Sum IT Up: CMMC News Roundup
Episode Title: What is DFARS 7020?
Date: July 3, 2025
Host: Summit 7
Focus: An in-depth breakdown of DFARS 252.204-7020 and its role in the Department of Defense (DoD) cybersecurity compliance ecosystem for defense contractors.
Main Theme & Purpose
This episode is part of the “Back to Basics” series, delving into the DFARS (Defense Federal Acquisition Regulation Supplement) Cyber series—specifically, DFARS 252.204-7020, which outlines DoD Assessment Requirements for defense contractors. The hosts clarify how 7020 fits alongside other DFARS clauses, explain how it’s enforced, highlight why it’s critical for contractors in the Defense Industrial Base (DIB), and provide actionable insight into assessment processes and flowdown requirements for subcontractors.
Key Discussion Points & Insights
1. Overview: DFARS Cyber Clauses Structure
- DFARS Cyber series includes five main solicitation provisions and contract clauses:
- 7008 (provision): Awareness of requirements
- 7012 (clause): Actual NIST SP 800-171 implementation requirements
- 7019 (provision): Assessment requirements notification
- 7020 (clause): DoD Assessment enforcement—focus of this episode
- 7009 (clause, to be discussed in a later episode)
- Coming into contracts with the CMMC rule: 7021 (clause, on the books since the 2020 interim rule but not yet required in contracts) and a new CMMC provision
“The DFARS clause 252.204-7020 applies to contractor information systems that are subject to NIST SP 800-171 requirements pursuant to DFARS clause 252.204-7012…”
—A, [02:57]
2. Difference Between Awareness and Validation Clauses
- 7008/7012: Tell you what to do (implement security controls).
- 7019/7020: Tell you how to prove you’ve done it (assessment and validation).
“…7008 and 7012 are the ones that are telling you to implement things, and 7019 and 7020 are the ways that are going to validate that you have implemented those things, right?”
—B, [02:41]
“Yeah, that’s exactly right. That’s probably the best way to kind of describe them at a high level.”
—A, [02:57]
3. Rationale for DFARS 7020
- Historical Context:
- 7008 and 7012 took their current form in 2016 and have been largely unchanged since.
- 7019, 7020, and 7021 introduced in 2020 in response to a need for verification amid large-scale supply chain compromises.
- Why 7020?
- 7012 gave the DoD no way to verify a contractor’s implementation before award; massive supply chain breaches forced the DoD’s hand.
- 7020 ensures the DoD can:
- Conduct assessments to verify SP 800-171 implementation.
- Assure protection of sensitive information at all supply chain levels, especially via flowdown provisions.
“DFARS clause 252.204-7012 does not provide for DoD verification of a contractor’s implementation...prior to contract award. And as we know from the history, the DoD got screwed, right? There were massive compromises…”
—A, [04:54]
4. Assessment Types Defined in 7020
- Basic Assessment ("low confidence")
- Contractor self-assessment using NIST SP 800-171A and the NIST SP 800-171 DoD Assessment Methodology.
- Summary score submitted to SPRS (Supplier Performance Risk System); a current score (not more than three years old) is required before award.
- No set minimum score, but customers may set their own thresholds.
- “Just self-attestation with more steps.”
- Medium Assessment ("medium confidence")
- Conducted by DoD personnel, reviewing the contractor’s self-assessment and documentation (mainly the System Security Plan).
- Results posted in SPRS by the DoD.
- High Assessment ("high confidence"/DIBCAC High)
- Full-scale DoD assessment, on-site or virtual, using NIST SP 800-171A to examine, interview, and test.
- Rare, but often signals you’re a candidate for CMMC Level 3.
“A basic assessment is you conducting a self-assessment via the methods in SP 800-171A...and you post those scores to the Supplier Performance Risk System…”
—A, [12:06]
5. Assessment Triggers & Real-World Experience
- No clear signal as to when medium/high assessment will happen; typically, you “get a phone call or an email.”
- Assessed entities are often those dealing with “super duper cool stuff… the department is especially interested in.”
“Apparently with the mediums you just get a phone call and with the highs you basically get a phone call…”
—A, [15:00]
6. SPRS Scores, POAMs, and Dates
- SPRS: All assessments (basic/med/high) must be recorded here.
