A
All right folks, it is June of 2025. Fun fact. Did you know that June 2nd was the exact halfway point through 2025? So every day that goes by after that, we are closer to 2050 than we are to 2000. So in order to help contemplate your mortality, we're gonna pick up where we left off with the basic 101 series on DFARS cyber security provisions and clauses that we started at episode 100, and we're going to continue that series today by talking about DFARS provision 252.204-7019.
B
You know what makes me contemplate my mortality is the fact that in Washington D.C., you just mentioned to me that we are through half of the year and I've maybe had three good weather golf days in the first six months. The first half of this entire thing. I don't think that I enjoy eight-dollar-a-gallon gas enough to move out to California so I can golf all year like you. But I am a little disappointed. You know, D.C., help me out. The weather gods, Mother Nature, help your boy out. The fade's not working right now.
A
Yeah, I don't, I don't know what. I don't know, man. I don't know what to tell you. There's trade-offs with everything. That's what I'll say. Anyways, DFARS provision 7019, titled Notice of NIST Special Publication 800-171 DoD Assessment Requirements. So if you recall from episode 100 and episode 101 just a few weeks ago, the DFARS Cyber series is a set of five solicitation provisions and contract clauses that govern cybersecurity requirements for defense contractors handling controlled unclassified information. They are DFARS 7008, 7009, 7012, 7019, and 7020. Eventually, the CMMC program will add two more items to this list for a total of seven things. Ironically, they will be DFARS clause 7021 and a provision that we don't have the final number for until the 48 CFR CMMC final rule comes out. So sometime later in 2025 as of this conversation. So like we talked about, we previously talked about DFARS provision 252.204-7008 and DFARS clause 252.204-7012. Just briefly, the provision 7008 makes you aware of the requirements in the clause 7012. And just like that relationship, when we look at 7019, the provision DFARS 252.204-7019 makes you aware of your requirements in clause 252.204-7020. But the way that they're written isn't quite as clear cut as 7008 and 7012. But that's the general relationship between the two of them. Ultimately, just like 7008 puts people on the hook for self-attesting their compliance with the terms outlined in the 7012 clause, the 7019 provision puts you on the hook. It is making you aware that you are responsible for conducting and documenting self-assessments against the requirements pursuant to DFARS clause 7012 and then uploading your assessment results as a score to the Supplier Performance Risk System.
And as of this conversation, halfway, just over halfway through 2025, a ton of people are getting caught up in this situation with DFARS provision 7019, either through False Claims Act lawsuits and settlements, contract non-renewals because they uploaded scores that weren't correct and then their contract comes up for renewal and they can't prove why that score was real, or they haven't closed out their POA&M. All this stuff that people are getting hemmed up on stems from this provision 7019 and this clause 7020. And so that's what we're going to talk about today.
B
Yeah, so I understand the reasoning behind the naming conventions that they use for these clauses, but it feels more so, the more that we learn about 7019, that this probably should be the telling-on-yourself clause.
A
Right.
B
Because this was the true first clause in which organizations... Yeah, obviously 7008 makes you self-attest, but not until 7019 did you have to tell somebody what that self-attestation was. And that was what started triggering, like, the flags to say, hey, come look at this. And once people started coming looking at it, it got really ugly really quick. So it was kind of like, I understand why you were keeping it a secret up until now. Right.
A
So some quick background context, big picture information for everybody to get on the same page, since this is the basic series covering all of these clauses. So DFARS 7008 and 7012 (be sure to check out those episodes linked below; they're very important to know) were revised in 2016 via rulemaking. They go all the way back to 2013, but they have existed in their current form unchanged since 2016. However, DFARS 7019, 7020 and 7021 were created in November of 2020 when the DoD issued an interim final rule called Assessing Contractor Implementation of Cybersecurity Requirements. So we went for like four years where there were no regulatory updates. We went from a system of self-attested compliance and then suddenly we've got these new provisions and clauses talking about assessing contractor implementation of.
