In a previous blog post, we discussed how to calculate your SPRS (Supplier Performance Risk System) score in support of your CMMC (Cybersecurity Maturity Model Certification) efforts. In that same blog, we also provided a free tool to help you calculate your SPRS score automatically.
In this follow-on blog, we’ll talk about how to provide your SPRS score to the DoD, which is a whole other chore once you’ve actually determined what your score is. In order to access the part of the SPRS website where your score is uploaded, you first need either a CAC (Common Access Card) or a DoD-approved medium assurance ECA (External Certification Authority) certificate. The primary purpose of this certificate is to ensure that the individual person entering the score is who they actually claim to be (non-repudiation), in addition to ensuring the confidentiality of the data.
The whole process is pretty convoluted and a bit wonky – about as much fun as filling out your income taxes manually, using an abacus that is missing a few beads. I worked for the DoD for many years, so this isn’t a surprise – at least not to me. We found a few possible errors in the various DoD instructions themselves, so have patience and take your time. Might be a good idea to stick to decaf for this week.
Anyway, a large number of DIB (Defense Industrial Base) contractors won’t have a CAC available to them, so you will have to purchase an ECA certificate from either WidePoint or IdenTrust. The link to the ECA Certificate Policy and these two vendors can be found here.
If you are not accustomed to the DoD’s style of I.T., you may be surprised to learn that the ECA certificate will be issued to a single person in your organization, who will then install the certificate on a single designated machine. Not exactly convenient, but Que Sera Sera. Also, the person to whom the ECA certificate is tied should be the same as your EB POC (Electronic Business Point of Contact) as listed in SAM.gov. If this is not the case, then the EB POC must designate a CAM (Contract Administrator) by submitting this CAM Appointment Letter via e-mail to DISA (Defense Information Systems Agency). The instructions to install the ECA certificate can be found on the PIEE (Procurement Integrated Enterprise Environment) website found here.
Once you have your workstation set up, you can then register for access to SPRS using the PIEE website by following the instructions located here.
At this point, you're probably ready to start chewing your own arms off, and we don’t blame you. By now, the aforementioned abacus won’t be the only thing missing a few beads. However, we can now head to the SPRS website and enter your score. To do that, follow these instructions.
Whew! Well, that was fun. This whole process is nothing if not more aggravation.
Alternatively, you can also submit your SPRS score via an encrypted e-mail to . Once you obtain your ECA certificate, send an e-mail to that address requesting a signed and encrypted e-mail in return. The signed reply carries the recipient’s certificate, and therefore their public key, so you can then reply with your self-assessment and other results encrypted to it.
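The signed-reply-then-encrypt exchange described above, modelled with OpenSSL’s S/MIME tooling as an added example (this is not code from the original post and not the DoD’s procedure). It assumes both parties use self-signed test certificates generated in place, that the recipient’s own self-signed cert stands in for the ECA root as the trust anchor, and that the submission text is a constructed sample.

```shell
#!/bin/sh
# Added example: S/MIME exchange with openssl. Runs in a subshell so the temp
# directory and cwd change do not leak into the caller. Prints "ok" on success.
smime_exchange_demo() (
  set -e
  work=$(mktemp -d)
  cd "$work"

  # Self-signed test certs for both parties (hypothetical names). In practice the
  # contractor's cert is issued by an ECA vendor; it is self-signed here only for the demo.
  for who in contractor recipient; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
      -keyout "$who.key" -out "$who.crt" -subj "/CN=$who" >/dev/null 2>&1
  done

  # Step 1: the recipient mailbox answers with a signed message; the S/MIME
  # signature carries the signer's certificate (and so its public key).
  printf 'Signed reply from the recipient mailbox.\n' > reply.txt
  openssl smime -sign -in reply.txt -out reply.p7m \
    -signer recipient.crt -inkey recipient.key

  # Step 2: verify the signature against a trust anchor (the ECA root in real
  # life; the self-signed cert here) and write the signer's cert out.
  openssl smime -verify -in reply.p7m -CAfile recipient.crt \
    -signer recipient_from_mail.crt -out /dev/null 2>/dev/null

  # Sanity check: the cert pulled from the mail matches the recipient's real cert.
  fp_mail=$(openssl x509 -in recipient_from_mail.crt -noout -fingerprint -sha256)
  fp_orig=$(openssl x509 -in recipient.crt -noout -fingerprint -sha256)
  [ "$fp_mail" = "$fp_orig" ]

  # Step 3: sign the submission with your own key (non-repudiation), then
  # encrypt it to the certificate recovered from the signed reply.
  printf 'SPRS score: 110 (constructed sample value)\n' > submission.txt
  openssl smime -sign -in submission.txt -signer contractor.crt -inkey contractor.key \
    | openssl smime -encrypt -aes256 -out submission.p7m recipient_from_mail.crt

  # Step 4 (recipient side): decrypt with the recipient key, then verify the
  # contractor's signature before trusting the content.
  openssl smime -decrypt -in submission.p7m -recip recipient.crt -inkey recipient.key \
    | openssl smime -verify -CAfile contractor.crt -out received.txt 2>/dev/null

  grep -q 'SPRS score: 110' received.txt && echo ok
)
```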
It goes without saying that all of this is a royal pain; unfortunately, nothing that has "DoD" and "cybersecurity" in the same sentence is easy. Take heart though -- once your SPRS score has been entered, this will open up bidding opportunities that might not otherwise be available and provide your company with a competitive edge.
Senior Engineer, Cybersecurity Risk and Compliance, Appalachia Technology
Jason McNew is a CISSP and a CMMC RP (Registered Practitioner). Jason, a United States Air Force veteran, holds a Master’s degree from Penn State University in Information Sciences, Cyber Security and Information Assurance, in addition to a Bachelor of Science and two Associate of Science degrees. Penn State’s Cyber Security program has been reviewed and endorsed by the National Security Agency (NSA) and the Department of Homeland Security (DHS). He also worked for the White House Communications Agency from 2003 until 2015. In 2017 he founded Stronghold Cyber Security, which was acquired by Appalachia Technologies in 2020.