What is DFARS 7020?

DFARS 252.204-7020 Explained

DFARS 252.204-7020 is one of the three active clauses in the  DFARS 70xx series (7012, 7019, and 7021), first introduced in November 2020. While DFARS 7019 outlines the requirement to maintain and report assessment scores in the Supplier Performance Risk System (SPRS), DFARS 7020 establishes the obligations that contractors must meet when the Department of Defense initiates a Medium or High assessment. These obligations include providing access to systems, facilities, and personnel during the assessment process.

DFARS 7020 appears in nearly all DoD solicitations, contracts, task orders, and delivery orders, with the exception of those limited to commercially available off-the-shelf (COTS) items. It also includes a flow-down requirement. This means that prime contractors must ensure their subcontractors have a current assessment score in SPRS before issuing any subcontracts or purchase orders involving Controlled Unclassified Information (CUI). The prime must also verify and document that DFARS 7019 has been flowed down in writing to each applicable subcontractor.

When the DoD conducts a Medium or High assessment under DFARS 7020, the assessed contractor is given a 14-day window to respond. During that time, the contractor may submit additional documentation or clarification to address identified concerns. The final score is posted to SPRS only after that response period has closed. High-level assessment results are treated as Controlled Unclassified Information, and all submitted documentation remains confidential.

The clause also establishes that contractors must provide assessors with access to relevant systems, locations, and personnel during the course of the evaluation. This includes access to technical and administrative staff, along with system documentation, audit evidence, and physical or logical infrastructure where CUI is processed or stored.

How Can CorpInfoTech Help?

CorpInfoTech helps defense contractors prepare for and comply with DFARS 7020 obligations through our structured Risk Management Program and tailored compliance services. We work directly with clients to validate and document their NIST SP 800-171 control implementation, coordinate system access and evidence for DoD assessors, and ensure internal roles are prepared for evaluation.

Our team also supports flow-down execution by helping clients identify in-scope subcontractors, validate SPRS status, and include proper DFARS clauses in purchase orders and subcontract agreements. Whether you are preparing for a Medium or High assessment or managing tiered compliance obligations, we provide the tools and expertise to support the entire lifecycle of assessment readiness and response.

As a CMMC Level 2 certified Managed Service Provider, CorpInfoTech brings hands-on experience and operational focus to every engagement. We help clients manage the complexity of compliance without compromising performance, production, or mission.