B
Do you think that was by force or by design?
A
Yes. So as a lot of people know, a bunch of bad stuff happened. A bunch of DoD weapon systems were compromised as a result of controlled unclassified information on contractor networks that had allegedly been implementing their cyber security requirements, but it turned out did not, got stolen by adversarial nations, and then all hell broke loose. Congress got pissed, put a provision into the FY20 NDAA that said come up with a framework for holding people accountable, and then wham, bam, we got a rule at the end of 2020. So ultimately, why did they issue this rule in 2020? It is summed up in the rule itself. And they say the DFARS clause 252.204-7012 does not provide the DoD verification of a contractor's implementation of basic safeguarding requirements specified in the clause prior to contract award, and end of story. Right. With 7008 and 7012 they're just taking your word for it that you have implemented these requirements. They know that that's not true, and so they need a mechanism to have some assurance that those requirements are being implemented. So they need new clauses to stack on top of 7008 and 7012. They go on to say the goal of this rule, the 2020 rule, was to increase compliance with cybersecurity regulations and improve security throughout the DIB. The rule introduced one new provision, 7019, which we're talking about today, and two new clauses, 7020 and 7021, which we're going to cover in future episodes. So a lot of people refer to this 2020 rule as the CMMC rule. CMMC 1.0 was this rule in 2020, but CMMC was only one part of the rule that came out in 2020. The other part of the rule, actually the first part of the rule that's outlined before they get to CMMC, is known as the DoD assessment methodology. So this rule in 2020 directed contracting officers that if the person bidding on the solicitation, if the offeror, is required to implement the requirements in NIST Special Publication 800-171 pursuant to DFARS clause 7012...
So if you need to comply with DFARS 7012, then you must verify, contracting officer, that the offeror has a current NIST SP 800-171 DoD assessment score on record in the Supplier Performance Risk System before you award the contract. Right? So in the past you just accept the terms in 7008 and 7012, and then if you win the contract, you win the contract. Nobody's going to check if you have implemented those requirements.
B
Now everybody was getting off because nobody was checking, nobody was verifying, and then nothing, luckily, was happening. Right? More stuff happened.
A
So then starting in 2020 they said, if you find out, contracting officer, that they are going to be handling this information that would require them to implement it, you have to check and make sure that they have uploaded a self-assessment score into this database that we can all see into. And then it goes on to say that the contracting officer is also directed to include the new provision 7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and the new clause 7020, NIST SP 800-171 Requirements. So the notice of the requirements, and the actual clause that contains those requirements, in solicitations and contracts, including solicitations using FAR Part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of COTS items. This is a carve-out that goes in almost everything. Commercial items are not the same thing as COTS items. So be sure that you double check what's going on if you're borderline. But basically this rule said you need to have them upload a score rather than just taking their word for it. They have to have the score before you give out the award. This applies to commercial items, doesn't apply to COTS items. That's essentially what the rule told them to do. They go on to describe this 7019 provision, and they say this new provision advises offerors required to implement the standards of NIST SP 800-171 that they have a requirement to have a current, which means not older than 3 years, DoD assessment score on record in order to be considered for contract award. The provision requires that offerors ensure the results of any applicable current assessments are posted in the Supplier Performance Risk System. And it provides offerors with additional information on conducting and submitting an assessment when the current one is not posted in SPRS.
We're going to talk about the details of that in a little bit, because that's changed slightly as the SPRS system has become more robust over the years. That's essentially the big picture of how we ended up with 7019 and 7020. They came from the CMMC rule. Ironically, the CMMC rule was not just CMMC. There were various assurance mechanisms that were prescribed by that rule in 2020. So even though CMMC only went into effect in December of 2024, the CMMC rule that came out in 2020 has had 7019 and 7020. But, you know, they're perfectly fine. They've been in black and white as regulations all along, and now people are starting to get stuck on what those mean as their contract renewals come up.
