Last Updated on November 7, 2022
Defense Federal Acquisition Regulation Supplement 252.204-7019 (DFARS 7019) is one of three interrelated clauses that the DoD’s new interim rule adds to the DFARS. These new clauses extend the original DFARS 252.204-7012 clause that has been in force in US Department of Defense (DoD) contracts since 2018 (technically, December 31st, 2017 https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf).
The purpose of the interim rule, in effect as of November 30, 2020, is to shore up lax cybersecurity across the US defense industrial base (DIB). The problem has been that, under DFARS 7012, many (if not most) suppliers are self-attesting to DFARS compliance without verifiably bringing their systems and processes into compliance.
The DFARS 7019 clause is titled “Notice of NIST SP 800-171 DoD Assessment Requirements.” It describes the requirements that contractors must meet to correctly report and maintain their self-assessments concerning compliance with the NIST 800-171 cybersecurity framework under DFARS 7012. DFARS 7019 also specifies the requirements for contracting officers to make or deny contract awards based on a supplier’s reported assessment results.
Specifically, the interim rule states, “The new DFARS provision 252.204-7019 advises offerors required to implement the NIST SP 800-171 standards of the requirement to have a current (not older than three years) NIST SP 800-171 DoD Assessment on record in order to be considered for award. The provision requires offerors to ensure the results of any applicable current Assessments are posted in SPRS [the Supplier Performance Risk System] and provides offerors with additional information on conducting and submitting an assessment when a current one is not posted in SPRS.”
In other words, the DFARS 7019 clause puts DIB suppliers on notice that they are required to assess and report their own NIST 800-171 compliance in the form of an SPRS score less than three years old (or newer if required). Scores will only be available to the submitter and the DoD, and can be provided to others upon request.
Firms that have a current SPRS Basic, Medium, or High assessment on file, and follow the NIST SP 800-171 DoD Assessment Methodology, along with an up-to-date System Security Plan (SSP) and a Plan of Action & Milestones (POA&M), if required, will likely meet the DFARS 7019 clause requirements. Other DIB suppliers will need to complete this process ASAP.
Why is time of the essence?
Because the new DFARS 7019 clause will appear in “all solicitations” going forward, except those “solely for the acquisition of commercially available off-the-shelf (COTS) items. This includes not only new contracts, but also modifications and extensions to existing contracts.
You can find the full text of the DFARS 7019 clause within the interim rule here.
Next Steps
DFARS 7019 compliance isn’t something you want to mishandle or leave to chance.
To talk with a DFARS expert about ensuring you comply with the DFARS 7019 clause and all the other DFARS cybersecurity guidelines, contact Pivot Point Security.
