Summary: You must choose the SPRS assessment scope when submitting Basic Assessment results to the SPRS. This article discusses the assessment scope in detail and how you should select one of the three scopes for your assessment.
The US Department of Defense often updates its rules related to National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 compliance. One such update, the Interim Rule, came from the DoD on September 29, 2020, and included some additional requirements for assessing the compliance of DoD contractors with NIST 800-171.
Under this Interim Rule, DoD contractors are required to generate a summary score by using the NIST SP 800-171 Assessment Methodology. After generating the score, the contractors should upload it to SPRS (Supplier Performance Risk System), a DoD enterprise application.
The Basic Assessment results uploaded to SPRS must include the following key information:
- Date of Assessment
- Assessment Score
- SPRS Assessment Scope
- Expected Date of Completion (Plan of Action)
- Commercial and Government Entity Codes (CAGEs)
In this article, I will discuss what the SPRS assessment scope is and how to include it in the Basic Assessment results.
SPRS Assessment Scope
The SPRS score of your organization can fall into one of three categories: enterprise, enclave, or contracts. The SPRS Assessment Scope of your organization depends on various factors, including organizational structure, CAGE hierarchy, and current DoD contracts.
If you have only one CUI environment for your entire organization, then you will choose the enterprise option. This scope covers the entire network of a company with the listed CAGE code.
Companies whose assessments address one of multiple environments within their organization are required to choose the enclave option. The enclave scope covers each environment under the CAGE code as a single business unit. Examples of these environments are a test enclave or hosted resources.
If your assessment is related only to a single contract, then you should choose the contracts option in the SPRS Assessment Scope field. This scope is for an SSP review specific to a contract.
The Basic Assessment of your organization will fall into one of the above-mentioned categories. Selecting one of these three scopes is a primary requirement for submitting your Basic Assessment results.
You can submit the results to the SPRS through your SPRS account or by email. The most convenient method is to submit the results directly in SPRS. If you are unable to do so, you can use the second option and submit the results over email.
Conclusion
The Interim Rule published by the DoD requires every contractor to ensure its NIST SP 800-171 compliance by uploading its Basic Assessment results to the SPRS. One of the primary requirements for uploading the results is choosing the SPRS Assessment Scope. There are three scopes in this field, and you are required to choose one of them. Your assessment should fall into one of these three scopes: enterprise, enclave, or contracts.