B
Yeah, but even as we have 7019, what we're seeing come into play, realistically, not to dig too deep into it, is either one, the scores are wildly inaccurate once they get validated, or some people have just put the scores in, you know, just to meet whatever the provision is. And the score hasn't changed since the time they put it in, since 2019, 2020.
A
2021.
B
Whenever they initially put that one in to meet that rush, you know, remember that rush of everybody had to put their SPRS score in. It just... That was the score that was there. And they've sat on the same score for multiple years. And I think that we've both seen in the wild a lot of conversations happening where that is actually the case.
A
Yeah, I mean, at the self-assessment level, which we'll talk about the different assessment levels, but at the self-assessment level under 7019, 7020, it's basically just self-attestation with more steps. Okay, so let's get into the actual text of 7019. It's really not that long, and once you understand the general concept, it's pretty straightforward. So the very first line of 7019, just like the other provisions and clauses that we've talked about, says, as prescribed in 204.7304, paragraph D, use the following provision. What the heck does that mean? Don't panic, everybody. Remember, the FAR, the Federal Acquisition Regulation, and agency supplements like DoD's Defense FAR Supplement, the DFARS, are way more than just the text of the provisions and clauses that show up in your paperwork, in your solicitations, your contracts, your purchase orders, whatever, right? Most of the FAR and the DFARS is made up of instructions for contracting officers and their representatives. The portion that is just the clauses and the provisions is one tiny part of the overall world of the FAR and the DFARS. So we've looked at 204.7304 in previous episodes. We'll have it up on the screen. It just lists the clauses and provisions that need to be inserted. And this is because they're all related to cybersecurity, which is why we call it the DFARS cyber series of provisions and clauses.
B
And then, basically, within, you know, 7304 it kind of lists, in this case, you must insert this. It's not optional for you to insert this. It makes it plain as day: if this is happening, this clause has to persist. So it's not contracting officers just willy-nilly slinging it in there because they want to. It's because it's a condition.
A
Yeah. I mean, it's giving them instructions for what to do. And so at the very beginning it says, you know, look at 204.7304 and do what it says. And if you go to paragraph D it says use the provision 252.204-7019 in all solicitations, including solicitations using FAR Part 12 for commercial products, except for COTS items. Right. If you have obligations pursuant to 7012 because you deal with CUI, put 7019 into the contract and into the solicitation, because 7020 is going to come along with it. If you have to implement these cybersecurity requirements to protect our data, you have to conduct at least a self-assessment and upload that score, and then be ready for additional work if we decide that it's relevant in these provisions and clauses. Okay, so if you keep going, in DFARS 7019 we start off with definitions, right? Every one of these things is going to start off with definitions, and it seems very tedious and ticky-tacky, but it's very, very important to pay attention. Not a lot of definitions going on in this provision. Basic assessment, medium assessment and high assessment have the meaning given in the clause 252.204-7020. So things are getting murkier here because we're now cross-referencing clauses and previous things. The only other definition they have listed is covered contractor information system, which is defined in DFARS 7012. So to find the definitions that are used in this provision, you got to go look at other clauses to go find them. Right? This is a very common theme. We're not going to go into the definitions of basic, medium and high right now, because we're going to get into the explanations of what those are in just a second. But just to review, a covered contractor information system is an unclassified information system that is owned by or operated by or for a contractor that possesses, processes, stores, transmits covered defense information. So it's your system, it's not the government system. It's not a system you're operating for the government.
