Have you entered your SPRS score yet? Don’t be caught off guard!

Many think they can put off entering a score into the Supplier Performance Risk System (SPRS) until they get a new DoD contract. This is not true: any modification or renewal of your existing contract will require that a score be on file before it can be awarded. In addition, prime contractors are now checking on subcontractors that have not updated SPRS, and they are sometimes less forgiving than the government.

SPRS stores the result of a self-assessment against the security requirements in NIST SP 800-171. How many requirements apply depends on the type of data you handle under the contract. If it is only Federal Contract Information (FCI), you deal with the 17 basic safeguarding practices (CMMC Level 1) and the task is relatively easy. If your organization processes Controlled Unclassified Information (CUI), you must assess all 110 requirements in NIST SP 800-171. Once the assessment is complete, the score is calculated with the DoD Assessment Methodology: you start at 110 and subtract a weight of 5, 3 or 1 point for each requirement that is not implemented, so the result ranges from 110 (everything in place) down to -203.
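The arithmetic behind that score is easy to get wrong by hand, especially the two requirements that earn partial credit. The following is an added example written for this page, not BSC's assessment tool or any DoD software. It applies the DoD Assessment Methodology rules (start at 110, subtract 5/3/1 per unmet requirement, subtract 3 instead of 5 when multifactor authentication under 3.5.3 or FIPS-validated cryptography under 3.13.11 is only partly in place) to a constructed subset of requirements; the weights listed are illustrative and the full 110-row weight table must be taken from the methodology document itself.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does: start at 110 and subtract each unimplemented
requirement's weight, with partial credit for 3.5.3 and 3.13.11.

Added example for this article; not an official DoD or BSC tool.
"""
from enum import Enum

MAX_SCORE = 110  # one point per requirement when everything is implemented


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not_implemented"
    PARTIAL = "partial"  # only meaningful for 3.5.3 and 3.13.11


# Constructed, illustrative subset of requirement weights. The real table
# covers all 110 requirements and lives in the DoD Assessment Methodology.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions/functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.2": 5,   # malicious code protection
}

# Requirements where a partial implementation costs 3 points instead of 5:
# MFA only for remote/privileged users, or encryption that is not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


def deduction(control: str, status: Status, weights: dict = WEIGHTS) -> int:
    """Points subtracted for one requirement given its implementation status."""
    weight = weights[control]
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL:
        if control not in PARTIAL_CREDIT:
            raise ValueError(
                f"{control} has no partial-credit rule; record it as "
                "implemented or not implemented")
        return PARTIAL_CREDIT[control]
    return weight


def sprs_score(statuses: dict, weights: dict = WEIGHTS) -> int:
    """Compute the score for the requirements in `weights`.

    Every requirement in the weight table must have a recorded status;
    a requirement you forgot to assess cannot simply be assumed implemented.
    """
    missing = set(weights) - set(statuses)
    if missing:
        raise ValueError(f"no status recorded for: {sorted(missing)}")
    unknown = set(statuses) - set(weights)
    if unknown:
        raise ValueError(f"not in the weight table: {sorted(unknown)}")
    return MAX_SCORE - sum(deduction(c, s, weights) for c, s in statuses.items())


def poam_items(statuses: dict) -> list:
    """Requirements that must appear on the Plan of Action and Milestones."""
    return sorted(c for c, s in statuses.items() if s is not Status.IMPLEMENTED)


# Constructed sample assessment: MFA only for remote users (partial),
# no FIPS-validated crypto at all, and CUI controls on public systems missing.
SAMPLE = {c: Status.IMPLEMENTED for c in WEIGHTS}
SAMPLE["3.5.3"] = Status.PARTIAL
SAMPLE["3.13.11"] = Status.NOT_IMPLEMENTED
SAMPLE["3.1.22"] = Status.NOT_IMPLEMENTED


def sample_score() -> int:
    # 110 - 3 (partial MFA) - 5 (no FIPS crypto) - 1 (3.1.22) = 101
    return sprs_score(SAMPLE)


if __name__ == "__main__":
    print("score:", sample_score())
    print("POA&M items:", poam_items(SAMPLE))
```

Because the weight table above is only a subset, the 102 requirements it omits are implicitly treated as implemented; with the full table the same function yields the score you would enter into SPRS, and `poam_items` gives the list that your POA&M has to cover.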

What do you need to enter your SPRS score?

  • A System Security Plan, which is required before an assessment can be performed and is used during the assessment.
  • A NIST 800-171 controls assessment score.
  • A Plan of Action and Milestones (POA&M) to address any outstanding items. (Essentially a corrective action plan.)

Where do you go to enter your score?

To access the NIST SP 800-171 Assessments module, users must be registered in the Procurement Integrated Enterprise Environment (PIEE) and be approved for access to SPRS. An “SPRS Cyber Vendor User” role is required for companies to enter/edit basic self-assessment information. 

Here is the URL: https://www.sprs.csd.disa.mil/nistsp.htm

SPRS gives contracting officials a way to gauge overall supplier performance and supplier risk. Using the Supplier Risk Score, contracting officials can identify “high risk” suppliers and assess the likelihood of non-fulfillment of contract terms, unsuccessful performance, or delivery delays. SPRS also stores, and provides access to, NIST SP 800-171 assessment scoring information. The NIST SP 800-171 Assessments module records the assessment date, score, scope, plan of action completion date, the Commercial and Government Entity (CAGE) code(s) covered, the System Security Plan (SSP) name, SSP version, SSP date, and the confidence level. Note that the NIST SP 800-171 Basic Assessment itself cannot be performed in SPRS; SPRS only stores the results, so the assessment and the SSP must exist before you log in to enter a score.

For preparation information including our assessment methodology, and how we can calculate your score, please contact Phil Norton at BSC Systems at (703) 405-7131. We would be happy to discuss your requirements and would welcome the opportunity to be of service.