CMMC DFARS SPRS self-assessment - ChatFortress


Posted on June 21, 2021 by Benjamin Bressington



What is SPRS self-assessment?

Supplier Performance Risk System (SPRS) “...is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.” (DoDI 5000.79)

Need to complete your SPRS Self-Assessment?

Use the ChatFortress Easy Compliance SPRS Self-Assessment tool to calculate your SPRS score. Activate your Free SPRS Self Assessment today!

The DFARS Interim Rule requires Department of Defense (DoD) contractors whose contracts contain the new version of DFARS Clause 252.204-7012 to submit their scores to the Supplier Performance Risk System (SPRS).

Technically, your score does not need to be submitted until contract award, and presumably contract evaluation. However, many prime contractors and business partners are pushing for early score submissions in response to the DFARS Interim Rule.

Like many other DoD contractors, you may be having difficulty obtaining SPRS access through the Procurement Integrated Enterprise Environment (PIEE).

How to Submit Your SPRS Score for DFARS 7012?

  1. Get an Accurate Assessment and SPRS Score.
  2. Identify your SPRS 'Scope of Assessment'
  3. Determine Your Expected Completion Date.
  4. Find Your Commercial and Government Entity (CAGE) Codes
  5. Submit Your SPRS Self-Assessment Score.
  6. Wait for Email Confirmation

Get an Accurate Assessment and SPRS Score.

Conduct the assessment and obtain your score using the SPRS Assessment Tool, which carefully follows the required DoD Assessment Methodology for NIST Special Publication (SP) 800-171A. The DoD self-assessment and scoring tool is completely free.

Your score is not permanent. There is no limit to how often you can update your score via email submission or the SPRS website. However, you must notify the Contracting Officer of any changes in score for contract bids and existing contracts that include the new version of DFARS Clause 252.204-7012 [December 2020 onwards] or DFARS Clauses 252.204-7019 / 252.204-7020.

Identify your SPRS Scope of Assessment

Your SPRS score submission will fall into one of three categories, depending upon your organizational structure, Commercial and Government Entity Program (CAGE) hierarchy, and current DoD contracts:

  • "Enterprise" scope covers an entire company’s network under the CAGE code listed. Choose this option if you currently have one CUI environment for your entire organization.
  • "Enclave" scope covers standalone environments under the CAGE code as a business unit (ex. test enclave, hosted resources). Choose this option if your assessment addresses one of the multiple environments within your organization.
  • "Contracts" scope is for contract-specific SSP review. Choose this option if your assessment is specific to a single contract, such as an environment set up expressly for use by one contract.

Determine Your Expected Completion Date.

Under the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule, DoD expects all contractors to eventually achieve a perfect score of 110. However, there is currently no public guidance on how Contracting Officers are to evaluate scores.

The 'Plan of Action Completion Date' must be determined according to your compliance project timelines. It is the date by which you expect your organization's status to reach "perfect", which requires extensive documentation and technical implementation.

Your 'Plan of Action Completion Date' should be connected to your POA&M document. With the ChatFortress Easy Compliance SPRS Assessment tool, we can help you create your POA&M template automatically.

We recommend choosing an expected completion date within one year, because if at any point it appears that the work may not be finished by then, there needs to be flexibility to update or change due dates accordingly for contract bids as well as past contracts that include DFARS Clause 252.204-7012 [December 2020 onwards].

Find Your Commercial and Government Entity (CAGE) Codes

Your CAGE codes represent the part(s) of your organization included in the assessment and represented in the final System Security Plan (SSP) document.

You can find your organization's CAGE codes online here: https://cage.dla.mil/Home/UsageAgree

Submit Your SPRS Self-Assessment Score.

To submit your score, send an email (optionally encrypted and signed) to webptsmh@navy.mil with the subject line "SPRS Self-Assessment Score Submission" in the exact format specified below:

Assessment Date:

Date of your assessment, as MM/DD/YYYY

Assessment Score:

Score obtained, between -204 and 110

Scope of Assessment:

"Enterprise", "Enclave", or "Contract". See above for descriptions.

Plan of Action Completion Date:

Expected date to complete all assessment POA&M items and obtain a perfect score of 110, as MM/DD/YYYY. If the score is already 110, then "N/A".

Included CAGE(s):

The CAGE code(s) covered by the assessment

Name of System Security Plan (SSP) Assessed:

The name or scope of the SSP. If the SSP only applies to one network or location, it should be described here. If the Scope of Assessment is "Enclave" or "Contract", it should be described here.

SSP Version / Revision:

[optional] The version or revision number of the SSP.

SSP Date:

The date of the SSP. Should be equal to or greater than the Assessment Date.
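
A pre-send check for the fields listed above, as an added example that is not code from ChatFortress or the SPRS help desk: it enforces the date format, score range, scope values and "N/A" rule this page gives, then renders the body. The record keys, the one "Label: value" line per field layout and the five-character CAGE pattern are assumptions.

```python
import re
from datetime import datetime

SCOPES = ("Enterprise", "Enclave", "Contract")
CAGE_RE = re.compile(r"[A-Z0-9]{5}")  # assumption: 5-character alphanumeric codes
FIELDS = [  # labels from the page, paired with hypothetical record keys
    ("Assessment Date", "assessment_date"), ("Assessment Score", "score"),
    ("Scope of Assessment", "scope"), ("Plan of Action Completion Date", "poam_date"),
    ("Included CAGE(s)", "cages"),
    ("Name of System Security Plan (SSP) Assessed", "ssp_name"),
    ("SSP Version / Revision", "ssp_version"), ("SSP Date", "ssp_date"),
]

def parse_date(text):
    """Strict MM/DD/YYYY; None when malformed or not a real calendar date."""
    try:
        ok = re.fullmatch(r"\d{2}/\d{2}/\d{4}", text)
        return datetime.strptime(text, "%m/%d/%Y").date() if ok else None
    except ValueError:
        return None

def check_submission(rec):
    """List problems (empty = sendable). Date ordering follows the page's rule."""
    assessed, ssp = parse_date(rec["assessment_date"]), parse_date(rec["ssp_date"])
    score, poam = rec["score"], rec["poam_date"]
    score_ok = isinstance(score, int) and -204 <= score <= 110
    poam_ok = poam == "N/A" if score == 110 else parse_date(poam) is not None
    cages = [c.strip() for c in rec["cages"].split(",")]
    checks = [
        (assessed is not None, "Assessment Date: not MM/DD/YYYY"),
        (ssp is not None, "SSP Date: not MM/DD/YYYY"),
        (not (assessed and ssp) or ssp >= assessed, "SSP Date: before Assessment Date"),
        (score_ok, "Assessment Score: not an integer from -204 to 110"),
        (not score_ok or poam_ok, "Plan of Action Completion Date: N/A at 110, else a date"),
        (rec["scope"] in SCOPES, "Scope of Assessment: not Enterprise/Enclave/Contract"),
        (all(CAGE_RE.fullmatch(c) for c in cages), "Included CAGE(s): malformed code"),
        (bool(rec["ssp_name"].strip()), "Name of SSP Assessed: empty"),
    ]
    return [msg for ok, msg in checks if not ok]

def render_body(rec):
    """One 'Label: value' line per field (assumed layout); ValueError if invalid."""
    if errs := check_submission(rec):
        raise ValueError("; ".join(errs))
    return "\n".join(f"{label}: {rec.get(key, '')}" for label, key in FIELDS)

# Constructed sample record: the CAGE code and SSP name are made up.
SAMPLE = {"assessment_date": "06/01/2021", "score": 72, "scope": "Enclave",
          "poam_date": "05/31/2022", "cages": "1ABC2", "ssp_name": "Engineering enclave",
          "ssp_version": "1.2", "ssp_date": "06/01/2021"}
```

Running `check_submission` before every update catches a stale Plan of Action date or an out-of-range score before the e-mail leaves your organization.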

Wait for Email Confirmation

You will receive an email confirmation of the score submission once the SPRS Customer Support Desk processes your email. While waiting, we highly recommend obtaining access to the SPRS website for future score updates and submissions.

If you do not receive a confirmation within 5 business days, we suggest replying to the original email thread to request a status update on your score submission.

Companies must follow DFARS requirements. If you are a small company or have only part of your business focused on work for the Department of Defense, it may not be possible for you to hire someone with all these skills full-time. That's why ChatFortress can help you with your DFARS Compliance Consulting. Contact us and let us help you with your DFARS, CMMC, and NIST 800-171 compliance requirements.

Are you worried that your company is vulnerable to ransomware?

The Business Cybersecurity System protects you against real-world threats while building your cybersecurity culture. Using the latest in breach and attack simulation our team can show you which ransomware and malware attacks would cripple your company regardless of the cybersecurity protections you already have in place!

Who is ChatFortress

ChatFortress is a leading cybersecurity company that helps small and medium-size companies protect themselves from hacking attempts, using cybersecurity AI, gamified cybersecurity awareness programs, and virtual security analysts. Our goal is to help you create a cybersecurity-aware culture.

