NIST SP 800-171 Assessment Checklist
If you are preparing for your NIST 800-171 assessment, this checklist will help you organize your thoughts, understand CMMC scoring, and more. Download it for free today.
.jpg?ext=.jpg)
What Exactly is a SPRS Score?
If your organization handles, stores, or disseminates Controlled Unclassified Information (CUI), understanding SPRS scores could spell the difference between securing defense contracts or being left behind. SPRS, or Supplier Performance Risk System, is a scoring system used by the Department of Defense (DoD) that reflects an organization's compliance with NIST SP 800-171.
There are a few key reasons why you need to understand the SPRS platform and your organization’s score.If you are a prime contractor, meaning you work directly with/for the federal government, you must be compliant with NIST SP 800-171r2.
If you are a sub-contractor, all of the expectations of your prime flow down to you, meaning you also need to be compliant with NIST SP 800-171r2. This is documented in DFARS 252.204-7012. Subcontractors are now expected to have an up-to-date SPRS score (less than three years old).
Finally, many primes are beginning to demand minimum SPRS scores for any sub-contractor they agree to work with. To learn more about SPRS scores as they relate to sub-contractors, DFARS 252.204-7019 is a valuable document to cite and bookmark.
The SPRS score also will play a significant role once CMMC 2.0 becomes a reality.
Navigating Your SPRS Score Calculation
To calculate and submit an SPRS score, your organization needs to:
-
Develop a System Security Plan (SSP). This document is the roadmap showing how you will achieve NIST 800-171 compliance.
-
Conduct a self-assessment using the DoD's NIST SP 800-171 Assessment Methodology. You can score a perfect 100 or you can score as low as -230. Achieving a perfect 100, especially on an initial assessment, is difficult.
-
Submit your self-assessment score to DoD’s SPRS. There are many helpful resources on the SPRS website, including an FAQ, if you run into any problems.
-
Devise a Plan of Action & Milestones (POA&M) if your score is below 110, illustrating how and when security gaps will be filled.
Entering a SPRS score accurately is of the utmost importance. It can be tempting to exaggerate how well you performed, but in this case, honesty is the best path. A dishonest entry can result in heavy fines under the False Claims Act.
How SPRS Paved the Way for CMMC
Beginning in January 2018, companies were mandated to achieve compliance with NIST SP 800-171. Companies were to execute self-assessments and enter the score into SPRS. The expectation is the scores would be entered accurately. The DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) researched how companies were progressing and discovered that many of the 110 scores reported were not legitimate. That realization is what sparked the concept of third-party assessments, which is what CMMC is focused on now.
SPRS and CMMC: Interlinked
To achieve CMMC Level 2 certification, your organization should aim for a SPRS score of at least 88 after your internal preparation and self-assessments. There are a couple of important facts to remember. First, CMMC adds scoring to different NIST 800-171 controls. The 1-point controls must be met and cannot have a POAM (Plan of Actions & Milestones) applied to them. The rest of the controls are scored at either 3 or 5 points. It is also important to remember that if you do submit a POAM for an unmet control, you have to complete your work in 180 days. Companies do not get to take as much time as they may like to reach compliance once they have been assessed.
Questions?
It is important to understand how to enter your SPRS score and how to conduct a self-assessment if that is a route you choose to follow. One benefit of working with Smithers as your NIST 800-171r2 assessor is we will conduct partial assessments between CMMC certification and recertification even though only self-assessments will be required in those middle years. Our assessment will offer validation to your scoring as well as peace of mind.
Would you like to talk to us about NIST 800-171, assessments, and SPRS? Contact us today to learn more.