Updated May 2026

DFARS 7019 + 7020 Cost: SPRS Posting + DoD Audit Right

7019 puts a published-score gate on contract eligibility. 7020 gives the DoD an audit hammer. Together, they are the enforcement layer that makes 7012 actually bite. Most contractors spend $5K-$60K complying with these two clauses, almost entirely on the evidence work behind a defensible SPRS score.

Two clauses, one enforcement spine

DFARS 252.204-7012 sets the obligation: implement NIST SP 800-171. Without 7019 and 7020, that obligation would live entirely on the honour system. The 2020 interim rule added the two enforcement clauses to give the DoD a verification toolkit. 7019 requires you to have a current self-assessment posted in SPRS before you bid; 7020 lets the DoD assess your implementation itself, at three escalating levels (Basic, Medium, High). The Basic Assessment is the self-assessment under 7019. The Medium Assessment is a DoD-led document review. The High Assessment is the DIBCAC on-site audit. Each level produces a SPRS score on the same -203 to +110 scale, with the higher-level assessments overwriting any prior lower-level score.

The full clause text is published at acquisition.gov for 7019 and the parallel 7020 page. The SPRS portal itself is at sprs.csd.disa.mil and requires PIEE access plus a CAGE code association before you can post a score.

These clauses do not introduce new technical controls. They introduce process obligations: you have to do the self-assessment, you have to post the result, you have to cooperate with DoD audits, and you have to flow the same down to sub-contractors. The compliance cost is therefore not security tooling spend; it is assessment-effort spend.

Cost of a defensible SPRS self-assessment

The SPRS score is calculated by walking the 110 controls in NIST SP 800-171, marking each as implemented or not, and applying the official scoring methodology published in the DoD Assessment Methodology document. Each unimplemented control deducts points (1, 3, or 5 depending on severity). A new contractor with no prior security programme commonly lands in the -100 to -150 region; a mature contractor with a fully-implemented programme lands near +110.

The cost question is not about the calculation; it is about producing defensible evidence that each control is actually implemented. That evidence is the same body of artefacts a C3PAO will eventually request: SSP, policies, technical configuration screenshots, log samples, training records, asset inventories. Producing it once for the SPRS self-assessment makes the eventual C3PAO Level 2 assessment significantly cheaper, which is one reason why doing the SPRS work seriously is worth the spend.

Company size	Internal effort	With RPO support	Full outsource
Under 25 employees	80 - 200 hours	$3K - $8K	$8K - $15K
25 - 50 employees	150 - 300 hours	$5K - $12K	$12K - $22K
50 - 200 employees	300 - 500 hours	$10K - $20K	$20K - $35K
200+ employees	500 - 1000+ hours	$25K - $45K	$45K - $80K

DIBCAC Medium and High Assessments

7020 gives the DoD the right to perform two levels of independent assessment of contractor 800-171 implementation. The Defense Industrial Base Cybersecurity Assessment Centre (DIBCAC) is the DoD organisation that carries out the assessments. A Medium Assessment is desk-based: DIBCAC requests documentation, reviews the SSP and supporting evidence remotely, and posts a Medium-level score to SPRS. A High Assessment is on-site: DIBCAC personnel visit the contractor's facility, perform interviews, examine system configuration, and produce a High-level score. The High Assessment is the closest equivalent to a C3PAO Level 2 assessment in scope and rigour, but it is government-led rather than commercial-assessor-led.

From a cost perspective, DIBCAC does not charge the contractor for the assessment itself (it is government-funded). The contractor's spend is on preparation and on-site cooperation. For a contractor that has already done a defensible self-assessment and has the supporting evidence library in good shape, a Medium Assessment costs $5K-$15K in preparation and response labour. For a High Assessment, expect $15K-$60K depending on company size and the state of the evidence library on arrival. Inadequate preparation can result in a downward score adjustment that has cascading commercial consequences.

