Assessment Overview

When you have a CMMC Navigator account, all the links on this page will be active. Click here to subscribe.

The Department of Defense is concerned about Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and keeping that information secure from the malicious cyber activity that threatens the security of the nation. Accordingly, the DOD has initiated a cybersecurity program that affects all of its activities with all vendors and suppliers. In collaboration with NIST (National Institute of Standards and Technology), a comprehensive program has been developed and is in the process of being implemented.

The major component of this program is an assessment methodology that measures vendor/contractor implementation of cybersecurity requirements. The specifics of this program are detailed in NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) and the NIST SP 800-171 DOD Assessment Methodology. These are enforced in the Defense Federal Acquisition Regulation Supplement by DFARS clauses 252.204-7019 and 252.204-7020.

What this means – the DOD is implementing a cybersecurity program that all suppliers of goods and services to the DOD will need to comply with. Compliance with the DoD Assessment requirement is achieved by posting your Assessment score in the DoD SPRS site and stating that you have a System Security Plan (SSP).

When is compliance required – The requirement for Assessment compliance is rolling out currently. Virtually all DLA solicitations now include the two DFARS clauses (252.204-7019 and 252.204-7020) as a requirement. The JCP program certifies a business to receive controlled documents (most drawings are controlled). Since 2020, the DLA has required that a JCP applicant show Assessment compliance. To get a new JCP certification or renew an existing certification, you must complete a CMMC assessment and post the score in SPRS. DLA has recently begun to proactively contact JCP-approved companies and advise them that they have 30 days to file their Assessment with SPRS or their JCP may be suspended.

What is an Assessment – as detailed in NIST 800-171, an assessment consists of reviewing each of 110 cybersecurity requirements and indicating whether you have Implemented or have Not Yet Implemented it. Each requirement has a numeric value. You start with a score of 110, and for each requirement that you have Not Yet Implemented, the value of that requirement is subtracted from the beginning score. The assessment results in a single numeric score that you post in SPRS. Many of these requirements are relevant only to very large businesses. The DOD expects that many scores will be negative.

What is SPRS – SPRS is the Supplier Performance Risk System. Access to SPRS is through the PIEE (Procurement Integrated Enterprise Environment). PIEE is the government enterprise system portal that all suppliers to the government use for all transactions, shipping, billing, and payment. To access SPRS, you must register in PIEE. To see detailed instructions and links to PIEE click here. An alternative means of posting in SPRS is to submit your score by email.

How do I perform an Assessment – the Assessment program has multiple levels of attainment within the Assessment framework. For the vast majority of businesses, a Basic Self-Assessment is all that is required. Higher levels will require the engagement of a third-party assessor. Any level of assessment involves reviewing the list of 110 requirements and determining whether your company meets each requirement or not. Each requirement carries a numerical score value. You start the Assessment with a score of 110 and subtract points for each requirement you have Not Yet Implemented. The result is your Assessment Score. The scoring system will produce a negative score for most companies. This is expected by the DOD and is not a problem. There will be some requirements that are not applicable to your business. Mark these as "Not Applicable". The sheet that shows individual requirement scoring is not submitted. The CMMC Navigator Assessment Scoring Tool lists all 110 Requirements, provides compliance buttons, and will calculate your Assessment Score for you. Click here to access the Scoring Tool.

What is an SSP – The System Security Plan documents in writing your response to each of the 110 Requirements in the Assessment. The SSP is intended to be used internally by the business to systematically address and correct all cybersecurity deficiencies identified by the Assessment. Details on how to create an SSP are explained here.
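The scoring rule in the two sections above (start at 110, subtract the point value of every Not Yet Implemented requirement, deduct nothing for Implemented or Not Applicable ones) and the SSP's gap list are shown below as an added Python example. It is not the CMMC Navigator Scoring Tool or any DoD code. The five requirement numbers and their point values are a constructed sample, not the official table: the DoD Assessment Methodology weights every requirement 1, 3 or 5 points, and a real assessment must take each weight from that methodology's annex and cover all 110 requirements.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "Implemented"
    NOT_YET_IMPLEMENTED = "Not Yet Implemented"
    NOT_APPLICABLE = "Not Applicable"


@dataclass(frozen=True)
class Requirement:
    req_id: str       # NIST SP 800-171 requirement number, e.g. "3.5.3"
    description: str
    points: int       # DoD Assessment Methodology weight: 1, 3 or 5


MAX_SCORE = 110  # every assessment starts from the full 110 points

# Constructed sample of five requirements. The descriptions paraphrase
# SP 800-171 and the point values are illustrative only; take the real
# weights from the DoD Assessment Methodology annex for an actual run.
SAMPLE_REQUIREMENTS = (
    Requirement("3.1.1", "Limit system access to authorized users", 5),
    Requirement("3.1.2", "Limit access to permitted transactions and functions", 5),
    Requirement("3.5.3", "Use multifactor authentication for network and privileged access", 5),
    Requirement("3.8.9", "Protect the confidentiality of backup CUI at storage locations", 1),
    Requirement("3.4.3", "Track, review, approve and log changes to systems", 1),
)

# Constructed assessment results for the sample above.
SAMPLE_STATUSES = {
    "3.1.1": Status.IMPLEMENTED,
    "3.1.2": Status.IMPLEMENTED,
    "3.5.3": Status.NOT_YET_IMPLEMENTED,
    "3.8.9": Status.NOT_YET_IMPLEMENTED,
    "3.4.3": Status.NOT_APPLICABLE,
}


def compute_score(requirements, statuses):
    """Return MAX_SCORE minus the points of every Not Yet Implemented requirement.

    Implemented and Not Applicable requirements deduct nothing. A requirement
    with no recorded status raises, so an unassessed item can never silently
    count as Implemented. Scoring a subset of the 110 (as this sample does)
    is equivalent to treating the omitted requirements as Implemented.
    """
    missing = [r.req_id for r in requirements if r.req_id not in statuses]
    if missing:
        raise ValueError(f"no status recorded for requirement(s): {missing}")
    deductions = sum(
        r.points for r in requirements
        if statuses[r.req_id] is Status.NOT_YET_IMPLEMENTED
    )
    return MAX_SCORE - deductions


def open_items(requirements, statuses):
    """List the Not Yet Implemented requirements, highest point value first.

    This is the deficiency list the System Security Plan should address
    and track to closure.
    """
    gaps = [
        r for r in requirements
        if statuses.get(r.req_id) is Status.NOT_YET_IMPLEMENTED
    ]
    return sorted(gaps, key=lambda r: (-r.points, r.req_id))


if __name__ == "__main__":
    print("Assessment score:", compute_score(SAMPLE_REQUIREMENTS, SAMPLE_STATUSES))
    print("Open items for the SSP:")
    for r in open_items(SAMPLE_REQUIREMENTS, SAMPLE_STATUSES):
        print(f"  {r.req_id} ({r.points} pts): {r.description}")
```

Run as a script, the sample prints a score of 104 (110 minus the 5-point MFA gap and the 1-point backup gap) and lists those two requirements as the SSP's open items; the Not Applicable entry deducts nothing, exactly as the scoring sheet treats it.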

How do I submit my Assessment – there are two ways to submit your score. You can send the score directly to SPRS by email, or you can use an SPRS link in your PIEE account to post directly. The latter option requires you to set up a PIEE account, if you do not have one, and to enable SPRS access in PIEE. Both methods achieve the objective of getting an Assessment Score into SPRS.

  1. Email the score directly to SPRS. Click here to see detailed instructions.
  2. Post score in SPRS by establishing an account in PIEE and setting SPRS as an option within PIEE. Click here for detailed instructions and links.
Additional Resources:
PIEE Homepage here
SPRS Homepage here
NIST/MEP Cybersecurity Self Assessment Handbook here
DFAR 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting here
©Copyright 2021 DIBBSNav, LLC