It's your system that's handling their data. Right. And so if their covered data is on your system, it is a covered contractor information system, in contrast to a federal information system, which can be operated by contractors. But that's not pretty much anybody who's listening to this podcast. Okay, so we're going to talk about the definitions of these various assessments. Because listing them out at the top would take a lot of time, it makes more sense to cover them in a little bit. So paragraph B is the requirement that you're being made aware of. And it says, in order to be considered for contract award, if the offeror is required to implement NIST SP 800-171 pursuant to 7012, then the offeror shall have a current assessment for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order. A current assessment means an assessment that's not more than three years old, unless it's otherwise specified, some sort of time frame. And the basic, medium and high DoD assessments are described in a document called NIST SP 800-171 DoD Assessment Methodology. So to be considered for award, if you need to do the things that are in 7012, you must have an assessment score uploaded to SPRS that is current. And there are a couple forms of assessment that could take place that would populate that score in this database. And that's the requirement that you're being notified of.
B
And then just a couple points of clarification. One, the score which you uploaded into SPRS, it didn't have to have a minimum threshold, it just had to be there.
A
Yeah. Nope. And as far as this says in the requirement, the requirement section of this provision, it doesn't say you have to have a minimum score, or that there's a perfect score. It doesn't tell you anything about scores. It's fair to have a score.
B
And this may be, you know, knowledge that we're probably not privy to, but like in your conversations that you've had with multiple people that have worked in contracts, was there any inclination that a higher SPRS score would lead to more favorable results when it came to contract award?
A
Not specified in policy. So there's nothing about the policy and the rule, there's nothing about the language in the provision and the clause itself, that says better score, better; worse score, worse. Minimum score is a cutoff. Maximum score is the minimum. None of that, none of that. What we've seen over the years, though, is that contracting officers and program managers have a lot of discretion, where they say we only want people who have a perfect score. We only want people who have above a certain minimum score.
B
Yeah, but a self-attested perfect score isn't exactly what it's chalked up to be, Jacob.
A
For sure. Except now in certain situations that we're seeing where people attested to having a given score, and then contract renewals come up and the contract officer says, can you please provide me all the documentation that proves that this is true, and they can't. And then they got a big problem, right? So early on people were just putting in perfect scores and then not really worrying about it. Maybe they got caught up with DIBCAC, maybe they got caught up with DOJ. But we're seeing more and more normal, average companies that had any given score in the system now being asked to prove that that was true. And they're calling us with panic in their voices.
B
The DIBCAC variance was like a hundred points off, right? 100 points worse than what it actually was. So could you imagine being one of those bougie suppliers and you're like, yeah, I only want 110s, and they're like, yeah, we got a 110. And then they go... And then all of a sudden it gets verified and they're like, negative.
A
Yeah, it's a big, big problem. So they keep referencing these assessments and this assessment breakdown in what's known as the DoD assessment methodology. So we're not going to go into all the details of what's known as the DoDAM, the DoD Assessment Methodology. That's probably for a future episode. What you need to know is that the DoDAM has two major parts. There are the assessment methods, basic assessments, medium assessments, high assessments, and then there's the scoring methodology, which people are very familiar with. This has how you end up with what's known as your SPRS score, which goes from negative 203 to a perfect 110 and everything in between. This is the one that breaks down the individual requirements in NIST SP 800-171 as either 1-point requirements, 3-point requirements or 5-point requirements. So that is contained in the DoD assessment methodology that was created in 2020. Nowadays the CMMC program has adopted that scoring methodology, and they have minimum requirements and only certain things can be on POA&Ms. But none of that is outlined in the DoDAM. It doesn't say certain things can be on POA&Ms or not. It just says here's how you calculate the score, if you have things implemented or if you don't have them implemented. And the only real thing to know about the assessment methods is who's doing them. Basic assessments are self-assessments. Medium assessments are conducted by the government. And that's basically it, as far as what the DoDAM says at a high level. Be sure to read it if you haven't read it, especially if you've been uploading scores into SPRS. But we'll go into more details of how that works probably in a future episode.
B
And not everybody does basic, medium and high. Everybody does basic, right? Everybody's required to do basic, and then medium and high are at the discretion of DIBCAC, whether they choose to go after the duty.
