DoD Basic Assessment
1 – Check the solicitation for DFARS clauses 252.204-7019 and 252.204-7020. The presence of these clauses makes it likely that you will need to complete the DoD Basic Assessment and upload the required six pieces of information to the SPRS portal.
2 – DFARS clause 252.204-7020 states “This clause applies to covered contractor information systems that are required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, in accordance with Defense Federal Acquisition Regulation System (DFARS) clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, of this contract.”
3 – Has your customer, prime or other, asked if you have completed the DoD Basic Assessment?
4 – This requirement applies to almost every Department of Defense solicitation. The requirement does not apply to procurements below the micro-purchase threshold ($10,000) or to commercial off-the-shelf (COTS) items. While the term "commercial off-the-shelf item" sounds straightforward, the definition is detailed, and in some instances an item that appears to fit the definition may not.
5 – Clause 252.204-7020 is a flow-down clause which requires, “The Contractor shall insert the substance of this clause, including this paragraph (g), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items (excluding COTS items).”
6 – Additionally, DFARS 252.204-7020 prohibits the award of a subcontract or similar vehicle to a business that has not completed a basic assessment and uploaded the required information. The specific language is, “The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800-171 DoD Assessment, as described in www.acq.osd.mil/dpap/pdi/cyber/strategically_assessing_contractor_implementation_of_NIST_SP_800-171.html for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government.”
For additional information on this topic, please contact Marc Violante at firstname.lastname@example.org or 414-270-3600.