CMMC News by Jun Cyber

SPRS and You: Managing DOD Cybersecurity Expectations

Wilson Bautista Jr.


We just dived deep into the Department of Defense's NIST SP 800-171 assessment requirements. This is crucial for any contractor involved with DoD contracts, especially when it comes to cybersecurity. Here are three key takeaways:

  • Assessment Frequency: If you're implementing NIST SP 800-171, make sure you have a recent assessment conducted within the last three years for every covered information system tied to DoD contracts.
  • Assessment Levels: There are three types of DoD assessments - Basic, Medium, and High. Understanding which level applies to you and how to proceed can make or break your eligibility for DoD contracts. The details for each can be found in another key document, the NIST SP 800-171 DoD Assessment Methodology.
  • Reporting Requirements: Once your assessment is complete, post your summary level scores in the Supplier Performance Risk System (SPRS). This is a mandatory step to demonstrate your commitment to cybersecurity, and remember, time is of the essence – scores need to be posted within 30 days of assessment completion.

🔗 If you’re involved in defense contracting, keeping up with these requirements is non-negotiable! Tune into our latest episode for the full breakdown and stay ahead in the ever-evolving landscape of cybersecurity standards.

For the official CMMC documentation, click this link: https://dodcio.defense.gov/cmmc/Resources-Documentation/

#DefenseContracting #Cybersecurity #NISTSP800171 #DOD #CMMCNews #PodcastHighlights


