As you may well know any business seeking to work with the Department of Defense or file contracts with them will have to become NIST 800-171 compliant in order to do so.
NIST 800-171 was created to provide a standardized set of controls for business to implement in order to better protect controlled unclassified information (CUI). Due to the increase in large scale cyber-attacks made against critical infrastructure it is important that the private sector works congruently with the federal government to increase the nation's overall security posture.
NIST 800-171 seeks to facilitate this agreement and the new CMMC model will be implemented into contracts come May of 2023. Now more than ever it is important for your business to know where your gaps are and what needs to be done to patch them. DFARS requires a SPRS score for every organization seeking to work with the DOD and become CMMC compliance. If you have no idea what a SPRS score is then continue reading for more information!
SPRS stands for "Supplier Performance Risk System" and is a platform that provides storage and access to your organizations NIST 800-171 scoring. Any organization with existing contracts or contracts they plan to bid on in the future must conduct a self assessment of their NIST 800-171 compliance and submit their score to SPRS. Remember, this score is required for both existing and new contracts. The Office of the Undersecretary of Defense has provided a score sheet you can use to find out what your SPRS score is. This score sheet includes all of the required NIST 800-171 controls and what they are valued at.
Organizations that conduct a self-assessment can have a score ranging from -203 to a maximum of +110. Scoring 110 points means that you have done everything needed to become compliant, conversely -210 means you have done absolutely nothing. Many organization may be tempted to guess or overestimate their compliance and submit a score higher than what may be reality. It is advised that your self-assessment is honest and all-encompassing, errors in your reporting can lead to trouble including loss of contracts, loss of money, and even legal action. Even if you believe your score is low it is worth submitting it to see where you need to improve in the future.
Other documentation is required to complete an accurate score sheet for SPRS including an SSP as well as a POAM. An SSP, or "System Security Plan", is a document that details the entire scope of your network. This includes your access points, users, servers, and other networks within your IT infrastructure. This SSP will also include descriptions of how you are going to apply NIST 800-171 to your network. Additionally, your organization will need to submit a plan of action and milestones (POAM) to SPRS. A POAM records any gap in your compliance that may impact your score and how your organization plans to remediate these gaps.
Submitting an accurate SPRS score is crucial if you are seeking to become CMMC compliant now or in the future. Let CorpInfoTech help you become as complaint as you can when it comes time to submit your score to SPRS.