December 21, 2020

Last Updated on May 16, 2025

Defense Federal Acquisition Regulation Supplement 252.204-7020 (DFARS 7020), “NIST SP 800-171 DoD Assessment Requirements,” is one of three interdependent clauses (DFARS 7019, 7020, and 7021) added to the DFARS through the US Department of Defense (DoD) Interim Rule. DFARS 7020 appears in many current DoD contracts and will be ubiquitous under the CMMC 2.0 program going forward.

For business and technical leaders in the US defense industrial base (DIB), this article explains what you need to know about DFARS 7020, including how to comply. 

What is DFARS 7020?

Per companion clause DFARS 7019, DIB suppliers must have at least a Basic assessment score less than three years old on file in the DoD’s Supplier Performance Risk System (SPRS), as explained below. The follow-on DFARS 7020 clause explicitly informs suppliers that the DoD has the right to access “facilities, systems and personnel” that manage, process, store, or transmit controlled unclassified information (CUI), should the DoD require them to undergo a Medium or High assessment.

As described in the NIST SP 800-171 DoD Assessment Methodology, the DoD reserves the right to conduct Medium and High assessments based on the criticality of the contract or the data involved.

In addition, DFARS 7020 specifies a flowdown requirement. Contractors must “… ensure that applicable subcontractors also have the results of a current Assessment posted in SPRS prior to awarding a subcontract or other contractual instruments.” DFARS 7020 also specifies how subcontractors should conduct and submit their assessments.

What is the DFARS Interim Rule?

The purpose of the DFARS Interim Rule, in effect since November 30, 2020, is to bolster cybersecurity within the US defense supply chain by making CMMC 2.0 the DIB’s cybersecurity framework. The rule defines a phased CMMC implementation that starts with pilot programs and progressively rolls out into almost all DoD contracts over three years.

The Interim Rule requires all DoD contractors that handle CUI to implement the NIST 800-171 Rev. 2 controls, and it guides the transition from self-assessment to third-party assessments. It achieves this through three clauses, which build on the longstanding DFARS 7012 clause:

  • DFARS 252.204-7019, which concerns the implementation of controls to protect CUI in non-federal organizations and systems.
  • DFARS 252.204-7020, which gives the DoD access to DIB orgs’ facilities and “covered contractor information systems.” 
  • DFARS 252.204-7021, which implements the CMMC 2.0 program. 

DFARS 7012 mandates NIST 800-171 compliance for DIB orgs that handle CUI. It has appeared in contracts since 2018. Under DFARS 7012, a high percentage of contractors have been self-attesting to NIST 800-171 compliance as a “check the box” exercise and would not pass an independent audit—hence the need for CMMC and the Interim Rule.

The rule also establishes three assessment levels: Basic (self-assessment), Medium, and High, which reflect the DoD’s level of confidence in the results. To verify compliance, the DoD’s Defense Contract Management Agency (DCMA) will conduct an increasing number of random Medium and High assessments to validate DIB orgs’ NIST 800-171 compliance and confirm their self-assessment scores.

In October 2024, the DoD published the CMMC final rule, which, despite potential holdups, should be final by mid-2025. This rule contractually implements the CMMC program, enabling CMMC requirements to appear in solicitations and contracts.

Does my DIB SMB need to comply with DFARS 7020?

As you might expect given its connection to DFARS 7019, the DFARS 7020 clause is currently in effect in many DoD contracts, and will eventually appear in “all solicitations” as part of the CMMC 2.0 rollout. This includes both new contracts and modifications and extensions to existing contracts.

If you do business with the DoD, you either already need, or will shortly need, to comply with DFARS 7020. Only solicitations “solely for the acquisition of commercially available off-the-shelf (COTS) products” or micro-purchases are exempt from DFARS 7020 compliance.

What are the DFARS 7020 compliance requirements?

Your business should be DFARS 7020 compliant if you do all of the following:

  • Implement and operate the 110 NIST 800-171 Rev. 2 controls in accordance with the standard.
  • Confirm you have a current (less than three years old) Basic, Medium, or High assessment on file in SPRS.
  • If needed, determine your current compliance score through a Basic self-assessment, following the NIST SP 800-171 DoD Assessment Methodology, and submit the new score to SPRS.
  • If your business has undergone a NIST 800-171 Medium or High assessment with the DCMA and you have received your score, confirm that it has been posted in SPRS. 
  • Address flowdown requirements by ensuring all your subcontractors that receive CUI also comply with DFARS 7019 and DFARS 7020.

Since DFARS 7020 has appeared in “all solicitations” starting in November 2020, your business may be out of compliance with your DoD contract(s) if you do not meet these requirements today. The full text of the DFARS 7020 clause within the Interim Rule is available here.

How does DFARS 7020 connect with CMMC 2.0?

DFARS 7020 relates to NIST 800-171 compliance assessments and does not specifically address CMMC 2.0. But CMMC 2.0 expands on DFARS 7020 by defining a three-level certification process that replaces self-attestation with a third-party certification audit for almost all companies at CMMC levels 2 and 3. 

CMMC 2.0 Level 2 mandates the same 110 controls as NIST 800-171 Rev. 2. Its intent is to strengthen the DoD’s assessment and validation regime for NIST 800-171 compliance under the DFARS. 

Why should DIB orgs care about DFARS 7020 compliance?

The DoD requires DFARS 7020 compliance as a prerequisite for contract award. The clause helps verify whether DIB orgs are actually compliant with NIST 800-171.

Contractors that can demonstrate verifiable NIST 800-171 compliance will build trust with primes, the DoD, and other stakeholders, potentially gaining competitive advantage.

DFARS 7020 is also foundational to implementing CMMC, which will enhance the DIB’s overall cybersecurity posture by improving compliance enforcement and transparency. Through CMMC, the DoD hopes to better US national security and economic interests by safeguarding CUI from our adversaries in the current cyber war.

What’s next?

Every US government contractor must understand all contract requirements before selecting new technology. Otherwise, you could still be out of compliance despite substantial investments.

To connect with an expert about DFARS compliance, including your NIST 800-171 self-assessment, contact CBIZ Pivot Point Security.