Paul and Kyle discuss the DoD Supplier Performance Risk System (SPRS) in this video and cover the related DFARS clauses you need to know about.

[Paul] Hello Kyle, how are you doing today?
[Kyle] Good, how are you doing, Paul?
[Paul] I’m good, thanks.
[Kyle] That’s great.
[Paul] Today, we will talk about the DoD SPRS reporting requirement, the Supplier Performance Risk System. I thought that would be helpful information to share with our defense industrial base clients. So, the DoD SPRS, Kyle, what is it? Can you just explain it? Give a high-level explanation of what the DoD SPRS is, please?
What is the DoD SPRS?
[Kyle] So, the DoD SPRS is a system hosted by DoD. It captures the NIST 800-171 DoD assessment methodology scores, along with where you are with the NIST 800-171 implementation. Right. So, if you do have gaps, you will input the date when you will complete your implementation for all practices. Also, you will input the score based on the DoD assessment methodology.
[Paul] So, okay. That’s good. So, it gives the DoD, if I understand this correctly, a high-level overview, without getting into too much detail, of where you stand with your NIST 800-171 self-assessment. How compliant are you with the controls? And then, what is the length of time that you’re estimating it’ll take you to remediate all of your gaps and deficiencies. Is that about correct?
[Kyle] Yeah. Yep. That is correct.
DoD SPRS and DFARS 252.204-7020
[Paul] Okay, good, I got that part. This ties, if you will, to DFARS 252.204-7020. That’s a DFARS requirement that defense industrial base companies who handle CUI must comply with. Is that also correct?
[Kyle] That’s correct. And they have to follow the DoD assessment methodology, the DoD NIST 800-171 assessment methodology. That’s where it specifies what you need to do to generate a score. And you must have a system security plan and a POAM. If you do have a POAM, you need to create those documents. Once you have that information, you comply with DFARS 252.204-7020. And that’s when you are ready to submit the score to the DoD SPRS.
DoD SPRS and DFARS 7019 and 7020
[Paul] Great, okay. So, DFARS 252.204-7020, we’ll abbreviate it and call it 7020, right? But DFARS is also, if I understand it correctly, related to 7012 and 7019, right? These all play off each other. Can we talk just a little bit about the requirements of 7012 and 7019 as well?
[Kyle] Yep. So, DFARS 7012 ties to NIST 800-171. It also has incident reporting requirements. DFARS 7012 is a little bit different from DFARS 252.204-7020, because DFARS 7012 is a requirement stating that you have to comply with NIST 800-171 if you handle CUI. However, there is no verification process. You don’t have to do anything. So, that’s why DoD created 7019 and DFARS 252.204-7020. 7019 is a notification saying that you have to follow the DoD assessment methodology if you handle CUI. The NIST 800-171 assessment methodology shows how you do the DoD assessment methodology, and you have to report. You report to the DoD SPRS system.
DoD SPRS: The failure of the self-assessment methodology
[Paul] Okay, and I think if I understand this right too, one of the issues with DFARS 7012, the self-assessment methodology, was that they used the best of good faith efforts. But defense industrial base companies couldn’t accurately perform a self-assessment, is that correct? And the goal here was to be able to have some interim supervision, if you will, for the DoD to be looking over the shoulder of the defense industrial base companies in this interim period before CMMC becomes final?
[Kyle] Right. When they had DFARS 7012, there was never accountability, because the way it says in the regulation is that if you are not compliant, you have to let DoD know. Nobody let the DoD know. So the DoD assumed everything was good until the DoD Inspector General found out many defense contractors were not in compliance. DFARS 252.204-7020 is, like I said, an interim solution for the defense contractors to input their scores and tell DoD how well they are doing. DoD is going to hold the defense contractors accountable.
What is DFARS 252.204-7019?
[Paul] Right, okay, good, that’s good to know. And what is 7019? I know it’s related to this, but it’s not clear to me. What is DFARS 252.204-7019, Kyle?