A
Yes, exactly. So this is why we waited to talk about what the basic, medium and high assessments are defined as. Because now that we're talking about the DoDAM, there's some extra information that's helpful in that document to flesh out the definitions that are in the 7019 clause. So a basic assessment means a contractor's self-assessment of their implementation of NIST SP 800-171. It's based on the contractor's review of their system security plan for the associated covered contractor information systems, and it's conducted in accordance with the NIST SP 800-171 assessment methodology, which, when you crack open the DoDAM document, it says that assessments are conducted in accordance with NIST SP 800-171A, 171 Alpha. So if you have uploaded a score and you didn't conduct an assessment via 171A, you can be pretty much guaranteed that your score is wrong, and it's probably wrong in the wrong direction, meaning you probably have overstated your score, when in reality your score is going to be much, much lower. Which is why, as you said, we've heard DoD's DIBCAC audit team come out and say, when they show up to verify a contractor self-assessment, the scores are like a hundred points worse, because most people don't use 171A in order to calculate the scores for what's going on when they're doing their self-assessment.
B
And that was one of the caveats. Right? They said that a majority of the organizations where they ran into problems with the scoring variance, it was the fact that they didn't consider the assessment objectives, just the controls, and it was a lot harder.
A
Absolutely. And they go on to say that they refer to these basic assessments as low confidence assessments, because the scores are self-generated. The government just doesn't have a lot of confidence that you've done them correctly, because, like I said, it's basically just self-attestation with more steps. Now, they call it a basic assessment even though it's a low confidence assessment. The other assessments are called medium and high because they have medium and high confidence. So to me a basic assessment should be a low assessment, but, you know, whatever. I don't make the rules, I just read them. Anyways, a medium assessment means an assessment that's conducted by the government, and it consists of a review of the contractor's basic assessment, a thorough document review (so they're going to be looking through the SSP and things like that), discussions with the contractor to obtain additional information, clarification. From what we've gathered from the folks at DIBCAC, these are often done over the phone. You get a phone call from DIBCAC that's like, hey, explain this to us, can you tell us more about this? And it results in a medium confidence score. So they're not going through a full-blown on-site assessment, but they are digging a little bit deeper into what you claimed was actually true. So that's the medium assessment. This is done by the government, and it may or may not happen. Right. This is not a thing that you absolutely will experience, but 7019 is making you aware that you are agreeing to the fact that you could experience it if the DoD wants to. Right.
B
And that's what this entails, is basically, if we want to go that far, but we don't want to actually test the implementations, this is the way that...
A
We're going to go. Yeah, we got some questions about what you put in here, and we're allowed to ask them because you agreed that we're allowed to ask you. Please read 7019 and 7020. Okay, so then the final form of assessment under this DoD assessment methodology is a high assessment. Sometimes people refer to this as a DIBCAC High, because DIBCAC are the ones that run these assessments. And this means an assessment that is conducted by the government, i.e., DIBCAC, using NIST SP 800-171A, that consists of a review of the contractor's basic assessment, a thorough document review, verification, examination and demonstration of a contractor system security plan to validate that NIST SP 800-171 security requirements have been implemented as described in the contractor's SSP, and discussions with the contractor to obtain additional information, clarification as needed. This results in a high confidence score. The DoD is very confident at what score is going to come out of this assessment, because just listen to what's involved. The key thing to know here, though, is that not only are they running through an assessment of 171A, it involves a review of your basic assessment. The medium assessment involves a review of your basic assessment. Right. So this isn't replacing or standing in lieu of your basic assessment. This is also looking at how you assessed yourself. Which is why people are getting caught up with some sticky issues, because they're like, you told us you were going to do this with 7008 and 7012. You uploaded a score that you were aware of the implications for via 7019. We're here now under the umbrella of 7020. And the math ain't mathing. So you got some hard questions to answer as a result.
