
DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements

Contract clause that obligates the contractor to have a current NIST SP 800-171 assessment in SPRS, to provide DoD access for Medium or High assessments when scheduled, and to flow the requirement to subcontractors handling CDI.

Citation: 48 C.F.R. § 252.204-7020 (DFARS) · Live text on acquisition.gov

What this clause does

DFARS 252.204-7020 is the contract-clause counterpart to the 252.204-7019 solicitation provision. Once awarded, the contractor must maintain a current NIST SP 800-171 Basic Assessment in SPRS for the life of the contract and must provide DoD access to facilities, systems, and personnel if a Medium or High assessment is scheduled. The clause flows to subcontractors that will process, store, or transmit CDI, with no commercial-item exemption for CUI handling.

The clause sits in the middle of a layered enforcement model. 252.204-7012 sets the technical baseline (NIST 800-171 controls plus 72-hour incident reporting). 252.204-7019 is the eligibility gate at solicitation. 252.204-7020 is the in-performance maintenance and verification clause. 252.204-7021 (added in 2020) layers on the Cybersecurity Maturity Model Certification (CMMC) requirement for contracts the DoD designates as needing third-party certification.

Flowdown is the operationally hardest part for primes. Before awarding any subcontract that will involve CDI, the prime must confirm that the sub has a current SPRS Basic Assessment. Subcontractor rotation, second-tier flow, and mid-performance scope changes that newly bring CDI into a sub's environment all create flowdown discipline problems. Most subcontract management systems were not designed for this and need either bolt-ons or process redesign.

Does this clause apply to my contract?

Three tests resolve applicability. Read each in order; the first "no" usually means the clause does not flow.

  1. Does the contract include or invoke DFARS 252.204-7012?

    If yes, 252.204-7020 almost always travels with it on DoD awards above the simplified acquisition threshold. Where 7012 applies, expect 7020 to apply.

  2. Will the contract require subcontractors to handle Covered Defense Information?

    If yes, the prime must verify each such subcontractor has a current SPRS score before subcontract award. Document the verification (date, CAGE, score) as part of the subcontract file.

  3. Has DCMA DIBCAC requested or scheduled a Medium or High assessment?

    The clause obligates the contractor to provide access to facilities, systems, and personnel for the assessment. Refusing or delaying access is a contract-compliance failure independent of the assessment outcome.

Common contractor pitfalls

Patterns that produce questioned costs, back-wage liability, or False Claims Act exposure under this clause.

  • Subcontract awards with no SPRS verification step

    Standard procurement workflows often skip the SPRS lookup. Awarding a CDI-handling subcontract to a sub with no score is a flowdown finding that lands on the prime, not the sub. Build SPRS verification into the subcontract checklist.

  • Assuming the score is "set and forget" between Medium assessments

    The clause requires currency for the life of the contract. Material system changes obligate a fresh self-assessment. Letting the score age past three years on a multi-year contract is a clean compliance failure.

  • Confusing the Medium-assessment scope with a routine audit

    A DCMA DIBCAC Medium is a structured technical review, not a paper exercise. Contractors that prepare in days rather than weeks generally end up with a worse score than their Basic self-assessment. Treat the trigger seriously.

  • Letting CMMC Level 2 readiness substitute for SPRS posting

    CMMC (252.204-7021) and the SPRS score (7019/7020) are related but separate compliance artifacts. A CMMC certificate does not eliminate the need to maintain the SPRS Basic Assessment posting.

Audit-flag patterns

Specific signals that contracting officers, DCAA, and agency IGs use to surface noncompliance.

  • Subcontract award files for CDI-handling subs without an SPRS score capture at award
  • SPRS score that has not been updated despite a documented major system change
  • DCMA DIBCAC Medium score that diverges sharply (>20 points) from the contractor's posted Basic score
  • Flowdown clause omitted or modified in subcontracts handling CDI
  • Assessment basis (SSP, methodology version, assessor identity) inconsistent across CAGE records

How FieldLedger helps

FieldLedger's cybersecurity readiness add-on logs SPRS verification at subcontract award and tracks assessment currency against the three-year clock for the prime and each CDI-handling sub. The audit trail satisfies DCMA flowdown evidence requests without separate spreadsheet reconciliation.

Related clauses

Clauses that flow alongside or interact with DFARS 252.204-7020.

Sources

Snapshot date: 2026-05-08. Clause text is binding only as of the version incorporated into your specific contract — check acquisition.gov for the live regulatory text.