[Kyle] So DFARS 7019 is a notification. The DoD notifies the defense contractors that they must do the NIST 800-171 DoD assessment methodology. And you must report the score to the DoD SPRS system. So, that is the notification piece. DFARS 252.204-7020 is the part that gives you the instruction on how to do this and do the reporting.
Effective dates of DFARS 7012, 7019, and 7020
[Paul] Good, very good, okay. And just curious, when did these DFARS clauses become effective? Were they about at the same time? Or were they spaced over time a little bit?
[Kyle] Yeah, so DFARS 7012 became effective on December 31st, 2017. So, that’s very early. And DFARS 7019 and DFARS 252.204-7020 became effective in November 2020. In the meantime, CMMC progresses. We’re expecting CMMC to be coming out. Our estimate is July 2023. That’s an estimate; we don’t have it finalized yet.
[Paul] Right, okay, okay, good. So, this is the interim rule, sort of, falls under the interim rule if I understand that right. We’re in a little bit of a holding pattern with CMMC until the final rule-making comes out, is that correct?
[Kyle] Yes, yeah, absolutely. Okay.
Information you need to submit to the DoD SPRS
[Paul] What information do companies need to submit to the DoD SPRS?
[Kyle] The information you have to submit is the DoD assessment methodology score. You use the NIST 800-171 DoD assessment methodology and assess whether you have the practices implemented or not. So, based on the NIST 800-171 DoD assessment methodology, you will generate the score. And that is the score that you report. On top of that, you have to report when you will complete all 110 practices. And you also have to let the DoD know what the scope is. Is that based on the contract? Based on the enclave? Or based on the enterprise? So, you just have to select the one that fits your scope, and let them know the date when you are going to complete. That’s pretty much what you have to tell them.
Who has access to your DoD SPRS submittal?
[Paul] Okay, good. Once this information goes into the DoD SPRS, who has access to it? Is it just the DoD? Or do the prime customers also have access to it as well?
[Kyle] Yeah, the only people who have access to your DoD SPRS record are the DoD and yourself, the company that submits the DoD SPRS information. The DoD will make information available only about whether you submitted it to the DoD SPRS system. They will not tell anyone anything other than: “you have submitted.” So, the score will not be available to anyone else, including your prime customers. All that information is confidential. The DoD considers that controlled unclassified information. So they will not share it with anyone.
DoD Prime Customer DFARS compliance inquiries
[Paul] Okay, okay, that’s good. We know from the subcontractors who have contacted us for help in this area, whether it’s compliance or help with their DoD SPRS submission, that they’ve been receiving these form letters that the primes have been sending out. And I’m assuming that that’s because of their flow-down requirements. If the primes need to comply with 7012, 7019, and DFARS 252.204-7020, any subcontractors they contract with also have to meet these exact requirements if they share CUI?
[Kyle] Yep. Absolutely. So, if the subcontractors are not “Commercial Off The Shelf” (COTS) vendors, yep, they will have to comply with all the flow-down requirements.
[Paul] Okay. Yep. So, okay. That’s why they are receiving all these letters, correct? Good. And so, that begs the question: if they’re getting these form-type letters, what information should they be sharing?
How to respond to DFARS compliance request letters
[Kyle] I recommend the subcontractors tell the primes that they comply with DFARS 252.204-7020, because they submitted the information to the DoD SPRS system.
[Paul] Okay, good. What information should they NOT share?
[Kyle] The primes will usually ask; they will push to see what your score is. And they will move on to ask you to share the system security plan, or SSP. They will try, but I would suggest you not provide this information if you don’t have to. This is your proprietary, confidential information.
All you have to tell them is: we comply because we have submitted our information to the DoD SPRS system. The only exception is if you signed your contract with your prime contractor with a right-to-audit clause. The primes may have the right to audit your system and look at your system security plan or policies and procedures. So, in that case, it will be different. But otherwise, you don’t have to share that information.
Prime customer’s “Right to Audit”
[Paul] That’s a good point. From a business perspective, I suppose the primes are the ones who are holding all the cards in this, right? And so, if it’s in the contract and you’ve signed it, you’re going to have to provide the information, or make yourself available for the audit. You just don’t have any choice.
