Understanding the DFARS 7019 Clause in Detail

The Department of Defense issued its long-awaited DFARS Interim Rule in September 2020, which got implemented on 30, 2020. The primary goals of this rule are to establish CMMC as the innovative cybersecurity model for DoD contracts and tell subcontractors that they should conduct a self-evaluation based on NIST 800-171 and submit their results to the DoD. The Interim Rule aims to solve defense firms’ safety and accountability deficiencies and offer an onramp for the implementation of CMMC, with these twin goals. 

The restrictions outlined in the Interim Ruling will affect any work done by military contractors, including prime and freelancers, that is subject to DFARS 252.204-7012. Defense vendors handling CUI must follow NIST SP 800-171 cybersecurity procedures under the DFARS -7012 clause. Contractors that exclusively manage commercial off-the-shelf materials (COTS) are exempt from the Interim Rule’s obligations. The Interim Rule adds three additional clauses (7019, 7020, and 7021) aimed at bolstering NIST SP 800-171’s self-evaluation mandates while, at the same time, facilitating the migration to CMMC. Since this can be a complicated task, most contractors rely on DFARS consultant Virginia Beach.

The DFARS 7019 is one of three interconnected clauses added to the DFARS by the Department of Defense’s new guideline. These additional provisions supplement the existing DFARS 252.204-7012 clause.

The interim regulation, which takes effect on November 30, 2020, aims to improve cybersecurity throughout the US DIB. The issue has been that, under DFARS 7012, many vendors are self-certifying DFARS cybersecurity adherence without moving their mechanisms into conformity in a verifiable manner.

It outlines the standards that contractors must satisfy in order to correctly submit and retain their self-evaluation of cybersecurity compliance with the NIST 800-171 standard under DFARS 7012. The criteria for contracting officers to grant or refuse contract grants depending on a supplier’s stated evaluation findings are likewise outlined in DFARS 7019.

The DFARS 7019 clause informs DIB providers that they must analyze and report their internal NIST 800-171 adherence in the manner of a less than three-year-old SPRS score. Scores will be exclusively provided to the applicant and the Department of Defense and can be made accessible to others upon demand.

While the DFARS Interim Rule does not define baseline self-evaluation scores, all firms seeking to engage with the Department of Defense should be aware that risk-based analyses will be used to assist in selecting which enterprises will be awarded contracts. If a firm has a low self-evaluation score, it makes sense that the DoD will view it as a larger security threat than a rival with a higher score.

Firms who have a contemporary SPRS Basic, Moderate, or Advanced evaluation on file and employ the NIST SP 800-171 DoD Assessment Methodology, as well as System Security Plan and, if necessary, a POA&M will most likely fulfill the DFARS 7019 clause criteria. This procedure will need to be completed as soon as possible by other DIB vendors.

Why is it so essential to get things done quickly? Since the new DFARS 7019 provision will feature in “all intercessions” in the future, with the exception of those solely for the procurement of COTS items, this covers not only deals but also contract revisions and renewals.