This sixth article in the series from the Cybersecurity Desk will give you a better understanding of how to submit your basic NIST 800-171 self-assessment score into SPRS (Supplier Performance Risk System).
Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s March 2023 Aerospace Heat Treating print edition.
Why Should You Do This?
The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7020 is one of three additions (7019, 7020, 7021) that the DoD interim rule made to the 252.204-70 series in November 2020, building on the original 252.204-7012. DFARS 252.204-7019, "Notice of NIST SP 800-171 DoD Assessment Requirements," is the solicitation provision: to be considered for award, an offeror must have a current assessment (not more than three years old) posted in SPRS for each covered contractor information system relevant to the offer. DFARS 252.204-7020, "NIST SP 800-171 DoD Assessment Requirements," is the contract clause that carries those requirements into the contract itself. It is the clause under which your basic NIST 800-171 self-assessment score is submitted to SPRS, and it also obliges you to give the Department of Defense (DoD) access to your facilities, systems, and personnel whenever it conducts or renews a Medium or High assessment, and to flow the requirement down to your subcontractors, who must have their own current assessment in SPRS before you award them a subcontract. DFARS 252.204-7021 covers the Cybersecurity Maturity Model Certification (CMMC) requirements.
Once your self-assessment score has been posted and accepted in SPRS, you are eligible for contract award. An assessment is current for three years from its assessment date, so the score must stay current in SPRS for the duration of the contract(s), and a score below 110 must be backed by a Plan of Action showing that you are working toward full compliance.
If a self-assessment score submitted to SPRS is required in order to win a contract, and you don’t have a self-assessment score in the system because you don’t have CUI, does that mean you will lose the contract? Maybe.
The NIST SP 800-171 DoD self-assessment requirement is being enforced whether or not you believe you handle CUI, so it makes sense to get started on this as soon as possible to position your company for additional business. Having better cybersecurity controls in place is also simply good business practice.
How To Submit Your Basic Self-Assessment Score to SPRS
There are two ways to submit your basic self-assessment score to SPRS.
Option 1: Using email to send the information. Submitting your self-assessment score via email to SPRS includes the following steps:
- Get an accurate NIST SP 800-171 self-assessment and score. Conduct the self-assessment with cybersecurity professionals who follow the NIST SP 800-171 DoD Assessment Methodology (which applies the assessment procedures of NIST SP 800-171A). Under that methodology a Basic assessment starts at 110 and subtracts a weight of 1, 3, or 5 points for every requirement that is not fully implemented, so the score ranges from 110 down to -203. A requirement that is not implemented still loses its full weight even if it has an open POA&M item; the only partial credit is for 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography).
- Identify your SPRS "Scope of Assessment." Your submission falls into one of three categories: Enterprise (the whole company network described by one SSP), Enclave (a segregated portion of the network that handles CUI), or Contracts (the systems supporting specific contracts).
- Determine your expected completion date. The "Plan of Action Completion Date" is the date by which every open POA&M item is scheduled to close, set from your compliance project timelines. A score of 110 has no plan of action, so the field does not apply in that case.
- Find your Commercial and Government Entity (CAGE) code(s). The CAGE codes identify the part(s) of your organization covered by the assessment and described in the final System Security Plan (SSP).
- Provide a brief description of the SSP format and system architecture.
- Submit your self-assessment score to SPRS. To submit your score, send an encrypted email (the 7020 clause itself calls for encrypted email; sign it as well if you can) to webptsmh@navy.mil with the subject line "SPRS Self-Assessment Score Submission" in the exact format specified below:
- Assessment date
- Assessment score
- Scope of assessment
- Plan of action completion date
- Included CAGE code(s)
- Name of System Security Plan (SSP) assessed
- SSP version/revision
- SSP date
- Wait for email confirmation
Option 2: Using the PIEE (Procurement Integrated Enterprise Environment).
Register a PIEE account at https://piee.eb.mil/ and request the SPRS Cyber Vendor User role for your CAGE code(s). Once your business is registered, choose the SPRS link and follow the instructions. You will need to provide the same information listed in Option 1.
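Both options need the same record: a score computed under the DoD Assessment Methodology (step 1 of Option 1) and the eight fields of the email format. The following Python is an added example, not code from the article, from Bluestreak Consulting or from DoD/SPRS. It applies the methodology's scoring rules (110 minus a 1/3/5 weight per unimplemented requirement, floor of -203, partial credit only for 3.5.3 and 3.13.11), checks the submission for the mistakes SPRS will bounce (stale assessment date, wrong scope, missing or illogical Plan of Action date, malformed CAGE code), and assembles the email body in the order listed above. The sample findings, CAGE code, SSP name and dates are constructed; the per-requirement weights in the sample are the example author's reading of Annex A of the methodology and must be verified against the current version, and the ISO date format is an assumption since the article specifies none.

```python
"""Score a Basic NIST SP 800-171 DoD Assessment and build the SPRS record.

Added example (not from the article or from DoD/SPRS).  Weights in the
sample findings are taken from Annex A of the NIST SP 800-171 DoD Assessment
Methodology as read by the example author; verify them before relying on them.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MAX_SCORE = 110                      # every requirement implemented
MIN_SCORE = -203                     # 110 minus the sum of all Annex A weights
VALIDITY = timedelta(days=3 * 365)   # an assessment is current for three years
SCOPES = ("Enterprise", "Enclave", "Contracts")
# The methodology gives partial credit (3 instead of 5) for exactly two cases:
#   3.5.3   MFA deployed for remote and privileged users but not general users
#   3.13.11 encryption in use to protect CUI but not FIPS-validated
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}


@dataclass(frozen=True)
class Finding:
    req: str              # 800-171 requirement number, e.g. "3.5.3"
    weight: int           # 1, 3 or 5 from Annex A
    implemented: bool
    partial: bool = False  # only meaningful for requirements in PARTIAL_CREDIT


def deduction(f: Finding) -> int:
    """Points lost for one requirement.  An open POA&M item earns no credit."""
    if f.weight not in (1, 3, 5):
        raise ValueError(f"{f.req}: weight must be 1, 3 or 5")
    if f.implemented:
        return 0
    if f.req in PARTIAL_CREDIT and f.partial:
        return 3
    return f.weight


def basic_score(findings: List[Finding]) -> int:
    """110 minus the weighted deductions; cannot fall below -203."""
    score = MAX_SCORE - sum(deduction(f) for f in findings)
    if score < MIN_SCORE:
        raise ValueError("deductions exceed the Annex A total; check the weights")
    return score


@dataclass
class SprsSubmission:
    assessment_date: date
    score: int
    scope: str
    poam_completion: Optional[date]   # None only when score == 110
    cage_codes: List[str]
    ssp_name: str
    ssp_version: str
    ssp_date: date

    def validate(self, as_of: date) -> None:
        """Reject records SPRS would not accept; as_of is the submission date."""
        if not MIN_SCORE <= self.score <= MAX_SCORE:
            raise ValueError("score out of range")
        if self.assessment_date > as_of:
            raise ValueError("assessment date is in the future")
        if as_of - self.assessment_date > VALIDITY:
            raise ValueError("assessment is older than three years; reassess first")
        if self.scope not in SCOPES:
            raise ValueError(f"scope must be one of {SCOPES}")
        if self.score < MAX_SCORE:
            if self.poam_completion is None:
                raise ValueError("a Plan of Action completion date is required below 110")
            if self.poam_completion <= self.assessment_date:
                raise ValueError("Plan of Action completion date must follow the assessment")
        elif self.poam_completion is not None:
            raise ValueError("a score of 110 has no Plan of Action; report N/A")
        for cage in self.cage_codes:   # CAGE codes are five upper-case alphanumerics
            if not (len(cage) == 5 and cage.isalnum() and cage == cage.upper()):
                raise ValueError(f"malformed CAGE code: {cage!r}")

    def email_body(self) -> str:
        """The eight fields, in the order the SPRS email format lists them."""
        poam = self.poam_completion.isoformat() if self.poam_completion else "N/A"
        return "\n".join([
            f"Assessment date: {self.assessment_date.isoformat()}",
            f"Assessment score: {self.score}",
            f"Scope of assessment: {self.scope}",
            f"Plan of action completion date: {poam}",
            f"Included CAGE code(s): {', '.join(self.cage_codes)}",
            f"Name of System Security Plan (SSP) assessed: {self.ssp_name}",
            f"SSP version/revision: {self.ssp_version}",
            f"SSP date: {self.ssp_date.isoformat()}",
        ])


# Constructed sample: the requirements not listed are treated as implemented.
SAMPLE_FINDINGS = [
    Finding("3.1.1", 5, implemented=True),
    Finding("3.1.2", 5, implemented=True),
    Finding("3.1.20", 1, implemented=False),               # -1
    Finding("3.3.2", 3, implemented=False),                # -3
    Finding("3.5.3", 5, implemented=False, partial=True),  # MFA for remote/privileged only: -3
    Finding("3.13.11", 5, implemented=False),              # CUI not encrypted at all: -5
    Finding("3.14.1", 5, implemented=False),               # -5
]


def sample_submission() -> SprsSubmission:
    """Score the constructed sample and validate it as of a hypothetical date."""
    sub = SprsSubmission(
        assessment_date=date(2023, 3, 1),
        score=basic_score(SAMPLE_FINDINGS),
        scope="Enclave",
        poam_completion=date(2023, 12, 31),
        cage_codes=["1ABC2"],                       # hypothetical CAGE code
        ssp_name="Example Heat Treat CUI Enclave SSP",  # hypothetical SSP
        ssp_version="1.2",
        ssp_date=date(2023, 2, 15),
    )
    sub.validate(as_of=date(2023, 3, 15))
    return sub


if __name__ == "__main__":
    print(sample_submission().email_body())
```

Running the block prints a body you can paste into the email or transcribe into the PIEE form; the validation step is where most rejected submissions would have been caught, in particular an assessment date more than three years old or a plan-of-action date that precedes the assessment.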
Funding & Cost Sharing May Be Available for Heat Treaters
With the strong push for stricter cybersecurity practices by the government and many businesses, cost-sharing and funding sources have been identified that may cover a substantial percentage of the cost of these cybersecurity projects. Every state has at least one MEP (Manufacturing Extension Partnership) center, and many states are willing to help with the cost of implementation.
About the Author:
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.