Sum IT Up: CMMC News Roundup
Episode: What is DFARS 7019?
Date: June 5, 2025
Host: Summit 7
Episode Overview
This episode of the Sum IT Up podcast continues the "101 series" on DFARS cybersecurity provisions, focusing on DFARS 252.204-7019, titled "Notice of NIST Special Publication 800-171 DoD Assessment Requirements." The hosts break down the purpose, context, and operational impact of the 7019 provision, describe its relationship to other key DFARS clauses, and explain real-world consequences for defense contractors, especially regarding self-assessments and government validation.
Key Discussion Points & Insights
1. DFARS Clause Landscape & Historical Context
- Background: The DFARS (Defense Federal Acquisition Regulation Supplement) “Cyber Series” is a set of clauses and provisions dictating cybersecurity for Defense Industrial Base (DIB) contractors handling Controlled Unclassified Information (CUI).
- Main Clauses Discussed:
- 252.204-7008, 7009, 7012, 7019, 7020 (with 7021 pending finalization)
- Timeline:
- 7008 and 7012 have existed in their current form since 2016.
- 7019 and 7020 were added in November 2020 via an interim final rule, as a response to repeated failures in the self-attestation model and Congressional pressure.
- Purpose of 2020 Rule:
- To introduce verification mechanisms, increase compliance, and enhance security across the DIB.
- “The DFARS clause 252.204-7012 does not provide the DoD verification of a contractor's implementation of basic safeguarding requirements specified in the clause prior to contract award and end of story.” (A, 06:50)
2. Purpose and Mechanisms of DFARS 7019
- Provision 7019 is about awareness and acknowledgment: It notifies contractors they are responsible for conducting, documenting, and uploading self-assessment results (scores) to the Supplier Performance Risk System (SPRS).
- Main relationship: 7019 → makes you aware of the requirements in 7020, similar to how 7008 alerts to 7012.
- Core requirement: Contractors must have a current (not older than 3 years) DoD Assessment score on record in SPRS to be eligible for contract award.
- “Ultimately...[the] 7019 provision puts you on the hook. It is making you aware that you are responsible for conducting and documenting self-assessments against the requirements...and then uploading your assessment results as a score to the supplier performance risk system.” (A, 02:25)
3. The Issue with Self-Assessment Scores
- Inaccuracy and Stale Data: Many contractors entered scores years ago (e.g., during the 2020 rush) and have not updated them since. Some of those scores turn out to be wildly inaccurate once validated.
- “...scores are wildly inaccurate once they get validated, or some people have just put the scores in, you know, just to meet whatever the provision is, and...sat on the same score for multiple years.” (B, 11:30)
- Contract Renewal Risk: At contract renewal, contracting officers now request substantiation (“prove your score”), which causes panic when a company cannot produce documentation, or when the completion date on its POAM (Plan of Action & Milestones) passed long ago with no update to the score.
- False Claims Act (FCA) Exposure: There’s a notable uptick in FCA lawsuits and settlements tied directly to misrepresentations in 7019 attestations.
4. Assessment Types Under DoD Assessment Methodology
- Definitions cross-referenced: 7019 points to definitions and specifications in 7020 and the DoD Assessment Methodology (“DoDAM”).
- Basic (Low Confidence):
- Self-assessment, based on the contractor’s review of the SSP using NIST SP 800-171A.
- Most contractors get tripped up here by not using the right process (“if you have uploaded a score and you didn't conduct an assessment via 171A, you can be pretty much guaranteed that your score is wrong...” [A, 21:34])
- Medium (Medium Confidence):
- Conducted by the government; involves in-depth document review, clarification calls, but not full on-site validation.
- High (High Confidence):
- Done by DIBCAC; includes document review, verification, live demonstration, and deep dives into the SSP and implementation.
- SPRS Score Calculation:
- Uses a standard scale ranging from -203 to 110: every unimplemented requirement costs points, weighted by requirement importance.
- Originally, simply having a score on record, regardless of its value, was sufficient for 7019. Increasingly, contracting officers set de facto minimums.
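The scoring arithmetic behind the -203 to 110 range, as an added example that is not part of the podcast or Summit 7 material. The 110-point starting score, the 5/3/1 point weights, the treatment of open POAM items as unmet, and the reduced deduction for partially met 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) follow the public DoD Assessment Methodology; the requirement IDs and weights in `SAMPLE_WEIGHTS`, and the sample assessment, are a constructed subset used for illustration, not the full Annex A table.

```python
"""Worked DoD Assessment Methodology (DoDAM) scoring.

Illustrative code added to this summary; not from the podcast or Summit 7.
The 110-point start, the 5/3/1 weights, scoring open POA&M items as unmet,
and the partial-credit cases for 3.5.3 and 3.13.11 follow the public DoDAM.
SAMPLE_WEIGHTS is a constructed subset of the 110 requirements (assumption),
so scores computed from it treat every unlisted requirement as implemented.
"""
from enum import Enum

MAX_SCORE = 110  # every requirement implemented


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not implemented"
    POAM = "on POA&M"      # open POA&M item: scored exactly like not implemented
    PARTIAL = "partial"    # only 3.5.3 and 3.13.11 define partial credit


# Constructed subset of requirement weights (assumption, not the full table).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.3.1": 5,
    "3.5.3": 5, "3.8.3": 5, "3.13.11": 5, "3.14.2": 5,
}
# 3.12.4 (system security plan) carries no point value: without an SSP there
# is nothing to assess, so no score can be produced at all.
SSP_REQUIREMENT = "3.12.4"
# Reduced deduction when partially met: MFA covering remote and privileged
# users only, or encryption in place that is not FIPS-validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def deduction_ledger(assessment, weights=SAMPLE_WEIGHTS):
    """Return {requirement: points deducted} for every unmet requirement.

    The ledger is the substantiation a contracting officer asks for: each
    entry is a requirement whose evidence must show why it cost points.
    """
    if assessment.get(SSP_REQUIREMENT) is not Status.IMPLEMENTED:
        raise ValueError(f"{SSP_REQUIREMENT}: no system security plan, "
                         "a score cannot be calculated")
    unassessed = sorted(set(weights) - set(assessment))
    if unassessed:
        raise ValueError(f"requirements not assessed: {unassessed}")
    ledger = {}
    for req, weight in weights.items():
        status = assessment[req]
        if status is Status.IMPLEMENTED:
            continue
        if status is Status.PARTIAL:
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req}: partial credit is only defined "
                                 f"for {sorted(PARTIAL_DEDUCTION)}")
            ledger[req] = PARTIAL_DEDUCTION[req]
        else:  # NOT_IMPLEMENTED and POAM cost the full weight
            ledger[req] = weight
    return ledger


def calculate_score(assessment, weights=SAMPLE_WEIGHTS):
    """Summary-level score: 110 minus all deductions."""
    return MAX_SCORE - sum(deduction_ledger(assessment, weights).values())


def minimum_score(weights=SAMPLE_WEIGHTS):
    """Floor for a weight table (every requirement unmet). With the full
    110-requirement table this is the -203 the methodology states."""
    return MAX_SCORE - sum(weights.values())


def reconcile(uploaded_score, assessment, weights=SAMPLE_WEIGHTS):
    """Gap between the score on record in SPRS and what the evidence supports.
    A positive value means the uploaded score overstates the posture."""
    return uploaded_score - calculate_score(assessment, weights)


# Constructed sample assessment of the subset above.
SAMPLE_ASSESSMENT = {
    "3.1.1": Status.IMPLEMENTED, "3.1.2": Status.IMPLEMENTED,
    "3.1.3": Status.POAM,              # open POA&M still costs the point
    "3.1.20": Status.NOT_IMPLEMENTED,
    "3.3.1": Status.IMPLEMENTED,
    "3.5.3": Status.PARTIAL,           # MFA for remote/privileged users only
    "3.8.3": Status.IMPLEMENTED,
    "3.13.11": Status.PARTIAL,         # encryption present, not FIPS-validated
    "3.14.2": Status.NOT_IMPLEMENTED,
    SSP_REQUIREMENT: Status.IMPLEMENTED,
}

if __name__ == "__main__":
    for req, pts in deduction_ledger(SAMPLE_ASSESSMENT).items():
        print(f"{req:8} -{pts}")
    print("score:", calculate_score(SAMPLE_ASSESSMENT))
    print("overstatement if 110 was uploaded:", reconcile(110, SAMPLE_ASSESSMENT))
```

Two points the code makes that the bullets only imply: an item sitting on a POAM is scored exactly like one that was never implemented, so a score only rises when the POAM item is actually closed and the SPRS entry refreshed; and a missing SSP does not produce a low score, it produces no score, which is why an uploaded score without an SSP behind it is indefensible.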
5. Detailed Walkthrough of 7019 Text and Procedures
- Clause Applicability:
- Required in all solicitations where 7012 applies, except those solely for COTS items.
- Stepwise Requirements:
- Conduct a basic self-assessment for each relevant covered contractor information system (CCIS).
- Calculate and upload score via SPRS.
- Be prepared for medium or high assessments by the government.
- SPRS System Evolution:
- Originally, scores were submitted via email; now, SPRS has mature, streamlined online submission steps.
- Only the contractor and appropriate DoD personnel can view the scores.
- Documentation and POAMs:
- Contractors must be ready to produce supporting evidence for their uploaded scores, including proof of closed POAMs.
Notable Quotes and Memorable Moments
On 7019 as a "Telling On Yourself" Clause:
“It feels more so...that this probably should be the telling yourself clause...Not until 7019 did you have to tell somebody what that self attestation was. And that was what started triggering...the flags to say hey, come look at this.”
— B, 04:13
On Score Verification Reality:
“Early on people were just putting in perfect scores and then not really worrying about it...But we're seeing more and more normal average companies ... now being asked to prove that that was true. And they're, they're, they're calling us with panic in their voices.”
— A, 18:51
On Challenges with Self-Assessment:
“If you have uploaded a score and you didn't conduct an assessment via 171A, you can be pretty much guaranteed that your score is wrong and it's probably wrong in the wrong direction, meaning ... you probably have overstated your score...”
— A, 21:34
On the Consequence of Inaccurate Attestation:
“You uploaded a score that you were aware of the implications for via 7019. We're here now under the umbrella of 7020. And the math ain't mathing. So you got some hard questions to answer as a result.”
— A, 25:42
On Current FCA Risks:
“We're starting to see more and more of these FCA cases come to fruition. And the root of those FCA cases are what, realistically, attestations in 7019. So, yeah, even though it's old, the second. Same, same stuff, different day, right?”
— B, 35:52
On Real World Pain Points:
“You don't have an SSP, you uploaded a score, which is impossible, and then you uploaded a different score or you found out that your score was different and you didn't upload it. That'll be $4 million, please.”
— A, 36:16
Important Timestamps & Segments
| Timestamp | Topic |
|-----------|-------|
| 00:02 | Introduction to the episode theme and DFARS 7019 |
| 02:25 | Explanation of how 7019 fits within the DFARS cyber clause structure |
| 04:13 | The “telling on yourself” effect of 7019; shift from silent self-attestation to public scores |
| 05:50 | Origin of the 2020 interim rule (DoD weapon system breaches and Congressional response) |
| 11:30 | First-hand observations: inaccurate/stale scores, contract renewal crisis |
| 13:58 | Who must insert the provision, and how the FAR/DFARS requirements cascade |
| 17:39 | Key requirement: having a current assessment score (no minimum specified in clause text) |
| 18:51 | The lack of a minimum score in official policy; practical realities observed |
| 21:34 | Deep dive into assessment types and common pitfalls |
| 23:13 | Government’s confidence tiers in assessments |
| 30:17 | Updating SPRS procedures, from email to online portal |
| 33:00 | Data visibility and confidentiality within SPRS |
| 35:52 | Reflection on current impact: FCA exposure, contract losses |
| 36:16 | Real-world financial consequences for bad attestation |
Summary Takeaways
- DFARS 7019 is a pivotal provision that formalizes the process of self-attestation, requiring contractors to put their cybersecurity assessment scores on record in a manner that’s visible to the DoD, increasing both accountability and risk.
- Complacency and inaccuracy (old or false scores, poor documentation) are now leading to real legal and contract consequences—especially as scores are reviewed at renewal.
- Organizations must not only perform accurate self-assessments leveraging NIST SP 800-171A, but keep records current, and prepare for possible government validation (medium/high assessment).
- Contractors should expect increased scrutiny and should update (and be able to justify) their entries in SPRS to avoid FCA exposure and contract disqualification.
For more on related clauses:
Check out the podcast’s prior episodes on DFARS 7008 and 7012, as referenced by the hosts: understanding those is critical, since everything in the DFARS “cyber series” orbits around 7012’s requirements.
End of summary. For specific procedures on uploading scores or conducting assessments, refer to official SPRS guides and DoD documentation as recommended by the hosts.
