CybersecurityFlows Down to Subs

DFARS 252.204-7020NIST SP 800-171 DoD Assessment Requirements

Overview

This clause establishes the three-tier assessment methodology for NIST SP 800-171 compliance: Basic (self-assessment), Medium (government-conducted), and High (government-conducted with on-site validation). Contractors must cooperate with government assessors and provide documentation demonstrating implementation of security controls.

When Does This Apply?

Contracts where the government requires a Medium or High confidence NIST 800-171 assessment, typically for contracts involving high-value CUI.

Key Requirements

1Cooperate with government assessment teams
2Provide documentation of NIST 800-171 implementation
3Allow assessors access to systems and facilities
4Implement the 110-point scoring methodology
5Address findings within the specified remediation timeline

Flowdown to Subcontractors

Yes — DFARS 252.204-7020 flows down to subcontractors. All subcontractors in the supply chain must comply with this clause when applicable.

Related NIST 800-171 Controls

3.12.1 3.12.2 3.12.4

Frequently Asked Questions

What is DFARS 252.204-7020?

DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements) This clause establishes the three-tier assessment methodology for NIST SP 800-171 compliance: Basic (self-assessment), Medium (government-conducted), and High (government-conducted with on-site valida

Does DFARS 252.204-7020 flow down to subcontractors?

Yes, DFARS 252.204-7020 flows down to subcontractors. All applicable subcontractors must comply with this clause.

When does DFARS 252.204-7020 apply?

Contracts where the government requires a Medium or High confidence NIST 800-171 assessment, typically for contracts involving high-value CUI.

Related Guides

CMMC Compliance Guide→

Free Compliance Tools

🛡

CUI Auditor

Audit your tech stack for CUI handling gaps across 80+ enterprise tools.

🗺

CUI Flow Mapper

Map how CUI flows through your organization and identify spillage risks.

✅

FedRAMP Finder

Search 80+ FedRAMP-authorized products by category and authorization level.

Is your tech stack DFARS 252.204-7020 compliant?

Run our free CUI Auditor to check if your tools meet this clause's requirements.

Audit Your Tech Stack Free

Track DFARS 252.204-7020 compliance changes with AI-powered intelligence

Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.

Start Free — 90 Days

Discussion

Share your experience implementing this in your organization.

Join the Club to unlock joining discussions

Free membership — access intelligence, save your work, and more.

Create free account

← All DFARS Clauses

DFARS 252.204-7020NIST SP 800-171 DoD Assessment Requirements

Overview

When Does This Apply?

Contracts where the government requires a Medium or High confidence NIST 800-171 assessment, typically for contracts involving high-value CUI.

Key Requirements

1Cooperate with government assessment teams
2Provide documentation of NIST 800-171 implementation
3Allow assessors access to systems and facilities
4Implement the 110-point scoring methodology
5Address findings within the specified remediation timeline

Flowdown to Subcontractors

Yes — DFARS 252.204-7020 flows down to subcontractors. All subcontractors in the supply chain must comply with this clause when applicable.

Related NIST 800-171 Controls

3.12.1 3.12.2 3.12.4

Frequently Asked Questions

What is DFARS 252.204-7020?

Does DFARS 252.204-7020 flow down to subcontractors?

Yes, DFARS 252.204-7020 flows down to subcontractors. All applicable subcontractors must comply with this clause.

When does DFARS 252.204-7020 apply?

Contracts where the government requires a Medium or High confidence NIST 800-171 assessment, typically for contracts involving high-value CUI.

Is your tech stack DFARS 252.204-7020 compliant?

Run our free CUI Auditor to check if your tools meet this clause's requirements.

Audit Your Tech Stack Free

Track DFARS 252.204-7020 compliance changes with AI-powered intelligence

Signals matches SAM.gov opportunities to your profile, monitors regulatory changes, and alerts you before competitors. Free for 90 days.

Start Free — 90 Days

Discussion

Share your experience implementing this in your organization.

Join the Club to unlock joining discussions

Free membership — access intelligence, save your work, and more.

Create free account