CMMC Overview

When you have a CMMC Navigator account, all the links on this page will be active. Click here to subscribe.

The Department of Defense is concerned that the theft of intellectual property and sensitive information from all U.S. industrial sectors, due to malicious cyber activity, threatens the economic security of the nation. Accordingly, the DOD has initiated a cybersecurity program that affects all activities internally within the DOD and externally across all of its vendors and suppliers. In collaboration with NIST (National Institute of Standards and Technology), a comprehensive program has been developed and is in the process of being implemented.

A major component of this program is the development of an assessment methodology that measures contractor implementation of cybersecurity requirements. The specifics are detailed in NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) and the NIST SP 800-171 DOD Assessment Methodology. These are enabled in the Defense Federal Acquisition Regulations by DFAR sections 252.204-7019 and 252.204-7021.

What this means – the DOD is implementing a cybersecurity program that all suppliers of goods and services to the DOD will need to comply with.

When is compliance required – Currently the program is scheduled to be fully implemented in 2025. In the intervening years, it is uncertain how many solicitations will require the bidder/awardee to have an assessment score posted in SPRS. To get a new JCP certification or renew an existing one, you must complete a CMMC assessment and post the score in SPRS.

What is an Assessment – as detailed in NIST 800-171, an assessment consists of reviewing each of 110 Cybersecurity Requirements and indicating whether you COMPLY or DO NOT COMPLY with it. The assessment results in a single numeric score. Each Requirement has a numeric value. You start with a score of 110, and for each Requirement you do not comply with, the value of that Requirement is subtracted from the starting score. Many of these Requirements are relevant only to very large businesses. The DOD expects that many scores will be negative.

What is SPRS – SPRS is the Supplier Performance Risk System. Access to SPRS is through the PIEE (Procurement Integrated Enterprise Environment). PIEE is the government enterprise system portal that all suppliers to the government use for all transactions, shipping, billing, and payment. In order to access SPRS, you must register in PIEE. To see detailed instructions and links to PIEE click here.

How do I perform a CMMC Assessment – the CMMC program has multiple levels of attainment within the Assessment framework. For the vast majority of businesses, a Basic Self-Assessment is all that is required. Higher levels require the engagement of a third-party assessor at significant cost. Any level of assessment involves reviewing the list of 110 requirements and determining whether your company meets each requirement or not. Each requirement carries a numerical score value. You start the Assessment with a score of 110 and subtract points for each Requirement you DO NOT meet; the result is your Assessment Score. The scoring system will produce a negative score for most companies. This is expected by the DOD and is not a problem. Some requirements will not be applicable to your business; mark these as "Do Not Comply". The items that are relevant to your business but not implemented now comprise your Security Plan, which needs to note how and when you will comply with each of them. Note that you submit only the summary numerical score to SPRS; the sheet showing individual Requirement scoring is not submitted. We are providing an online Scoring Tool that lists all 110 Requirements, provides a compliance checkbox, and calculates your Assessment Score for you. Click here to access the Scoring Tool.
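As an added illustration (not the Navigator Scoring Tool or any official DOD code), the scoring rule above in Python: start at 110, subtract the weight of every requirement not marked COMPLY (including items marked not applicable, which this page says to score as "Do Not Comply"), and collect the applicable but unmet items as the Security Plan. The requirement IDs are real SP 800-171 identifiers, but the weights and statuses are constructed sample values; the actual point values come from the DOD Assessment Methodology, and a real assessment must cover all 110 requirements.

```python
from dataclasses import dataclass
from enum import Enum

STARTING_SCORE = 110      # every assessment starts at 110 points
REQUIREMENT_COUNT = 110   # a complete assessment covers all 110 requirements


class Status(Enum):
    COMPLY = "comply"
    DO_NOT_COMPLY = "do not comply"
    NOT_APPLICABLE = "not applicable"  # scored as "Do Not Comply" per the page


@dataclass(frozen=True)
class Requirement:
    req_id: str
    title: str
    weight: int      # points subtracted when the requirement is not met
    status: Status


def compute_score(reqs):
    """Starting score minus the weight of every requirement not marked COMPLY."""
    return STARTING_SCORE - sum(r.weight for r in reqs if r.status is not Status.COMPLY)


def security_plan_items(reqs):
    """Applicable but unmet requirements: these form the Security Plan.

    NOT_APPLICABLE items still cost points but need no remediation entry."""
    return [r for r in reqs if r.status is Status.DO_NOT_COMPLY]


def assessment_is_complete(reqs):
    """True only when all 110 requirements are present exactly once."""
    ids = {r.req_id for r in reqs}
    return len(ids) == len(reqs) == REQUIREMENT_COUNT


# Constructed sample data: five requirements with made-up weights, not the
# full list of 110, so assessment_is_complete(SAMPLE) is False by design.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, Status.COMPLY),
    Requirement("3.1.2", "Limit access to permitted transactions", 5, Status.COMPLY),
    Requirement("3.5.3", "Multifactor authentication", 5, Status.DO_NOT_COMPLY),
    Requirement("3.8.7", "Control use of removable media", 1, Status.NOT_APPLICABLE),
    Requirement("3.14.1", "Correct system flaws in a timely manner", 3, Status.DO_NOT_COMPLY),
]

if __name__ == "__main__":
    print("Assessment Score:", compute_score(SAMPLE))  # 110 - (5 + 1 + 3) = 101
    for r in security_plan_items(SAMPLE):
        print(f"Plan item {r.req_id}: {r.title}")
```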

What is an SSP – The System Security Plan documents in writing your response to each of the 110 Requirements in the Assessment. The SSP is intended to be used internally by the business to systematically address and correct all cybersecurity deficiencies identified by the Assessment. Details on how to create an SSP are explained here.

How do I submit my Assessment – there are two ways to submit your score. You can send the score directly to SPRS by email, or you can use the SPRS link in your PIEE account to post it directly. The latter option requires you to set up a PIEE account, if you do not have one, and to enable SPRS access in PIEE. Both methods achieve the objective of getting a CMMC Assessment Score into SPRS and making you compliant with Item (2) on the DLA Export Control Technical Data Management Questionnaire here. This document is a required submission if you are seeking JCP approval and access to controlled unclassified documents and drawings.

  1. Email the score directly to SPRS. Click here to see detailed instructions.
  2. Post score in SPRS by establishing an account in PIEE and setting SPRS as an option within PIEE. Click here for detailed instructions and links.
Additional Resources:
PIEE Homepage here
SPRS Homepage here
NIST/MEP Cybersecurity Self Assessment Handbook here
DFAR 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting here
©Copyright 2021 DIBBSNav, LLC