B
Yeah, it's just for a variety of reasons. Like I had mentioned previously, some people are just putting the score in there to get that competitive advantage, and then the documentation that they have to have to accompany it carries with them forever, whatever level of confidence that DIBCAC wants to have in their information system. And realistically, it's not until they get in there and they've got their hands on and they're asking you to prove things that they really, truly are confident in what you've done, which makes total sense.
A
Yeah.
B
So I can talk through documentation, like, that's the other thing. You can be a good talker and talk through an SSP, and if the person on the other end of the phone believes it, you're in good shape. You just got a medium confidence 110. But until you get to the high... Yeah, that's where we separate the men from the boys.
A
Yeah, the insurance adjusters got to show up and look at the wreck themselves sometimes. So we talked about the definitions, we talked about the high level concepts. Right. 7012 doesn't have verification. We need verification. We got the rule in 2020. This is one of those mechanisms. In addition to CMMC, we've got the DoD assessment methodology, which has basic, medium and high assessments. Basic assessments, you conduct. Medium and high, they conduct. And these evaluations to calculate a score are done via a standard scoring system: 1, 3 and 5 points assigned to the various requirements in 171. So we're getting to the end here to talk about the procedures that you are being made aware of. And they say the offeror shall verify that the scores of a current NIST SP 800-171 assessment are posted in the Supplier Performance Risk System for all covered contractor information systems relevant to the offer. Exactly what we talked about before. You're going to do this assessment, you're going to calculate a score according to the methods that we tell you, and then you're going to upload that score into this database so we can see it. They say if the offeror does not have a current DoD assessment score in SPRS, they may conduct and submit a basic assessment. Here's where it gets a little weird. If you read closely in the text of the rule, you're like, why are words missing here? This doesn't make any sense. It says you may submit a basic assessment to blank for posting to SPRS in the format identified in paragraph D of this provision. What are you talking about? Why is there a blank? What is paragraph D talking about? This is an artifact of the provision as it was written in 2020. Because back in the day... Gather round, kids. Back in the day, SPRS was not built to handle people uploading their cybersecurity scores. People didn't have PIEE accounts, SPRS didn't have a mechanism for uploading these things. They just made it happen.
So props to the DoD for tapping some random Navy program office that was in charge of this SPRS database. These days, and we'll link to it below, we'll have some images on the screen, we're not going to go into all the details right now, there's quick start guides on SPRS. There's troubleshooting guides, there's an FAQ, how to set up an account. There's well-defined forms for how you fill in all the information. It is much, much smoother than it was back in the day. So the original form of 7019 had an email address in it, like SPRS program office at navy.mil. And it said, if you don't have a score, just email us. Now, they went through and they removed that part, because that's not how the process works anymore. The SPRS database works just fine now. But for those of you that were around back then, you remember that it was very, very troublesome to get the account set up and get the score uploaded. It was horrible.
B
You've got to start somewhere, Jacob.
A
Yeah. These Days it's much simpler. But that's why if you read this closely it doesn't, it feels like you're like why? Why does this look so weird? It's because they went through and chopped it up and took that email address out so it doesn't read as smoothly as it should. So that's why it says that Anyways. Summary level scores, what they refer to as assessment scores, they call them summary level scores. Summary level scores for all assessments will be posted 30 days post assessment in SPRs to provide DoD components visibility into the summary level scores of these strategic assessments as they often call them under the basic assessment portion of these of these requirements they say the offeror may follow the procedures in this previous paragraph for posting assessments to SPRs. That previous paragraph is a chopped up artifact. So go to the SPRS website and follow the instructions on the website for how to upload these scores because you know, times are a changing and all the information isn't necessarily in 7019 like it used to be. Okay. For the medium assessments and the high assessments conducted by the government, you don't upload anything. They're the ones that upload and update your record. In SPRs they say that the DoD will post the following medium and or high assessment summary level scores to SPRs for each system assessed. This involves the standard that is assessed, which revision of NIST SP 800 171, the organization conducting the assessment, whether this is DCMA or dod, AAC or any of the other various acronyms that could possibly show up on your doorstep. All the industry cage codes associated with the information systems addressed by your system. Security plan. A brief description of the security plan architecture. The date and the level of the assessment. The actual score itself. The date that all requirements are expected to be implemented. So if you have less than a 110, they're going to ask you what is your poem? Closeout date. 
