Understanding The Importance Of The DoD’s SPRS Cybersecurity Requirements
Chris Petersen, CEO, CTO, Co-Founder at RADICL Defense.
Are you compliant with the cybersecurity requirements of your government contracts? If not, or if you don’t know, it’s time to commit to increasing your cybersecurity efforts to keep your company and the nation safe.
The Importance Of Security And Compliance For The DIB
The Defense Industrial Base (DIB) and U.S. Critical Infrastructure (CI) don’t just rely on large enterprises for manufacturing and technology. They’re increasingly relying upon small and medium-sized businesses (SMBs) for inventions, ideas and technologies to support advancing defense systems that keep our nation safe, both domestically and abroad.
Still, despite working with sensitive confidential data, these smaller companies often don’t have the robust security approach that enterprises do to keep their data and IP safe. This could be for many reasons, from lack of awareness to lack of budget and resources. Unfortunately, their limited access to robust cybersecurity capabilities makes them perfect targets for nation-state actors and cybercriminals who want to steal confidential data and national secrets, release ransomware, or halt defense supply chains.
As a cybersecurity industry veteran and innovator, I believe more can be done to protect these SMBs so they can continue to develop their products and ideas, build their businesses, and serve their country. The DoD is taking active steps to ensure a minimum baseline of cybersecurity protection by implementing specific initiatives to increase cybersecurity compliance for its contractors. For instance, certain contractors are currently required to post their NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS). DIB companies will also be required to participate in the Cybersecurity Maturity Model Certification (CMMC) process once the rule goes into effect—estimated by many to be early next year.
Understanding SPRS
The Department of Defense (DoD) doesn’t want to do business with a company that may put them at risk. Specific to cybersecurity risk, the DoD has introduced various Defense Federal Acquisition Regulation Supplement (DFARS) clauses along with specific Supplier Performance Risk System (SPRS) reporting requirements.
The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204.7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting” states that “The Contractor shall provide adequate security on all covered contractor information systems” and goes on to detail those requirements, one of them being compliance with NIST SP 800-171. The clause also details actions for cyber incident reporting, the discovery of malicious software, cyber incident damage assessment and more.
Another DFARS clause, 252.204.7019 Notice of NIST SP 800-171 DoD Assessment Requirements requires contractors required to comply with NIST SP 800-171 (per DFARS 252.204.7012) post an assessment score to SPRS. The clause specifically states, “In order to be considered for award, if the Offeror is required to implement NIST SP 800–171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204–7020) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”
SPRS is a database the DoD maintains of companies and their supply chain risk. Contracting officers leverage the SPRS database to assess vendor risk across three factors: item risk, price risk and supplier risk. The last factor, supplier risk, is where NIST SP 800-171 comes in. If a contract requires a company to have submitted a self-assessment score per DFARS clause 252.204.7019, and they have failed to so, the contract will not be awarded.
Understanding The NIST SP 800-171 Self-Assessment Score
A company’s NIST SP 800-171 self-assessment score is determined by evaluating compliance with all 110 security requirements in accordance with the NIST SP 800-171 DoD Assessment Methodology. Scores range from 110 to -203. All met requirements earn one point toward the score. Unmet requirements subtract from the score. Certain requirements will subtract multiple points, hence being able to reach a score of -203.
Why You Should Implement Rigorous NIST SP 800-171 Self-Assessment Operations
Care should be taken to ensure a submitted NIST SP 800-171 self-assessment score is accurate. While assessments generally have some level of subjective evaluation, there needs to be a reasonable level of rigor backing the submitted score. The score should be backed by a self-assessment operation that captures why each requirement was assessed as met or unmet, with all supporting evidence and related information captured.
Rigorous self-assessment operations will ensure company leadership understands their true NIST SP 800-171 compliance posture, which ultimately serves as an indicator of a company’s cyber incident risk—something all CEOs should be concerned about, especially those serving the defense industry.
Rigorous self-assessment operations will also help protect from Federal False Claims Act (FCA) accusations and resulting legal repercussions. FCA claims are starting to be seen. A notable example of is Verizon Business Network Services, which agreed to pay $4 million as a result of failing to “completely satisfy certain cybersecurity controls in connection with an information technology service provided to federal agencies.”
Protect Yourself, Protect America
The DFARS clauses mentioned in the article, combined with the upcoming CMMC rule, are in place to defend American innovation and critical operations from nation-state threats. These threats are real and growing. Companies required to comply with DFARS clauses 7012, 7019, and 7020 should be striving to achieve and maintain a score of 110 via a rigorous self-assessment operation.
While investments in cybersecurity and the ability to submit a higher score into the SPRS won’t assuredly result in a competitive advantage, it certainly won’t hurt. And at the same time, you’ll be reducing your company’s risk of experiencing financial loss or brand damage from a cyber incident. You’ll also better ensure you are prepared to achieve CMMC L2 compliance once the rule goes into full effect (estimated Q1 2025), which could either hinder or accelerate future contract opportunities.
Be ahead of the curve. Protect your brand. Protect your operations. Protect America’s national security.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Source link