Department of Defense (DOD) suppliers were notified at the end of September about the new DFARS Interim Rule designed to collect NIST 800-171 assessment scores from all DOD contractors through submittal to the Supplier Performance Risk System (SPRS). As mentioned in a previous blog post, starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DOD assessment score and upload it to the SPRS by November 30th. As of December 1st, the DFARS Interim Rule has become law, reinforcing suppliers' need to submit their NIST 800-171 assessment score to the government to avoid lost DOD revenue.
The CyberSheath team works with our clients to ensure they meet all DOD cybersecurity requirements and, to that end, has assisted our clients in the submittal of their assessments to the SPRS. To help suppliers navigate a potentially overwhelming process, we have created a step-by-step guide showing how to successfully create an account and submit your assessment score to the government.
Step-by-Step Guide to SPRS Assessment Submittal
Step 1: Set up Your Account
First, visit the PIEE website. Click the REGISTER button on the top right of the screen.
Next, accept the Privacy Act Statement and Terms and Conditions.
Select VENDOR from the options.
If your company has a Common Access Card or Certificate, you can choose this option from the drop-down menu. However, you can choose User ID\Password if you do not have the other information readily available.
Enter your security questions.
Provide your name and contact information.
Enter supervisor (not required) and company contact information.
Step 2: Access the Supplier Performance Risk System (SPRS)
Select SPRS (Supplier Performance Risk System) from the drop-down menu.
Step 3: Select SPRS Cyber Vendor User
Step 4: Add Roles
Next, click ADD ROLES. You will see a line at the bottom with a LOCATION CODE field. This is where you will enter the CAGE code for your company.
Enter your CAGE code. If you have multiple CAGE codes, you will need to repeat Step 3 to add those additional lines.
Enter the justification for your account. Attachments are used for justification and/or identification. However, do not attach your self-assessment here.
Step 5: Complete the Agreement
From here you will need to complete the Agreement portion of the application. You should receive approval for your account promptly after completion. If you do not have a CAGE code, or if your CAGE code has not been registered with an in-use DOD contract, you may not be able to successfully create an account. If you run into this issue or your company has never won a contract, you can submit your self-assessment to firstname.lastname@example.org. *NOTE* Remember to submit your self-assessment via encrypted email.
Step 6: Admin Approval of CAGE Code
Once you register, the admin who is linked to the CAGE code will have to approve your account.
If you are not the Contract Administrator of the CAGE code and are unsure who that person is, you can look it up by going to the PIEE homepage and selecting FIND MY ACCOUNT ADMINISTRATOR from the NEED HELP WITH YOUR ACCOUNT? menu.
On the next screen, enter your CAGE code under LOCATION CODE. Do NOT select any options from the APPLICATION or ROLE options. After the CAGE code has been entered, type in the numbers from the CAPTCHA image and click SUBMIT.
The next screen will show who the Administrator of the CAGE code is and who you will need to contact for account approval. If no Administrator has been linked to the CAGE code, you will need to contact PIEE support (1-866-618-5988) to get that provisioned.
You have successfully created your account. Once the account registration is approved by the CAGE code administrator, you are ready to submit your score.
Step 7: Submit Your Assessment Score
Now that you have an account, go to the PIEE website and click LOG IN.
Select the SPRS Icon. Then select NIST SP 800-171 Assessment from the options.
You will need to select the company name at the desired level (BASIC will be the most common unless your company went through an audit consisting of Government personnel). Once selected, click ADD NEW ASSESSMENT from the menu.
Enter assessment details and click SAVE.
You have successfully submitted your assessment, meeting the requirements under the DFARS rule, and can now begin working toward your Plans of Action and Milestones (POAM).
If you have not done a NIST 800-171 assessment and do not know your score, we are here to help. Please do not hesitate to reach out with any questions or to talk through a project plan to avoid penalties and remain competitive in the DOD acquisition process.