DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements

Solicitation provision that puts offerors on notice that, to be considered for a DoD award involving Covered Defense Information, they must have a current NIST SP 800-171 Basic Assessment posted in the Supplier Performance Risk System (SPRS).

Citation: 48 C.F.R. § 252.204-7019 (DFARS) · Live text on acquisition.gov

What this clause does

DFARS 252.204-7019 is the solicitation-side companion to 252.204-7012 and 252.204-7020. It tells offerors that if the procurement involves CDI, they cannot be eligible for award unless their SPRS record reflects a current Basic, Medium, or High NIST SP 800-171 assessment that is no more than three years old. The provision flows on solicitations for DoD procurements above the simplified acquisition threshold that will involve CDI, and it covers commercial-item solicitations the same way.

The Basic Assessment is a contractor self-assessment performed against the 110 NIST SP 800-171 controls using the DoD Assessment Methodology v1.2.x. The methodology assigns weighted point values to each control (1, 3, or 5 points) and starts each contractor at a maximum of 110, deducting points for each control not fully implemented. The result is a numeric score that can range from -203 to 110. The contractor posts the score, the date of the assessment, the included CAGE codes, and the System Security Plan revision date to SPRS.

Medium and High assessments are performed by DoD (DCMA DIBCAC for Highs; government leads for Mediums). Most small contractors live entirely in the Basic-self-assessment world. The provision does not impose new technical requirements beyond 252.204-7012; it is the procedural gate that forces the score to exist and be visible to contracting officers.

Does this clause apply to my contract?

Three tests resolve applicability. Read each in order; the first "no" usually means the clause does not flow.

  1. Is this a DoD solicitation for a contract that will involve Covered Defense Information?

    If yes, the provision flows. The CO is required to verify the SPRS record before award. If your CAGE has no posted score or a score older than three years, you are not eligible to receive the award.

  2. Is the procurement at or below the simplified acquisition threshold, or for COTS items only?

    The provision is generally not required at or below the SAT and is not required for solicitations solely for COTS items, even within DoD. Confirm the specific solicitation language because contracting officers can include it as a matter of policy.

  3. Does your CAGE record in SPRS reflect a Basic Assessment dated within the last three years?

    If not, run the self-assessment using the DoD Assessment Methodology, document it in your System Security Plan, and post the score to SPRS before responding to the solicitation. Posting takes effect immediately, but most contractors plan two to four weeks of internal work to score honestly.

Common contractor pitfalls

Patterns that produce questioned costs, back-wage liability, or False Claims Act exposure under this clause.

  • Posting an inflated score to qualify for award

    The score is a written certification. A score that does not match the actual SSP and POA&M is False Claims Act exposure when DCMA DIBCAC follows up with a Medium or High assessment. Several FCA settlements since 2022 have centered on overstated SPRS scores.

  • Treating the three-year clock as a fixed renewal date

    Material changes to the contractor's information system, network architecture, or scope of CDI handling require a new assessment, not waiting out the three-year window. Holding an old score after a major IT change is a common DCMA finding.

  • CAGE-code mismatches between SPRS and the offer

    The score is posted by CAGE. Contractors with multiple CAGEs, joint ventures, or recent reorganizations frequently submit a proposal under a CAGE that has no score even when a sister entity does. The CO sees no score and cannot make award.

  • Skipping the System Security Plan as the score basis

    The methodology requires the score to derive from a documented SSP and POA&Ms. Posting a score without an SSP is itself a finding because there is no auditable basis for the number.

Audit-flag patterns

Specific signals that contracting officers, DCAA, and agency IGs use to surface noncompliance.

  • SPRS score posted with no corresponding SSP revision in the same fiscal year
  • Score exactly at 110 (full implementation) for a contractor with active POA&Ms in their own records
  • Multiple CAGE codes under one parent with materially different scores and unclear scope boundaries
  • Score date predates a known major system change (cloud migration, M365 GCC adoption, network redesign)
  • No record of the assessor identity or methodology version cited in the SPRS submission
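The scoring arithmetic described under "What this clause does" and the audit-flag patterns above, as an added worked example that is not part of the original page or of any FieldLedger or DoD tooling: the control weights, CAGE code, dates and SPRS record below are constructed samples, and the partial-credit cases for 3.5.3 and 3.13.11 come from the DoD Assessment Methodology rather than from this page.

```python
from datetime import date, timedelta

MAX_SCORE, MIN_SCORE = 110, -203  # score range stated in the DoD Assessment Methodology

# Constructed sample: a handful of the 110 controls with point values (1, 3 or 5);
# the real methodology table assigns a value to every control, these are illustrative only.
SAMPLE_WEIGHTS = {"3.1.1": 5, "3.1.3": 1, "3.4.1": 5, "3.5.3": 5,
                  "3.8.7": 1, "3.9.2": 3, "3.13.11": 5}
# Methodology v1.2.x reduces the deduction to 3 points for two controls when partly met:
# 3.5.3 (MFA for remote/privileged but not general users), 3.13.11 (encryption not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

def compute_score(weights, statuses, ssp_exists=True):
    """Start at 110 and deduct the point value of every control not fully implemented."""
    if not ssp_exists:  # no SSP means no auditable basis, so no score can be produced
        raise ValueError("no System Security Plan: the assessment cannot be scored")
    score = MAX_SCORE
    for ctrl, status in statuses.items():
        if status == "implemented":
            continue
        if status == "partial" and ctrl in PARTIAL_CREDIT:
            score -= PARTIAL_CREDIT[ctrl]
        elif status in ("partial", "not_implemented"):  # any other shortfall loses the full value
            score -= weights[ctrl]
        else:
            raise ValueError(f"unknown status {status!r} for {ctrl}")
    assert MIN_SCORE <= score <= MAX_SCORE
    return score

def audit_flags(record, offer_cage, open_poams, major_change, today):
    """Return the audit-flag patterns matched by an SPRS record dict with keys
    score, assessment_date, ssp_date (or None) and cages (list of CAGE codes)."""
    flags = []
    if offer_cage not in record["cages"]:
        flags.append("offer CAGE has no posted score")
    if record["assessment_date"] < today - timedelta(days=3 * 365):  # approximate three-year clock
        flags.append("assessment older than three years")
    if record["score"] == MAX_SCORE and open_poams:
        flags.append("score of 110 with open POA&Ms")
    if major_change and record["assessment_date"] < major_change:
        flags.append("assessment predates a major system change")
    if record["ssp_date"] is None:
        flags.append("no SSP revision date on record")
    return flags

def sample_run():
    """Score a constructed assessment and check a constructed SPRS record for flags."""
    statuses = {"3.1.1": "implemented", "3.1.3": "not_implemented", "3.4.1": "implemented",
                "3.5.3": "partial", "3.8.7": "implemented", "3.9.2": "partial", "3.13.11": "not_implemented"}
    record = {"score": 110, "assessment_date": date(2022, 1, 10), "ssp_date": None, "cages": ["1ABC2"]}
    return compute_score(SAMPLE_WEIGHTS, statuses), audit_flags(record, "1ABC2", True, date(2023, 6, 1), date(2026, 5, 8))
```

The constructed record scores 98 on the sample controls (110 minus 1, 3, 3 and 5) and trips four of the five flag patterns, which is the kind of mismatch a contracting officer or DCMA reviewer would question before award.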

How FieldLedger helps

FieldLedger's cybersecurity readiness add-on tracks SSP revisions, POA&M status, and assessment dates against the three-year SPRS clock. Score-supporting evidence (access reviews, audit logs, training completion) is generated as a byproduct of normal platform use.

Related clauses

Clauses that flow alongside or interact with DFARS 252.204-7019.


Sources

Snapshot date: 2026-05-08. Clause text is binding only as of the version incorporated into your specific contract — check acquisition.gov for the live regulatory text.