SPRS Cybersecurity Assessment for Defense Contractors
SPRS Cybersecurity Assessment Requirements
An SPRS Cybersecurity Assessment is a requirement for businesses providing products or services to the Department of Defense (DoD). This Supplier Performance Risk System assessment must be completed by the contractor before DoD contracts can be awarded.
This requirement was released as an interim rule on September 29, 2020 to protect Controlled Unclassified Information (CUI) until the Cybersecurity Maturity Model Certification (CMMC) framework is fully implemented. The interim rule, DFARS 252.204-7012, places immediate cybersecurity requirements on Department of Defense (DoD) supply chain contractors.
The assessment scores an organization's implementation of security requirements using the NIST SP 800-171 DoD Assessment Methodology. The methodology consists of three levels (basic, medium and high). The interim rule requires a basic-level self-assessment to be completed by the contractor. Medium and high assessments must be completed by the government.
Self-attestation to NIST 800-171 is already a requirement under current regulations; however, the interim rule allows the government to inspect compliance more closely. CMMC will not be required for Commercially Available Off-the-Shelf (“COTS”) procurements at or below the micro-purchase threshold.
NIST SP 800-171 Cybersecurity Assessment
NIST SP 800-171 requirements apply to the information systems of nonfederal organizations with access to CUI. The self-assessment is to be performed by small manufacturers. Because a variety of security solutions may be available for the protection of CUI, it is important for a small manufacturer to understand its organizational requirements so that it can select appropriate security measures.
A NIST SP 800-171 assessment can present a challenge to small organizations. CVG Strategy is ready to perform an SPRS cybersecurity assessment for your organization. Our Certified ISO 27001:2013 Lead Auditors can help you meet future CMMC requirements. Additionally, CVG Strategy can assist in the development of an effective Information Security Management System (ISMS) to protect CUI and instill confidence in your clients.
Assessment Preparation
- Identifying the company’s business operations.
- Characterizing information system architecture.
- Review of any previous assessments.
- Development of a specific assessment plan.
Elements of the Assessment Process
- Access Control to CUI.
- Level of organizational awareness and training.
- Configuration management of information systems.
- Identification and authentication controls.
- Incident response capability including preparation, containment, analysis, and recovery.
- Information system maintenance.
- Media protection.
- Personnel security.
- Physical protection including facility and visitor controls.
- Risk assessment including characterization of vulnerabilities and updating of security protocols.
- Security assessments to verify effectiveness of controls.
- Systems and communications protection.
- System and information integrity.
Assessment Scoring
The NIST SP 800-171 assessment process uses a weighted scoring system that reflects the level of risk posed to CUI. The score is a function of which of the 110 NIST SP 800-171 security controls a contractor has implemented. A perfect score of 110 is reached when an organization has all security controls in place. Controls deemed to provide more significant security carry more points, so leaving them unimplemented lowers the score by more.
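The arithmetic behind that weighted score is easy to get wrong when a control is only partially in place, so here is a worked calculator. It is an added example, not CVG Strategy's tool or the DoD's official scoring code. It assumes the rules of the NIST SP 800-171 DoD Assessment Methodology: start at 110, subtract each unimplemented control's weight of 1, 3 or 5 points, treat a control recorded on a plan of action as not implemented, and allow the reduced 3-point deduction only for the two controls the methodology singles out for partial credit (3.5.3, multifactor authentication, and 3.13.11, FIPS-validated cryptography). The five-control subset and the weights attached to it are a constructed sample; a real run replaces `SAMPLE_CONTROLS` with the full table of 110 controls and their published weights.

```python
"""Worked NIST SP 800-171 basic-assessment (SPRS) score calculator.

Added example, not the page's or the DoD's code. Scoring rules assumed from the
DoD Assessment Methodology: 110 minus the weight (1, 3 or 5) of every control
that is not fully implemented, with a 3-point partial-credit deduction available
only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto).
"""
from dataclasses import dataclass

PERFECT_SCORE = 110  # every one of the 110 controls implemented
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Control:
    req_id: str
    weight: int             # points lost when the control is not implemented
    partial_credit: int = 0  # reduced deduction when partially met (0 = no partial rule)

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.req_id}: weight must be 1, 3 or 5, got {self.weight}")
        if self.partial_credit and self.partial_credit >= self.weight:
            raise ValueError(f"{self.req_id}: partial credit must deduct less than the full weight")


# Constructed sample subset; weights here are assumptions for illustration.
SAMPLE_CONTROLS = {
    "3.1.1": Control("3.1.1", 5),                       # limit access to authorized users
    "3.1.3": Control("3.1.3", 1),                       # control the flow of CUI
    "3.5.3": Control("3.5.3", 5, partial_credit=3),     # MFA: partial rule exists
    "3.8.1": Control("3.8.1", 3),                       # protect media containing CUI
    "3.13.11": Control("3.13.11", 5, partial_credit=3),  # FIPS crypto: partial rule exists
}

IMPLEMENTED = "implemented"
PARTIAL = "partial"            # only meaningful for controls with a partial-credit rule
NOT_IMPLEMENTED = "not_implemented"  # includes controls still on a plan of action


def score_assessment(controls, status):
    """Return (score, deductions) for the given control table and status map.

    `status` maps requirement id -> IMPLEMENTED / PARTIAL / NOT_IMPLEMENTED.
    A control missing from `status` has not been assessed and is scored as
    not implemented, which is the conservative reading of the methodology.
    """
    total = PERFECT_SCORE
    deductions = {}
    for req_id, ctrl in controls.items():
        state = status.get(req_id, NOT_IMPLEMENTED)
        if state == IMPLEMENTED:
            continue
        if state == PARTIAL:
            if ctrl.partial_credit == 0:
                # The methodology gives no partial credit here: it is either fully
                # implemented or not implemented, so refuse the ambiguous input.
                raise ValueError(f"{req_id} has no partial-credit rule; record it as not implemented")
            points = ctrl.partial_credit
        elif state == NOT_IMPLEMENTED:
            points = ctrl.weight
        else:
            raise ValueError(f"{req_id}: unknown status {state!r}")
        deductions[req_id] = points
        total -= points
    return total, deductions


def minimum_score(controls):
    """Lowest possible score for this control table (nothing implemented)."""
    return PERFECT_SCORE - sum(c.weight for c in controls.values())


if __name__ == "__main__":
    # Constructed status for the sample: MFA only partially rolled out,
    # two controls missing, the rest in place.
    sample_status = {
        "3.1.1": IMPLEMENTED,
        "3.1.3": NOT_IMPLEMENTED,
        "3.5.3": PARTIAL,
        "3.8.1": NOT_IMPLEMENTED,
        "3.13.11": IMPLEMENTED,
    }
    total, lost = score_assessment(SAMPLE_CONTROLS, sample_status)
    print(f"score {total}, deductions {lost}")
```

Because the deduction for the highest-weighted controls is five times that of the lowest, a report that lists a count of "controls implemented" says little about the SPRS number; the score has to be computed from the weighted table, and a status of "partial" is only a valid input for the two controls that carry a partial-credit rule.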
Reporting the Assessment
The results of NIST SP 800-171 Assessments are to be reported in the Supplier Performance Risk System (“SPRS”), an internal system accessible to DoD contracting personnel. DoD itself is responsible for reporting the results of Medium or High Assessments, given DoD’s involvement in the validation of those assessment scores. However, contractors (and subcontractors) themselves are responsible for reporting the results of a self-performed Basic Assessment. New DFARS clause 252.204-7019 spells out the procedures contractors should follow in reporting the results of their Basic Assessments.
CVG Strategy is Here to Help
CVG Strategy cybersecurity experts are here to help small business DoD contractors perform their SPRS Cybersecurity Assessments. We can then use the assessment results to enhance your system security plan and improve assessment scores. Our cyber security consultants have over a decade of experience with cybersecurity, Quality Management Systems (QMS) and export compliance.
We understand that each business has a unique set of requirements that demand tailored solutions. Developing these solutions requires assessing an organization’s culture and involving all stakeholders. Using this information, we can develop programs that are effective and can adapt as a business grows.