Summary: The SPRS self-assessment is a primary requirement under the new rules set by the Department of Defense (DoD). The contractors must have to submit a self-assessment score to the SPRS to ensure their NIST 800-171 compliance.
The DoD has outlined a new set of rules in a proposal published in the Federal Register. These rules are proposed to be added in the DoD Federal Acquisition Regulation Supplement (DFARS) as clauses. These new rules have been effective from November 30, 2020. These new rules have two basic requirements including: -
- Performing SPRS Self-Assessment related to Cybersecurity under the NIST 800-171 Assessment Methodology.
- Submitting required information through the Supplier Performance Risk System (SPRS)
The SPRS is a warehouse of shared data related to the performance of the suppliers on their ongoing and completed DoD contracts/projects. The information that is needed to be submitted through the SPRS includes the name of the system security plan, CAGE codes, Description of plan architecture, assessment date, total score, and date of the achieved score (110).
SPRS Self-Assessment under the NIST 800-171 Assessment Methodology
The Office of Secretary of Defense published the NIST 800-171 Assessment Methodology back in November 2019. Here are some of the main points that are needed to be covered under this methodology for SPRS self-assessment: -
- The IT System Security Plan (SSP) of every DoD contractor must include each facet covered by a CAGE code.
- The evaluation of each SSP is based on a rubric having a maximum score of 110.
- 110 is the maximum security level that means the contractors have implemented robust policies and regulations in terms of cybersecurity.
- There is a possibility of a negative score as 110 controls in the 800-171 framework carry different scores. For example, 42 controls carry 5 marks, 14 controls carry 3 marks, and 54 controls carry 1 mark.
- A contractor will get a zero mark if it will not implement an SSP.
The basic SPRS self-assessment deals with the evaluation of compliance with all 110 controls under the NIST 800-171 framework. On some occasions, the DoD asks for the submission of self-assessment results immediately. The contractors can take the services of an expert to get things done quickly related to the SPRS self-assessment. These experts have developed strategies to give a preliminary score to a contractor very quickly.
After generating a basic self-assessment score, the contractors are required to submit it via the SPRS. There are some important requirements for getting access to the SPRS. A contractor must have a CAC card or an ECA certificate to get this access. They have to create a PIEE account in this regard by fulfilling various requirements. The contractor must have to appoint a contractor administrator (CAM) to get registered on PIEE. The CAM must be authorized by the Electronic Business point of contact (EB POC). After getting approval of your application to access PIEE, you can enter the SPRS. You have to follow some instructions available on the official website of the SPRS to submit your self-assessment score. However, this SPRS self-assessment score is deemed as a basic, or low confidence assessment score. After submitting this score, a contractor has to implement a medium or high-level assessment related to the DoD 800-171 compliance. The basic score can also be submitted through encrypted email to webptsmh@navy.mil. However, an ECA certificate is still required to follow this submission method.