What the heck is this spurrrs thing people keep talking about? And why did my prime just ask us if we have one?
The Supplier Performance Risk System or SPRS (pronounced spurs) is the system that “...is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD acquisition community to use in identifying, assessing, and monitoring unclassified performance.” (DoDI 5000.79) The DoD is using it, after a fashion, to track contractor and subcontractor cybersecurity compliance. Essentially there was a decree from Caesar Augustus that all the world should be taxed… well perhaps not that long ago… but the DoD has mandated that its entire supply chain, down to the lowest-tier subcontractors who handle the DoD’s sensitive information, must submit to SPRS a score, computed using the DoD’s own methodology, that shows how completely each contractor has implemented its cybersecurity requirements.
Handling DoD sensitive information is the key point. You have to be handling this sensitive information in order to be required to submit a score. What is this sensitive information you ask, and how will we know when we see it? There is a lot of confusion on that going around. This sensitive information is Controlled Unclassified Information or CUI. It should be marked “CUI” at the top and bottom of the page, and in other ways. Unfortunately, today inside and outside of the DoD, many questions remain about what is CUI, and when to mark it despite the mandatory annual training for all DoD personnel.
There is also a lot of “be prepared to handle” vs “are handling” challenges. I wrote a blog on that a couple of years ago, and still think that prediction is accurate.
So what we have today are many primes and in some cases government contracting officers (KOs) demanding score submission with no knowledge or understanding of what CUI is, or where it might be flowing.
Point 1: As a contractor or subcontractor, if you really are not dealing with CUI you might be able to negotiate that this is not a requirement. The argument is based on the Defense Federal Acquisition Regulation Supplement (DFARS) clauses that actually make this a contractual requirement: DFARS 252.204-7019 and 252.204-7020. 7019 (c)(1) reads: “(c) Procedures. (1) The Offeror shall verify that summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) are posted in the Supplier Performance Risk System (SPRS) (https://www.sprs.csd.disa.mil/) for all covered contractor information systems relevant to the offer.” Elsewhere in this section of the rule, covered contractor information systems are defined as those handling CUI. No CUI, no relevant covered information system.
This negotiation is a choice. Will you annoy your customers? What if they won't listen? Etc. You can be 100% right and still be punished. Generally, in my personal view, it is not worth the fight. On top of that the first time they email you something marked CUI then … the argument no longer holds water. Additionally, we are moving from the era of undermarking CUI to overmarking CUI. That pendulum swing is in progress. So you are increasingly likely to receive CUI eventually.
So let’s say that you do have CUI or have decided not to fight the fight that you do not. What now? Well now you have to understand how to get a cyber score into SPRS.
Point 2: There are two ways to get an SPRS score: the government audits you, or you do your own self-assessment. I am sure that holding your hand up for a government audit will never be a popular choice, and in truth you don’t get to choose it. The Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) announces to you when they plan to arrive. If you do receive a DIBCAC visit, though, they will enter a SPRS score for you based on their assessment of your compliance, and that score will be good for three years.
For the vast majority of organizations, the answer is doing your own self-assessment, often referred to as the Basic Self Assessment. There are actually rules you are supposed to follow in conducting that assessment. Reading NIST 800-171, and giving yourself 1 point every time you say, “Yeah I think we kind of do that sometimes,” is not actually the way.
DFARS 252.204-7019 says,
“(b) Requirement. In order to be considered for award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7020) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order. The Basic, Medium, and High NIST SP 800-171 DoD Assessments are described in the NIST SP 800-171 DoD Assessment Methodology located at https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf.”
Point 3: NIST Special Publication 800-171 is the list of things you need to do; it is what the regulation requires you to implement. The SPRS score is a measure of how completely you have implemented the 110 security requirements (controls) that 800-171 lists.
Point 4: When doing your self-assessment, follow the DoDAM. The rule states, even for the Basic Self Assessment, that you must follow the DoD Assessment Methodology or DoDAM. It links to the document that explains in 21 pages how to conduct your assessment. Please do follow that. Here is a crib sheet of the highlights:
Write your System Security Plan first. Technically in order to have a score (buried in the details) you must have an SSP. It does not have to be a perfect SSP. It does not have to mark all controls as Met. Planned to be Implemented is fine. But you have to have one. Use the template for an SSP found here. Right-hand side of the page, under supplemental material, “CUI SSP Template.” This format is not strictly required but it is the NIST example that nearly everyone uses. If you happen to be familiar with government SSPs based on 800-53… I recommend not using those as a template. There are differences and they have things you don’t need.
You must use the NIST Assessment Guide, NIST SP 800-171A. But wait. It gets better. Nested in the DoDAM there is another 92-page pub you also must use to evaluate your compliance. Really this boils down to: 171A has broken each 171 security requirement into one or more assessment objectives, and all the assessment objectives must be Met for the requirement to be Met. The DoDAM adds some requirements of its own, so you have to take them into account too.
Use the DoDAM Scoring Method (which is confusing). Once you can accurately determine Met/Not Met for each security requirement, you must go through and make 110 determinations of Met or Not Met based on having completed the 320 assessment objectives in 171A. You start with 110 points and subtract 5, 3, or 1 point for each security requirement that you have not implemented. Scores range from a full 110 down to -203. Scores less than zero are very possible, even probable. There is an appendix in the DoDAM with the point values. As a part of our free self-assessment tool, we have a spreadsheet laid out for that which also automatically adds up the score and has other useful tabs and info.
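The scoring rule above is mechanical enough to put in code. The following calculator is an added example, not part of the original post and not the spreadsheet the author mentions. It applies the two rules described: a requirement is Met only when every 171A assessment objective under it is Met, and the score starts at 110 and loses each unmet requirement’s DoDAM weight (5, 3 or 1). It also produces the list of open items for the POAM (Point 6) and the expected full-implementation date asked for in item (F) of the email submission (Point 5). The requirement IDs, objective IDs, weights and target dates in `SAMPLE` are constructed for illustration; take the real point values from the DoDAM appendix.

```python
"""Basic self-assessment score calculator for SPRS (added example, not from the original post)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

FULL_SCORE = 110          # one point per NIST SP 800-171 security requirement
MIN_SCORE = -203          # floor quoted in the post: the DoDAM weights over all 110 requirements sum to 313
VALID_WEIGHTS = {5, 3, 1}


@dataclass
class Requirement:
    req_id: str                          # 800-171 requirement id, e.g. "3.1.1"
    weight: int                          # DoDAM point value for this requirement (from the appendix)
    objectives: dict                     # 171A assessment objective id -> "Met" or "Not Met"
    target_date: Optional[date] = None   # POAM milestone for anything not yet implemented

    def is_met(self) -> bool:
        # 171A rule: every assessment objective must be Met, otherwise the whole
        # requirement is Not Met and its full weight is subtracted from the score.
        return bool(self.objectives) and all(v == "Met" for v in self.objectives.values())


def _numeric_id(req_id: str):
    # Sort "3.5.3" before "3.13.11" (string order would not).
    return tuple(int(part) for part in req_id.split("."))


def validate(requirements) -> None:
    ids = [r.req_id for r in requirements]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate requirement id in assessment")
    for r in requirements:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.req_id}: DoDAM weights are 5, 3 or 1, got {r.weight}")
    # A complete table must be able to reach the documented floor of -203.
    if len(requirements) == FULL_SCORE and sum(r.weight for r in requirements) != FULL_SCORE - MIN_SCORE:
        raise ValueError("a full 110-requirement table must sum to 313 points")


def sprs_score(requirements, has_ssp: bool = True) -> int:
    """Summary-level score: 110 minus the weight of every requirement that is Not Met."""
    if not has_ssp:
        # DoDAM: without a System Security Plan there is no score to report at all.
        raise ValueError("no System Security Plan (3.12.4) means no score can be reported")
    validate(requirements)
    return FULL_SCORE - sum(r.weight for r in requirements if not r.is_met())


def poam(requirements):
    """Open items for the Plan of Action and Milestones, largest deductions first."""
    rows = []
    for r in requirements:
        if not r.is_met():
            open_objectives = sorted(k for k, v in r.objectives.items() if v != "Met")
            rows.append((r.req_id, r.weight, open_objectives, r.target_date))
    return sorted(rows, key=lambda row: (-row[1], _numeric_id(row[0])))


def expected_full_implementation(requirements) -> Optional[date]:
    """Item (F) of the email submission: the date a score of 110 is expected (None if already there)."""
    dates = [r.target_date for r in requirements if not r.is_met()]
    if any(d is None for d in dates):
        raise ValueError("every open POAM item needs a target date before the score is submitted")
    return max(dates) if dates else None


# Constructed sample assessment (four of the 110 requirements; weights are illustrative).
SAMPLE = [
    Requirement("3.1.1", 5, {"3.1.1[a]": "Met", "3.1.1[b]": "Met", "3.1.1[c]": "Met"}),
    Requirement("3.1.20", 1, {"3.1.20[a]": "Met", "3.1.20[b]": "Not Met"}, date(2024, 3, 31)),
    Requirement("3.5.3", 5, {"3.5.3[a]": "Met", "3.5.3[b]": "Not Met"}, date(2024, 6, 30)),
    Requirement("3.13.11", 5, {"3.13.11[a]": "Not Met"}, date(2024, 9, 30)),
]

if __name__ == "__main__":
    print("Summary level score:", sprs_score(SAMPLE), "out of", FULL_SCORE)
    for req_id, weight, open_objectives, target in poam(SAMPLE):
        print(f"POAM {req_id} (-{weight}): open objectives {open_objectives}, target {target}")
    print("Expected full implementation:", expected_full_implementation(SAMPLE))
```

Two partial-credit cases the DoDAM handles specially (it lets a couple of requirements lose fewer points when partly implemented) are deliberately not modelled here; extend `Requirement` with a per-requirement rule if your table needs them.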
Point 5: There are two ways to submit your score to SPRS. The best way is to do so directly by having a login to SPRS. In order to obtain one (and it might take a few weeks from a cold start to work through this process) refer to the SPRS reference material here. The listed Quick Entry Guide is a good place to start.
The other way is to email it in. This is easier but goes to a government inbox where SPRS score entry is not their primary duty. When your contracts depend on it, it is always better to directly enter the information yourself whenever possible to make sure it is done. “But we emailed it in,” may not save your contract. Bottom line: I recommend using the first method, but if you are in a time crunch or suffer a defeat at the hands of the government system for accessing SPRS (possible) then email is an option. The people at the other end of the address are really quite helpful and I have worked with them several times. Email the results as follows:
DFARS 252.204-7012 (c) Procedures - “(2) If the Offeror does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the Offeror may conduct and submit a Basic Assessment to webptsmh@navy.mil for posting to SPRS in the format identified in paragraph (d) of this provision.
…(d)...
(1) Basic Assessments. An Offeror may follow the procedures in paragraph (c)(2) of this provision for posting Basic Assessments to SPRS.
(i) The email shall include the following information:
(A) Cybersecurity standard assessed (e.g., NIST SP 800-171 Rev 1).
(B) Organization conducting the assessment (e.g., Contractor self-assessment).
(C) For each system security plan (security requirement 3.12.4) supporting the performance of a DoD contract—
All industry Commercial and Government Entity (CAGE) code(s) associated with the information system(s) addressed by the system security plan; and
A brief description of the system security plan architecture, if more than one plan exists.
(D) Date the assessment was completed
(E) Summary level score (e.g., 95 out of 110, NOT the individual value for each requirement).
(F) Date that all requirements are expected to be implemented (i.e., a score of 110 is expected to be achieved) based on information gathered from the associated plan(s) of action developed in accordance with NIST SP 800-171.”
Point 6: Write a Plan of Actions and Milestones or POAM. Take all of your “To be implemented,” security requirements and put them into a POAM. NIST has a posted template for this too also on their 171 home page linked above and again here. Right-hand side, supplemental material, CUI Plans of Action template.
I hope this quick list of how to obtain and submit an SPRS score helps. Even in brief we are up over 4 pages with lots of references. If you want help, my company does this too. We can walk you through the process, and help a little or a lot according to what you need. Contact us at info@cybersecgru.com or just touch base with me on LinkedIn.
Originally posted to Linked in here.