interim Rule’s three clauses is to shore up lax cybersecurity across the DIB. These newer clauses extend the original DFARS 7012 clause, which has been in force in DoD contracts since December 31, 2017. Under DFARS 7012, many (if not most) suppliers have been self-attesting to DFARS compliance without verifiably bringing their systems and processes into compliance.

DFARS 7019 puts DIB suppliers on notice that they are required to assess and report their NIST 800-171 compliance in the form of a Supplier Performance Risk System (SPRS) score that is less than three years old. Scores are visible only to the submitter and the DoD, and can be provided to others upon request.

What do we need for DFARS 7019 compliance?

The Interim Rule states, “The new DFARS provision 252.204-7019 advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current (not older than three years) NIST SP 800-171 DoD Assessment on record in order to be considered for award. The provision requires offerors to ensure the results of any applicable current Assessments are posted in SPRS and provides offerors with additional information on conducting and submitting an assessment when a current one is not posted in SPRS.”

Firms will likely meet the DFARS 7019 clause requirements if they:

  • Correctly implement/configure the 110 NIST 800-171 Rev. 2 controls.
  • Have a current Basic, Medium, or High assessment on file in SPRS.
  • Are following the NIST SP 800-171 DoD Assessment Methodology.
  • Have an up-to-date system security plan (SSP) on file, along with a Plan of Action & Milestones (POA&M), if required. 
  • Have addressed flowdown obligations by ensuring all their subcontractors also comply with DFARS 7019.

If your business is not meeting these requirements today, you may be out of compliance with your DoD contract(s). DFARS 7019 has appeared in “all solicitations” since November 2020, including modifications and extensions to existing contracts. You can find the full text of the DFARS 7019 clause within the Interim Rule here.

How does DFARS 7019 relate to CMMC 2.0?

DFARS 7019 mandates self-attested NIST 800-171 compliance and does not specifically cover CMMC 2.0. However, CMMC 2.0 builds on DFARS 7019 by defining a three-tiered certification process that replaces self-attestation with a third-party certification audit for almost all companies at CMMC levels 2 and 3. CMMC 2.0 Level 2 control requirements specify the same 110 NIST 800-171 Rev. 2 controls.

In effect, CMMC 2.0 serves to improve the assessment and validation regime for DFARS 7019 compliance. The intent is to create a higher cybersecurity bar and more effective compliance enforcement across the DIB.

What is the DFARS Interim Rule?

Effective as of November 30, 2020, the DFARS Interim Rule amends the DFARS to make CMMC the cybersecurity framework for DIB contractors and suppliers. The rule requires all DIB orgs that handle CUI to implement the NIST 800-171 controls, and it sets up the transition from NIST 800-171 self-assessment to third-party assessments for most of the DIB.

The Interim Rule defines three clauses as noted above: 

  • DFARS 252.204-7019, which covers the implementation of controls to safeguard CUI in non-federal systems and organizations.
  • DFARS 252.204-7020, which focuses on protecting classified information. 
  • DFARS 252.204-7021, which applies to the security of unclassified controlled technical information (UCTI). 

DFARS 7012 is a related clause that pertains to controlled defense information (CDI).

The Interim Rule outlines a phased CMMC implementation, starting with pilot programs and gradually encompassing nearly all DoD contracts. It also defines three assessment levels: Basic (self-assessment), Medium, and High, based on the assessment scope and the extent of security controls. To verify compliance, the DoD will conduct a growing number of random audits to evaluate DIB orgs’ NIST 800-171 compliance and the accuracy of their self-assessment scores.

In October 2024, the DoD published the CMMC final rule, which is (still) predicted to be published in mid-2025. This rule will contractually implement the CMMC program, so that CMMC requirements can appear in solicitations and contracts. 

How does the DoD evaluate DFARS 7019 compliance?

The Defense Contract Management Agency (DCMA) is charged with ensuring that DIB orgs comply with DFARS 7019. The DCMA conducts random audits to ensure suppliers have implemented sufficient controls and processes to protect UCTI per NIST 800-171 guidelines. DCMA audits likewise validate DIB orgs’ self-assessment scores in SPRS.

Additionally, the DCMA offers guidance and training to DIB orgs on how to comply with DFARS 7019 and supports the development and implementation of UCTI protections. The DCMA may also assist defense contractors in the event of a data breach or other cybersecurity incident.

Why should DIB orgs care about DFARS 7019 compliance?

Compliance with DFARS 7019 is mandatory for DIB orgs and critical to protect CUI. With cyberattacks always on the rise, defense contractors need effective cybersecurity for the sake of US national security.

For firms that can demonstrate successful implementation of the NIST 800-171 controls, DFARS 7019 compliance also helps build trust and peace of mind with the DoD and its prime contractors, and can be a competitive differentiator. 

What’s next?

DFARS 7019 compliance isn’t something you want to mishandle or leave to chance. To talk with an expert about ensuring you comply with the DFARS 7019 clause and all the other DoD cybersecurity guidelines, contact CBIZ Pivot Point Security.