[Kyle] Yeah, exactly.
If you haven’t made your DoD SPRS submittal
[Paul] Okay. A follow-up question would be: what if a defense industrial base subcontractor hasn’t submitted to the DoD SPRS yet? What would you recommend they do?
[Kyle] So, if they have not submitted to the DoD SPRS system and they handle CUI, the controlled unclassified information, they already have to follow DFARS 7012. It’s already been in place since December 2017. If you have not complied with NIST 800-171, you are not in compliance with DFARS 7012.
And DFARS 7012 today, that’s in pretty much all the contracts that handle CUI. So, technically you are in violation right now. However, they don’t check DFARS 7012 compliance right now. But technically, you are in violation. So, you want to work on your NIST 800-171 and your DFARS 252.204-7020 as soon as possible.
[Paul] Right, yeah, so it’s time to get going, is your advice?
[Kyle] Yes, yeah.
We develop a list of POAM items, and essentially give them everything they need to then be able to report: “hey, we’re now in compliance with DFARS 7012, 7019, and DFARS 252.204-7020.” So, maybe we can talk about that just a little bit?
Accurate CUI scope is crucial to your DoD SPRS submittal
[Kyle] Yeah. So, we typically will start with scope. We help our client define the scope. You don’t need to have the entire company in scope. We only need to focus on what systems are in scope. So, we will help our clients go through the CUI data life cycle, and also go through the data flow.
So, we’ll go through the input and creation of the CUI so we understand when and how the CUI information gets into the client’s environment. Let’s understand how the information gets input. How does our client get the information? And how does our client create the information? Once you have that information, where is it stored? How do you store it? Then we get into the usage. We’ll understand how and what applications and systems the users are using for CUI information.
Sharing: how is the CUI shared with subcontractors or back to their prime contractors? Also, how is CUI archived or backed up, right? Where is that stored? Who’s responsible for the backup? Is that in the cloud or on-prem? In the end, we will determine how the data is getting disposed of or destroyed.
KLC Consulting’s CUI Data Lifecycle approach
So with our CUI data lifecycle, we’ll clearly understand what systems, what applications, and who has access should all be in scope. Then we can focus on these systems, applications, and departments, you know, the group of people. So, that will help us narrow down the scope.
We want to keep the scope as small as possible. And that will help us, you know, determine the scope. Once we have the scope, we can start with the system security plan. We can walk through the practices and only focus on the systems and applications in scope. And then, we will check based on the gaps that we identify. KLC creates the POAM information and the gaps. We help our clients prioritize these gaps. It’s almost impossible to work on all the gaps at once.
Scope, SSP, and POAM
So, we’ll help them prioritize. Yeah, so we’ll give the scope, the SSP, the system security plan, and the POAM. We identify the gaps and help them create priorities. They can have a road map regarding how to remediate these gaps.
[Paul] That’s great. It’s a practical package, too, I might add. And it’s one of high value. It’s a very affordable service.
One point I’d like to interject here, Kyle, is that you talk about the importance of scope. And I think many people hear that, and maybe initially, I did as well. And you kind of think: yeah, yeah, yeah, the scope of my CUI. But it’s critically important. And I say that with the benefit of hindsight. Some clients we’ve worked with didn’t begin there.
A NIST 800-171 template is the WRONG place to start!
They acquired a template, a NIST 800-171 self-assessment template. They started filling it out without really taking the time to identify their scope. And to your point, if you don’t determine your scope, you may think that this is a companywide exercise. And it doesn’t need to be. The goal of what you said earlier is to minimize its footprint within your business organization. And why? Because it becomes a minor exercise. It’s a less costly compliance endeavor to comply with NIST 800-171 and eventually with CMMC.
[Kyle] Yep. Absolutely. So, for example, some companies, as you mentioned, buy a template. Then they start filling it out. And they will assume everything in the company is in scope. But for example, the accounting, financial, and some of their CRM applications don’t have to be in scope. HR systems may not need to be in scope. So, if you don’t have CUI information in these systems or applications, you don’t need to put them in scope. So, that’s why we feel that it’s very critical to understand the scope first. Once you know the scope, you can focus your controls, the NIST 800-171 practices, only on the “in scope” systems.