That is a thing that people are on the hook for right now because just this week, as of, as of the time of this conversation, there's big conversation on LinkedIn because a lot of people uploaded their score, never paid attention to what it was. They said, yeah, we'll be done with our POAM by the end of the year. Couple years go by, they come up for contract renewal and the contracting officers are going, hey, you never changed your score, but you told us that you were going to close out your poem like a couple months after you uploaded it. So could you go ahead and upload that updated score and send us the documentation that proves that you did what you told us you were going to do because we paid you for it and we'd really love to renew your contract, but you know, we got I's to dot and T's to cross and. Yeah, and it doesn't usually go well at that point. So, you know, that's, that's basically the, the set of requirements is if you got to implement these requirements pursuant to 7012, then you got to conduct at least a self assessment and upload that score. You got to make yourself available for the government to conduct an assessment to verify what you said and upload their verified score for you. At the very end of the provision, they basically say that your assessment scores that get posted in SPS are only available to the DoD personnel who are relevant that need to see it, and to you. You can see your own entries into SPRs, but nobody else can. They say that authorized representatives from your company can log in and see your entry. You can change it, you can do whatever you need to do. They also go on to say that the high assessments, so the ones that are conducted by DIBCAG on site, these would be equivalent to something like a CMMC assessment. They're going through 171A for every assessment objective. They may result in documentation that is in addition to what they outline in this provision. 
And they'll retain and protect any of that information as if it were controlled unclassified information. They'll protect it on par as if it were CUI. It is not CUI. Don't panic. But the government says they're going to protect it like it were CUI. And they, you know, prevent it from unauthorized use, reuse, publication, standard boilerplate stuff that says you're going to give us sensitive info, we're not going to publicize it in any way. And that's the 7019 provision. I mean, at this point, 7019 and 7020 have been around for five years. For five years. So a lot of people don't like it when they get told 7012 has been around since 2016. These, you've already had these requirements. They don't really like that part. But at this point, 7019 and 7020 are old news too. So you can't really be surprised by them anymore. Concept's very simple. There's no verification mechanism in the center of gravity, DFARS 7012. So in 2020 they came up with a mechanism. They came up with two mechanisms, actually. They came up with the DoDAM and with CMMC. CMMC, as we know, went off on its own saga that took way longer than the government intended. So in the meantime, we had 7019 and 7020. A lot of people uploaded scores, a lot of people did their thing and then forgot about it. And now as contracts come up for renewal, they're getting caught, if you will, with their pants down, whatever metaphor you want to pick, right around the time that CMMC is also spinning up in addition to that. So that's DFARS 7019 in a nutshell.
B
Yeah, I. I think that you said that. You said that 7019 and 7020 are old news. But realistically, the dust that 7019 kicked up, it makes it very much so relevant, even right now, because we're starting to see more and more of these FCA cases come to fruition. And the root of those FCA cases are what, realistically, attestations in 7019. So, yeah, even though it's old, the second. Same, same stuff, different day, right?
A
Yep. It's. You don't have an SSP, you uploaded a score, which is impossible, and then you uploaded a different score or you found out that your score was different and you didn't upload it. That'll be $4 million, please. Is essentially how that plays out. And that has nothing to do with CMMC. It has everything to do with the other provisions and clauses in the DFARS Cyber series. So we will talk about DFARS 7020, 7009, which nobody ever talks about, as well as 7021, and what we know about the provision for 7021 in future episodes. We will link below to the episodes on DFARS 7008 and 7012. If you haven't watched them, you should, because everything that comes after 7012 and all these other clauses orbits around the requirements in 7012, which is why we got to talk about them first. So there you go. Let us know. Is this series helpful? Do you want more 101 information? Do you have suggestions for other 101 topics? We can go into 171A, we can go into SPRS, we can go into DoDAM, we can go into all the other things that sort of flesh out the information in these clauses and provisions. But we're chipping our way through the DFARS Cyber series. And we'll see you next week.
