252.240-7997 NIST SP 800-171 DoD Assessment Requirements
This clause was introduced by the Revolutionary FAR Overhaul (EO 14275) and does not appear in the codified eCFR. It applies to contracts using the RFO model.
RFO Prescription
(d) Insert the clause at 252.240-7997, NIST SP 800-171 DoD Assessment Requirements, in all solicitations and contracts, task orders, or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for those that are solely for the acquisition of COTS items.
Current Text (RFO)
NIST SP 800-171 DOD ASSESSMENT REQUIREMENTS
(DEVIATION 2026-O0025)(FEB 2026)
(a) Definitions.
Covered contractor information system has the meaning given in the clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, of this contract.
High Assessment means an assessment that is conducted by Government personnel, trained in accordance with DoD policy and procedures, using NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information that—
(1) Consists of—
(i) A review of a contractor's previous assessment(s), as applicable;
(ii) A thorough document review;
(iii) Verification, examination, and demonstration of a Contractor's system security plan to validate that NIST SP 800-171 security requirements have been implemented as described in the contractor's system security plan; and
(iv) Discussions with the contractor to obtain additional information or clarification, as needed; and
(2) Results in a confidence level of "High" in the resulting score.
Medium Assessment means an assessment conducted by Government personnel, trained in accordance with DoD policy and procedures, using NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information that—
(1) Consists of—
(i) A review of a contractor's previous assessment(s), as applicable;
(ii) A thorough document review; and
(iii) Discussions with the contractor to obtain additional information or clarification, as needed; and
(2) Results in a confidence level of "Medium" in the resulting score.
(b) Applicability. This clause applies to covered contractor information systems that are required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, in accordance with Defense Federal Acquisition Regulation System (DFARS) clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, of this contract.
(c) Requirements. The Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment, using the methodology described at 32 CFR 170.24, if necessary. The results of Medium or High NIST SP 800-171 DoD Assessments, when conducted by DCMA, will take precedence over any other assessment, in accordance with 32 CFR 170.16(a)(1)(iv), 32 CFR 170.17(a)(1)(iv), and 32 CFR 170.18(a)(1)(iv).
(d) Procedures. Summary level scores for all assessments will be posted in the Supplier Performance Risk System (SPRS) (https://www.sprs.csd.disa.mil/) to provide DoD Components visibility into the summary level scores of strategic assessments.
Medium and High Assessments. DoD will post the following Medium and/or High Assessment summary level scores to SPRS for each system security plan assessed:
(i) The standard assessed (e.g., NIST SP 800-171 Rev 1).
(ii) Organization conducting the assessment, i.e., DCMA.
(iii) All industry CAGE code(s) associated with the information system(s) addressed by the system security plan.
(iv) Date and level of the assessment, i.e., medium or high.
(v) Summary level score (overall numerical score, not the individual value assigned for each requirement).
(vi) Date that all requirements are expected to be implemented based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171.
(e) Rebuttals. (1) DoD will provide Medium and High Assessment summary level scores to the Contractor and offer the opportunity for rebuttal and adjudication of assessment summary level scores prior to posting the summary level scores to SPRS (see SPRS User's Guide https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf).
(2) Upon completion of each assessment, the contractor has 14 business days to provide additional information to demonstrate that they meet any security requirements not observed by the assessment team or to rebut the findings that may be of question.
(f) Accessibility. (1) Assessment summary level scores posted in SPRS are available to DoD personnel, and are protected, in accordance with the standards set forth in DoD Instruction 5000.79, Defense-wide Sharing and Use of Supplier and Product Performance Information (PI).
(2) Authorized representatives of the Contractor for which the assessment was conducted may access SPRS to view their own summary level scores, in accordance with the SPRS Software User's Guide for Awardees/Contractors available at https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf.
(3) A High NIST SP 800-171 DoD Assessment may result in documentation in addition to that listed in this clause. DoD will retain and protect any such documentation as "Controlled Unclassified Information (CUI)" and intended for internal DoD use only. The information will be protected against unauthorized use and release, including through the exercise of applicable exemptions under the Freedom of Information Act (e.g., Exemption 4 covers trade secrets and commercial or financial information obtained from a contractor that is privileged or confidential).
(g) Subcontracts. The Contractor shall insert the substance of this clause, including this paragraph (g), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services (excluding commercially available off-the-shelf items).
(End of clause)