Scope your CUI accurately = Save $
[Paul] Right. So, the smaller the footprint, the less costly it is to become compliant with NIST 800-171 and eventually with CMMC.
[Kyle] Yep. It will give you clarity in terms of what systems handle CUI. So, you know, it will help you prepare yourself. You won’t be confused if an assessor comes and asks you where your CUI is or how you handle your CUI. You’ll have an obvious answer.
[Paul] Right. And I think you alluded to this just a little bit earlier. But as we do these DoD SPRS consulting engagements and you conduct these Zoom calls, we don’t just have the folks from IT come along to these interviews, right? We also have leaders from other divisions within the company, especially operations, but potentially HR as well, right? So, the idea there is what? Because it seems that no one person or department within a company has a complete understanding of how everybody works with the CUI information?
No single business unit fully understands the CUI scope
[Kyle] Exactly. So, CUI input is usually not handled by the IT department. It could be Procurement. The engineers could take it. It could be input by somebody in a business unit that is non-IT. So, we have to work with different departments to understand how the information gets in. And also, during the handling process, somebody might be storing the CUI information in the cloud somewhere that’s outside of IT’s control. IT probably wants to know that as well. So, it’s better to get all the different groups of people that handle and touch CUI in the same room to talk about the process during the scoping exercise.
As you mentioned, there are HR, Legal, Compliance, IT, and Infosec. All the different departments. And also possibly the business units, the heads of the business units, like Procurement. And if Business Continuity is another department, you probably want to get that as well, because they may have a backup system somewhere else that you’re unfamiliar with; it could be different. In manufacturing, you want to include QA, quality control, and engineering. So, there are various departments you wish to have during the scoping exercise.
The challenge for manufacturers
[Paul] Okay, okay, good to know. I’m glad you brought up the point about manufacturers because they have that extra, that different level to it, right? In terms of the production environment, the operational technology, possibly the IoT and even the IIoT component to their compliance program, okay.
[Kyle] Good. Yep, yep.
KLC’s DoD SPRS consulting takes how long?
[Paul] Okay, good. How long does it usually take to complete this DoD SPRS consulting offer and be compliant with DFARS 252.204-7020?
[Kyle] I think this depends on the size and your complexity. So, it depends. But if you don’t have a complex environment, we can do this in as little as four to six weeks. So, we’ll do the scoping and help you put together the system security plan, the SSP, and help you identify the POAM, and help you put together the POAM as well. So, yeah, it depends on the complexity, starting with four to six weeks. But, if you have more cage codes, more physical locations, and more subsidiaries, this becomes more complex. And the number of systems. If you have many complex systems in your environment, that will increase the timeline.
[Paul] Right. And I think just a word of note here too, especially with manufacturers, right. From a business perspective, we know that manufacturers have had to make themselves very lean and mean for decades to remain competitive within manufacturing. And so, quite often, we deal with clients who are operating legacy systems, right. I know some of our clients use systems dating back to the 1980s. How, generally speaking, does this affect compliance for a defense industrial base company that’s a manufacturer?
Manufacturer’s legacy systems
[Kyle] You know, I think it depends on the situation, but it’s not uncommon to see old systems in the manufacturing environment. Right, but there are ways around it if there are outdated systems that Microsoft no longer supports. For example, if you use Windows 98, Windows XP, and Windows 7 for your CNC machines, or some of the manufacturing equipment you have, there are ways to secure them by putting them in a separate network, for example. So, there are different ways that we can design the controls to make them effective and be DFARS 252.204-7020 compliant.
Dialogue with your prime customers
[Paul] Great, okay. And yeah, I wanted to go down that avenue with you because it’s pretty common with the manufacturing clients we work with, so, yes, yes, okay. Another question would be: how should defense industrial base companies who are subcontractors respond to these prime customer request letters about DFARS 252.204-7020? With a couple of assumptions: if they haven’t made any progress toward their DoD SPRS submission? And then perhaps if they’re at least in the process of it, how do you generally recommend that they would respond to these letters?
