This 13-minute video answers your recent questions about the impact of DFARS 252.204-7012 on NIST 800-171 Rev 2, the submission of your self-assessment score into the DOD SPRS system, and the progressive evolution from NIST 800-171 to CMMC. It also presents examples of actual letters sent from the Under Secretary of Defense and from prime contractors to subcontractors, and discusses what they mean for you. Lastly, we discuss our low-cost SPRS consulting services to help you meet your SPRS submission requirement.
We’ve been receiving inquiries from defense industrial base companies that received letters from the DOD or their prime contractor. The letters talk about the November 30th deadline, the SPRS self-assessment score submission, NIST 800-171 Rev 2 and DFARS 252.204-7012, and the progressive evolution to CMMC compliance. These companies are worried because they haven’t submitted yet and, in many cases, haven’t even focused on this. We have a couple of examples that we’ll show in this video, but…
What’s this all about?
This pertains to defense contractors that handle controlled unclassified information (CUI). November 30th, 2020 is the effective date of the interim DFARS rule, which changes the existing DFARS 7012 rule about NIST 800-171 Rev 2.
As a defense industrial base contractor, is there something that I was required to do or respond to by November 30th? If so, is there a grace period?
From the DOD’s point of view, the DFARS rule change went into effect on November 30, 2020. From the prime contractors’ point of view, however, they have set November 30th as the date for their subs to comply, so subs need to meet their prime’s compliance requirements ASAP. After November 30th, 2020, the DOD will start including the new DFARS rules in new RFPs (requests for proposal) and contracts.
NIST 800-171 Rev 2, SPRS, SSP, and POAM: Let’s unpack some of the terminology
NIST 800-171 Rev 2 is a cybersecurity standard for protecting controlled unclassified information (CUI) in defense contractor systems. SPRS stands for Supplier Performance Risk System, and it is managed by the DOD. It is a system that tracks and stores the assessment results submitted by contractors, and the DOD uses it as an evaluation criterion for contract awards. SSP stands for System Security Plan; it documents the contractor’s CUI scope and boundary, controls and practices, and roles and responsibilities. It is the security plan that the defense contractor develops and then follows. A POAM is a Plan of Action and Milestones document that shows the compliance gaps, the plan for remediation, and the estimated date for remediation completion.
The NIST 800-171 self-assessment score: what does it mean, and what’s a perfect score? Is it possible for me as a defense industrial base company to go through this exercise and get a negative score?
The self-assessment summary level score shows your level of compliance with NIST 800-171. The perfect score is 110, and it is possible to get a negative score. Some of our clients start with a negative score because they don’t have many practices in place yet. Each of the 110 practices has an associated point value. You start with a perfect score of 110, and for each practice that is not implemented, its point value is deducted. Your net score is the assessment score you submit to SPRS.
What if I haven’t done an SSP or I’ve just estimated it internally because I didn’t have the resources or put the time and effort into it?
You want to start a compliance effort ASAP because it takes time and effort. We have developed a proprietary CUI data lifecycle methodology to define and minimize your CUI footprint, which also makes the process more efficient and cost-effective. We evaluate how CUI enters your organization, how you create CUI, how you store and protect it, how you use and access it, how you share it, how you archive it, and how you dispose of it securely. This allows us to quickly complete the documentation required for the SPRS submission. We can do this in as little as two weeks for smaller companies.
What happens if there’s a negative score? Does that mean I’m not compliant, or is it possible to be NIST 800-171 compliant even with a negative score?
It’s pretty common to start with a negative score if you are missing some of the critical controls. That said, you will be in compliance because you meet the submission requirement. However, you want to tackle the POAM items as soon as possible to raise your score. You can prioritize your plan of action based on the criticality of your practices.
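The scoring rule described above (start at 110, deduct points for each practice that is not implemented, so the net score can go negative) and the idea of prioritizing the POAM by the criticality of each practice can both be shown in a few lines. The following is an added example written for this page; it is not code from KLC Consulting, the DOD or the video. It assumes the DoD Assessment Methodology’s 5/3/1 point weighting per practice (the full 110-practice table totals 203 points, which is why an organization with few practices in place starts below zero) and its partial-credit rule for 3.5.3 and 3.13.11. The list of practices, their weights and their statuses below are a constructed sample, not the official scoring table.

```python
"""Added example (not the page's or KLC Consulting's code): a small NIST SP 800-171
self-assessment scorer following the rule the text describes, plus a POAM ordering
that puts the practices with the most points at stake first.

Assumptions: each practice is weighted 5, 3 or 1 point (DoD Assessment Methodology);
3.5.3 and 3.13.11 may earn partial credit (deduction 3 instead of 5). The practice
subset, summaries and weights below are a CONSTRUCTED sample for illustration.
"""
from dataclasses import dataclass

PERFECT_SCORE = 110

# Assumed partial-credit rule: reduced deduction when the practice is partly in place.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Practice:
    ident: str    # NIST SP 800-171 requirement number
    summary: str  # short paraphrase (constructed)
    weight: int   # points deducted when not implemented (assumed 1, 3 or 5)


# Constructed sample subset with illustrative weights (not the official table).
SAMPLE_PRACTICES = [
    Practice("3.1.1", "Limit system access to authorized users", 5),
    Practice("3.1.2", "Limit access to permitted transactions and functions", 5),
    Practice("3.1.8", "Limit unsuccessful logon attempts", 1),
    Practice("3.1.20", "Verify and control connections to external systems", 1),
    Practice("3.3.1", "Create and retain system audit logs", 5),
    Practice("3.4.1", "Maintain baseline configurations and inventories", 5),
    Practice("3.5.3", "Use multifactor authentication", 5),
    Practice("3.8.3", "Sanitize media before disposal or reuse", 5),
    Practice("3.8.4", "Mark media containing CUI", 1),
    Practice("3.11.2", "Scan for vulnerabilities periodically", 5),
    Practice("3.13.11", "Employ FIPS-validated cryptography for CUI", 5),
    Practice("3.14.1", "Identify and correct system flaws in a timely manner", 5),
]

# Constructed sample self-assessment statuses keyed by practice identifier.
SAMPLE_STATUSES = {
    "3.1.1": "implemented", "3.1.2": "implemented", "3.1.8": "not implemented",
    "3.1.20": "not implemented", "3.3.1": "not implemented", "3.4.1": "not implemented",
    "3.5.3": "partial", "3.8.3": "implemented", "3.8.4": "implemented",
    "3.11.2": "not implemented", "3.13.11": "partial", "3.14.1": "implemented",
}


def deduction_for(practice: Practice, status: str) -> int:
    """Points deducted for one practice given its assessed status."""
    if status == "implemented":
        return 0
    if status == "partial":
        if practice.ident not in PARTIAL_CREDIT_DEDUCTION:
            raise ValueError(f"{practice.ident} does not allow partial credit")
        return PARTIAL_CREDIT_DEDUCTION[practice.ident]
    if status == "not implemented":
        return practice.weight
    raise ValueError(f"unknown status {status!r} for {practice.ident}")


def assessment_score(practices, statuses) -> int:
    """Net score = 110 minus all deductions. A practice with no recorded status is
    treated as not implemented: the conservative reading, which avoids inflating
    the score (the DOD reserves the right to audit it)."""
    return PERFECT_SCORE - sum(
        deduction_for(p, statuses.get(p.ident, "not implemented")) for p in practices
    )


def _ident_key(ident: str):
    # Numeric ordering of "3.1.20" style identifiers for a stable tie-break.
    return tuple(int(part) for part in ident.split("."))


def poam_order(practices, statuses):
    """Identifiers of unimplemented or partial practices, highest deduction first,
    then by requirement number, so the POAM tackles the most critical gaps first."""
    gaps = []
    for p in practices:
        points = deduction_for(p, statuses.get(p.ident, "not implemented"))
        if points > 0:
            gaps.append((points, p.ident))
    gaps.sort(key=lambda g: (-g[0], _ident_key(g[1])))
    return [ident for _, ident in gaps]


if __name__ == "__main__":
    print("score:", assessment_score(SAMPLE_PRACTICES, SAMPLE_STATUSES))
    print("POAM order:", poam_order(SAMPLE_PRACTICES, SAMPLE_STATUSES))
```

With the constructed statuses the net score is 87 and the POAM starts with the three unimplemented 5-point practices; leaving every practice unrecorded scores the sample set as fully unimplemented, which is what you want a worksheet to do by default.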
Will my prime contractor be able to see my NIST 800-171 score?
Primes will not be able to see your score in the SPRS.
How much time will I have to reach a perfect score of 110?
There is no time frame; but remember, if you are a prime contractor, your assessment score in SPRS will be used as an evaluation criterion for new contracts or recompetes. You want to reach the perfect score of 110 as soon as possible. As a reminder, you should not inflate the score, because the DOD reserves the right to audit you.
How does CMMC relate to all of this?
CMMC is a progressive follow-up cybersecurity requirement for DOD contracts. It will be rolled out over the next five years, between now and the end of 2025, and you will start seeing new contracts with CMMC requirements in 2021. CMMC has 20 additional practices on top of NIST 800-171, so if you have already achieved NIST 800-171 compliance with a perfect score of 110, reaching CMMC compliance should be a smaller incremental effort.
Letters sent from the Under Secretary of Defense and prime contractors to subcontractors
In the video, there are two examples of the letters that Kyle and I were referring to earlier. The first is a letter that was sent out by the Office of the Under Secretary of Defense. The other was sent out to defense industrial base prime contractors.
In the first paragraph, it states that DFARS supplement 252.204-7012 requires contractors and subcontractors to implement the security requirements of NIST 800-171. It’s all about protecting CUI in non-federal systems and organizations when it resides on or transits through the contractors’ or subcontractors’ internal information system. In the second paragraph, it speaks to the requirement that the self-assessment results be submitted and documented into the SPRS.
The second letter is typical of what prime contractors have been sending out to their subs. It speaks to the new DFARS requirements effective November 30th, 2020. There are three new clauses: DFARS ending in 7019 is the notice requirement, 7020 is the NIST 800-171 self-assessment requirement, and 7021 is the progressive evolutionary standard from NIST 800-171 to CMMC. All contractors must have a current assessment score and submit it to the DOD’s SPRS. Prior to awarding contracts and subcontracts that involve CUI, the contracting organizations must confirm that a current assessment score has been submitted.
The third section shows what prime contractors are typically asking of their subcontractors. It advises subcontractors to send a formal letter to their prime contractor addressing each of the following for their organization prior to November 30th, 2020:
- Confirmation that your NIST 800-171 assessment score has been submitted into the SPRS
- POAM estimated completion date for any unimplemented NIST 800-171 requirements
- Status/estimated completion date for the additional 20 CMMC practices
- Status/estimated completion date for Level 2/3 maturity processes
About KLC Consulting
We’re cybersecurity consultants who specialize in NIST 800-171 and CMMC requirements, and we’re here to help. We recognize that November 30th has come and gone and that a lot of folks are a bit anxious about this. They feel that they’ve missed the deadline and that they’re behind, and they’re wondering how it might affect their status with the DOD or their prime contractors.
Right now, we’re offering an SPRS consulting special on our website. For $5,900, we will help prepare you to the point where you can submit the necessary information to the SPRS. We’ll put together your system security plan, your POAM, and your self-assessment score worksheet. The important thing to note is that coming up with a negative score is quite common; by getting this information into the SPRS, you are compliant. If you need help with remediation, we’re certainly available to help with that as well.
We’re also going to be doing a follow-up video to talk about the CMMC preparation and the certification process with one of our provisional CMMC assessors. Thank you for watching, and please feel free to reach out with any questions.
For more information about our services, visit our blog post.
Please visit our YouTube channel for other free resources and cybersecurity discussion topics. LIKE and SUBSCRIBE!
And please visit us on LinkedIn.