DFARS 252.204-7019 and 7020 Explained (2026): SPRS & CMMC

Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.

By The Defense Compliance Report Editorial Team · Last reviewed: June 2026 · Clauses last verified against primary sources: June 17, 2026

Educational research only — not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level, not a checklist. Do not submit CUI, drawings, export-controlled data, or sensitive contract details through any form on this page.

DFARS 252.204-7019 and 7020, explained in one line: they were the provision-and-clause pair that turned NIST SP 800-171 from a paper promise into a scored, government-verifiable requirement. DFARS 252.204-7019 was a solicitation provision: have a current NIST SP 800-171 assessment score in SPRS — the Department of Defense’s Supplier Performance Risk System — before you could win the award. DFARS 252.204-7020 was the contract clause: the government’s right to conduct its own assessments, post the results in SPRS, and require subcontractor flow-down.

Here’s the part almost nobody explains correctly: as of February 1, 2026, a Revolutionary FAR Overhaul class deviation removed 7019 and renumbered 7020 to DFARS 252.240-7997 — but it did it by deviation, not by rulemaking. The official Code of Federal Regulations still shows 7019 and 7020 today, older contracts still cite them, and solicitations issued under the new deviation use the new number. Both are in play right now.

So the honest answer to “are 7019 and 7020 still required?” is: it depends which clause is in your specific document — and that single fact changes what you have to do next.

Start here: the clause you’re looking at, and the first move it triggers

One honest caveat before we go deeper: a clause number alone cannot tell you whether to hire a readiness consultant, a managed security provider, a compliance-software vendor, an enclave provider, or a certified assessor. Your required level, your FCI/CUI scope, your system boundary, your environment, and your timeline decide that — not the clause number.

DFARS 252.204-7019 and 7020 explained in plain English

DFARS — the Defense Federal Acquisition Regulation Supplement — is the set of contract rules that applies on top of the standard Federal Acquisition Regulation for Department of Defense work. DFARS 252.204-7019 was the pre-award notice telling offerors they needed a current NIST SP 800-171 assessment in SPRS when the standard applied. DFARS 252.204-7020 was the contract clause that let the government conduct its own assessments, post the results in SPRS, and require subcontractor flow-down.

The two didn’t appear out of nowhere. They came from the DoD’s November 2020 interim rule (DFARS Case 2019-D041), which created three at once — 7019, 7020, and the CMMC clause 7021 — to fix a problem the government had quietly tolerated for years. DFARS 7012 had required contractors to implement NIST SP 800-171 on covered systems no later than December 31, 2017, but it had no real verification mechanism. Contractors checked a box. Nobody checked the contractors. The 2020 rule added the teeth.

Two terms you’ll see throughout, defined once:

• FCI (Federal Contract Information):information provided by or generated for the government under a contract that isn’t intended for public release. It triggers the lighter, 15-requirement safeguarding baseline.
• CUI (Controlled Unclassified Information): more sensitive government information — controlled technical data, drawings, specifications — that triggers the full 110-requirement NIST SP 800-171 standard. In DFARS 7012, the related term is Covered Defense Information (CDI).

7012 = protect CUI and report incidents. 7019= the pre-award “show me your score” notice. 7020= the government’s assessment-access and flow-down clause. 7021 / 7025 = the CMMC certification and status path. 252.240-7997 = the 2026 deviation number now carrying the assessment-requirements language.

Are DFARS 7019 and 7020 still in effect, or were they replaced by 252.240-7997?

Both answers are true at the same time, and that’s not a dodge — it’s the actual state of the regulations. For solicitations and contracts issued under the 2026 Revolutionary FAR Overhaul class deviation, the NIST SP 800-171 assessment requirements now appear under DFARS 252.240-7997, and the standalone 7019 provision was dropped. But the deviation was issued withoutformal rulemaking, so 7019 and 7020 still sit in the codified Code of Federal Regulations, older contracts still cite them, and prime templates haven’t all been updated.

What the Revolutionary FAR Overhaul actually did

In late 2025, the government launched the Revolutionary FAR Overhaul (RFO) — a sweeping effort to rewrite federal acquisition regulations in plainer language and consolidate scattered requirements. On February 1, 2026, a batch of FAR and DFARS class deviations took effect to implement the first phase.

