top of page

Defense Contractors Beware: DFARS 7019 and 7020 Rules are Now Final

Updated: Oct 3, 2023

As of December 1, 2022, the DFARS 7019 and 7020 regulations have been officially established as final rules by the Department of Defense (DoD). These rules are likely included in contracts that have been awarded or updated since the interim rules were released in December 2021. The new requirements aim to enhance the cybersecurity posture of the DoD's supply chain and ensure the protection of Controlled Unclassified Information (CUI). In addition, the DoD is taking a more rigorous approach to cybersecurity, making it a top priority for defense contractors. As a result, the stakes are high but don't worry; we've got you covered! Join us as we delve into the latest updates and requirements, and discover how you can ensure your organization is in compliance.

Under DFARS 7019, contractors are required to conduct a self-assessment and provide sufficient evidence to support their score, which is filed in the Supplier Performance Risk System (SPRS) and becomes part of the contractor's permanent record. The DoD expects the score to increase over time, with a maximum target score of 110. In addition, DFARS 7020 authorizes the Defense Contract Management Agency (DCMA) to perform Medium and High assessments in accordance with NIST SP 800-171 DoD Assessment Methodology.

Prime contractors or higher-tier contractors can use the same DoD self-assessment methodology score to assess the compliance of their supply chain. Subcontractors must also perform the basic self-assessment and submit their SPRS score. Contracting Officers are currently checking SPRS scores and removing companies from eligibility if they do not meet the requirements.

The evidentiary standard to justify the SPRS score is the same for DFARS 7012, 7019, 7020, and 7021. The pending Cybersecurity Maturity Model Certification (CMMC) program is an enforcement mechanism for the existing 7012 requirements, which have been in place since December 2017. DFARS 7012 requirements also include reporting incidents or malware, and the responsibility of prime contractors to audit the requirements of their subcontractors.

The System Security Plan (SSP) is a cornerstone for all of the contractor's documentation and evidence and should show how the company has progressed toward meeting the NIST SP 800-171 practices. Policies govern the requirements the company must meet based on the type of CUI handled in their environment and other kinds of CUI, such as Controlled Technical Information (CTI) or International Traffic in Arms Regulations (ITAR). Policies should provide oversight authority for implementing, monitoring, and enforcing the requirements.

Incorporating the CMMC definitions into the policies and procedures is crucial. Organizations that process, transmit, or store CUI, such as Enterprise Resource Planning (ERP) or Managed Service Providers (MSP), must meet the DFARS 7012 requirements. The Federal Risk and Authorization Management Program (FedRAMP) Moderate standard applies to any external system connected to the organization that processes, transmits, or stores CUI.

CUI is defined as information developed or received in the performance of a contract and is either marked or otherwise identified in the contract. If information qualifies as CUI, whether it is marked or unmarked, the contractor, as the authorized holder, is responsible for meeting all the requirements.

Recent changes have caused panic among contractors who were not awarded the contracts they were expecting. Contracting Officers informed them that they did not have an SPRS score submitted. A current SPRS score must be submitted within three years of the award or renewal of a reward. The DoD has released an internal memo stating that failure to meet DFARS 7012 is a material breach of contract.

The DoD is taking a strong stance on protecting sensitive information, and contractors must be proactive in meeting the DFARS 7012, 7019, and 7020 requirements. This includes conducting a self-assessment, submitting an SPRS score, and having a comprehensive SSP and policies and procedures in place. Failure to meet the DFARS requirements is considered a material breach of contract, and contractors risk losing eligibility for contracts with the DoD. If you need assistance navigating these changes and ensuring compliance with the new rules, don't hesitate to reach out to the experts at Aspire Cyber. Contact us at for personalized guidance and support. Don't let these updates catch you off guard - take action now to secure your business and stay ahead of the game.


bottom of page