The purpose of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is to protect Controlled Unclassified Information (CUI) in nonfederal systems and organizations.
Businesses who want to fill Department of Defense (DoD) contracts must have their security controls in compliance with NIST 800-171 to meet the regulations. This is carried out with the Supplier Performance Risk System (SPRS).
So, what do government contractors, or organizations who want to start contracting, need to know about SPRS?
What is the Supplier Performance Risk System (SPRS)?
The SPRS (pronounced “spurs”) supplies storage and retrieval capabilities for specific NIST SP 800-171 details (SPRS, 2022). It is the authoritative source to gather supplier and product performance information (PI) assessments for the DoD acquisition community to use in identifying, assessing, and monitoring unclassified performance (DoDI 5000.79).
What is a SPRS Assessment?
As of November 30, 2020, the Defense Federal Acquisition Regulation Supplement (DFARS) requires an accurate self-assessment of your Supplier Performance Risk System (SPRS) score if you are awarded a task order, delivery order, or an option period of performance.
This requirement is necessary to maintain security compliance as the DoD reviews the upcoming Cybersecurity Maturity Model Certification (CMMC) compliance standards.
Related content: Discover why you shouldn’t “wait and see” regarding CMMC.
What is a SPRS Score?
The SPRS score, also called summary level score, helps identify a government contractor’s progress toward implementing the NIST SP 800-171 security controls. A score sent to the SPRS gives the DoD an assessment of their application of this framework.
What is a Good SPRS Score?
The highest score you can receive is 110. Each security control has a value attached to it: 1, 3, or 5. These values are deducted from the max score (i.e., 110) if the requirement is not met. The lowest score your business can get is -203. This is the equivalent of having no security controls in place.
Pro Tip: Do not avoid posting your score in fear that you will pale in comparison to your competitors. It is best to post your score because it is a requirement for DoD contracts. It is better to have a visible score than none. In fact, contractors and subcontractors must post a score showing their progress toward NIST 800-171 compliance before contract award or renewal of an existing contract.
How are SPRS Scores Calculated?
Scores can be calculated by using the NIST SP 800-171 DoD Assessment Scoring Template. This is a tedious process that requires a strong understanding of information technology solutions to gain an exact score.
The self-assessment is time intensive. It requires a thorough assessment of your security controls, analysis of your system security plan, and having a plan of action and milestone documentation to back it up.
Pro Tip: Always post a correct score. You may be audited by the DoD. If you are, this will require documentation showing you have met each security control. Inaccurate scores, intentional or not, can put you on the hot seat. It’s bad for business.
What You Need if You’re Improving Your Score
It’s perfectly acceptable if you’re currently working on improving your SPRS score. That said, there are a couple of things that you will need to complete before submitting your score sheet: the Plan of Action and Milestones (POA&M) and System Security Plan (SSP).
What is a System Security Plan (SSP)?
The SSP is a document that covers the scope of your computer network. It needs to supply a comprehensive overview of how you are securing your systems according to NIST SP 800-171 requirements – including the CUI environment, controls to protect CUI, and associated cybersecurity requirements.
The SSP should reflect how CUI is being protected because this is a critical focus for both NIST 800-171 and CMMC. Information to cover includes:
- The types of CUI your business handles
- What you do with the CUI
- How you store, process, and transmit the CUI
- The controls in place to protect the CUI
- Known gaps in your compliance
Key access points to the network that should be noted are:
- IT providers
- Cloud service providers
- Other networks
What is a Plan of Action and Milestones (POA&M)?
As you’re creating your system security plan, note any NIST requirements not fulfilled. These items will require a POA&M to record:
- The steps that need to be taken to meet the requirements
- Who in your organization will ensure that each requirement is fulfilled
- When each requirement is expected to be completed
These are extensive documents that often require working with a security expert to complete – either with your in-house security team or managed security service provider (MSSP), like Aligned Technology Solutions.
Prioritize NIST 800-171 Now for Government Contracts Later
Think of NIST SP 800-171 as your requirement preparation checklist for your organization. They are the security elements your organization needs in place to earn contracts. Achieving a 110 SPRS score puts your organization in the best position for the future.
When the CMMC assessment arrives, everything needs to be checked off your “to-do” list. This will allow you to continue handling government contracts.
If you don’t have a perfect SPRS score, prioritize NIST 800-171 to set your organization up for success for when CMMC rolls out. Set realistic goals to complete your requirements but aim to complete them within 9 to 12 months.
Revolutionize Your Approach to IT & Cybersecurity
Sign up to receive expert insights delivered straight to your inbox every month, and start turning your IT into a strategic asset.
Related content: What is CMMC Compliance? Experts Answer Your CMMC Questions