Under DARS Tracking Number 2026-O0025:

• DFARS 252.204-7019 was removed.The standalone “submit a Basic self-assessment score to SPRS to be eligible” provision no longer appears in deviation-based solicitations. Where a contract requires CMMC, the self-assessment, status, and affirmation path now runs through the CMMC rule at 32 CFR Part 170 and DFARS 252.204-7021/7025.
• DFARS 252.204-7020 became DFARS 252.240-7997 — and it was substantively modified, not just renumbered. The new clause drops the “Basic” self-assessment concept and defines only Medium and High assessments, both conducted by the government using NIST SP 800-171A. It points to the assessment methodology codified in the CMMC rule at 32 CFR 170.24.
• FAR 52.204-21 — the 15-requirement FCI safeguarding clause — became FAR 52.240-93, same title and same requirements, under a new FAR Part 40.

What did not change

This is where contractors over-correct. The deviation did not touch:

• DFARS 252.204-7012 — the safeguarding and 72-hour incident-reporting clause is unchanged and in full force.
• DFARS 252.204-7021 and 252.204-7025 — the CMMC contract clause and solicitation provision are unchanged.
• 32 CFR Part 170 — the CMMC Program Rule that governs levels, status, and affirmations is untouched.

Removing 7019 did not remove your obligation to implement NIST SP 800-171, maintain a System Security Plan, report incidents, or hold the CMMC status your contract requires. It reorganized where the assessment lives, not whether you owe one.

Why you’re seeing two different clause numbers

Because the change rides on a class deviation, the legacy clauses remain on the books. When we checked the eCFR on June 17, 2026, Title 48 was current as of June 2, 2026 (last amended May 7, 2026), and both 252.204-7019 and 7020 were still right there in the regulation text. Comply with whichever clause appears in your specific document.

The 2026 DFARS cyber-clause crosswalk

What we actually verified for this table. On June 17, 2026 we confirmed on the eCFR that 48 CFR 252.204-7019 and 252.204-7020 are still codified (Title 48 current as of June 2, 2026; last amended May 7, 2026). We read DoD Class Deviation 2026-O0025 (Revolutionary FAR Overhaul, DFARS Part 240), which directs contracting officers to use DFARS 252.240-7997 and removes the standalone 252.204-7019 provision in deviation-based solicitations.

→ Not sure whether your document is on the legacy path or the deviation path? Find My CMMC Path walks you through the clauses you actually have and maps them to your next step — no CUI required.

What did DFARS 252.204-7019 require before award?

DFARS 252.204-7019 required an offeror that had to implement NIST SP 800-171 to have a current assessment — generally not more than three years old — verifiable in SPRS for each relevant system before it could be considered for award. (DFARS 252.204-7019, Acquisition.gov)

NIST SP 800-171, Revision 2, is the standard at the center of all of this: 110 security requirements organized into 14 control families. The 7019 provision didn’t ask you to attach a full report. It asked you to confirm a summary-level score was in SPRS. Here’s the full field set — what each field actually requires and where contractors go wrong.

That last field matters and is widely misunderstood. 7019 did not require a perfect 110 to win an award. It required you to post your real score and, if you were below 110, to state when your Plan of Action and Milestones (POA&M) would close the gap. The point was honesty about where you stood — not a pass/fail gate at 110. The temptation buried in that design — post a flattering number and sort it out later — is precisely what put one contractor into a multimillion-dollar settlement. We’ll get to that.

What did DFARS 252.204-7020 require — and what does 252.240-7997 require now?

DFARS 252.204-7020 required contractors to give the government access to their facilities, systems, and personnel for a Medium or High NIST SP 800-171 assessment when necessary, to keep summary scores posted in SPRS, and to flow the requirement down to subcontractors. Its 2026 successor, DFARS 252.240-7997, keeps the government Medium and High assessments and drops the “Basic” self-assessment concept entirely. (DFARS 252.204-7020, Acquisition.gov)

Where 7019 was about getting in the door (be eligible), 7020 was about what happens after you’re in (oversight and accountability). Three obligations sat at its core: assessment access, SPRS posting, and subcontractor flow-down.

