NIST 800-171 Supplier Performance Risk System (SPRS) assistance in reporting to the DoD for defense contractors
Arlington can help your organization accurately and confidently assess and report on NIST SP 800-171 within the Supplier Performance Risk System (SPRS). Per the Defense Information Systems Agency (DISA), the Supplier Performance Risk System (SPRS) “...is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance”.
SPRS and NIST 800-171
If you are bidding on or being included as a subcontractor on a contract in which your organization will ultimately create, receive, store, process, or transmit Controlled Unclassified Information (CUI), you must submit a self-assessment score to the DoD SPRS system illustrating current compliance with NIST SP 800-171.
It’s important to note that SPRS provides contracting officials with essential scoring information for the overall assessment of supplier performance and supplier risk. Using the Supplier Risk Score, contracting officials are able to identify “high risk” suppliers and assess the likelihood of non-fulfillment of contract terms, unsuccessful performance, or other concerns.
Where DoD contractors need assistance is in determining the scope of the systems to report on, along with the “true” score to enter. Per the Office of the Under Secretary of Defense – Acquisition and Sustainment, “…it is important to note an assessment is about the extent to which the company has implemented the requirements. It is not a value judgment about the specific approach to implementing – in other words, all solutions that meet the requirements are acceptable. This is not an assessment of one solution compared to another.”
Key points to note about self-assessing with SPRS:
Not all NIST requirements are equal.
For each NIST requirement met, you receive one point.
For certain NIST requirements not met, you will have a deduction of three or five points.
Many companies will have negative scores.
How Arlington Can Help with SPRS Reporting
Helping confirm critical system scope issues for entering scores (i.e., enterprise, enclave, contract).
Determining control maturity and compliance, then assigning points to each requirement to determine the total score.
Assistance with remediation for areas where scoring was deficient.