What is DFARS 7019?
DFARS 252.204-7019 Explained
DFARS 252.204-7019 is one of the three active clauses in the DFARS 70xx series (7012, 7020, and 7021). This clause outlines the requirement for contractors to maintain current assessments of their NIST SP 800-171 implementation and to ensure those assessments are accurately reported. It also establishes how contracting officers will use that information to determine eligibility for award. DFARS 7019 does not require a CMMC assessment or any CMMC-related reporting.
Under DFARS 7019, contractors must maintain an active assessment score within the Supplier Performance Risk System (SPRS). While SPRS is only accessible to authorized DoD acquisition personnel, contractors are responsible for submitting and updating their own assessment information. This responsibility typically falls to a designated individual within the contractor's organization who is authorized to act on behalf of the company. Common roles include the Facility Security Officer (FSO), Chief Information Security Officer (CISO), Director of IT, or compliance lead. The assigned user must have access to the Procurement Integrated Enterprise Environment (PIEE) and be approved to submit scores through the NIST SP 800-171 Assessment Module.
Contractors are required to complete a Basic, Medium, or High assessment and ensure that the results are submitted and maintained in SPRS. Assessments must be updated at least once every three years, although contracting officers may set a shorter interval.
Types of DFARS 7019 Assessments:
- Basic: A self-assessment conducted by the contractor, supported by a current and complete System Security Plan (SSP). This approach has been in place since 2018.
- Medium and High: Government-led assessments conducted by the Defense Contract Management Agency (DCMA) based on a formal review of implemented controls.
How Can CorpInfoTech Help?
CorpInfoTech supports defense contractors in meeting DFARS 7019 obligations through targeted cybersecurity and compliance services built around our Risk Management Program (RMP). We help organizations evaluate their current security posture, develop and maintain complete and defensible System Security Plans (SSPs), and accurately calculate and submit SPRS scores. Our team works directly with your designated compliance personnel to ensure you understand your role, responsibilities, and reporting requirements.
We offer hands-on support in system boundary definition, inheritance documentation, and SPRS data entry—ensuring your environment is correctly scoped, your controls are supportable, and your score reflects your actual implementation. If you're operating in a shared system scenario, we guide both primes and subcontractors through appropriate separation, dependency mapping, and control alignment so that your documentation can stand up to review.
As a CMMC Level 2 certified Managed Service Provider and a long-term partner to the defense industrial base, we are equipped to help you meet DFARS 7019 requirements with clarity, accuracy, and confidence.