SPRS Cybersecurity Assessment for Defense Contractors
SPRS Cybersecurity Assessment Requirements
An SPRS Cybersecurity Assessment is a requirement for businesses providing products or services to the Department of Defense (DoD). This Supplier Performance Risk System assessment is to be completed by the contractor before DoD contracts can be awarded.
NIST SP 800-171 Cybersecurity Assessment
NIST SP 800-171 requirements apply to the information systems of nonfederal organizations with access to CUI. The self assessment is to be performed by small manufacturers. Because a variety of security solutions may be available for the protection of CUI, it is important for a small manufacturer to understand their organizational requirements so that they can select appropriate security measures.
NIST SP 800-171 assessment can present a challenge to small organizations. CVG Strategy is ready to perform an SPRS cybersecurity assessment for your organization. Our Certified ISO 27001:2013 Lead Auditors can help you meet future CMMC requirements. Additionally, CVG Strategy can assist in the development of an effective Information Security Management System ISMS to protect CUI and instill confidence in your clients.
- Identifying the company’s business operations.
- Characterizing information system architecture.
- Review of any previous assessments.
- Development of a specific assessment plan.
Elements of the Assessment Process
- Access Control to CUI.
- Level of organizational awareness and training.
- Configuration management of information systems
- Identification and authentication controls.
- Incident response capability including preparation, containment, analysis, and recovery.
- Information system maintenance.
- Media protection.
- Personnel security.
- Physical protection including facility and visitor controls.
- Risk assessment including characterization of vulnerabilities and updating of security protocols.
- Security assessments to verify effectiveness of controls.
- Systems and communications protection.
- System and information integrity.
The NIST SP 800-171 assessment process uses a weighted scoring system that reflects the level of risk posed to CUI. This score is a function of which of the 110 NIST SP 800-171 security controls a contractor has implemented. A perfect score of 110 is reached if an organization has all security controls in place. More points are assigned for controls deemed to provide a more significant security.
Reporting the Assessment
The results of NIST SP 800-171 Assessments are to be reported in the Supplier Performance Risk System (“SPRS”), an internal system accessible to DoD contracting personnel. DoD itself is responsible for reporting the results of Medium or High Assessments, given DoD’s involvement in the validation of those assessment scores. However, contractors (and subcontractors) themselves are responsible for reporting the results of a self-performed Basic Assessment. New DFARS clause 252.204-7019 spells out the procedures contractors should follow in reporting the results of their Basic Assessments.
CVG Strategy is Here to Help
CVG Strategy cybersecurity experts are here to help small business DoD contractors perform their SPRS Cybersecurity Assessments. We can then utilize the assessment results to enhance your system security plan an improve assessment scores. Our cyber security consultants have over a decade of experience with Cybersecurity, Quality Management Systems (QMS) and Export Compliance.
We understand that each business has a unique set of requirements that demand tailored solutions. Developing these solutions assessing an organization’s culture and involving all stakeholders. Using this information, we can develop programs that are effective and can adapt as a business grows.
Cyber Security Training
MIL-STD-810 Training Webinars
We now offer regular MIL-STD-810 webinars for your product development team. Learn how to use this important standard to get the most from your product test and evaluation.
BIS Adds Military End User List (MEU) to the EAR The U.S. Department of Commerce announced on December 21, 2020 that the Bureau of Industry