On September 29, 2020, the Department of Defense (DoD) released an interim rule to begin the implementation of its Cybersecurity Maturity Model Certification (CMMC) framework. The majority of the interim rule focuses on new requirements for confirming that contractors are currently in compliance with the 110 security controls of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171). The new assessment requirements surrounding the Supplier Performance Risk System (SPRS) were the source of many questions this past month. In fact, we have questions too.
Here are some of our favorite questions:
What is the November 30th deadline all about?
Beginning on November 30, 2020, contracting officers will have to confirm that an organization has an active SPRS Assessment in the system before awarding a new contract or exercising an option under an existing contract where the contractor or offeror is required to implement NIST 800-171. The requirement on offerors is that they must have a current (not older than three years) assessment on record in SPRS.
November 30, 2020 is not a deadline. It’s the date the interim rule becomes effective.
How do you pronounce SPRS? “Spurs” like cowboy spurs? Or “Spears” like Britney Spears?
I like Spurs, but I hear S-purs quite a bit.
I’m a defense contractor. Do I need to do anything before Hell Year 2020 is over?
If you handle Controlled Unclassified Information (CUI) and would like to be considered for a contract (or if other contract action is occurring), conduct a self-assessment and submit your score to SPRS.
What’s the difference between Basic, Medium, and High Assessments?
DoD Assessments may be conducted at one of three levels: (1) Basic, (2) Medium, and (3) High. Basic is the self-assessment. Medium and High assessments are performed by the Government.
Any of those three assessments may be utilized in SPRS, and you can volunteer to have the government come out and assess your environment. A Basic self-assessment is all that is required under the interim rule.
Are there exceptions to the Basic Assessment requirement?
The Basic Assessment requirement only applies to those with a “Covered Contractor Information System” under DFARS 252.204-7012. Basically, if you have CUI then this requirement applies. If you do not, then the requirement does not apply.
How does the scoring work?
Everybody starts with a score of a 110. The DoD has weighted each requirement from 1-5. For each requirement that is not implemented you subtract the appropriate points. The highest score is 110. The lowest score is -210. (Yes, that’s a negative number!)
108 of the 110 requirements require full implementation to get credit. For 3.5.3 (Multifactor Authentication) and 3.13.11 (FIPS-Validated Cryptography), there exists the potential to get partial credit.
The score is a snapshot of your security posture on the day you enter it. Scores can be improved, revisited, and updated.
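The scoring rules above (start at 110, subtract each unimplemented requirement's weight, partial credit only for 3.5.3 and 3.13.11) as an added self-assessment scorer; this is example code, not part of the original post or of the DoD methodology. The requirement weights and partial-credit deductions in it are constructed sample values; the authoritative figures come from the NIST SP 800-171 DoD Assessment Methodology.

```python
from typing import Dict, List, Tuple

MAX_SCORE = 110    # every assessment starts here
MIN_SCORE = -210   # floor when nothing in the full 110-requirement table is implemented
PARTIAL_CREDIT_ALLOWED = {"3.5.3", "3.13.11"}  # the only two requirements eligible for partial credit

# Constructed sample weights (each 1-5 points); NOT the official table.
SAMPLE_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.5.3": 5, "3.13.11": 5, "3.8.9": 1, "3.14.2": 3,
}
# Assumed partial-credit deductions for the two eligible requirements (sample values).
SAMPLE_PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# Status values: "implemented", "partial", "not_implemented".
# A requirement missing from the status map is treated as not implemented.
SAMPLE_STATUS: Dict[str, str] = {
    "3.1.1": "implemented", "3.1.2": "not_implemented",
    "3.5.3": "partial", "3.13.11": "not_implemented", "3.8.9": "implemented",
}


def deductions(weights: Dict[str, int], status: Dict[str, str],
               partial_deduction: Dict[str, int]) -> Dict[str, int]:
    """Return the points lost per requirement, validating weights and partial-credit use."""
    lost: Dict[str, int] = {}
    for req, weight in weights.items():
        if not 1 <= weight <= 5:
            raise ValueError(f"{req}: weight {weight} is outside the 1-5 range")
        s = status.get(req, "not_implemented")
        if s == "implemented":
            continue
        if s == "partial":
            if req not in PARTIAL_CREDIT_ALLOWED:
                raise ValueError(f"{req}: no partial credit; it must be fully implemented")
            lost[req] = partial_deduction[req]
        elif s == "not_implemented":
            lost[req] = weight
        else:
            raise ValueError(f"{req}: unknown status {s!r}")
    return lost


def compute_sprs_score(weights: Dict[str, int], status: Dict[str, str],
                       partial_deduction: Dict[str, int]) -> int:
    """Start at 110 and subtract every deduction; the result must stay within [-210, 110]."""
    score = MAX_SCORE - sum(deductions(weights, status, partial_deduction).values())
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def prioritized_gaps(weights: Dict[str, int], status: Dict[str, str],
                     partial_deduction: Dict[str, int]) -> List[Tuple[str, int]]:
    """Gaps sorted by points at stake, highest first, to guide remediation planning."""
    lost = deductions(weights, status, partial_deduction)
    return sorted(lost.items(), key=lambda kv: kv[1], reverse=True)
```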
Is a third party assessment or audit required in order to get the Basic Assessment done?
Nope. The Basic Assessment is a self-assessment.
I’m the one responsible for giving my company their grade in the SPRS. Should I be more “Easy A” or “Type A”?
Neither. Use the required methodology: NIST SP 800-171 DoD Assessment Methodology, Version 1.2. It’s how assessments of a contractor’s implementation of NIST SP 800-171 are supposed to be performed.
I am ready to start entering my Basic Assessment information. Anything I need to know before I start?
If you got to this point, you are doing well. For those that have not yet registered, it can be an adventure. Remember when trying to register in PIEE, you register as a vendor, not a contractor. Yes, it’s confusing.
PIEE stands for Procurement Integrated Enterprise Environment. Before you input a Basic Assessment score, you have to register in PIEE.
There are 10 General Steps for a vendor to follow to use PIEE. They are:
Step 1. Register with the System for Award Management (SAM). (This is a mandatory step.)
Step 2. Establish an Electronic Business (EB) Point of Contact (POC) in SAM. (This is a mandatory step.)
Step 3. Ensure CAGE Code is added to the Procurement Integrated Enterprise Environment Vendor Group Structure. (This is a mandatory step.)
Step 4. Establish an Organizational Email Address. (This is a WAWF-only step.)
Step 5. Designate a Contractor Administrator (CAM). (This is a mandatory step.)
Step 6. Determine whether batch feeds for data input are necessary. (This is a WAWF-only step.)
Step 7. Set up PCs to Access applications in Procurement Integrated Enterprise Environment.
Step 8. Self-Register CAM. (This is a mandatory step – there must be a CAM to activate vendors.)
Step 9. Have all users for the CAGE Code(s) self-register on the Procurement Integrated Enterprise Environment web site for one of the available Vendor Roles.
Step 10. Complete the Web Based Training for the applications you will use in Procurement Integrated Enterprise Environment.
Is the SPRS score also my CMMC score?
No, but since CMMC is mainly based on NIST SP 800-171 it will give you a pretty good idea of where you stand vis-à-vis the CMMC capability requirements. If you are doing well, awesome! Now go work on those processes.
I am not a government contractor and do not have any CUI, but someone is asking me to enter my Basic Assessment score in SPRS.
If you are not a government contractor you will not be able to enter a score in SPRS. You need a CAGE code.
If you are a DoD contractor, but don’t have any CUI, then the DoD does not require you to enter a score into SPRS.
You will have to work with whomever is asking you to make sure that you are meeting their requirements.
Contact Sera-Brynn at www.sera-brynn.com or info@sera-brynn for more information on our services, including assessment support and our CHECKLIGHT™ subscription service for the defense industrial base.