Posting an accurate self-assessment score to the Supplier Performance Risk System (SPRS) is the new DFARS requirement while the DoD finalizes its CMMC compliance standards.
Ever since NIST SP 800-171r2 requirements were published, businesses across the country who want to continue filling DoD contracts have been steadily updating their security controls in order to meet the regulations.
The rollout of regulations has been gradual. Businesses were first asked to self-assess and demonstrate that they had a plan in place for achieving the remaining milestones. However, in November a new DFARS clause was released stating that DoD suppliers, and any contractors supporting those suppliers to fill contracts, must demonstrate their level of NIST compliance by posting their self-assessment score to SPRS as a condition of landing new work or renewing existing contracts.
To find out your SPRS score, you can use this score sheet from the Office of the Undersecretary of Defense, which includes a list of each of the controls and their related value. After completing the assessment you must then post your score to SPRS, where it will be available to DoD personnel.
Completing the SPRS score sheet and finding your score can be more complicated than many businesses anticipate. Here are four things you should know about determining and posting your SPRS score before you get started.
1. Posting a score is better than no score.
Businesses taking the self-assessment can have scores ranging from −203 (meaning you’ve done nothing) to +110 (meaning you’ve done everything). Some businesses don’t know their score, or suspect that their score might be low, and have decided not to post their scores to avoid looking worse than their competition.
However, publishing your SPRS score is now a requirement in order to receive a DoD contract. Because of this, it is better to post your score, even if you’re worried that it may be low, than to have no score visible at all.
2. Your self-assessment score must be accurate.
If you don’t know your SPRS score, don’t just post a guess. Any score you post may be audited by the DoD, meaning you will need to show documentation that you have met each security control in order to justify your self-assessment. If you’ve made up a number based on what you think you’ve probably achieved, or if you fudged the numbers to have a higher score, it can land you in hot water.
3. If you’re working on your score, you need to have a System Security Plan (SSP) and a Plan of Action and Milestones (POAM) ready.
In order to complete the score sheet, you must first have an SSP and a POAM in place. Both of these documents are required to meet security standards, and some of the items are impossible to answer without them.
What is a System Security Plan (SSP)?
An SSP is an extensive document that details the scope of your computer network, as well as any key access points to that network, including users, other networks, IT providers, and cloud service providers. The SSP should also give an overview of how you are securing your system according to each NIST SP 800-171 requirement.
What is a Plan of Action and Milestones (POAM)?
For any point on your SSP where you haven’t met NIST requirements, you will need a POAM to record what steps need to be taken to meet those requirements, who in your organization will be in charge of overseeing the fulfillment of each step, and when your organization expects those steps to be completed.
Both an SSP and a POAM are detailed documents that usually require working with a security expert to complete. If you don’t have someone trained in compliance who can help you work on these documents, the BrightlineIT Compliance Team can help; contact us today!
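The two points above, the scoring in item 1 (a sheet of controls with point values, +110 when everything is met and −203 when nothing is) and the POAM requirement in item 3 (every unmet control needs recorded steps, an owner and a target date), can be checked mechanically. The following is an added example, not code from this post or from BrightlineIT: it scores a control sheet by subtracting each unmet control's value from the maximum, verifies whether a sheet is complete (the values on a full sheet must add up to 110 − (−203) = 313), and lists unmet controls that have no POAM row. The control identifiers are NIST SP 800-171 numbers, but the point values, partial-credit values and POAM rows are a constructed sample for illustration, not the official score sheet; take real values from the DoD score sheet.

```python
"""SPRS self-assessment helper (added example; not the post's or BrightlineIT's code).

Scores a sheet of NIST SP 800-171 controls the way the post describes the range
(+110 with every control met, -203 with none met) and checks that every control
that is not fully met has a POAM entry with steps, an owner and a due date.
Point values and POAM rows below are a constructed sample, not the official sheet.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

MAX_SCORE = 110                       # every control met (from the post)
MIN_SCORE = -203                      # no control met (from the post)
SHEET_TOTAL = MAX_SCORE - MIN_SCORE   # values on a complete sheet sum to 313


@dataclass(frozen=True)
class Control:
    control_id: str
    value: int                         # point value from the score sheet
    status: str                        # "met", "unmet" or "partial"
    partial_value: Optional[int] = None  # reduced deduction the sheet allows for
                                         # partial implementation, where it does


@dataclass(frozen=True)
class PoamEntry:
    control_id: str
    steps: str                         # what must be done
    owner: str                         # who oversees it
    due: date                          # when it is expected to be complete


def deduction(c: Control) -> int:
    """Points lost for a single control."""
    if c.status == "met":
        return 0
    if c.status == "partial" and c.partial_value is not None:
        return c.partial_value         # sheet grants partial credit for this control
    if c.status in ("unmet", "partial"):
        return c.value                 # no partial credit: full value is lost
    raise ValueError(f"unknown status {c.status!r} for control {c.control_id}")


def sprs_score(controls: List[Control]) -> int:
    """Start at the maximum and subtract every control's deduction."""
    return MAX_SCORE - sum(deduction(c) for c in controls)


def sheet_is_complete(controls: List[Control]) -> bool:
    """True only if the values add up to a full sheet; scoring a subset only
    demonstrates the arithmetic and is not a postable SPRS score."""
    return sum(c.value for c in controls) == SHEET_TOTAL


def missing_poam(controls: List[Control], poam: List[PoamEntry]) -> List[str]:
    """Controls that are not fully met and have no POAM row (must be fixed
    before the score sheet can honestly be completed)."""
    covered = {p.control_id for p in poam}
    return [c.control_id for c in controls
            if c.status != "met" and c.control_id not in covered]


# Constructed sample (a subset of the sheet; values are illustrative only).
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, "met"),
    Control("3.1.2", 5, "met"),
    Control("3.1.3", 1, "unmet"),
    Control("3.5.3", 5, "partial", partial_value=3),
    Control("3.13.11", 5, "unmet", partial_value=3),
]
SAMPLE_POAM = [
    PoamEntry("3.1.3", "Enforce flow-control rules at the boundary firewall",
              "Network lead", date(2021, 6, 30)),
    PoamEntry("3.5.3", "Extend MFA to remaining local accounts",
              "IT manager", date(2021, 4, 30)),
]

if __name__ == "__main__":
    print("score (subset, illustrative):", sprs_score(SAMPLE_CONTROLS))
    print("sheet complete:", sheet_is_complete(SAMPLE_CONTROLS))
    print("unmet controls without a POAM row:",
          missing_poam(SAMPLE_CONTROLS, SAMPLE_POAM))
```

Run against the sample, the subset scores 101 (110 minus 1, 3 and 5), `sheet_is_complete` reports False because only five controls are listed, and `missing_poam` flags 3.13.11, which is unmet but has no POAM row. The `sheet_is_complete` check is there deliberately: a score computed from a partial list is exactly the kind of guess item 2 warns against posting.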
4. NIST can be a to-do list, but CMMC requires everything to be checked off.
Achieving NIST SP 800-171 compliance can be a work in progress. So long as you are demonstrating that your business has achieved certain security measures and is working toward achieving the rest, you can continue filling contracts along the way.
However, it is only a matter of time before the DoD rolls out the new CMMC requirements, and by that time, businesses who want to continue working with the government must have fulfilled all these security steps. Prioritizing NIST compliance now places your business in a position to continue handling government contracts later, without having to scramble at the last minute to meet the new standards.
Work with a NIST or CMMC consultant to ensure you meet compliance standards.
The NIST and CMMC compliance standards set a high bar for cybersecurity. Because of this, many businesses will struggle to meet these standards without expert assistance. In some cases, working with an expert who has received training in these standards may be required.
It’s better to contact specialists for help early in the process, rather than put compliance work off because you’re stuck and don’t know what to do next. Working with a cybersecurity and compliance specialist from the onset not only prevents you from wasting hours of time trying to decipher these standards on your own, it’s also the best way to make sure you are fully compliant.