I started writing SSPs (System Security Plans) well before the original Executive Order-mandated deadline of December 31st, 2017, and have since written at least 50 SSPs for defense contractors of every imaginable type and size. There wasn’t a lot of guidance on how to do this at that time, other than to have a very thorough and complete understanding of the nearly 500-page NIST 800-53 framework.
If you are reading this, by now you have heard of the CMMC (Cybersecurity Maturity Model Certification) and know that at some point it will directly affect your business. You may have been instructed by a prime contractor or the government itself to enter your organization’s SPRS (Supplier Performance Risk System) score into the SPRS website, which is run by the DoD. In this purposefully short blog, I am going to teach you some high-level facts about how SPRS is scored, and then provide you with a free tool that will allow your organization to calculate your SPRS score quickly and easily.
How to enter that score once you have calculated it is pretty complex on its own, so I will save that for another blog. For now, we are going to just stick with how to calculate the number itself, so you know where you stand.
For reference, the official DoD instructions for calculating your SPRS score are located here: NIST 800-171 DoD Assessment Methodology. At 21 pages it's not terribly hard to digest, but we are in a hurry here so let’s do things the easy way – automation.
First things first, open your NIST 800-171 aligned SSP (System Security Plan) so we can reference from that. If you don’t have this or it’s not fully completed, you’re unfortunately way behind the curve and it’s going to take some major organization-level effort to get caught up. Think trying to do your business’s taxes on April 14th, or trying to lose 50 lbs. If you find yourself in this position, reach out to us now for a free consultation with me or another one of Appalachia’s cybersecurity experts, and we can get you started down the right path.
Your SSP will have a detailed response to each of the individual 110 controls listed in NIST 800-171, and these controls should all be marked Compliant/Yes, Not Compliant/No, or N/A (Not Applicable). It’s not uncommon to see SSPs with controls marked “Partial”, but unfortunately SPRS awards zero points for partially compliant controls, with three exceptions dealing with MFA (Multi-Factor Authentication) and also encryption types. However, we have accounted for those in our free tool.
The range of possible resulting SPRS scores is peculiar – the highest possible score is 110, and the lowest is MINUS 203. The basic process is we start with 110 points, and then subtract the prescribed number of points (5, 3, or 1) for each control that is not met. Since SPRS went live in Fall of 2020, most of the scores we have seen have actually been negative, so do not be surprised or alarmed if yours is negative as well. There is no evidence as of yet suggesting that contract decisions are being made by relying on these scores, but NOT having any score (or worse, not having an SSP) can lock you out of DoD work.
To use the tool, click on the drop-down arrows in column D, “Compliance Status”:
And select Yes, No, or N/A, based on the responses in your own SSP. You can use Partial where you deem appropriate, but again keep in mind that zero points are awarded for partially met controls. We include this option to add some flexibility in tracking your controls.
For controls 3.5.3, 3.12.4, and 3.13.11, read the notes in column E, “Scoring Notes”, and then enter the prescribed numeric value in column G, “Calculated SPRS Score”:
For the other 107 controls, the tool will fill in column G for you. Once you have your SPRS score, you can enter it into the SPRS system – which again, is rather complex in itself, so I will address that in another blog.
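To make the arithmetic behind the score concrete (start at 110, subtract 5, 3 or 1 points per unmet control, with special handling for the three controls called out above), here is a small Python calculator. It is an added example, not the spreadsheet tool the post links to. Its weight table is a constructed subset of the 110 controls, and the way it treats the three special controls (a “Partial” on 3.5.3 or 3.13.11 costing 3 points instead of 5, and an unmet 3.12.4 producing no score at all) is my reading of the DoD Assessment Methodology rather than anything stated in the post; the official document is the authority for the real per-control values.

```python
"""SPRS score calculator (added example, not the post's spreadsheet tool).

Implements the arithmetic the post describes: start at 110 and subtract the
per-control weight (5, 3 or 1) for every control that is not met. The three
controls the post singles out are modelled as follows (my reading of the DoD
Assessment Methodology, stated here as an assumption):
  * 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto): a "Partial" response
    costs 3 points instead of the full 5.
  * 3.12.4 (SSP): if the SSP itself is not in place, no score is produced.
Every other "Partial" is scored as "No", and "N/A" costs nothing.
"""
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110

# Constructed subset of per-control point values used to demonstrate the
# arithmetic. The official table covers all 110 controls; consult the DoD
# Assessment Methodology for the real weights.
CONTROL_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.8.1": 3,    # protect system media containing CUI
    "3.12.4": 5,   # system security plan (no SSP means no score)
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.1": 5,   # identify and correct system flaws in a timely manner
}

# Reduced deduction applied when one of these controls is marked "Partial".
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}
SSP_CONTROL = "3.12.4"
VALID_STATUSES = ("Yes", "No", "Partial", "N/A")


def deduction_for(control: str, status: str) -> int:
    """Points to subtract for a single control given its compliance status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{control}: unknown status {status!r}")
    if control not in CONTROL_WEIGHTS:
        raise KeyError(f"{control}: no weight defined")
    if status in ("Yes", "N/A"):
        return 0
    if status == "Partial" and control in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[control]
    # "No", or "Partial" on a control with no partial-credit rule: full weight.
    return CONTROL_WEIGHTS[control]


def sprs_score(statuses: Dict[str, str]) -> Tuple[Optional[int], List[Tuple[str, int]]]:
    """Return (score, deductions) for a complete set of control statuses.

    `statuses` maps every control in CONTROL_WEIGHTS to one of VALID_STATUSES.
    The score is None when 3.12.4 is "No", since without an SSP there is
    nothing to assess. `deductions` lists (control, points) for every
    control that cost points, so the result can be traced back to the SSP.
    """
    missing = set(CONTROL_WEIGHTS) - set(statuses)
    if missing:
        raise KeyError(f"no status for controls: {sorted(missing)}")
    if statuses[SSP_CONTROL] == "No":
        return None, []
    deductions: List[Tuple[str, int]] = []
    for control in CONTROL_WEIGHTS:
        points = deduction_for(control, statuses[control])
        if points:
            deductions.append((control, points))
    score = MAX_SCORE - sum(points for _, points in deductions)
    return score, deductions


if __name__ == "__main__":
    # Constructed sample SSP: MFA only partly rolled out, media protection
    # not in place, one control marked not applicable.
    sample = {c: "Yes" for c in CONTROL_WEIGHTS}
    sample.update({"3.5.3": "Partial", "3.8.1": "No", "3.1.20": "N/A"})
    score, deductions = sprs_score(sample)
    print(f"SPRS score: {score}")
    for control, points in deductions:
        print(f"  {control}: -{points}")
```

The deductions list is the part worth keeping: when a prime asks how you arrived at a number, each point lost should trace back to a specific control and response in the SSP, which is the same check the tool’s “Scoring Notes” column is there to support.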
Now that you have your SPRS score, the first thing you are thinking is “Well, how do I get from where I am now to the required 110 points?” And while that may seem daunting (like trying to lose 50 lbs), with the right plan and thoughtful execution it is most certainly doable. Appalachia can help with everything you need – contact us now for a free CMMC consultation.
To download the tool, click here.
Senior Engineer, Cybersecurity Risk and Compliance, Appalachia Technology
Jason McNew is a CISSP and a CMMC RP (Registered Practitioner). Jason, a United States Air Force veteran, holds a Master’s degree from Penn State University in Information Sciences, Cyber Security and Information Assurance, in addition to a Bachelor of Science and two Associate of Science degrees. Penn State’s Cyber Security program has been reviewed and endorsed by the National Security Agency (NSA) and the Department of Homeland Security (DHS). He also worked for the White House Communications Agency from 2003 until 2015. In 2017 he founded Stronghold Cyber Security, which was acquired by Appalachia Technologies in 2020.