Basic, Medium, and High are not the same thing as “my self-score”

There are three assessment tiers, and they differ by who runs them and how much the government trusts the result.

DCMA is the Defense Contract Management Agency; DIBCAC is its Defense Industrial Base Cybersecurity Assessment Center — the team that conducts government assessments in practice. A High assessment isn’t a paperwork review. It’s a verification, examination, and demonstration that your real-world implementation matches what your SSP claims. A Medium assessment can be escalated to a High at the government’s discretion. The practical takeaway: if the government has assessment authority over your contract, your controls need to be demonstrable, not aspirational.

How the score is actually calculated

The NIST SP 800-171 DoD Assessment Methodology is the scoring system behind every SPRS number. It’s worth understanding, because it explains how a contractor can end up deeply negative.

The rebuttal window and the flow-down

Two operational details survive into 252.240-7997. First, there’s a built-in 14-business-day rebuttal window — contractors get 14 business days to provide additional evidence or challenge questioned findings before the government posts the summary score to SPRS. Second, the flow-down: the contractor must insert the substance of the clause into subcontracts and other contractual instruments, excluding commercially available off-the-shelf items.

If a government Medium or High assessment is a realistic prospect and your evidence isn’t organized, that’s a readiness problem, not an assessment problem. → Compare provider categories with Find My CMMC Path to see what kind of help that calls for.

How do these clauses connect to DFARS 252.204-7012?

DFARS 252.204-7012 is the foundation: it requires you to safeguard Covered Defense Information by implementing NIST SP 800-171 and to report cyber incidents to the DoD within 72 hours. 7019, 7020, and 252.240-7997 are the proof mechanisms layered on top. (DFARS 252.204-7012, Acquisition.gov)

One 7012 detail catches contractors off guard: if you use an external cloud service provider to store, process, or transmit Covered Defense Information, that provider must meet security requirements equivalent to the FedRAMP Moderate baseline.A commercial email or file-sharing service that hasn’t met that bar can quietly put you out of compliance with 7012 no matter what your self-score says. This is exactly what happened in the enforcement case below.

Here’s the information-type trigger map — and what not to assume:

For the full control set, see our NIST 800-171 requirements checklist — the 110 Rev. 2 requirements mapped to the evidence that proves each one.

How do 7019, 7020, and 7997 relate to CMMC (DFARS 252.204-7021 and 7025)?

DFARS 252.204-7021 is the CMMC contract clause that requires you to hold and maintain the CMMC level and status your contracting officer inserts. DFARS 252.204-7025 is the solicitation notice that makes that status a pre-award eligibility issue. A NIST SP 800-171 SPRS score and a CMMC status are related but are not the same thing. (32 CFR Part 170)

CMMC adds a formal status-and-affirmation requirement. Depending on the solicitation, that status is Level 1 (Self), Level 2 (Self), Level 2 (C3PAO certification), or Level 3 (DIBCAC). The CMMC Program Rule at 32 CFR Part 170 became effective December 16, 2024.

SPRS keeps separate areas for NIST SP 800-171 assessments and for CMMC assessments (SPRS Software User’s Guide for Awardees/Contractors). So when a prime says “send me your SPRS score,” the right first question is which one — a NIST assessment record, or a CMMC status with a CMMC UID and affirmation?

• CMMC Level 2 maps to NIST SP 800-171 Revision 2 — the same 110 requirements — under the current 32 CFR Part 170 structure. It does not map to Revision 3 for CMMC purposes unless and until DoD amends the rule.
• CMMC rolls out in phases. Phase 1 runs November 10, 2025 through November 9, 2026, focused largely on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026, bringing broader Level 2 certification requirements where applicable (DoD CIO, About CMMC).

For the level-by-level picture, see our explainer on CMMC Level 2 self-assessment vs. C3PAO, and for the SPRS mechanics, how to verify a company’s CMMC status in SPRS.

Do you still need an SPRS score or a CMMC entry right now?

Probably — but what kind depends entirely on which clauses are in your document. A legacy 7019/7020 path points to a NIST SP 800-171 assessment record in SPRS. A CMMC 7021/7025 path points to a CMMC status, CMMC UID, and annual affirmation in SPRS. Many contractors now have reasons to maintain both, and a prime email alone tells you neither.