[Kyle] Yeah, I know the prime contractors. They are following up with the subcontractors quite often, especially for the subcontractors that have not complied with DFARS 252.204-7020. They have not submitted the score to the DoD SPRS system. So, if you started it, it’s better to let your prime contractor know that you are working on it. You are in the process of getting the self-assessment done, and you expect to get this DoD SPRS submission done within the next few weeks, you know, whatever that day might be. And you just want to communicate with your prime contractors, make sure they’re aware then. So, you don’t lose any contracts, right.
Prime customer requests originate from flow-down requirements
[Paul] And that seems to be the key. And like so many things in life or business, it’s about communication. Just not remaining silent and ignoring it. Just respond and let your business partner know that you are working on it. You have a plan to get up to speed with this stuff. And I think the good news there is that, you know, help is available. And you know, we might be able to get you where you need to be in four to six weeks, or not too much longer after that if you’re a little bit larger and more sophisticated.
[Kyle] Yep. Right.
How to prioritize POAM remediation
[Paul] Okay, so, let’s go to the next step: a company has made their submission and complies with DFARS 252.204-7020. They’re comfortable with their score. They have their POAM; what’s next in this process for DoD cyber security compliance?
[Kyle] Yeah, once they have the POAM, they want to prioritize and understand what they need to do. What kind of resources do they have? What type of budget do they have? How long will the remediation take based on the available resources they have, right? So, this will be the roadmap for them to remediate and work towards the 110 practices for NIST 800-171 or CMMC.
[Paul] Right, okay, and I think we usually tell people with the POAM period to take about a year. Because even within their IT department, they typically have their hands full with other work they’re doing on behalf of their company.
[Kyle] So, yep. Usually, it’ll take a year or more, depending on the resources’ availability and the budget. Right now, we are expecting July 2023. That’s the estimated time for CMMC. But in the meantime, you just want to start planning. So, I don’t expect everyone must be compliant by July 2023. But you don’t want to wait because it will take time for you to plan it out. It also takes time to work on the remediation.
CMMC 2.0 allows for limited POAMs
[Paul] Right. In the current draft form, correct me if I’m wrong, CMMC 2.0 allows for some limited POAM items. Is that correct?
[Kyle] Some limited items, right, as long as they are not high risk. “High risk” is based on the DoD assessment methodology. You should not have any items that are worth five points.
[Paul] Five points, okay, good to know, good to know. And you know, as a C3PAO candidate consulting firm, we offer consulting service help in this area with POAM remediation, right. So, if you will, our tagline is that we give folks as much or as little help as they need. Now, we recognize that many companies like to try to do as much of the work as they can, as they’re able to take on, to save money, but also because it helps them gain a more intimate understanding of what’s involved with developing a DoD cyber security compliance program.
KLC Consulting offers as much or as little help as you need
[Kyle] Yep. Absolutely, yeah. And if they want to do more, we can be their guide. We can be their advisor and provide guidance. So, give them homework, then we can check and give direction in terms of how they are doing, and provide additional advice if necessary.
[Paul] Right, okay, good. So, let’s say again, following along with that example, that we’re working with a client. And we’re in the POAM remediation process, in that phase of things. How do we generally make recommendations as to what items on their POAM list they tackle first?
[Kyle] So, we usually recommend the priority based on the risk and the effort. So, the higher risk items, meaning if there are items worth five points or three points in the DoD assessment methodology. These are considered high-risk items. If you have a high-risk item with a low effort, you probably want to work on that first. It gives you the most significant boost in your DoD SPRS score.
Remediate high-risk, low-effort gaps first
Then you work on the lower risk, low-effort items, because you can knock off a lot of these items. You know, the one-point things. Once you finish with these low-effort items, you can estimate based on the effort. Then you can work on the rest of the high risk or the low risk with a more significant level of effort, and establish your effort and prioritize it. So, these are things that we will help you prioritize; we’ll work with you, based on our understanding of the risk and the gaps you have, and based on the availability of your resources, and we’ll give you a recommendation. You can tweak it as you want. But initially, we will provide you with a road map and help you prioritize. So, you know what’s ahead of you.