Year-by-year cost picture under 7019 + 7020

Activity	Frequency	Typical cost
Initial NIST 800-171 Basic Assessment + SPRS post	Once	$5K - $35K
SPRS score refresh after material change	As needed	$3K - $15K
Triennial Basic Assessment renewal	Every 3 yrs	$3K - $25K
DIBCAC Medium Assessment preparation	Probabilistic	$5K - $20K
DIBCAC High Assessment preparation	Probabilistic	$15K - $60K
Sub-contractor flow-down management	Annual	$10K - $40K

SPRS score thresholds primes are using

The 32 CFR Part 170 final rule does not specify a minimum SPRS score for contract award, but in practice primes are setting their own thresholds for sub-contractor flow-down. Common thresholds observed in 2025-2026: large defense primes (Lockheed, RTX, Northrop, General Dynamics, L3Harris) require a SPRS score of +88 or higher for sub-contracts touching CUI, with deficits documented in a Plan of Action and Milestones. Some primes require +110 (full compliance) for sub-contracts in higher-classification programmes.

For sub-contractors, this means a low SPRS score is functionally equivalent to opting out of the DIB. The economics: invest $5K-$25K in producing a defensible score that gets you over the +88 line, or accept that you cannot bid on flow-down work. For most sub-contractors, the math heavily favours the assessment spend. See the SPRS score page for the calculation methodology and the sub-contractor cost page for the broader sub-contractor compliance picture.

Related cost pages

Frequently asked questions

What is DFARS 252.204-7019?

DFARS 252.204-7019, titled Notice of NIST SP 800-171 DoD Assessment Requirements, requires offerors on DoD solicitations to have a current (within the last three years) NIST SP 800-171 Basic Assessment posted in the Supplier Performance Risk System (SPRS) before being eligible for contract award. It does not, by itself, mandate any new security control implementation. It just requires that you have done your self-assessment and posted the score. The score range is -203 to +110, where +110 is full compliance.

What is DFARS 252.204-7020?

DFARS 252.204-7020, titled NIST SP 800-171 DoD Assessment Requirements, gives the DoD the contractual right to perform Medium or High Assessments of contractor NIST 800-171 compliance, requires contractor cooperation with those assessments, and obligates the contractor to flow the substance of the clause down to sub-contractors. Where 7019 is about self-reporting, 7020 is about DoD-led verification. The Medium Assessment is documentation-led and conducted remotely; the High Assessment is on-site, conducted by the Defense Industrial Base Cybersecurity Assessment Centre (DIBCAC), and is the most thorough audit short of a C3PAO Level 2 assessment.

How much does a SPRS self-assessment cost?

Posting the score is free; producing a defensible score is not. For a typical small contractor (under 50 employees), the self-assessment work runs $3K-$15K when done internally or with a Registered Practitioner Organisation (RPO). For mid-size (50-200 employees), $10K-$25K. For large primes with complex enclaves, $25K-$60K. Most of the cost is in evidence collection across the 110 controls, not the scoring spreadsheet itself. The score is then posted to SPRS by an authorised company representative.

Will DIBCAC actually audit a small contractor?

DIBCAC has historically focused its Medium and High Assessment workload on prime contractors and high-risk sub-contractors, not on small contractors with low total contract value. That balance is shifting under CMMC Phase 2 because the DoD wants assurance across the supply chain. Small contractors should plan for some probability of a Medium Assessment over a five-year horizon, even if a High Assessment is unlikely. Practitioner experience suggests the cost of preparing for a Medium Assessment, given you have already done a defensible self-assessment, is in the $5K-$20K range.

What is the penalty for posting a low SPRS score?

There is no direct DoD penalty for posting a low score; the score is informational to the contracting officer. The practical penalty is contract eligibility: primes increasingly require sub-contractors to have a SPRS score above a threshold (commonly +88 or higher) before awarding a task order. Posting a low score is therefore the same as walking away from contracts. The 32 CFR Part 170 final rule and the DoD CIO have both emphasised that contracting officers will use SPRS scores as an input to award decisions even before Phase 2 of CMMC takes effect.

Does 7019 + 7020 still apply if I have a CMMC Level 2 certification?

Yes. The clauses are independent of CMMC. A current CMMC Level 2 certification satisfies the substantive evidence of NIST 800-171 implementation but does not relieve you of the SPRS posting obligation under 7019. You should refresh your SPRS score whenever the underlying assessment is more than three years old or when material changes affect the control implementation. 7020 audit rights also remain in force; CMMC certification is a contract-eligibility signal, not a substitute for the DoD's right to verify.