The Evidence Gap: Why Self-Assessment Scores Collapse Under DFARS

DFARS 7019 and 7020 make self-assessments auditable. Learn how DIBCAC validates SPRS scores and how Deep Fathom’s Agentic AI closes the evidence gap with continuous, verifiable proof.

Deep Fathom

DFARS 252.204-7019 requires defense contractors to submit a NIST SP 800-171 self-assessment score to the Supplier Performance Risk System using the DoD Assessment Methodology, while DFARS 252.204-7020 authorizes the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to conduct Medium and High Assessments that verify those scores. Validation tests declared implementation against the 320 assessment objectives in NIST SP 800-171A: assessors request the System Security Plan, Plan of Action and Milestones, and supporting artifacts, then sample controls and revise the score downward where evidence is missing, outdated, or inconsistent. A self-reported score unsupported by contemporaneous artifacts carries no assurance value, and a knowingly inflated score submitted to SPRS can create False Claims Act exposure for the certifying official.

The Accountability Era

Under DFARS 252.204-7019, contractors must upload NIST SP 800-171 self-assessment scores to SPRS.

Under 7020, DIBCAC can validate them.

When proof doesn’t align with the score, reductions of 40–60 points are common. Deep Fathom closes that gap by linking every claim to live proof.

The Rules That Matter

  • DFARS 7019 – Requires the official DoD scoring method.
  • DFARS 7020 – Grants DIBCAC authority to audit and verify evidence.
  • DFARS 7021 – Makes CMMC certification a contract requirement.

A score without artifacts is a liability.

An inflated score risks False Claims Act exposure.

How DIBCAC Validates

Validation follows a predictable pattern:

  1. Request: SSP, POA&M, and supporting artifacts.
  2. Sample: Selected controls cross-checked against NIST 171A objectives.
  3. Adjust: Downward revisions when evidence is missing or outdated.

Most validated scores drop 40–60 points on first review.

Where Self-Assessments Break

  • SSPs marked “Implemented” with no artifact.
  • POA&Ms missing owners or closure evidence.
  • Artifacts older than 12 months.
  • Inconsistent documentation between business units.

Each signals a traceability failure.

DIBCAC doesn’t penalize imperfection—it penalizes fiction.
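The failure modes above are mechanical enough to check before an assessor does. As an added example (not Deep Fathom's product or any DIBCAC tooling), the Python below walks a constructed SSP evidence inventory, records the three traceability failures named above, and recomputes the score with credit removed from every unsupported claim; the 110-point maximum and the 1/3/5 weight scale follow the DoD Assessment Methodology, while the per-control weights, dates and artifact names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
# Hypothetical checker (not Deep Fathom's code): applies the page's traceability rules to a
# constructed evidence inventory and recomputes the score as a validator would, giving no
# credit to a claim without a credible artifact. Per-control weights are sample assumptions.
MAX_SCORE = 110              # one point per NIST SP 800-171 requirement, before deductions
MAX_ARTIFACT_AGE_DAYS = 365  # the page's 12-month freshness threshold
@dataclass
class Control:
    req_id: str
    weight: int                        # deduction when the requirement is not met (1, 3 or 5)
    declared: str                      # status claimed in the SSP
    artifacts: list[tuple[str, date]]  # (artifact name, date collected)
    poam_owner: str = ""               # expected whenever declared "Not Implemented"

def findings(c: Control, today: date) -> list[str]:
    # Traceability failures a reviewer would record for one control
    issues = []
    if c.declared == "Implemented":
        if not c.artifacts:
            issues.append("declared Implemented with no artifact")
        elif all((today - d).days > MAX_ARTIFACT_AGE_DAYS for _, d in c.artifacts):
            issues.append("all artifacts older than 12 months")
    elif not c.poam_owner:
        issues.append("POA&M entry has no owner")
    return issues

def score(controls: list[Control], today: date) -> tuple[int, int, dict[str, list[str]]]:
    # Returns (declared score, evidence-validated score, findings keyed by requirement)
    declared = validated = MAX_SCORE
    report = {}
    for c in controls:
        issues = findings(c, today)
        if issues:
            report[c.req_id] = issues
        if c.declared != "Implemented":
            declared -= c.weight
            validated -= c.weight
        elif issues:                   # claimed but unsupported: validator removes the credit
            validated -= c.weight
    return declared, validated, report

TODAY = date(2025, 6, 30)            # fixed assessment date for a reproducible run
SAMPLE = [                           # constructed inventory; artifact names are made up
    Control("3.1.1", 5, "Implemented", [("ad-group-export.csv", date(2025, 3, 15))]),
    Control("3.5.3", 5, "Implemented", []),
    Control("3.3.1", 5, "Implemented", [("siem-config.pdf", date(2023, 11, 1))]),
    Control("3.14.2", 5, "Not Implemented", []),
]
DECLARED, VALIDATED, REPORT = score(SAMPLE, TODAY)   # -> 105, 95, three findings
```

The 10-point spread between the declared and validated totals is the evidence gap the rest of this page is about: nothing in the SSP changed, only the credit that the artifacts could actually support.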

The Prime Contractor Factor

Primes now require evidence-backed SPRS scores from their subs.

If a subcontractor’s score collapses, the prime’s eligibility can be affected.

Evidence has become supply-chain currency.

Closing the Gap with Deep Fathom

Deep Fathom’s Agentic AI keeps self-assessment honest:

  • Links every control to its live artifact.
  • Flags expired or unverifiable proof.
  • Tracks POA&M closure automatically.
  • Updates the SPRS readiness state continuously.

At CS5 East, attendees saw it in real time—scores adjusting as artifacts were verified.

Compliance becomes a living system, not a static document.

Better Together

RPOs and MSPs use Deep Fathom to automate what once took months. Instead of reviewing stale spreadsheets, they review agent-validated evidence. CMMC readiness becomes scalable, repeatable, and defensible across dozens of clients.

Conclusion

DFARS doesn’t demand perfection—it demands proof. Deep Fathom turns every control into a living claim with living evidence. When DIBCAC calls, your declared state already matches your real one.

More Rigor. Radically Less Effort.

Sources

  • DFARS 252.204-7019, 7020, 7021
  • DCMA DIBCAC, Top Assessment Reductions and Findings (2023)
  • CMMC-AB Industry Briefing, SPRS Score Integrity, FY2024 Trends
References (5 official sources)

Source | What it covers | Type
DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) | Notice clause that anchors annual NIST 800-171 score submission to SPRS — the auditability hook this article describes | Regulation
DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements) | Authorizes DoD-conducted Medium and High Assessments — the verification mechanism that closes the self-attestation gap | Regulation
NIST SP 800-171 Rev 2 | 110 security requirements — the underlying baseline whose scoring this article challenges | Standard
NIST SP 800-171A (Assessment Procedures) | 320 assessment objectives — the verification layer DIBCAC actually scores against | Standard
Supplier Performance Risk System (SPRS) | Supplier Performance Risk System — destination for self-assessment scores and the comparison point against DIBCAC results | Guidance