Last Updated on March 16, 2023
One of the requirements for compliance with the US Department of Defense (DoD)’s current and future security program around CMMC 2.0 and NIST 800-171 is to submit an accurate score to the Supplier Performance Risk System (SPRS) database. This condition is spelled out in the longstanding DFARS 7012 contract clause and the DFARS 7019 clause that is replacing it. These clauses pertain to US defense industrial base (DIB) orgs that handle controlled unclassified information (CUI).
Before you submit a score to SPRS, however high or low, you need to gather evidence to back it up. To complete the SPRS scoring process and address all the questions, you also need a realistic system security plan (SSP). Also essential are Plans of Action & Milestones (POAMs) to explain how and when you will remediate all gaps to achieve a perfect 110 score indicating full NIST 800-171 compliance.
To give DIB contractors a clear understanding of continuous compliance and how it relates to DoD cyber compliance, we asked Andrea Willis, Senior Product Manager at Exostar, to join a recent episode of The Virtual CISO Podcast. Hosting the show is John Verry, Pivot Point Security CISO and Managing Partner.
None of this is really new
The requirement to enter a NIST 800-171 compliance score in SPRS and to complete an SSP and POAMs has been part of DoD security requirements since the DFARS 7012 clause first appeared in contracts in 2018. This compliance scenario carries over into DFARS 7019 and CMMC 2.0.
What is an SSP and why do we need one?
According to the current CMMC Appendix B:
A system security plan (SSP) is a document that outlines how an organization implements its security requirements. An SSP outlines the roles and responsibilities of security personnel. It details the different security standards and guidelines that the organization follows. An SSP should include high-level diagrams that show how connected systems talk to each other. The organization should outline in its SSP its design philosophies. Design philosophies include defense-in-depth strategies as well as allowed interfaces and network protocols. All information in the SSP should be high-level. Include enough information in the plan to guide the design implementation of the organization’s systems. Reference existing policies and procedures in the SSP.
Reviewing your SSP would be “step one” in any compliance evaluation. The purpose of your SSP is to give a government assessor, your prime contractor, a security partner, or anyone else looking into your security controls or attempting to validate your SPRS score a clear and comprehensive overview of what controls you have in place.
As noted above, you need a “real” SSP before you can submit an SPRS score, because, by definition, you can’t perform a viable self-assessment without first having an SSP that defines the CUI environment you’re assessing. If the government inquires and your SSP is missing or incomplete, the assessment (and probably your contract) will end right there, as you’d be considered out of compliance with your DFARS contract clause.
Why does our SPRS score need to be accurate?
Posting an SPRS score is now required to receive a DoD contract. So, it’s better to post a low score than no score. But if you don’t know your real score, or you think your score is too low, don’t post a guess or fabrication.
Per DFARS 7020, the government has the right to audit any SPRS score you post. In that event, you’ll need to present documentation on each control you say you implemented. If your SPRS score is bogus, you could lose your contract and maybe the right to bid on future contracts. Even worse, your SPRS score could be considered a “false claim” to the market under the False Claims Act, with potentially dire consequences.
John relates a cautionary tale about a client that wanted to improve their SPRS score. When asked to share their SSP, John was told, “We don’t really have one.”
“I said, ‘No, no, no guys—you’re not in a good spot right now,’” recounts John. “’If DIBCAC walked in the door you’ve got a False Claims Act action on your hands. Let’s get that fixed ASAP!’”
“When you said that I just about fell off my chair,” Andrea deadpans.
What range of scores are my competitors posting?
According to John Virgolino, CEO at Consul-vation, many of his Aerospace & Defense clients are entering low or even negative compliance scores into SPRS. Most are between -50 and +50 on a scale of -203 (you have zero security) to +110 (you have all 110 NIST 800-171 controls).
This means that the government is, de facto, “grading on a curve” because so many firms have low scores. So, if your score isn’t all it could be, all is not lost.
The right approach: Know your score and work to improve it
As a compliance expert, Andrea’s advice to DIB orgs is simple: “Be truthful with your SPRS score. If it’s a negative 26, put negative 26. If it’s 25, put 25. And have that SSP to document what your score is.”
“But also, it’s continuous compliance,” Andrea emphasizes. “So, keep working to finish off and sign off on a POAM to get additional points, and keep updating SPRS as your score improves. Show your improvement to the government and your prime partners. Because this is a continuum—it is a continuous journey.”
Many companies face high audit risk right now
How is the DIB doing with following Andrea’s advice? Not very well so far, if recent news from John Ellis at DCMA on “assessing the assessors” is any indication.
“… for the assessments of the assessors that [the DCMA are] doing, a number of them claimed that they were over 100 points on SPRS,” shares Andrea. “And 70% of those they found actually could not support a score over 100. That’s huge. And these are the assessors, so…”
“These are the most knowledgeable, ahead-of-the-curve group,” amplifies John. “Which means… I would bet you that 95% of conventional DIB companies are not going to be able to support their SPRS score.”
“Be truthful, and then have the documentation to support it,” reiterates Andrea. “And then you’re okay. And just keep working to improve that score.”
Want to talk with a NIST/CMMC expert about how to calculate and confirm your SPRS score?
Contact Pivot Point Security to start a conversation on next steps and how we can help.
To hear the podcast episode with Andrea Willis from Exostar in its entirety, click here.