- POAM Closure Dates: Contractors must enter the date by which all open gaps will be closed (i.e., when a score of 110 is expected); letting that date lapse without updating the score, or entering an unrealistic date (e.g., year 2100), can flag you for scrutiny.
- Consequences: Not updating scores or closure dates, or “winging it,” may invite DoD attention.
“…if you put in a date and you extend past that date and you don’t update the score, it will eventually come back to bite you.”
—A, [15:14]
“POAM closure date: score went up, that control satisfied, but you didn’t close the POAM. Absolutely crazy. You’re just winging it...”
—B, [17:55]
7. 7020’s Paragraph Highlights
- Applicability (B): Applies if you have 7012 in your contract.
- Requirements (C): Must provide DoD access for DoD-led assessments.
- Procedures (D): All assessment results must be posted in SPRS, prior to award and ongoing.
- Rebuttals (E): Contractors have 14 business days post-assessment to rebut or provide extra proof.
- “Rebut is a word. Look it up, everybody.” —A, [18:25]
- Data Protection (F): Standard “protect others’ data” requirement.
- Subcontracts/Flowdown (G): Key for the ecosystem: primes must flow the clause down to all lower-tier subcontracts that will handle CUI (Controlled Unclassified Information), and may not award such a subcontract unless the sub has a current Basic (or higher) assessment on record in SPRS, where “current” means not more than three years old unless the solicitation specifies a shorter period.
“This is the magic of Flowdown ... as a result they have to use these mechanisms…if you’re going to send our data into the supply chain, we are obligating you to send these requirements with our data into the supply chain.”
—A, [21:24]
8. Supply Chain Realities
- The DoD doesn’t control how primes enforce flowdown, but the clauses give them the authority and expectation to do so.
- If you’re a downstream supplier and you get CUI, these requirements “flow down” to you.
“They might do it preemptively before they even know if you’re going to get the data. Because they want to mitigate their own risk, which is also up to them and up to you.”
—A, [23:23]
Notable Quotes & Memorable Moments
- “DFARS clause 252.204-7020…complements DFARS clause 7012 flowdown requirements by holding contractors responsible for confirming that their subcontractors have SPRS scores on file prior to awarding them contracts. Prior to you awarding a contract to your subs, you need to verify that they have a score in SPRS. Do not send our data down to people who have not implemented these requirements.” —A, [09:25]
- “If you put in a date and you extend past that date and you don’t update the score, it will eventually come back to bite you.” —A, [15:14]
- “POAM closure date: score went up, that control satisfied, but you didn’t close the POAM. Absolutely crazy. You’re just winging it in some points. And realistically now, especially now…it’s a terrible idea.” —B, [17:55]
- “This is the magic of Flowdown...” —A, [21:24]
- “Rebut is a word. Look it up, everybody. I see your face. Rebut is a word.” —A, [18:25]
- “If you’re too small to negotiate, that’s also still not the DoD’s problem. Their problem is that their data is involved in this conversation and that’s the part that they care about the most.” —A, [23:23]
Timestamps for Important Segments
- [00:02-01:00] – Introduction to DFARS 7020 and recap of prior episodes
- [01:00-04:44] – Breakdown of how DFARS cyber clauses interrelate
- [04:44-09:25] – Historical context, DoD rationale, and rulemaking insight
- [12:06-15:14] – Explaining assessments: Basic, Medium, High; what triggers them
- [15:14-18:25] – Mechanics (and pitfalls) of SPRS scoring, POAMs, and real-world contractor mishaps
- [18:25-23:23] – Clause paragraph walk-through: applicability, requirements, procedures, rebuttal, flowdown
- [23:23-End] – Realities of flowdown and upcoming DFARS/CMMC rule changes
Conclusion & Next Steps
- This episode equips DIB contractors with foundational knowledge to understand not just what DFARS 7020 is, but why it matters and how it affects practical compliance efforts, assessment readiness, and supply chain obligations.
- Next up: A focus on DFARS 7009, and anticipation of upcoming CMMC 2.0-related clauses.
Feedback and questions welcomed—contact the Summit 7 team via chat or comments.
