Contractual Remedies to Ensure Contractor Compliance with Defense Federal
Acquisition Regulation Supplement Clause 252.204-7012

From the Office of Mr. John M. Tenaglia, Principal Director, Defense Pricing and Contracting (DPC) within the Office of the Secretary of Defense (OSD), U.S. Department of Defense (DoD)

On November 30, 2020, interim DFARS rule 2019-D041 took effect and required use of
DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, in all future
DoD solicitations and contracts, task orders, or delivery orders, except those solely for the
acquisition of commercial off the shelf items. If included in the contract and applicable, the
clause requires contractors to post summary level scores of all NIST SP 800-171 DoD
Assessments, including the Basic self-assessment, in the Supplier Performance Risk System
(SPRS) and provide access to its facilities, systems, and personnel necessary for the Government
to conduct a High or Medium NIST SP 800-171 DoD Assessment.

A High or Medium assessment is a tool that allows DoD personnel to validate the results
of a Basic NIST SP 800-171 self-assessment to assess if the contractor has, in fact, properly
implemented the NIST SP 800-171 security requirements. DFARS clause 252.204-7020 was not
promulgated or prescribed for use in DoD contracts until November 30, 2020; therefore, not all
contractors are contractually obligated to comply with the assessment and access requirements
set forth in the clause. Contracting Officers are reminded, however, that where applicable,
DFARS 252.204-7012 requires contractor to implement the security requirements of NIST SP
800-171, and alternative remedies and tools are available for use to ensure compliance. To read the complete article, please click here.