1. Does your document include DFARS 252.204-7025?If yes, find the required CMMC level and assessment type — and remember it’s a pre-awardeligibility requirement, so don’t plan to solve it after award.
2. Does it include DFARS 252.204-7021? If yes, current CMMC status and a current annual affirmation are contract obligations you must maintain.
3. Does it include DFARS 252.240-7997?If yes, you’re on the deviation path — prepare for the possibility of a government Medium or High NIST SP 800-171 assessment.
4. Does it include legacy 7019 or 7020? If yes, confirm whether the document is older, codified, or a stale prime template — then verify the right NIST assessment record is current in SPRS.
5. Does it include only 7012? If yes, your first job is implementing NIST SP 800-171 and meeting any contract-specific proof requirement.
6. Is it just a prime’s email or a PO note? Then your first move isn’t to post anything — it’s to ask for the exact clause, level, scope, and deadline.

What exactly should you verify in SPRS before you respond?

Before you answer a prime or contracting officer, confirm whether the request points to the NIST SP 800-171 assessment area or the CMMC assessment area of SPRS — they’re different records. For a NIST record, check the assessment date, score, scope, CAGE codes, SSP name and version, confidence level, and POA&M completion date where applicable. For a CMMC record, check the level, status, CMMC UID, scope, and the annual affirmation date.

The single most common avoidable mistake: a stale or expired annual affirmation on a CMMC record. Your status can be real and still read as non-current if the affirmation has lapsed — so calendar it. For the SPRS mechanics, see our guide to SPRS scores and CMMC affirmations.

Is DFARS 7020 the same as CMMC?

No. DFARS 252.204-7020 (now 252.240-7997) governs NIST SP 800-171 assessmentmechanics — especially the government’s right to conduct Medium and High assessments. CMMC governs certification status, through DFARS 252.204-7021 and 252.204-7025 and the program rule at 32 CFR Part 170. They overlap on NIST SP 800-171 and on SPRS, but they answer different questions.

7020 / 7997 asks: Can the government assess your NIST SP 800-171 implementation, and is your score posted?

7021 / 7025 asks: Do you hold the CMMC status and affirmation your contract requires to be eligible and to perform?

A contractor can be perfectly fine on one and exposed on the other. Treating a NIST SPRS score as a CMMC certificate — or assuming a 7020/7997 clause means you need a third-party assessment when your scope only involves FCI — is a common and expensive misread. See our CMMC levels explainer for the full level-by-level picture.

What should a subcontractor verify when a prime flows down 7019, 7020, 7997, or CMMC?

Don’t treat a prime’s email as the full requirement. Ask for the actual clause text and the specifics around it, because the wrong assumption here can cost you a subcontract or push you into spending you didn’t need.

Before you respond to a prime, a contracting officer, or an assessor, get answers to these:

• The exact clause number and where it appears (solicitation, contract, purchase order, or a terms-and-conditions attachment).
• The contract or subcontract date — which tells you legacy-number vs. deviation-number.
• Whether FCI only or CUI is being flowed down.
• The required CMMC level, if any.
• The assessment path: self-assessment, C3PAO, or DIBCAC.
• The system boundary the requirement applies to.
• The CAGE code(s) involved.
• Exactly what evidence is being requested — a NIST SPRS score, a CMMC status, a CMMC UID, an affirmation, or screenshots.
• The deadline.
• Whether any CUI is being requested through an insecure channel (it shouldn’t be).

For the full picture, see our guide to CMMC flow-down requirements for primes and subcontractors.

The $4.6 million lesson: why an inaccurate SPRS score is now a legal liability

The biggest mistake contractors make with 7019/7020 isn’t misunderstanding the clauses — it’s posting a score that doesn’t reflect reality. In March 2025, that exact mistake led to a $4.6 million False Claims Act settlement.

On March 26, 2025, the Department of Justice announced a $4.6 million settlement with MORSECORP, Inc. (MORSE), a Cambridge, Massachusetts contractor serving the Army and Air Force. The case came from a qui tamwhistleblower complaint filed by MORSE’s own Head of Security and Facility Security Officer — alleging the company failed to satisfy DFARS 252.204-7008, 7012, 7019, and 7020. The whistleblower received roughly $851,000 of the settlement. (U.S. Department of Justice, Office of Public Affairs)

The numbers are what make it stick. MORSE posted a NIST SP 800-171 self-assessment summary score of 104 in SPRS in January 2021. After a third-party gap analysis, the real picture emerged: it had implemented roughly 22% of the controls, and its actual summary score was −142. MORSE did not update its score until June 2023 — months after the government had served it with a subpoena.

