What are the most common pitfalls with DFARS 252.204-7020?

Not verifying subcontractor SPRS scores before award • Skipping flow-down to lower-tier subs • Not updating scores after major IT changes

DFARS ClauseCybersecurity

DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements

Contract clause version of the SPRS requirement — flows down to subcontractors and requires score updates during performance.

View official clause text on acquisition.gov

When This Clause Applies

Required in all DoD contracts and subcontracts (above SAT for non-commercial; in all CDI-handling commercial item contracts).

What This Means for Contractors

Primes must verify subcontractors have current SPRS scores before awarding subcontracts that involve CDI. Both primes and subs must update SPRS scores throughout performance and after any material change in posture.

Common Pitfalls

1Not verifying subcontractor SPRS scores before award
2Skipping flow-down to lower-tier subs
3Not updating scores after major IT changes

Related Clauses

DFARS 252.204-7012

Safeguarding Covered Defense Information and Cyber Incident Reporting

Requires DoD contractors and subcontractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 security controls and report cyber incidents within 72 hours.

DFARS 252.204-7019

Notice of NIST SP 800-171 DoD Assessment Requirements

Requires offerors on DoD solicitations involving CDI to have a current Basic, Medium, or High self-assessment score posted in the Supplier Performance Risk System (SPRS).

DFARS 252.204-7021

Cybersecurity Maturity Model Certification Requirements

Implements the CMMC program — requires contractors handling FCI or CDI to achieve and maintain a CMMC certification at the level specified in the solicitation.

Continue Your Research

DoD Procurement Guide

Cybersecurity clauses primarily apply to DoD acquisitions. See DoD's vehicles and small business focus.

NAICS 518210 — Data Processing, Hosting, and Related Services

Find federal contracts under NAICS 518210. Common agencies, set-asides, contract values.

NAICS 541330 — Engineering Services

Find federal contracts under NAICS 541330. Common agencies, set-asides, contract values.

Browse Full FAR Clause Library

All FAR and DFARS clauses we've documented with plain-English summaries.

GovCon Compliance Blog

Latest guidance on FAR/DFARS updates, CMMC, NIST 800-171, and capture strategy.

Need help complying with DFARS 252.204-7020?

Aliff helps GovCon firms map clause requirements to deliverables, build compliance evidence, and respond to CO inquiries with confidence.

Schedule a Compliance Review Browse Clause Library