What’s Your SPRS Score?

DefenseScoop reported on Stacy Bostjanick’s comments on NIST SP 800-171 compliance at a CMMC conference hosted September 20, 2022 by NeoSystems in Alabama. Bostjanick is the chief of implementation and policy reporting to the DOD chief information security officer.

“Bostjanick said John Tenaglia, the principal director of defense pricing and contracting, ‘has given direction to his contracting officers to start paying more attention’ to the NIST standards. Up to this point, both contractors and contracting officers have been “lackadaisical” about meeting the standards set by NIST SP 800-171 as “part of the responsibility determination” for contracts, she said. “We need to pay attention to this, we need to get moving on it, and we’ve got to stop procrastinating,” Bostjanick said, adding that people have become vocal with their concerns only now that DOD has said, “we’re coming to look and check.” She added: “That’s not acceptable.” So, as contractors anticipate CMMC implementation next spring, it’s as good a time as ever to start getting things in order to attest — truthfully — that they meet the 110 requirements under NIST SP 800-171, Bostjanick and her co-panelists at the event said Tuesday.”

[Image: SPRS NIST SP 800-171 Entry Tutorial]

Knowing where your company stands regarding the NIST SP 800-171 controls is the first step towards compliance. Calculating your Supplier Performance Risk System (SPRS) score isn’t as straightforward as some may think. Although there are 110 controls and a perfect SPRS score is 110, each control is not worth one point. A beginning score starts at negative 203, with controls worth 1, 3 or 5 points (based on the importance of the control) being added as they are met. A control is only met when all of the assessment objectives associated with that control are met; a control with even one objective outstanding earns none of its points.
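The scoring rule above, as an added worked example (this is not Ascolta’s SSP template or any DoD tool): a control counts only when every one of its assessment objectives is met, and each control carries a 1, 3 or 5 point value that is forfeited when it is not met, which is the same arithmetic as starting at the floor and adding met controls. The control IDs are NIST SP 800-171 requirement numbers, but the weights and objective results in the sample assessment are constructed for illustration, not the DoD Assessment Methodology’s actual assignments.

```python
"""SPRS score calculator for NIST SP 800-171 assessment results.

Added example; not Ascolta's SSP template or the DoD's official tool.
The control IDs are NIST SP 800-171 requirement numbers, but the 1/3/5
weights and objective results below are CONSTRUCTED sample data, not the
DoD Assessment Methodology's actual assignments.
"""
from dataclasses import dataclass

PERFECT_SCORE = 110          # every one of the 110 controls fully met
CONTROL_COUNT = 110          # number of NIST SP 800-171 controls
VALID_WEIGHTS = (1, 3, 5)    # points a control carries, by importance


@dataclass
class Control:
    control_id: str
    weight: int
    # assessment objective id -> True if that objective is met
    objectives: dict

    def is_met(self) -> bool:
        """A control is met only when every one of its objectives is met.
        A control with no recorded objective results is treated as unmet."""
        return bool(self.objectives) and all(self.objectives.values())


def validate_controls(controls):
    """Reject weights outside 1/3/5, duplicate IDs, or more than 110 controls."""
    seen = set()
    for c in controls:
        if c.weight not in VALID_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight {c.weight} is not 1, 3 or 5")
        if c.control_id in seen:
            raise ValueError(f"{c.control_id}: listed twice")
        seen.add(c.control_id)
    if len(controls) > CONTROL_COUNT:
        raise ValueError("more than 110 controls supplied")


def sprs_score(controls) -> int:
    """Perfect score minus the full weight of every control not fully met.
    A partially met control loses all of its points, not a fraction."""
    validate_controls(controls)
    deductions = sum(c.weight for c in controls if not c.is_met())
    return PERFECT_SCORE - deductions


def poam_entries(controls):
    """Unmet controls with their open objectives, heaviest weight first,
    ready to seed a Plan of Action and Milestones (POA&M)."""
    rows = []
    for c in controls:
        if c.is_met():
            continue
        open_objectives = sorted(o for o, ok in c.objectives.items() if not ok)
        rows.append((c.control_id, c.weight, open_objectives))
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# Constructed sample assessment: hypothetical weights and results.
SAMPLE_ASSESSMENT = [
    Control("3.1.1", 5, {"a": True, "b": True, "c": True}),   # met
    Control("3.1.2", 5, {"a": True, "b": False}),             # one objective open
    Control("3.3.1", 3, {"a": True, "b": True}),              # met
    Control("3.4.2", 1, {"a": False}),                        # unmet
    Control("3.5.3", 5, {}),                                  # not assessed yet
]

if __name__ == "__main__":
    print("SPRS score for sample:", sprs_score(SAMPLE_ASSESSMENT))
    for control_id, weight, open_objectives in poam_entries(SAMPLE_ASSESSMENT):
        print(f"POA&M: {control_id} ({weight} pts) open objectives: {open_objectives}")
```

Feed the real 1/3/5 weight table from the DoD Assessment Methodology and one `Control` per requirement, with every objective’s status from your SSP, to get the score you would actually report; the POA&M list then orders remediation by the points each control recovers.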

Ascolta offers a free downloadable System Security Plan (SSP) template that automatically calculates your SPRS score as objectives are marked “met” in the tool. Built for Microsoft Excel, the tool allows companies to document compliance, create a Plan of Action and Milestones (POA&M) for unmet controls, and accurately calculate their SPRS score, and it contains an executive-level dashboard for simple tracking and reporting.

As the DoD has repeatedly and continuously stated, CMMC is coming, but the NIST SP 800-171 requirement is already here. Don’t get caught with your controls down!