Alright. Welcome in, everyone. Ready for another deep dive. Absolutely. Always ready to dig into some fascinating documents. And we've got a really timely one today, especially for anyone involved with Department of Defense contracts. Yeah. This is about cybersecurity, front and center. Exactly. It's a DoD document all about cybersecurity assessment requirements for contractors. And we know you, our listeners, are busy folks, so we're gonna cut through the jargon and get right to the heart of what you absolutely need to know to navigate these rules. No need to get bogged down in the technical weeds. We'll give you the clear takeaways. So the main document we're dissecting today is titled, get ready for this, "Notice of NIST SP 800-171 DoD Assessment Requirements (NOV 2023)." Catchy title. Really rolls right off the tongue. But seriously, this is the DoD laying down the law, or at least the expectations, for anyone working with them, especially when it comes to cybersecurity. And it's all about those assessments, those checks that tell the DoD just how secure your systems really are. So let's jump right in. This notice, right off the bat, states that your organization has to implement something called NIST SP 800-171. Which is a pretty big deal for a lot of DoD contractors, especially those handling certain types of sensitive information. Yeah. If that's you, then you absolutely have to have a recent assessment. And by recent, I mean within the last three years, for every single covered contractor information system that's connected to any DoD offers or contracts you're involved with. That three-year window is key, but always, always double-check the specific contract you're working with. Some might have even shorter time frames. Oh, yeah. Absolutely. The contract always trumps the general rule. So what about this term, covered contractor information system?
Well, think of it as any system in your organization that touches covered defense information. Okay. So if you're working with that kind of data for the DoD, these assessment rules are coming for you. Exactly. And to understand it fully, we'd have to dive into clause 252.204-7012, which is all about safeguarding that sensitive defense information and reporting any cyber incidents. We won't go down that rabbit hole today, but it's good to know where it fits in. Absolutely. It's all connected. So the big picture here is that these assessments are all about making sure you're eligible to even get a DoD contract award. It's a baseline requirement, really showing the DoD that you're taking cybersecurity seriously. Okay. Now this is where it starts to get interesting. The document then outlines these different types of NIST SP 800-171 DoD assessments, and there are three of them: Basic, Medium, and High. High. Kinda like a difficulty setting for cybersecurity. Right? Yeah. Exactly. The document itself doesn't go super deep into what makes each level different, but it does give us a link to another document that does. Oh, that's helpful. What's it called? It's the NIST SP 800-171 DoD Assessment Methodology. And where can our listeners find that? Well, the link is a bit of a mouthful, but it's https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST SP 800... You know, the usual government website. Easy to remember. So if anyone needs the deep dive on those assessment levels, that's the place to go? Exactly. All the details are in there. Alright. So let's say you've had your assessment done. Now what? Well, it's not enough to just have it sitting on a shelf somewhere. Right. You gotta prove it to the DoD. Exactly.
The document really stresses that you need to make sure those summary level scores from your current NIST SP 800-171 DoD assessments are actually posted in a system called SPRS. SPRS? That stands for Supplier Performance Risk System. Ah, okay. So that's where all this information lives. It's like the DoD's central hub for tracking how their suppliers are doing, and that includes cybersecurity these days. Makes sense. They need to have a clear picture of the security posture of everyone they're working with. Exactly. It's all about informed decision-making and risk management. Now what if you don't have a current score in SPRS? What happens then? Well, the document's got you covered. If you need to meet these NIST SP 800-171 requirements but you don't have that score in SPRS, you can do something called a Basic assessment and submit it to get it posted. So it's like a starting point, getting your foot in the door. Yeah. Think of it as establishing your baseline cybersecurity standing. Okay. So how do you actually submit this Basic assessment? Is there, like, an online form or something? You'd think. Right. Yeah. But nope. It's all done through email. Really? Email? Yep. Good old email. And there's some specific information they want you to include. First off, you gotta state which cybersecurity standard you were assessed against. Like NIST SP 800-171 Revision 1, for example. Exactly. And you also have to say who did the assessment, which for a Basic assessment would usually be contractor self-assessment. So you're basically vouching for yourself at this level. Yeah. It's a self-evaluation, but it still has to be done rigorously and honestly. Right. No cutting corners. Absolutely not. Now for each system security plan, or SSP, that you have supporting a DoD contract, things get even more granular. More details. Great. You'll need to include all the associated CAGE codes. CAGE codes.
Remind me what those are again. They stand for Commercial and Government Entity codes. Oh, right. Those unique identifiers for organizations. Exactly. Those are essential so the DoD can link the assessment to the right organizations and contracts. Got it. So they know exactly who they're dealing with. And if you have multiple SSPs, which many larger organizations do, you need to provide a short description of how each plan's architecture is set up. Just so the DoD knows what systems are covered by each plan. Precisely. Okay. So we've got the standard, who did the assessment, and the CAGE codes and SSP details. What else goes in this email? Well, you also need to state when the assessment was completed. The exact date. Yep. And this is a big one. You absolutely have to provide that summary level score. So, for example, you might say 95 out of a possible 110. So that's your overall score showing how well you're meeting those security controls? Exactly. The DoD wants that big-picture view, not the individual scores for each requirement. Makes sense. They wanna know how you're doing overall. And one last thing. Right. Right. You have to include the date when you expect to have all the requirements fully implemented, meaning you've hit that perfect score of 110. So that's based on your plan of action, how you're gonna fix any security gaps you found. Exactly. It's a way of showing the DoD that you're committed to continuous improvement. Always getting better. That's the goal. Now the document even gives you a specific format for all this if you're reporting on multiple SSPs in one email. It's all about clarity and making sure the DoD can easily understand and process all this information. Keep it organized. Definitely. Now for the Medium and High assessments, it's a bit different. Oh, how so? For those, the DoD actually takes care of posting the summary level scores in SPRS. You don't submit them directly via email like with the Basic assessment.
I guess that makes sense, since those are more in-depth assessments. Right. They're usually conducted by the DoD itself or under their direct supervision. Like by the Defense Contract Management Agency, or DCMA? Exactly. Or another specific DoD organization, usually identified by their DoDAAC. DoDAAC. Now there's another acronym for you. Stands for Department of Defense Activity Address Code. Right. Because the DoD loves their acronyms. They really do. So the information they post for Medium and High assessments is basically the same as what you'd include for a Basic assessment. Right? Yep. The standard, who did the assessment, the CAGE codes, a description of the SSP architecture, the date and level of the assessment, that summary level score, and the target date for full compliance. So whether it's Basic, Medium, or High, it all ends up in SPRS. Exactly. It all feeds into that central system. Now who can actually see all this information in SPRS? Well, the document's pretty clear on that. Access to those assessment summary scores is limited to DoD personnel. So it's not public knowledge? No. It's internal DoD information protected by DoD Instruction 5000.79. Which is all about how they handle supplier and product performance information. Right. It's confidential stuff. But contractors can see their own summary level scores. Oh, that's good. So you can at least check your own standing. Absolutely. They even provide a link to the SPRS software user's guide for awardees and contractors so you know how to navigate the system. Very helpful. Now what about those High assessments? You mentioned they might have additional documentation. Yeah. That's an important point. That extra documentation is treated as CUI, controlled unclassified information. Meaning it's sensitive but not classified. Right. And it's strictly for internal DoD use only. Not something they're gonna be sharing freely. Definitely not.
It's protected from unauthorized release, even through Freedom of Information Act requests. So High assessments really are a whole other level of scrutiny. They are. It shows you how seriously the DoD takes cybersecurity, especially when it comes to the most sensitive information. Okay. One last question. How long does it usually take for all these scores to actually show up in SPRS? Well, the document says that summary level scores for all assessments, Basic, Medium, and High, should be posted within thirty days of the assessment being completed. So there's a clear time frame, no waiting around forever wondering if it went through. Exactly. It's a well-defined process. So for our listeners out there, what's the big takeaway from all this? Well, if you're a contractor working with the DoD, especially if you're handling covered defense information, these NIST SP 800-171 assessment requirements are non-negotiable. You gotta know them and you gotta meet them. Absolutely. It's not just a box to check. It's about demonstrating that you're taking cybersecurity seriously and giving the DoD the confidence they need to trust you with their contracts. It's all about proving your commitment to cybersecurity. Exactly. This deep dive really shows how important cybersecurity has become in the defense industrial base. It's not an afterthought anymore. It's a core requirement. Right. And those different assessment levels, Basic, Medium, and High, really make you think about the different levels of risk involved. Yeah. The more sensitive the information, the higher the stakes and the more rigorous the assessment. Exactly. And as these requirements keep evolving, it makes you wonder how contractors, especially smaller businesses, are gonna keep up. It's a big investment, both in terms of time and money. It is. So that's something to think about.
How will the landscape of government contracting and cybersecurity continue to change, and what challenges will contractors face in the future? It's a conversation that's not going away anytime soon. Definitely not. Well, thanks for breaking it all down for us today. Always happy to dive into the details. And to our listeners, thanks for joining us for another deep dive. Until next time, stay curious and stay secure. See you next time.
