The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that governs the procurement of goods and services by the U.S. Department of Defense. DFARS 252.204-7020 is one of three recently released clauses in the DFARS 70 series (7012, 7019, 7021) that were introduced in November 2020.
DFARS 7020 sets out the requirements for contractors to provide the government with access to their facilities, systems, and personnel whenever the Department of Defense (DoD) conducts a Medium or High assessment. The clause also requires contractors to flow down these requirements to their subcontractors, who must validate their compliance with DFARS 7019 before awarding any subcontract or purchase order. For more information on the Assessment methodologies click here.
DFARS 7020 will appear in all DoD solicitations, contracts, task orders, or delivery orders and contractors have 14 days to provide additional evidence or information demonstrating their compliance with NIST 800-171 standards. The results of the assessment will be reflected in the Supplier Performance Risk System (SPRS) and all results will be kept confidential, with High assessment documentation classified as Controlled Unclassified Information (CUI).
It’s important to note that solicitations for Commercial Off The Shelf (COTS) items are exempt from DFARS 7020. If you have concerns about the ability to remediate, adjudicate, or refute a specific finding, be assured that contractors and subcontractors have the opportunity to provide additional evidence and information.
How to Prepare
Organizations with DFARS 7012 obligations in their contracts and handling Controlled Unclassified Information (CUI) must complete a Basic Assessment. This self-assessment will verify that your facilities, systems, and personnel are capable of meeting the requirements for a DoD Basic Assessment, and you should submit it in 2021. Start preparing for future acquisitions and solicitations to determine if you may need to undergo a Medium or High assessment.
Your organization’s information systems must meet the 110 NIST 800-171 controls to comply with CMMC assessment requirements and existing DFARS 7012 regulations. Ensure that your suppliers and subcontractors have entered their assessment results into the Supplier Performance Risk System (SPRS). Major contractors such as Lockheed Martin are starting to distribute questionnaires and data requests to their subcontractors, so be ready to respond when asked.
Access the SPRS by clicking here. If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE) by clicking here. Keep in mind that you will need a certificate to register and authenticate to both PIEE and SPRS.