Can the Government show up unannounced to assess our systems under 252.204-7020?

No. The clause requires a written request and provides a 30-day response window. However, in cases of suspected cyber incidents or fraud, DoD may seek access through other legal mechanisms on shorter timelines.

What documents must we provide during a DoD NIST assessment?

Your System Security Plan (SSP), Plan of Action and Milestones (POA&M), network diagrams showing system boundaries, and access to the actual systems. Personnel with knowledge of your security implementation may be interviewed.

What is the difference between 252.204-7019 and 252.204-7020?

7019 is the solicitation provision — it covers what offerors must have before award (the SPRS score). 7020 is the contract clause — it governs the ongoing right of the Government to verify your assessment during performance.

Does 252.204-7020 apply to cloud systems?

Yes, including cloud systems. If your information system boundary includes commercial cloud infrastructure processing CDI, you must be able to provide the Government access to documentation and, where possible, to the environment itself.

Critical RiskDFARSCybersecurity

252.204-7020 — NIST SP 800-171 DoD Assessment Requirements

Last updated: 2026-04-09

Researched by the BidStride Research Team

What This Clause Requires

Requires contractors to provide the Government access to facilities, systems, and personnel to conduct or verify NIST SP 800-171 assessments.

Official Regulation Text

See 48 CFR 252.204-7020 for the full regulatory text. This clause gives the Government the right to conduct or verify NIST SP 800-171 assessments of contractor information systems. Contractors must provide access within 30 days of a Government request.
Source: eCFR, 48 CFR 252.204-7020

Compliance Checklist

Provide Government access for assessment verification within 30 days of request
Allow DoD to conduct or oversee NIST SP 800-171 assessments
Make SSP and POA&M available to contracting officer
Flow down to all subcontractors processing CDI

Flow-Down to Subcontractors

Flow-down required

This clause must be included in subcontracts with all subcontractors at all tiers where the subcontractor will perform work covered by this clause. Typically appears in contract Sections H, I.

Frequently Asked Questions

BidStride automatically scans your RFPs for 252.204-7020

Stop hunting through solicitations manually. BidStride identifies every FAR and DFARS clause in your RFP, flags risk level, and surfaces compliance requirements before you submit your bid.

This summary is for informational purposes only and reflects the BidStride Research Team's plain-English interpretation of the regulation. It is not legal advice and does not constitute an attorney-client relationship. Always consult the official Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS) text and qualified legal counsel for compliance decisions.