SPRS Cybersecurity Assessment for Defense Contractors

SPRS Cybersecurity Assessment Requirements

An SPRS Cybersecurity Assessment is a requirement for businesses providing products or services to the Department of Defense (DoD).  This Supplier Performance Risk System assessment is to be completed by the contractor before DoD contracts can be awarded.  

This requirement was released as an interim ruling on September 29, 2020 to provide protection of Controlled Unclassified Information (CUI) until the Cybersecurity Maturity Model Certification (CMMC) framework is fully implemented.  The interim ruling, DFARS 252.204-7012, places immediate cybersecurity requirements on Department of Defense (DoD) supply chain contractors. 

The assessment is based on a scoring methodology of security requirements based on the NIST SP 800-171 DoD assessment methodology. The methodology is comprised of three levels (basic, medium and high).  The interim rule requires a basic level self-assessment to be completed by the contractor.  Medium or high assessments must be completed by the government. 

Self-attestation to NIST 800-171 is already a requirement under current regulations, however the interim ruling allows the government to inspect compliance more carefully.  CMMC will not be required for for Commercially Available Off-the-Shelf (“COTS”) procurements at or below the micro-purchase threshold.

SPRS Cybersecurity Assessment

NIST SP 800-171 Cybersecurity Assessment

NIST SP 800-171 requirements apply to the information systems of nonfederal organizations with access to CUI.  The self assessment is to be performed by small manufacturers.  Because a variety of security solutions may be available for the protection of CUI, it is important for a small manufacturer to understand their organizational requirements so that they can select appropriate security measures. 

NIST SP 800-171 assessment can present a challenge to small organizations.  CVG Strategy is ready to perform an SPRS cybersecurity assessment for your organization.  Our Certified ISO 27001:2013 Lead Auditors can help you meet future CMMC requirements.  Additionally, CVG Strategy can assist in the development of an effective Information Security Management System ISMS to protect CUI and instill confidence in your clients.

Assessment Preparation

Initially a number of activities must be conducted to establish the objectives and scope of the assessment.  These can include:
  • Identifying the company’s business operations.
  • Characterizing information system architecture.
  • Review of any previous assessments.
  • Development of a specific assessment plan.

Elements of the Assessment Process

There are 110 specific controls that are required in the NIST SP 800-171 assessment process.  These involve evaluation of:
  • Access Control to CUI.
  • Level of organizational awareness and training.
  • Configuration management of information systems
  • Identification and authentication controls.
  • Incident response capability including preparation, containment, analysis, and recovery.
  • Information system maintenance.
  • Media protection.
  • Personnel security.
  • Physical protection including facility and visitor controls.
  • Risk assessment including characterization of vulnerabilities and updating of security protocols.
  • Security assessments to verify effectiveness of controls.
  • Systems and communications protection.
  • System and information integrity.

Assessment Scoring

The NIST SP 800-171 assessment process uses a weighted scoring system that reflects the level of risk posed to CUI.  This score is a function of which of the 110 NIST SP 800-171 security controls a contractor has implemented.  A perfect score of 110 is reached if an organization has all security controls in place.  More points are assigned for controls deemed to provide a more significant security.

Reporting the Assessment

The results of NIST SP 800-171 Assessments are to be reported in the Supplier Performance Risk System (“SPRS”), an internal system accessible to DoD contracting personnel. DoD itself is responsible for reporting the results of Medium or High Assessments, given DoD’s involvement in the validation of those assessment scores. However, contractors (and subcontractors) themselves are responsible for reporting the results of a self-performed Basic Assessment. New DFARS clause 252.204-7019 spells out the procedures contractors should follow in reporting the results of their Basic Assessments.

CVG Strategy is Here to Help

CVG Strategy cybersecurity experts are here to help small business DoD contractors perform their SPRS Cybersecurity Assessments.  We can then utilize the assessment results to enhance your system security plan an improve assessment scores.  Our cyber security consultants have over a decade of experience with Cybersecurity, Quality Management Systems (QMS) and Export Compliance

We understand that each business has a unique set of requirements that demand tailored solutions.  Developing these solutions assessing an organization’s culture and involving all stakeholders.  Using this information, we can develop programs that are effective and can adapt as a business grows.

Cyber Security Training

Training is an essential component for any viable information security management system.  Despite major advances in organizational cybersecurity, human error continues to be a major cause of data breach.  Proper cyber protocols must be consistently reinforced through training that is informative and engaging. 
Effective training should include review of basic procedures such as using appropriate network security and not allowing unauthorized access to work areas.  It should also include a review of all ISMS policy and procedure changes.  CVG Strategy has been involved in business training for over a decade.  Our experts take pride in effective and engaging training sessions that ensure that participants retain important information.

MIL-STD-810 Training Webinars

We now offer regular MIL-STD-810 webinars for your product development team.  Learn how to use this important standard to get the most from your product test and evaluation.

Latest News