As a company that directly or indirectly serves the Department of Defense (DoD), especially if you store, handle, or process Controlled Unclassified Information (CUI), you are obligated to complete a security self-assessment against the 110 controls identified in NIST Special Publication 800-171. You must also calculate your score using the DoD's NIST SP 800-171 Assessment Methodology and upload that score to the DoD's Supplier Performance Risk System (SPRS). The DoD recently raised the stakes by announcing that contracting officers must consult SPRS for supplier risk when evaluating contract bids, and that includes the self-assessment result (the SPRS score) against the 110 NIST 800-171 controls. This post discusses the essential aspects of the SPRS score, how it affects your business, and the changes likely to come with the launch of the Cybersecurity Maturity Model Certification (CMMC).
Understanding Your SPRS Score
Necessity of an Accurate SPRS Score
Under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019, defense contractors handling CUI must submit an accurate SPRS score. CUI is information that requires safeguarding or dissemination controls under US federal law, regulation, or policy; it is not classified, but it matters to national security or to the functioning of a federal agency. The score must be calculated according to the DoD Assessment Methodology and must be no more than three years old. Accuracy matters because DFARS clause 252.204-7020 allows the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to conduct Medium or High assessments that verify and validate the score a company submitted.
The Significance of the SPRS Score
The SPRS score is a standardized measure of the security risk a contractor poses. The DoD and prime contractors consider SPRS scores when awarding contracts and forming bid teams, so higher scores are a competitive advantage. Having no SPRS score at all can sideline a company from current and future contracts. An inaccurate score exposes the company and its executives to penalties that go beyond lost contracts: the Department of Justice pursues misrepresented cybersecurity compliance under the False Claims Act.
Calculating and Submitting Your SPRS Score
To calculate your SPRS score, conduct a self-assessment against NIST 800-171 using the DoD's Assessment Methodology. You start at the maximum of 110 points and subtract the weight of every control your company does not fully meet; each control is weighted 5, 3, or 1 points depending on its importance, so the lowest possible score is -203. A control covered by an open Plan of Action and Milestones (POA&M) still counts as not met and still costs its full weight. Two controls, multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), carry a reduced 3-point deduction when partially implemented instead of their full 5. Develop a System Security Plan (SSP) and POA&Ms for the controls you do not fully meet today, then submit your score to SPRS, and keep that score current and accurate.
Improving and Maintaining Your SPRS Score
To strengthen your SPRS score, self-assess your organization against the 110 NIST 800-171 controls and identify the gaps in your security controls. The self-assessment gives you the score and tells you where you fall short. Next, create a System Security Plan (SSP) and POA&Ms for the controls your company does not fully meet today. Identifying gaps alone does not improve your score, and neither does writing a POA&M: every open item is still deducted until it is remediated. An SSP is mandatory, and you may submit a score with open POA&Ms, but the score only rises when you close them, so remediate what you can before submitting and resubmit an updated score as items are closed. Higher SPRS scores make your organization more attractive for contract opportunities.
CMMC 2.0 and SPRS Scores
The upcoming Cybersecurity Maturity Model Certification 2.0, a certification framework the DoD developed to better protect sensitive data across the Defense Industrial Base (DIB), will require most companies that handle CUI to obtain an independent third-party assessment to verify compliance with its requirements and the accuracy of their SPRS scores. Company executives will be held more directly accountable for the accuracy of the SPRS score under CMMC 2.0, because a senior official must personally affirm the reported score.
Tools to Simplify NIST 800-171 Assessment, Compliance, and SPRS Scoring
To streamline your compliance process, consider using Exostar's CMMC Ready Suite, which includes our Managed Microsoft 365, Certification Assistant, and PolicyPro products. Managed Microsoft 365 implements 85 of the 110 NIST 800-171 controls out of the box, accelerating the compliance journey. Certification Assistant guides you through a self-assessment, calculates your SPRS score, and generates your SSP with a click; it also lets you create POA&Ms for identified gaps. PolicyPro uses machine learning to evaluate and align your current policies against those required by the NIST 800-171 controls and the upcoming CMMC 2.0 requirements, or to create, review, and maintain compliant new policies from scratch. With these tools you can jump-start your compliance efforts, improve your organization's security posture, and enhance your chances of securing contracts within the defense industry.
Exostar can help you navigate compliance requirements and win DoD contracts
Understanding and maintaining an accurate SPRS score is crucial for companies in the DoD supply chain that store, process, or handle CUI. Compliance with DFARS 252.204-7012, 7019, and 7020, along with the upcoming CMMC 2.0 that will be tied to 7021, requires a strong focus on meeting the 110 NIST 800-171 controls and keeping your SPRS score up to date. By improving your organization's security and its SPRS score, you increase your chances of securing contracts and safeguard your business's future in the defense industry.