Navigating the Complex World of Compliance

Nov 30, 2021 | CMMC, Blog, Compliance, Department of Defense, SPRS

As CMMC continues to mature, we want to ensure you keep up to date with the latest news, and we want to help your organization meet the DoD Interim Rule while it remains in effect.

Large prime contractor companies like General Dynamics, Northrop Grumman, and Raytheon have all specifically noted on their websites that their subcontractors must meet this DoD Interim Rule by entering an assessment score into the Supplier Performance Risk System (SPRS) database. They are making this requirement to ensure their supply chain can continue contributing to existing contracts or to bid on new ones.

Interestingly, the DoD permits the SPRS score to be produced through a “self-assessment,” which implies that organizations can do this on their own. While this seems simple enough, this “basic” self-assessment is scored against the 110 security controls across 14 domains listed in NIST SP 800-171 and must be completed in accordance with the DoD Assessment Methodology.

To consider any given control as met, the NIST publication for assessing security requirements for CUI (NIST SP 800-171A) requires a company to satisfy all of the control's underlying assessment objectives, not just the letter of the control itself. This means the 110 controls expand into 319 objectives that must all be met to earn a perfect score of 110.

Additionally, controls are weighted differently under the DoD Assessment Methodology. The new CMMC 2.0 does allow a Plan of Action for some controls. However, controls with a high value must be implemented; they are not permitted to be deferred as an action item to be completed in the future. High-value controls must be in place prior to submitting the score.

In addition, the Department of Justice (DOJ) recently announced that it will actively pursue companies that receive federal funds through government contracts if they fail to follow cybersecurity practices. The DOJ will use the False Claims Act as the basis for penalizing companies that choose to allow business practices with unacceptable cybersecurity risk.

Helping our clients navigate CMMC and the SPRS database is one area of our compliance expertise.

To help guide you through NIST 800-171 and SPRS readiness, we offer the following:

  • Review of infrastructure and documentation against all 319 assessment objectives
  • Review of your System Security Plan (SSP). If no SSP currently exists, we will help generate the SSP framework with you
  • Update/develop a current Plan of Action
  • Detailed instructions on recording your SPRS score into the Procurement Integrated Enterprise Environment (PIEE) site

If we can be of service, please don’t hesitate to reach out.