The United States Department of Defense (“DoD”) is taking a “crawl-walk-run” approach to rolling out CMMC requirements, meaning that it will incorporate CMMC requirements into only a relatively small (but gradually increasing) number of contracts over the next few years. In the interim, DoD knows that it needs to make more risk-informed decisions about the contractors it entrusts with creating or receiving Controlled Unclassified Information.
Interim Rule and Scoring
To that end, DoD published a new Interim Rule on September 30, 2020. The Interim Rule went into effect November 30, 2020, and created three new DFARS clauses: 252.204-7019 and 252.204-7020, which govern the assessments discussed in this article, and 252.204-7021, which carries the CMMC requirement itself. Interim Rule status means the rule takes effect immediately but remains subject to change over the next several weeks, depending on DoD’s adjudication of comments submitted by industry and other interested parties. If the -7019 and -7020 DFARS clauses are revised in any significant way we will publish an update to this article. Be sure to subscribe to our newsletter to stay up to date.
Under the Interim Rule and the corresponding clauses, DoD contracting officers must, prior to contract award or renewal, verify that a “basic” cybersecurity self-assessment score has been entered into the Supplier Performance Risk System (“SPRS”) for every contractor to whom DFARS 252.204-7012 applies (i.e., every contractor that will create or receive Controlled Unclassified Information (“CUI”)). A basic self-assessment score is generated by comparing the contractor’s cybersecurity program to the security requirements defined in NIST SP 800-171 (“800-171”) using the basic assessment methodology described in DoD’s “NIST SP 800-171 DoD Assessment Methodology”.
In essence, under DoD’s methodology, a basic self-assessment starts with a score of 110 (one point per 800-171 requirement) and, for each requirement the contractor has not fully implemented, the contractor loses the weight assigned to that requirement in the methodology’s Annex A: 5 points for requirements whose absence could lead to significant exploitation of the network, 3 points for requirements with a specific and confined effect, and 1 point for requirements with a limited or indirect effect. Only two requirements allow partial credit (3.5.3, multi-factor authentication, and 3.13.11, FIPS-validated cryptography, each losing 3 points rather than 5 when partially implemented), so the lowest possible score is -203. NIST SP 800-171A, “Assessing Security Requirements for Controlled Unclassified Information,” provides helpful insight into what constitutes full implementation of a particular security requirement.
CMMC Info’s Free Scoring Template
These self-assessments are not expressly part of the CMMC program. However, we recognize the difficulty some contractors may have in preparing for and performing them. In addition, NIST SP 800-171 is the basis for many of the CMMC requirements through Maturity Level 3. To that end, we have created the NIST SP 800-171 scoring template linked below. The template is an Excel spreadsheet that automates calculating your organization’s score and collects the other information you will need when submitting your score to SPRS. The template also doubles as a Plan of Action and Milestones (“POA&M” or POAM) and incorporates concepts drawn from the POA&M template published by NIST.
Submitting your Scores
You can submit your scores in two different ways. The first, and most efficient, is to enter the scores and other information directly into SPRS yourself. The other is to E-mail the information to the DoD representatives in the US Navy who are handling entry of E-mailed submissions into SPRS. We have heard mixed reports on the turn-around time for E-mailed submissions, with some saying it takes a few days and others saying they received feedback from the Navy within a day.
SPRS Access and Direct Submissions
DoD has published a FAQ for those trying to access the SPRS system. Some earlier reports suggested that a CAC, and the PIV certificate that comes with it, were needed to create a SPRS account. That is not true. To access SPRS, you will first need an account in the Procurement Integrated Enterprise Environment (“PIEE”) system. Looking at the PIEE login screen it is easy to see why some had the impression that a PIV was required; finding the link to create an account can be a little difficult. Once there, the registration process is fairly straightforward provided your company is already registered in the System for Award Management (“SAM”) and at least one Contractor Administrator is associated with your CAGE code. If no Contractor Administrator is associated with the CAGE code, you will need to reach out to the PIEE support team. As an aside, if you receive an error message referencing the “WAWF” system, that is handled by the PIEE support team as well.
Once your PIEE account is created, follow the instructions in the FAQ to submit your score. Your entry will include the date you performed the self-assessment, the CAGE code(s) corresponding to the system(s) assessed, the score, and, if your score is less than 110, the date by which you expect to achieve a score of 110. Our template auto-calculates the score and the 110-point completion date from the information you enter (it chooses the latest milestone date among the requirements that are not yet fully implemented). If your organization uses multiple system security plans, you will also need to describe the system security plan architecture and the relationship among the plans for which you are submitting scores. It is important to note that DoD only wants the aggregate score for the assessed system; do not submit the requirement-by-requirement assessment.
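To make the arithmetic behind the methodology and the template concrete, here is a small scorer written for this article. It is an added illustration, not our Excel template, the DoD methodology document or any SPRS tooling. It starts from 110, subtracts each open requirement’s weight, applies the 3-point partial-credit rule for 3.5.3 and 3.13.11, rejects any total outside the methodology’s range, and derives the POA&M completion date as the latest open milestone, exactly as the template does. The status vocabulary, the six sample requirements, their milestone dates and the CAGE code are all constructed for the example; the weights shown for those six requirements are our reading of the methodology’s Annex A and should be checked against your own copy.

```python
"""Basic NIST SP 800-171 self-assessment scoring, modelled on the DoD
Assessment Methodology (added example, not DoD or CMMC Info tooling)."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional

MAX_SCORE = 110          # one point per 800-171 requirement
MIN_SCORE = -203         # every requirement scored as unimplemented
VALID_WEIGHTS = {1, 3, 5}
VALID_STATUSES = ("implemented", "partial", "not_implemented")

# The methodology allows partial credit for exactly two requirements:
# 3.5.3 (MFA in place for general users but not privileged users) and
# 3.13.11 (encryption in use but not FIPS-validated) lose 3 points
# instead of their full weight of 5. Every other requirement is all-or-nothing.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Requirement:
    req_id: str                        # e.g. "3.1.1"
    weight: int                        # 1, 3 or 5, from Annex A of the methodology
    status: str                        # one of VALID_STATUSES
    milestone: Optional[date] = None   # POA&M target date for an open item

    def __post_init__(self) -> None:
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(f"{self.req_id}: weight must be 1, 3 or 5")
        if self.status not in VALID_STATUSES:
            raise ValueError(f"{self.req_id}: unknown status {self.status!r}")


def deduction(req: Requirement) -> int:
    """Points lost for one requirement."""
    if req.status == "implemented":
        return 0
    if req.status == "partial" and req.req_id in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[req.req_id]
    # "partial" on any other requirement scores the same as not implemented
    return req.weight


def basic_score(reqs: Iterable[Requirement]) -> int:
    """110 minus the deductions, rejecting duplicates and out-of-range totals."""
    reqs = list(reqs)
    ids = [r.req_id for r in reqs]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement IDs in assessment")
    score = MAX_SCORE - sum(deduction(r) for r in reqs)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside [{MIN_SCORE}, {MAX_SCORE}]")
    return score


def poam_completion_date(reqs: Iterable[Requirement]) -> Optional[date]:
    """Date the score reaches 110: the latest milestone among open items.
    Returns None when nothing is open; every open item must carry a date."""
    open_items = [r for r in reqs if deduction(r) > 0]
    if not open_items:
        return None
    missing = [r.req_id for r in open_items if r.milestone is None]
    if missing:
        raise ValueError(f"open items without a target date: {missing}")
    return max(r.milestone for r in open_items)


def sprs_record(assessment_date: date, reqs: Iterable[Requirement],
                scope: str, cages: List[str]) -> dict:
    """The aggregate fields SPRS asks for; per-requirement detail stays internal."""
    if scope not in ("Contract", "Enterprise", "Enclave"):
        raise ValueError(f"unknown scope {scope!r}")
    reqs = list(reqs)
    completion = poam_completion_date(reqs)
    return {
        "assessment_date": assessment_date.isoformat(),
        "score": basic_score(reqs),
        "scope": scope,
        "poam_completion_date": completion.isoformat() if completion else None,
        "cages": list(cages),
    }


# Constructed sample: six of the 110 requirements, statuses and dates invented.
SAMPLE_ASSESSMENT = [
    Requirement("3.1.1", 5, "implemented"),
    Requirement("3.1.5", 3, "not_implemented", date(2021, 3, 31)),
    Requirement("3.1.20", 1, "not_implemented", date(2021, 2, 28)),
    Requirement("3.5.3", 5, "partial", date(2021, 6, 30)),      # MFA, partial credit
    Requirement("3.13.11", 5, "partial", date(2021, 9, 30)),    # FIPS crypto, partial credit
    Requirement("3.14.1", 5, "implemented"),
]

if __name__ == "__main__":
    # "1ABC2" is a placeholder CAGE code, not a real one.
    print(sprs_record(date(2020, 12, 1), SAMPLE_ASSESSMENT, "Enclave", ["1ABC2"]))
```

Run against the sample, the deductions are 0 + 3 + 1 + 3 + 3 + 0 = 10, giving a score of 100 and a POA&M completion date of 2021-09-30, the farthest-forward open milestone. A real assessment must cover all 110 requirements; the sample is deliberately short so the arithmetic can be followed by hand.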
E-mailing your Information
If you don’t have a PIEE account or can’t access SPRS for some reason, you can send your information to DoD via E-mail. The E-mail address is [email protected] The body of your E-mail must be formatted in a particular way and must include the following information, in this order:
- Date of Assessment
- Assessment score (110 or less)
- Scope of Assessment, chosen from:
  - Contract – Contract-specific SSP review
  - Enterprise – Entire company’s network under the CAGE(s) listed
  - Enclave – Standalone network under an Enterprise CAGE, such as a business unit, test enclave, hosted resources, etc.
- Plan of Action completion date (the specific calendar date by which you expect to attain a score of 110)
- Included CAGEs (the CAGEs you are reporting that are covered by the SSP)
Your submission must follow the format above and be complete for each CAGE being submitted, or the DoD representatives will ask you to reformat it. It is important to note that this format differs slightly from the one described in the Interim Rule.
More About the Template
As noted above, the template also lets you track each security requirement that is not fully implemented, including assigning one or more responsible parties, identifying the resources needed (both people and funding), recording specific milestones toward implementation (with a target date for each), and noting any changes to those milestones. Again, this information is for your internal tracking purposes and is not submitted to DoD.
We hope the template is useful to you and welcome feedback on how to improve it. As noted in the template, it is released under the Creative Commons CC-BY-ND license. You are welcome to use and share the template, including for commercial purposes, provided you credit the source and do not distribute modified versions. Please see the CC-BY-ND license for more details, and please see the template for additional disclaimers.
One Final Note
As you prepare to submit your score and other information, remember that a submission to SPRS is likely to constitute an affirmative declaration by your organization of its readiness to handle Controlled Unclassified Information. DoD will rely on these scores to make risk-based decisions about which proposals are best. Submitting false information, such as a higher score than the evidence supports or a completion date sooner than you actually anticipate, could result in significant fines and penalties under the False Claims Act and even debarment. We will soon offer free, video-based training on the False Claims Act, CMMC, Section 889 compliance, and other topics related to cybersecurity and data privacy. Be sure to register for our newsletter for more details!