Interim Rule and Scoring
DoD published an Interim Rule for CMMC on September 30, 2020. The Interim Rule went into effect November 30, 2020, and created three new DFARS clauses: 252.204-7019 and 252.204-7020, which implement DoD's NIST SP 800-171 assessment requirements, and 252.204-7021, which implements CMMC itself. The first two clauses are now effective and are appearing in DoD contracts.
Under these clauses, DoD contracting officers must, before awarding or renewing a contract, verify that a current (no more than three years old) "basic" NIST SP 800-171 self-assessment score has been posted in the Supplier Performance Risk System ("SPRS") for every contractor to which DFARS 252.204-7012 applies (that is, contractors that will create or receive Controlled Unclassified Information ("CUI") in performing the contract). A basic self-assessment score is produced by comparing the contractor's cybersecurity program against the 110 security requirements in NIST SP 800-171 ("800-171") using the basic assessment methodology described in DoD's "NIST SP 800-171 DoD Assessment Methodology".
In essence, a basic self-assessment starts at 110 (one point per requirement) and, for each 800-171 requirement that is not fully implemented, subtracts the point value DoD assigns to that requirement: 5 for the requirements whose absence most exposes CUI, 3 or 1 for the rest. Partial implementation earns no credit except for two requirements, multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), which lose 3 points rather than 5 when implemented part-way; and without a System Security Plan (3.12.4) the assessment cannot be completed at all. NIST SP 800-171A, "Assessing Security Requirements for Controlled Unclassified Information," lists the assessment objectives for each requirement and is the best guide to what "fully implemented" means.
CMMC Info’s Free Scoring Template/Tool
Our free scoring tool, which can be downloaded below, includes all of the details necessary to perform a self-assessment. It includes:
- A full listing of all NIST SP 800-171 requirements, prioritized using the FAR and Above methodology developed by the CMMC Information Institute and our industry partners;
- Detailed requirements definitions, including evaluating each requirement against the objectives defined in NIST SP 800-171A;
- Automated FAR and Above scoring;
- Automated SPRS scoring;
- Updated listings and references to reflect CMMC 2.0 numbering scheme;
- Listing of all potential assessment considerations for every requirement;
- System Security Plan (“SSP”) template based on the SSP template published by NIST; and
- Comprehensive list of CUI types from the National Archives and Records Administration (“NARA”) website.
The tool also includes a Plan of Action and Milestones (“POA&M” or POAM) template that incorporates concepts drawn from the POA&M template published by NIST.
Submitting your Scores
DoD has published a FAQ and a quick reference guide for those trying to access SPRS. Some earlier reports suggested that a Common Access Card (CAC), and the PIV certificate on it, were needed to create an SPRS account. That is not true. To access SPRS you do, however, first need an account in the Procurement Integrated Enterprise Environment ("PIEE") system. One look at the PIEE login screen shows why some had the impression that a PIV was needed: the link to create an account is not easy to find. Once you find it, registration is fairly straightforward, provided your company is already registered in the System for Award Management ("SAM") and at least one Contractor Administrator is associated with your CAGE code. If no Contractor Administrator is associated with the CAGE code, you will need to contact the PIEE support team.
Once your PIEE account exists, follow the quick reference guide to submit your score. The entry consists of the date you performed the self-assessment, the CAGE code(s) covered by the system(s) assessed, the score, and, if the score is below 110, the date by which you expect to reach 110. Our tool calculates the score and that 110-point date from the information you enter: the date is the latest target date among the open POA&M items, since every open item must be closed before the score reaches 110. If your organization uses more than one system security plan, you must also describe the SSP architecture and how the plans whose scores you are submitting relate to one another. Note that DoD wants only the aggregate score for the assessed system; do not submit the requirement-by-requirement assessment or copies of your SSP(s).
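The scoring rules described under "Interim Rule and Scoring" (start at 110, subtract 1, 3 or 5 points per unmet requirement, partial credit only for 3.5.3 and 3.13.11, no score without an SSP) and the 110-point date rule just described (the latest open POA&M target date) are small enough to write down as code. The following is an added example written for this page; it is not the CMMC Information Institute's spreadsheet tool and not DoD software. The point values in `WEIGHTS` are a constructed sample of six requirements, not the full Annex A table of the DoD methodology, and the findings in `SAMPLE` are made up; only the methodology itself is authoritative for real scoring.

```python
"""Basic-assessment scoring in the style of the DoD NIST SP 800-171 Assessment Methodology.

Added example for illustration; not the CMMC Information Institute tool.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_SCORE = 110
MIN_SCORE = -203  # floor published in the DoD methodology (every requirement unmet)

# Constructed sample of point values. The methodology's Annex A assigns a value
# to every one of the 110 requirements; only that table is authoritative.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
}

# The only two requirements the methodology scores with partial credit:
# 3.5.3 when MFA covers remote and privileged access but not all network access,
# 3.13.11 when encryption is in place but is not FIPS-validated.
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"


@dataclass
class Finding:
    requirement: str
    status: str
    poam_target: Optional[date] = None  # date by which an open item will be closed


@dataclass
class AssessmentResult:
    score: int
    deductions: Dict[str, int]
    completion_date: Optional[date]  # None when the score is already 110


def deduction_for(finding: Finding) -> int:
    """Points lost for one requirement under the methodology's rules."""
    weight = WEIGHTS[finding.requirement]  # KeyError on an unknown requirement id
    if finding.status == IMPLEMENTED:
        return 0
    if finding.status == PARTIAL:
        # Partial credit exists for two requirements only; anywhere else a
        # partial implementation is scored exactly like "not implemented".
        return PARTIAL_DEDUCTION.get(finding.requirement, weight)
    if finding.status == NOT_IMPLEMENTED:
        return weight
    raise ValueError(f"unknown status {finding.status!r} for {finding.requirement}")


def score_assessment(findings: List[Finding], ssp_exists: bool = True) -> AssessmentResult:
    """Start at 110, subtract each deduction, and take the latest POA&M date."""
    if not ssp_exists:
        # Without a system security plan (3.12.4) the methodology says the
        # assessment cannot be completed, so there is no score to report.
        raise ValueError("no SSP (3.12.4): assessment cannot be completed")
    deductions: Dict[str, int] = {}
    targets: List[date] = []
    for f in findings:
        lost = deduction_for(f)
        if lost == 0:
            continue
        if f.poam_target is None:
            raise ValueError(f"{f.requirement} is open but has no POA&M target date")
        deductions[f.requirement] = lost
        targets.append(f.poam_target)
    score = MAX_SCORE - sum(deductions.values())
    assert MIN_SCORE <= score <= MAX_SCORE
    # The 110-point date is the farthest-forward target among the open items.
    return AssessmentResult(score, deductions, max(targets) if targets else None)


def sprs_entry(result: AssessmentResult, cage: str, assessed_on: date) -> Dict[str, object]:
    """Only the fields SPRS takes: no per-requirement detail and no SSP."""
    return {
        "cage": cage,
        "assessment_date": assessed_on.isoformat(),
        "score": result.score,
        "score_110_date": result.completion_date.isoformat() if result.completion_date else None,
    }


# Constructed sample assessment (not real data): one 1-point gap, one partial
# MFA deployment, one system without FIPS-validated cryptography.
SAMPLE = [
    Finding("3.1.1", IMPLEMENTED),
    Finding("3.1.2", IMPLEMENTED),
    Finding("3.1.3", NOT_IMPLEMENTED, date(2021, 3, 31)),
    Finding("3.1.22", IMPLEMENTED),
    Finding("3.5.3", PARTIAL, date(2021, 6, 30)),
    Finding("3.13.11", NOT_IMPLEMENTED, date(2021, 2, 15)),
]

if __name__ == "__main__":
    result = score_assessment(SAMPLE)
    print(sprs_entry(result, "1ABC2", date(2021, 1, 15)))
```

Running it on the sample yields a score of 101 (110 minus 1, 3 and 5) and a 110-point date of 2021-06-30, the latest of the three open items. Two checks are deliberate: an open item with no target date is rejected rather than silently dropped, because the submitted date is the one DoD will hold you to, and a "partial" status on any requirement other than 3.5.3 or 3.13.11 costs the full weight, which is where self-assessors most often over-score themselves.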
More About Our Self-Assessment/Gap Analysis Tool
As noted above, the tool allows you to track any security requirements that are not fully implemented, including assigning one or more responsible parties, identifying resources needed (including individuals and financial resources), setting specific milestones toward implementation (target dates for each milestone should be included), and any changes in the milestones. Again, this information is used for your internal tracking purposes and will not be submitted to DoD.
We hope the tool is useful to you and welcome feedback on how to improve it. As noted in the tool, it is released under the Creative Commons CC-BY-SA license. You are welcome to use and share the tool, including for commercial purposes, but you must include a reference back to the CMMC Information Institute. Please see the CC-BY-SA license for more details, and please see the tool for additional disclaimers. While you are free to redistribute the tool, we do update it from time to time, and strongly suggest that visitors return here for the latest version.
As you prepare to submit your score and other information, it is important to remember that the submission of scores to SPRS is likely to constitute an affirmative declaration by your organization of its readiness to handle Controlled Unclassified Information. DoD will be relying on the scores to make risk-based decisions about which proposals are best. Submitting false information, such as higher than appropriate scores or shorter than anticipated completion dates, could result in significant fines and penalties under the False Claims Act and even result in debarment. We will soon offer free, video-based training on the False Claims Act, CMMC, Section 889 compliance, and other topics related to cybersecurity and data privacy. Be sure to register for our newsletter for more details!
For additional details about how to use the tool, please see the introduction worksheet in the tool. If the tool is helpful to you, please consider making a donation to the CMMC Information Institute.
While our tool will help organizations take the first steps toward a compliant cybersecurity program, we also recognize that many organizations will quickly outgrow the capabilities of a spreadsheet-based tool. When that happens, and even before, we encourage our visitors and members to consider a tool like FutureFeed, a CMMC Information Institute sponsor.