The purpose of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is to protect Controlled Unclassified Information (CUI) in nonfederal systems and organizations.
Businesses that want to fulfill Department of Defense (DoD) contracts must have their security controls in compliance with NIST SP 800-171 to meet the regulations. Demonstrating that compliance is accomplished through the Supplier Performance Risk System (SPRS).
So, what do government contractors, or organizations who want to start contracting, need to know about SPRS?
What is the Supplier Performance Risk System (SPRS)?
The SPRS (pronounced “spurs”) provides storage and retrieval capabilities for specific NIST SP 800-171 details (SPRS, 2022). It is the authoritative source for gathering supplier and product performance information (PI) assessments for the DoD acquisition community to identify, assess, and monitor unclassified performance (DoDI 5000.79).
Empower your company with CMMC knowledge. This guide covers the process, benefits, maturity levels, and how to prepare for your CMMC audit.
What is a SPRS Assessment?
As of November 30, 2020, the Defense Federal Acquisition Regulation Supplement (DFARS) requires an accurate self-assessment of your Supplier Performance Risk System (SPRS) score if you are awarded a task order, delivery order, or an option period of performance.
This requirement is necessary to maintain security compliance as the DoD reviews the upcoming Cybersecurity Maturity Model Certification (CMMC) compliance standards.
What is a SPRS Score?
The SPRS score, also called the summary level score, indicates a government contractor’s progress toward implementing the NIST SP 800-171 security controls. A score submitted to the SPRS gives the DoD an assessment of the contractor’s implementation of this framework.
What is the max SPRS Score?
The highest score you can receive is 110. Each security control has a value attached to it: 1, 3, or 5. These values are deducted from the max score (i.e., 110) if the requirement is not met. The lowest score your business can get is -203. This is the equivalent of having no security controls in place.
Pro Tip: Do not avoid posting your score for fear that you will pale in comparison to your competitors. It is best to post your score because it is a requirement for DoD contracts. It is better to have a visible score than none. In fact, contractors and subcontractors must post a score indicating their progress toward NIST 800-171 compliance before contract award or renewal of an existing contract.
How are SPRS Scores Calculated?
Scores can be calculated using the NIST SP 800-171 DoD Assessment Scoring Template. This is a tedious process that requires a strong understanding of information technology solutions to arrive at an accurate score.
The self-assessment is time intensive. It requires a thorough assessment of your security controls, an analysis of your System Security Plan, and Plan of Action and Milestones documentation to back it up.
Pro Tip: Always post an accurate score. You may be audited by the DoD, and an audit will require documentation showing you have met each security control. Inaccurate scores, whether intentional or not, can put you on the hot seat. It’s bad for business.
What You Need if You’re Improving Your Score
It’s perfectly acceptable if you’re currently working on improving your SPRS score. That said, there are two documents you will need to complete before submitting your score sheet: the Plan of Action and Milestones (POA&M) and the System Security Plan (SSP).
What is a System Security Plan (SSP)?
The SSP is a document that covers the scope of your computer network. It needs to provide a comprehensive overview of how you are securing your systems according to NIST SP 800-171 requirements – including the CUI environment, controls to protect CUI, and associated cybersecurity requirements.
The SSP should reflect how CUI is being protected because this is a critical focus for both NIST 800-171 and CMMC. Information to cover includes:
- The types of CUI your business handles.
- What you do with the CUI.
- How you store, process, and transmit the CUI.
- The controls in place to protect the CUI.
- Known gaps in your compliance.
Key access points to the network that should be noted are:
- Users
- IT providers
- Cloud service providers
- Other networks
What is a Plan of Action and Milestones (POA&M)?
As you’re creating your system security plan, make note of any NIST requirements that are not fulfilled. These items will require a POA&M to record:
- The steps that need to be taken to meet the requirements.
- Who in your organization will ensure that each requirement is fulfilled.
- When each requirement is expected to be completed.
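The scoring rule from the “How are SPRS Scores Calculated?” section and the three POA&M fields listed above can be tied together in a small calculator. The following is an added example, not code from the article or from DoD/SPRS: it starts at 110, deducts the weight (1, 3 or 5) of every requirement that is not implemented, rejects weights outside that set, checks the result stays within the −203 to 110 range, and emits a POA&M row (what, who, when) for each gap. The requirement identifiers, descriptions and weights in `SAMPLE` are constructed placeholders, not the official NIST SP 800-171 DoD Assessment Methodology values; substitute the real catalog from the scoring template when using this for an actual self-assessment.

```python
"""SPRS summary-level score calculator with POA&M output.

Added example; not from the article or from DoD/SPRS. Applies the rule
the article states: begin at 110 and deduct each unmet requirement's
weight of 1, 3 or 5. The requirement list below is a constructed sample;
its identifiers and weights are NOT the official assessment values.
"""
from dataclasses import dataclass

MAX_SCORE = 110            # every one of the 110 requirements implemented
MIN_SCORE = -203           # nothing implemented (110 minus the sum of all weights)
ALLOWED_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Requirement:
    control_id: str        # placeholder id; the real catalog uses 3.x.y numbering
    description: str
    weight: int            # points deducted if the requirement is not met
    implemented: bool
    owner: str = ""        # POA&M: who will close the gap
    due: str = ""          # POA&M: target completion date (YYYY-MM-DD)


def calculate_score(reqs):
    """Return (score, unmet): the summary-level score and the gaps for the POA&M."""
    score = MAX_SCORE
    unmet = []
    for r in reqs:
        if r.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{r.control_id}: weight {r.weight} is not 1, 3 or 5")
        if not r.implemented:
            score -= r.weight
            unmet.append(r)
    # A full 110-requirement catalog can never leave this range; anything
    # outside it means the input list or weights are wrong.
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside [{MIN_SCORE}, {MAX_SCORE}]; check the input")
    return score, unmet


def poam_rows(unmet):
    """One POA&M line per unmet requirement: what, weight, who, when."""
    return [
        (r.control_id, r.description, r.weight, r.owner or "UNASSIGNED", r.due or "TBD")
        for r in unmet
    ]


# Constructed sample assessment (placeholder ids and weights, not real data).
SAMPLE = [
    Requirement("S-01", "Limit system access to authorized users", 5, True),
    Requirement("S-02", "Multifactor authentication for privileged accounts", 5, False,
                owner="IT lead", due="2024-09-30"),
    Requirement("S-03", "Retain audit logs for the required period", 3, False,
                owner="SecOps", due="2024-08-15"),
    Requirement("S-04", "Insider-threat awareness training", 1, False),
    Requirement("S-05", "Encrypt CUI on mobile devices", 3, True),
]

if __name__ == "__main__":
    score, gaps = calculate_score(SAMPLE)
    print(f"SPRS summary-level score: {score}")   # 110 - 5 - 3 - 1 = 101
    for row in poam_rows(gaps):
        print("POA&M:", row)
```

Unassigned owners and missing dates are flagged as `UNASSIGNED` and `TBD` rather than silently dropped, so an incomplete POA&M is visible before the score is posted.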
These are extensive documents that often require working with an expert compliance professional to complete – either with your in-house security team or a sophisticated managed service provider (MSP).
Prioritize NIST 800-171 Now for Government Contracts Later
Think of NIST SP 800-171 as the requirement preparation checklist for your organization. Its requirements are the security elements your organization needs in place to earn contracts. Achieving a 110 SPRS score puts your organization in the best position for the future.
When the CMMC assessment arrives, everything needs to be checked off your “to-do” list. This will allow you to continue handling government contracts.
If you don’t have a perfect SPRS score, prioritize NIST 800-171 to set your organization up for success for when CMMC rolls out. Set realistic goals to complete your requirements but aim to complete them within 9 to 12 months.
Contact us anytime if you need white glove IT services for your small business.