B
See you next week.
Sum IT Up: CMMC News Roundup
Episode: What is DFARS 7019?
Date: June 5, 2025
Host: Summit 7
This episode of the Sum IT Up podcast continues the "101 series" on DFARS cybersecurity provisions, focusing on DFARS 252.204-7019, titled "Notice of NIST Special Publication 800-171 DoD Assessment Requirements." The hosts break down the purpose, context, and operational impact of the 7019 provision, describe its relationship to other key DFARS clauses, and explain real-world consequences for defense contractors, especially regarding self-assessments and government validation.
On 7019 as a "Telling On Yourself" Clause:
“It feels more so...that this probably should be the telling yourself clause...Not until 7019 did you have to tell somebody what that self attestation was. And that was what started triggering...the flags to say hey, come look at this.”
— B, 04:13
On Score Verification Reality:
“Early on people were just putting in perfect scores and then not really worrying about it...But we're seeing more and more normal average companies ... now being asked to prove that that was true. And they're, they're, they're calling us with panic in their voices.”
— A, 18:51
On Challenges with Self-Assessment:
“If you have uploaded a score and you didn't conduct an assessment via 171A, you can be pretty much guaranteed that your score is wrong and it's probably wrong in the wrong direction, meaning ... you probably have overstated your score...”
— A, 21:34
On the Consequence of Inaccurate Attestation:
“You uploaded a score that you were aware of the implications for via 7019. We're here now under the umbrella of 7020. And the math ain't mathing. So you got some hard questions to answer as a result.”
— A, 25:42
On Current FCA Risks:
“We're starting to see more and more of these FCA cases come to fruition. And the root of those FCA cases are what, realistically, attestations in 7019. So, yeah, even though it's old, the second. Same, same stuff, different day, right?”
— B, 35:52
On Real World Pain Points:
“You don't have an SSP, you uploaded a score, which is impossible, and then you uploaded a different score or you found out that your score was different and you didn't upload it. That'll be $4 million, please.”
— A, 36:16
| Timestamp | Topic |
|-----------|-------|
| 00:02 | Introduction to the episode theme and DFARS 7019 |
| 02:25 | Explanation of how 7019 fits within the DFARS cyber clause structure |
| 04:13 | The “telling on yourself” effect of 7019; shift from silent self-attestation to public scores |
| 05:50 | Origin of the 2020 interim rule (DoD weapon system breaches and Congressional response) |
| 11:30 | First-hand observations: inaccurate/stale scores, contract renewal crisis |
| 13:58 | Who must insert the provision, and how the FAR/DFARS requirements cascade |
| 17:39 | Key requirement: having a current assessment score (no minimum specified in clause text) |
| 18:51 | The lack of a minimum score in official policy; practical realities observed |
| 21:34 | Deep dive into assessment types and common pitfalls |
| 23:13 | Government’s confidence tiers in assessments |
| 30:17 | Updating SPRS procedures: from email to online portal |
| 33:00 | Data visibility and confidentiality within SPRS |
| 35:52 | Reflection on current impact: FCA exposure, contract losses |
| 36:16 | Real-world financial consequences for bad attestation |
For more on related clauses:
Check out the podcast’s prior episodes on DFARS 7008 and 7012, as referenced by the hosts: understanding those is critical, since everything in the DFARS “cyber series” orbits around 7012’s requirements.
End of summary. For specific procedures on uploading scores or conducting assessments, refer to official SPRS guides and DoD documentation as recommended by the hosts.