Blog

Is non-compliance blocking your Department of Defense (DoD) contract award? Protecting information is more important than ever, especially for the Defense Industrial Base (DIB). Get up to speed with NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) – specifically CMMC 2.0 – and the importance of compliance. This post will help you understand the details of a strong SPRS score and how it plays a crucial role in securing DoD contracts.  

NIST 800-171 Explained  

The National Institute of Standards and Technology (NIST) Special Publication 800-171 – more commonly referred to as NIST 800-171 – provides a set of cybersecurity requirements that must be implemented by nonfederal organizations handling Controlled Unclassified Information (CUI) on behalf of the U.S. federal government.  

The primary objective of NIST 800-171 is to protect CUI, which includes sensitive information such as personally identifiable information, financial data, and other types of sensitive government information. These requirements aim to establish a consistent level of security across nonfederal systems and organizations that interact with CUI.  

NIST 800-171 consists of 14 families of security requirements that cover a range of security controls, including:  

• Access Control: Establishing controls to limit system access to authorized individuals and devices.  
• Awareness and Training: Ensuring that personnel are adequately trained to recognize and respond to security threats.  
• Audit and Accountability: Implementing processes to monitor, record, and analyze system activity to detect security events.  
• Configuration Management: Managing and controlling system configurations to prevent unauthorized changes.  
• Identification and Authentication: Verifying the identity of users and devices accessing the system.  
• Incident Response: Establishing procedures to respond to and mitigate the impact of security incidents.  
• Maintenance: Ensuring that systems are properly maintained and updated to address security vulnerabilities.  
• Media Protection: Protecting and controlling access to media containing CUI, such as hard drives.  
• Personnel Security: Screening individuals with access to CUI to prevent unauthorized disclosure.  
• Physical Protection: Protecting the physical infrastructure that houses systems and information.  
• Risk Assessment: Conducting ongoing assessments of risks to the confidentiality, integrity, and availability of CUI.  
• Security Assessment: Regularly assessing and monitoring the effectiveness of security controls.  
• System and Communications Protection: Protecting the integrity and confidentiality of system communications.  
• System and Information Integrity: Monitoring and protecting systems from unauthorized access or tampering.  

Organizations that handle CUI must ensure that their systems meet the requirements outlined in NIST 800-171. Compliance with these requirements is typically required to enter into contracts or agreements with the DoD that involve handling CUI. A contract may come through a prime or another supplier, but as long as the contract is derived from DoD funding then NIST 800-171 applies. Non-compliance may result in the loss of contracts or legal consequences.  

The NIST-SPRS Connection  

DFARS 7019: Reporting Your Readiness

The Supplier Performance Risk System (SPRS) score is a standardized measure of a contractor’s security risk. You can learn more about how the SPRS scoring works here. The DoD and prime contractors consider SPRS scores when awarding contracts and forming bid teams, with higher scores providing a competitive advantage. Failure to have a SPRS score can sideline companies from current and future contracts. Inaccurate scores leave companies and their executives vulnerable to penalties beyond the loss of current and future contracts to prosecution under the Department of Justice’s False Claims Act.     

DFARS 7019, also known as “Notice of NIST SP 800-171 DoD Assessment Requirements,” requires companies to complete their basic self-assessments for compliance with NIST SP 800-171 controls, calculate their DoD Assessment Methodology score using the scoring guidelines, and report that score to the SPRS.     

DFARS 7024: Make Your SPRS Score Count

According to DFARS 7024, “Notice on the Use of the Supplier Performance Risk System,” contracting officers must consider all information on the SPRS to determine the level of item, price, and supplier risk. This assessment includes considering a company’s SPRS score, calculated by following the Department of Defense Assessment Methodology for compliance with NIST SP 800-171 controls. DFARS 7024 emphasizes the importance of a current and accurate SPRS score.    

DFARS and Exostar’s Ready Suite for CMMC 

Understanding and maintaining an accurate SPRS score is crucial for companies in the DoD supply chain that store, process, or handle CUI. Ensuring adherence to DFARS 252.204-7012, 7019, and 7020, as well as the soon-to-be-implemented CMMC 2.0 related to 7021, necessitates a significant commitment towards satisfying the 110 requirements of NIST 800-171 and maintaining a current SPRS score. By improving your organization’s security and SPRS score, you can increase your chances of securing contracts and safeguarding your business’s future in the defense industry.  

Exostar’s CMMC Ready Suite is the turnkey solution for companies that must work to achieve and maintain NIST SP 800-171 and CMMC 2.0 compliance, enabling them to remain viable and competitive in the defense industry. Exostar’s CMMC Ready Suite includes:    

• Exostar’s Managed Microsoft 365  offers necessary DoD cybersecurity requirements for storing, processing, and transmitting CUI. This tool implements 85 of the 110 NIST SP 800-171 controls required, enabling secure project collaboration.    
• Certification Assistant allows organizations to complete their self-assessment against NIST SP 800-171 controls, auto-calculate your SPRS score, and generate necessary documents like the System Security Plan (SSP) and Plans of Actions and Milestones (POA&Ms).    
• PolicyPro addresses policy creation and management for NIST SP 800-171 and CMMC with templates and AI-driven evaluation with guidance for improvements. Ensure your organization has robust and compliant policies in place by addressing the policy aspect of NIST 800-171 for all 110 controls.     
• Basic Assessment Services for NIST 800-171 and CMMC provide third-party assessments and gap analysis, providing your organization with a submission-ready NIST SP 800-171 Basic Assessment, including your SSP, POA&Ms, and SPRS score. 

Are there penalties for CMMC non-compliance?  

 The consequences for CMMC non-compliance may vary depending on the severity of the violations. Penalties include:   

• Loss of DoD Contracts: Non-compliance with CMMC requirements may result in the loss of existing DoD contracts or the inability to bid on new contracts until the compliance issues are resolved.  
• Fines and Monetary Penalties: Organizations found to be non-compliant may face financial penalties, which could be imposed by the government or as part of contractual agreements.  
• Termination of Agreements: Non-compliance can lead to contract termination and affect your organization’s ability to conduct business with the government.  
• Liability for Damages: In case of a cybersecurity breach or incident resulting from non-compliance, your organization may be held liable for damages and costs associated with the breach.  
• Legal Consequences: Serious cases of non-compliance, especially those involving deliberate negligence or intentional actions, may result in legal action.  
• Reputational Damage: Non-compliance can lead to negative publicity and damage to your organization’s reputation, potentially affecting business relationships beyond government contracts.  

Regulations and penalties can be modified over time. It’s important to stay updated and connect with cybersecurity experts to ensure your organization’s compliance and peace of mind. The team at Exostar is here to help. Connect with an expert to learn more.