What are the most common pitfalls with DFARS 252.204-7019?

Not having a current SPRS score at the time of proposal • Letting a score expire after 3 years • Inflating the self-assessment score (False Claims Act risk) • Confusing the DoD Assessment with CMMC certification (related but distinct)

DFARS ClauseCybersecurity

DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements

Requires offerors on DoD solicitations involving CDI to have a current Basic, Medium, or High self-assessment score posted in the Supplier Performance Risk System (SPRS).

View official clause text on acquisition.gov

When This Clause Applies

Included in solicitations expected to involve Covered Defense Information. Offerors without a current SPRS score are ineligible for award.

What This Means for Contractors

Contractors must complete a self-assessment using the NIST SP 800-171 DoD Assessment Methodology and post the score in SPRS prior to award. Scores expire after 3 years and must be refreshed. Medium and High assessments are conducted by DoD personnel and override Basic self-assessments.

Common Pitfalls

1Not having a current SPRS score at the time of proposal
2Letting a score expire after 3 years
3Inflating the self-assessment score (False Claims Act risk)
4Confusing the DoD Assessment with CMMC certification (related but distinct)

Related Clauses

DFARS 252.204-7012

Safeguarding Covered Defense Information and Cyber Incident Reporting

Requires DoD contractors and subcontractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 security controls and report cyber incidents within 72 hours.

DFARS 252.204-7020

NIST SP 800-171 DoD Assessment Requirements

Contract clause version of the SPRS requirement — flows down to subcontractors and requires score updates during performance.

DFARS 252.204-7021

Cybersecurity Maturity Model Certification Requirements

Implements the CMMC program — requires contractors handling FCI or CDI to achieve and maintain a CMMC certification at the level specified in the solicitation.

Continue Your Research

DoD Procurement Guide

Cybersecurity clauses primarily apply to DoD acquisitions. See DoD's vehicles and small business focus.

NAICS 518210 — Data Processing, Hosting, and Related Services

Find federal contracts under NAICS 518210. Common agencies, set-asides, contract values.

NAICS 541330 — Engineering Services

Find federal contracts under NAICS 541330. Common agencies, set-asides, contract values.

Browse Full FAR Clause Library

All FAR and DFARS clauses we've documented with plain-English summaries.

GovCon Compliance Blog

Latest guidance on FAR/DFARS updates, CMMC, NIST 800-171, and capture strategy.

Need help complying with DFARS 252.204-7019?

Aliff helps GovCon firms map clause requirements to deliverables, build compliance evidence, and respond to CO inquiries with confidence.

Schedule a Compliance Review Browse Clause Library