Follow US defense/intelligence agency recommendations
[Paul] Right, and I’ll also point to the work you’ve done in pulling together the best recommendations to help prevent cyber-attacks in the current environment of threats that we see today. Indeed, in light of what’s going on with the Russia-Ukraine conflict, I should say that cybersecurity breaches seem to be everywhere. They’ve become everyday household news items that we hear about on the major news networks.
And you’ve done the work to pull together the best practice recommendations of The White House and the Department of Defense; let me see, who else have we done? NSA, CISA, and the FBI. I think that might be the five. But I’ll put the link on our website. You’ve pulled together those best practice recommendations for people to follow. And that becomes part of your recommendation regarding how you go after those POAM items. Which ones do you address first to help prevent cyber-attacks, right?
[Kyle] Right. Especially for some companies that are probably a little bit riskier. They have a lower score in the DoD SPRS. They probably don’t have many security practices in place, which I would say are a little bit riskier. They have a little bit higher risk of getting compromised by cyber attackers. So, in that case, we would recommend what they have to do to protect themselves.
Secure your perimeter
Secure their perimeter, for example. Look for the vulnerabilities first, right? We’ll put vulnerability scanning capabilities first to ensure that they are not compromised already. So, we will put some recommendations to help them secure the perimeter and help them protect themselves first. Once we have that secure perimeter, we know we are working in a secure environment. Then we can tackle all the rest of the remediation. But we don’t want to start working on the less risky gaps, knowing that we have not secured the perimeter.
[Paul] And that’s such a practical approach to tackle this. So, that’s terrific. It’s great that you pulled all those sources together and made it so easy for folks.
CISA “Shields Up” alerts
[Kyle] CISA has also worked with all the agencies you mentioned. They issued the “Shields Up” alerts a couple of months ago. It stated that defense industrial base companies are increasingly under attack by cyber attackers. So, that is something that all defense contractors need to know. Those cyber attackers are targeting the defense contractors.
[Paul] Right, great. Great point. So, I think with this example, let’s say we’ve been working with a client helping them tackle their POAM remediation items. And they’re making progress, and their score is going up. That initial submission to the DoD SPRS, that’s not cast in stone. At some point, does it make sense to go back and update your submittal? So the DoD can see that you’re making a good-faith effort? And see you’re tackling your POAM items? And you’re working toward compliance with DFARS 252.204-7020?
Keep your DoD SPRS submittal current
[Kyle] Yep, yep. Absolutely. So, once in a while, you want to go in and update your score; I would say you probably don’t need to go in too often. But if you have some significant updates, right, if you get your score up 20, 30, or 50 points, you want to go in and update your score, showing that you have made progress. But every time you update the score, you will have a record showing that you are updating the score. So, yeah, you don’t have to update it every other day. Just update when you have that significant progress.
[Paul] Right, okay. Good, okay, all right, Kyle. Well, I’ll wrap this up; I think this was terrific. First of all, it’s an excellent overview of the process, the DFARS requirements, and explaining what’s involved, and the time frame to reach compliance if companies choose to work with us.
KLC Consulting is a CMMC-AB cleared candidate C3PAO
I’ll finish by saying KLC Consulting – we are a cleared candidate C3PAO firm. NIST 800-171 and CMMC are our niche specialty. We help defense industrial base companies become NIST 800-171 and CMMC compliant. And we do that by providing the most affordable combination of consulting services and technology solutions, through some of our partner companies, available today in the market.
Among our resources, we have Provisional Assessors and a soon-to-be Provisional Instructor. And Kyle, you’re close. You’re knocking on the door of that. You just need to hear back the notification that you have clearance from the DoD, which we anticipate and expect will be coming soon. But that’s a little bit about us as well. So, I’ll thank you very much for your time today, Kyle. And hopefully, people will find this helpful.
[Kyle] Yeah, thank you.