Supplier Performance Risk System (SPRS) Submission: Getting It Done Correctly, For the Long Haul

By Eric Noonan • January 27, 2021

The Department of Defense (DoD) suppliers were notified at the end of September about the new DFARS Interim Rule designed to collect NIST 800-171 assessment scores from all DoD contractors through submittal to the Supplier Performance Risk System (SPRS). As mentioned in a previous blog post, starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th. As of December 1st, the DFARS Interim Rule has become law reinforcing suppliers need to submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The Rush to Submit to SPRS

SPRS submission is being enforced and contractors are being told “no submission, no contract.” In just these first few weeks of 2021 CyberSheath has taken on several customers with incredibly short timelines on SPRS submission either because they didn’t believe that the requirement would be enforced or did not know it existed. The result has been a mad scramble of resources (both on their side and ours) to ensure that DoD revenue was not denied due to failure to conduct, score and submit the required NIST 800-171 gap assessment and related details. These contact us submissions are coming in regularly and with varying degrees of urgency, but the common thread is that “our contracting officer is refusing to take action without an SPRS submission.” 

For the remaining thousands upon thousands of defense contractors who have yet to move positively towards SPRS submission, NIST 800-171 compliance or CMMC at any level, rest assured it will be more cost-effective and sustainable to get started now. Having a contract award delayed because of SPRS assessment scoring submission is entirely avoidable. Correctly addressing compliance, with the endgame of CMMC in mind, rather than a one-off SPRS contracting hurdle, proves to be the better business decision. 

Even before the SPRS requirement, Cybersecurity Maturity Model Certification (CMMC) loomed large for defense contractors. In fact, when we recently surveyed more than 200 senior executives, our results revealed that 82% of contractors believed they had Controlled Unclassified Information (CUI), necessitating CMMC Maturity Level 3. Contrasting the requirement to be CMMC ML3 with what we have found to be an average score of -115, on the scale that ranges from -203 to 110 for SPRS scoring, and you can see that what executives believe to be true is in no way aligned with how they are resourcing the problem. CyberSheath will be opening the vault on our data across the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks at our free webinar on February 3, 2021, but said succinctly; the DIB is failing at cybersecurity.

So, How Can You Meet Both Short-term (SPRS) and Long-term (CMMC) Objectives?

Recognize that despite all of the potentially confusing acronyms and jargon, the requirements in 2020, and the steps to long-term compliance, are very much the same as they have been since 2015. 

Everything is grounded in compliance with NIST 800-171 as an initial step. 

  • Compliance with DFARS 252.204-7012 mandates NIST 800-171 compliance. 
  • Your SPRS submission is based on compliance with NIST 800-171.
  • CMMC at its foundation is based on NIST 800-171.

All journeys to near- and long-term compliance start with NIST 800-171 and everything else, as of this writing, is a distraction. Start with NIST 800-171, and you will end up at CMMC ML3 if you follow our proven path to success, which includes these five steps:

5 Steps to CMMC ML3 Compliance

1. Assess current operations for compliance with NIST 800-171. Requirement 3.12.1 of NIST 800-171 mandates that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.” The assessment should cover all 14 families and 110 security requirements. It can be an internally led effort or executed by a third party and you can kill two birds with one stone by using this opportunity to do your required SPRS scoring as well. 

2. Write a System Security Plan (SSP).

Requirement 3.12.4 (System Security Plan, added by NIST 800-171, Revision 1), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. Your SSP is likely the first thing you will be asked for in an audit. It should accurately reflect your actual implementation of the controls. A common mistake is to write an SSP that doesn’t reflect the reality of control implementation.

3. Document Plans of Action & Milestones (POAMs).

Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems. It’s likely that a number of the 110 security requirements will not be fully implemented in your environment. This should be exposed during your assessment and POAMs should be documented, ideally during the assessment.

4. Implement the required controls.

Execute your POAM’s and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and if you are using only internal resources remember they all already have day jobs, so set your expectations accordingly. If you work with a third party to implement the controls look for the following expertise:

  • Have they implemented the NIST 800-171 controls for similar sized businesses?
  • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab and engineering environments?

Ask for and check references. Implementation can be complex in manufacturing, lab and engineering environments and your SSP should reflect these complexities.

5. Maintain Compliance

Document and implement a plan to leverage internal or external resources to maintain compliance. Compliance has a long operations and maintenance tail and should be a repeatable outcome of daily operations, not an annual fire drill. Key questions to answer include:

  • How will you detect, respond and report incidents within the required 72-hour reporting period? 
  • What is your plan to manage your subcontractors and suppliers to meet your compliance requirements?
  • How will you update SSP’s and POAM’s as your business and IT infrastructure changes?

Maintaining compliance is an often-overlooked aspect of achieving compliance. With the significantly evolving regulatory landscape counting on a vendor who can help navigate these landmines is critical. Don’t make the expensive mistake of ignoring the ongoing need to demonstrate compliance and automate and document your efforts for sustained success.

Kickstart Your Compliance Efforts

Don’t forget, we will be opening the vault on our data across the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks at our free webinar on February 3, 2021.

How Secure is the DIB Supply Chain?

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft