

By: Kharmela Mindanao on December 12th, 2024


How to Report Your DoD SPRS Score (in 5 Easy Steps)


Are you a Department of Defense (DoD) contractor, or a vendor supporting one? Surprise: you have another security requirement to comply with.

Unless you want to be passed over for contracts, or face penalties for a score that misrepresents your posture, you must post your NIST SP 800-171 assessment score in the Supplier Performance Risk System (SPRS). DFARS 252.204-7019 and 252.204-7020 require a current score in SPRS before a contracting officer can award a contract that carries DFARS 252.204-7012, and the DoD uses that score to weigh your cybersecurity risk against other suppliers'. It is not a requirement you can waive.

Here is a quick, no-frills, step-by-step guide to reporting your SPRS cybersecurity score.

Intelligent Technical Solutions (ITS) created this guide to help contractors ensure their SPRS score accurately reflects their cybersecurity practices. With years of experience securing companies with DoD contracts, we understand the complexities of DoD compliance and the importance of maintaining an accurate SPRS score.

In this guide, you’ll also learn: 

  • How to improve a negative SPRS score

Sean Harris, ITS’ Senior VP for Cybersecurity, will also share his expertise on this topic.

By the end of this guide, you’ll have the information to submit your SPRS score and ensure that your company stays competitive in the defense contracting space. 


1. Assess your NIST 800-171 compliance 

"The SPRS cybersecurity score is essentially a NIST 800-171 assessment,” Harris explained, “where companies score themselves based on whether they're doing each of the requirements.”

Conduct a thorough self-assessment against the 110 security requirements of NIST SP 800-171 Revision 2, the version the DoD Assessment Methodology scores. Each requirement you can show is fully implemented keeps you on track for the maximum score; each one you cannot costs you points, as step 2 explains.

"We had a client that originally self-assessed with a score of 88, but after doing a thorough gap assessment, we found they were actually at negative 30." 

Pro Tip: 

Start now with a document that chronicles your compliance process: which tasks are assigned to which people, what tools they use to complete them, and who holds login and access details for each system. NIST SP 800-171 already requires this in the form of a System Security Plan (requirement 3.12.4) and a Plan of Action and Milestones (requirement 3.12.2), and the DoD Assessment Methodology states that without an SSP an assessment cannot be completed at all.

2. Calculate your initial score 

The SPRS cybersecurity score measures how many of the 110 NIST SP 800-171 requirements you have implemented, scored under the DoD Assessment Methodology.

Each requirement carries a fixed weight of 1, 3 or 5 points, set by the DoD according to how badly its absence would expose Controlled Unclassified Information (CUI); the weight does not change with how far along your implementation is. You start from the maximum of 110 and subtract the weight of every requirement that is not implemented.

“You actually start at negative 203, and then each thing that is done you’ll get one, three, or five points,” Harris said. “Fully implemented controls earn five points, partially implemented controls earn three points, and minimally implemented controls earn one point."

Partial credit exists for only two requirements. For multi-factor authentication (3.5.3), a 5-point requirement, you lose all 5 points if MFA is not implemented but only 3 if it is in place for remote and privileged users and not yet for general users. For FIPS-validated cryptography (3.13.11), also 5 points, you lose 5 if CUI is not encrypted and 3 if it is encrypted with cryptography that is not FIPS-validated. Every other requirement is scored as implemented or not, so a half-finished control costs its full weight.

A perfect score is 110, meaning all requirements are fully implemented; the lowest possible score is -203.
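The scoring rule above, written out so the number you enter in SPRS can be reproduced from your self-assessment record. This is an added example, not code from the ITS article or from any DoD tool. The weight table it ships with is a constructed sample: only the weights of 3.5.3 and 3.13.11 (5 points each) and the special handling of 3.12.4 are taken from Annex A of the DoD Assessment Methodology; the other entries are placeholders, and a real run loads all 110 weights from Annex A, at which point the maximum score the code computes is 110.

```python
"""Reproduce a NIST SP 800-171 DoD Assessment (SPRS) score from a
self-assessment record. Added example, not code from the ITS article."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"               # partial credit exists only for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not_implemented"


# Annex A of the methodology gives a reduced, 3-point deduction for exactly two
# requirements when they are partly done:
#   3.5.3   MFA in place for remote and privileged users but not general users
#   3.13.11 encryption in use, but not FIPS-validated
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Without a system security plan the methodology says no assessment can be
# completed, so 3.12.4 gates the whole score instead of costing points.
SSP_REQUIREMENT = "3.12.4"

# CONSTRUCTED sample weight table for the demo. Only 3.5.3 and 3.13.11 (5 points
# each) and 3.12.4 (no point value) are taken from Annex A; the other weights
# are placeholders. A real run loads all 110 requirements from Annex A.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.22": 1, "3.3.1": 5, "3.5.3": 5,
    "3.8.9": 1, "3.12.4": 0, "3.13.11": 5, "3.14.1": 5,
}


@dataclass
class ScoreResult:
    score: Optional[int]                         # None: no score can be produced
    deductions: Dict[str, int] = field(default_factory=dict)
    reason: str = ""


def score_assessment(statuses: Dict[str, Status],
                     weights: Dict[str, int]) -> ScoreResult:
    """Start from one point per requirement and subtract each shortfall."""
    missing = sorted(set(weights) - set(statuses))
    if missing:
        raise ValueError(f"no status recorded for {missing}")
    unknown = sorted(set(statuses) - set(weights))
    if unknown:
        raise ValueError(f"unknown requirement ids {unknown}")
    if statuses[SSP_REQUIREMENT] is not Status.IMPLEMENTED:
        return ScoreResult(None, reason="no SSP (3.12.4): assessment cannot be completed")

    deductions: Dict[str, int] = {}
    for req, status in statuses.items():
        if status is Status.IMPLEMENTED:
            continue
        if status is Status.PARTIAL and req in PARTIAL_DEDUCTION:
            deductions[req] = PARTIAL_DEDUCTION[req]
        else:
            # Everywhere else a requirement is either met or not: "partial"
            # scores exactly like "not implemented".
            deductions[req] = weights[req]
    # With the full Annex A table len(weights) is 110, the maximum score.
    return ScoreResult(len(weights) - sum(deductions.values()), deductions)


def remediation_order(result: ScoreResult) -> List[str]:
    """Unmet requirements, biggest point recovery first (input for the POA&M)."""
    return sorted(result.deductions, key=lambda r: (-result.deductions[r], r))


# Constructed self-assessment: everything met except four requirements.
SAMPLE_STATUSES = {req: Status.IMPLEMENTED for req in SAMPLE_WEIGHTS}
SAMPLE_STATUSES.update({
    "3.1.1": Status.PARTIAL,            # no partial credit here: costs the full 5
    "3.1.22": Status.NOT_IMPLEMENTED,   # costs 1
    "3.5.3": Status.PARTIAL,            # MFA partly rolled out: costs 3, not 5
    "3.13.11": Status.NOT_IMPLEMENTED,  # no FIPS crypto at all: costs 5
})

if __name__ == "__main__":
    result = score_assessment(SAMPLE_STATUSES, SAMPLE_WEIGHTS)
    print(result.score, result.deductions, remediation_order(result))
```

Against the constructed sample the score comes out negative even though only four of nine requirements fall short, which is the effect Harris describes: a few missing 5-point requirements outweigh many implemented 1-point ones. Feed the function your own statuses and the full Annex A weights, and keep the output with the evidence from step 3 so the figure you post in SPRS is traceable.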

3. Prepare documentation 

Gather the documentation that proves your compliance with each requirement: your System Security Plan, security policies, training logs, audit results, vulnerability scan reports, and system configuration settings.

Each piece of evidence should map to a specific requirement in NIST SP 800-171, so that an assessor can trace every point you claim back to something they can verify. The client who self-assessed at 88 and turned out to be at -30 had claimed controls that no evidence supported.

4. Access the SPRS website 

Once you have calculated your score, you submit it in SPRS, which is reached through the Procurement Integrated Enterprise Environment (PIEE) at piee.eb.mil. You need a PIEE account with the SPRS Cyber Vendor User role, which is tied to your company's CAGE code; register, or have your company's PIEE administrator grant the role, before you attempt to submit.

5. Submit your SPRS score 

"You're self-reporting it, and then if you're [CMMC] Level 2, you’ll have to have an auditor come in to affirm all of that,” Harris said.

After logging into PIEE:

  • Navigate to the SPRS module and add a new NIST SP 800-171 assessment. 
  • Enter the assessment date, the score from your self-assessment, and the scope of the assessment (the CAGE codes it covers). 
  • Enter the name and version of the System Security Plan the assessment was conducted against. 
  • Enter the date by which you expect all 110 requirements to be implemented; it should match the completion dates in your POA&M. 


BONUS STEP: Monitor and update your score regularly 

The cybersecurity landscape is constantly changing, and so should your security measures. Review and update your SPRS score at least annually and whenever your security posture changes significantly, for example when a new system enters the CUI boundary or a POA&M item is closed. DFARS 252.204-7019 only counts an assessment that is no more than three years old, and a stale or inaccurate score is the first thing an assessor will challenge.

Keeping your score current ensures you remain compliant and ready for audits. Monitor your controls continuously rather than once a year, and be ready to update both the controls and the posted score when DoD requirements change. 

How to Improve a Negative SPRS Score 

If your score is negative, don't panic!

“It's not unheard of to have a negative number on your final score,” Harris reassured.

There are clear steps to improve your SPRS score.  

1. Focus on High-Impact Controls 

Prioritize the 5-point requirements, since each one you close recovers five points at once; these include the basic access-control requirements, multi-factor authentication, audit logging, FIPS-validated encryption of CUI, and incident response. Annex A of the DoD Assessment Methodology lists the weight of every requirement, so sort your gaps by weight before you sort them by effort. 

2. Develop a Plan of Action 

Create a Plan of Action and Milestones (POA&M), which NIST SP 800-171 requires in its own right (requirement 3.12.2), listing each deficient requirement, its owner, the planned fix, and a target date. The latest of those dates is what you report in SPRS as the date all requirements will be implemented, so keep the two consistent. Working through the POA&M in weight order raises your score systematically. 

3. Work with a Consultant 

If you're unsure about implementing certain controls, consider working with an experienced cybersecurity consultant, like ITS, to guide you through the process. 


Need more help with your SPRS score? 

Reporting your SPRS score accurately is not only a contractual requirement but a strategic necessity for companies in the defense contracting space. Failing to comply can lead to severe consequences, from losing contracts to incurring penalties for a score that misrepresents your posture.

However, by understanding how to review your NIST 800-171 compliance, calculating your score, and submitting it correctly through SPRS, you can ensure your business remains compliant and competitive.

At ITS, we specialize in helping organizations like yours navigate the complexities of federal compliance, including SPRS submissions. Whether you need help with your self-assessment or improving a negative score, we are here to guide you every step of the way.

Ready to improve your SPRS score and protect your DoD contracts? Contact ITS today to schedule a consultation with our team of cybersecurity experts.