The settlement resolved allegations; the whistleblower complaint alleged violations of DFARS 252.204-7008, 7012, 7019, and 7020. The facts above are drawn from the DOJ announcement and settlement agreement.

We’re not citing this to scare you — we’re citing it because it’s the most concrete public proof of a point that’s easy to wave away: a SPRS score is a representation to the federal government, and an inflated one is a legal exposure, not just a technical gap. The gap between 104 and −142 is the gap between “we think we’re basically there” and “we’ve implemented about a fifth of this.”

If this produced a small knot in your stomach about your own score, that instinct is worth acting on. If you’re not ready to talk to anyone yet, work through the NIST 800-171 requirements checklist and compare your evidence against the 110 Rev. 2 requirements before you touch SPRS. When you are ready: → Get matched to the provider category that fits your situation — and keep readiness work and formal assessment separate, which the C3PAO independence rules require.

What provider category fits this problem?

The right category depends on what you actually need: implementation and readiness, managed security operations, evidence and workflow software, a scoped CUI enclave, or a formal assessment. The clause in your contract, your FCI/CUI scope, your environment, and your timeline decide it.

Vocabulary, defined once:

• RPO / RP (Registered Provider Organization / Registered Practitioner):advisors registered with the CMMC ecosystem who help you get ready — scoping, SSP, POA&M, implementation guidance.
• MSSP (Managed Security Service Provider): runs security operations and managed compliance, often including Microsoft Government Cloud or GCC High environments.
• GRC platform: governance, risk, and compliance software that organizes your evidence, control mapping, policies, and affirmation workflow.
• CUI enclave: a scoped, hardened environment that confines where CUI lives so you can shrink your assessment boundary.
• C3PAO (Certified Third-Party Assessment Organization): the organization authorized to conduct a CMMC Level 2 certification assessment.

On that last one, a rule worth stating plainly: a C3PAO cannot both prepare you and certify you. Under the CMMC Assessment Process and the Cyber AB Code of Professional Conduct, a C3PAO is barred from conducting your Level 2 certification assessment if it provided you CMMC consulting or implementation services, generally within the prior three years. Treat any assessor who offers to remediate and then certify the same work as a red flag.

The table below is editorial routing guidance from The CMMC Path Framework — it maps your situation to a provider category, not a named provider, and it is not a regulatory requirement, a certification guarantee, or a ranking.

For the full provider-category picture, see our guide to which CMMC provider category to hire first.

Frequently asked questions

What we verified for this article

We treat regulatory facts as the kind of claims that have to be right. Here’s what we checked and when.

How we report this. Every regulatory claim on this page links to a primary source — Acquisition.gov, the eCFR, the DoD class-deviation memo, 32 CFR Part 170, the DoD CIO, SPRS, and the Department of Justice — and we re-verify these items on a monthly cadence during the FAR Overhaul transition. See our editorial standards and corrections policy.

Limitations, stated plainly. We are not your contracting officer, and this is not legal advice. The exact clause in your specific solicitation, contract, or flow-down controls — older contracts and prime terms may still carry the legacy numbers, and the class deviation remains in effect until it is rescinded or folded into formal rulemaking. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance, and is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, SPRS, or any U.S. government agency.

Related from The Defense Compliance Report

• NIST 800-171 requirements checklist: 110 Rev. 2 controls + evidence
• How to verify a company’s CMMC status in SPRS
• CMMC Level 2 self-assessment vs. C3PAO
• CMMC flow-down requirements for primes and subcontractors
• CMMC vs NIST 800-171: same controls, different job

Next decision pages

Or keep going at your own pace: CMMC levels explained · what CMMC Level 2 actually costs · which CMMC provider category to hire first · Find My CMMC Path.

The Defense Compliance Report is the independent CMMC decision layer for defense contractors. Clause first, provider second. Last reviewed: June 2026.