DISCLAIMER: This is an attempt to help regular DoD contractors by describing very simple ways to perform the process. Get assistance from your contract officer or SPRS / PIEE helpdesk if you have questions!
For official instructions, see the following sources:
Q: How do I perform a self-assessment and get a score to submit?
Check out our page on DFARS 252.204-7012, which has links to the resources you need to build your security program and do a self-assessment. Note: If you do not have a cybersecurity expert on staff (or a consultant), you do not have the prerequisite knowledge to perform this. Get help.
Optional: Send me an email if you would like recommendations for consulting solutions.
Q: If my organization doesn’t have CUI on our systems (we use Gov or partner systems for CUI), should we submit something?
I’ve had a few contractors ask me this question. I haven’t seen an official response yet.
If a self-assessment is required in order to win a contract, and you don’t have a self-assessment in the system because you don’t have CUI, does that mean you will lose the contract? High risk!
What I am recommending people do in this situation is to formally notify their primes, partners, and the DoD that they don’t have any CUI on their information system and they do not plan to have CUI on it in the future.
In your shoes, I’d actually send an email to email@example.com with this statement, asking what to do. Hopefully they will put in an entry for you that says it doesn’t apply to your company.
Please — if you know more — comment at the bottom of this article or send me an email. Please help out others!
Steps to Submit directly to SPRS using an account on PIEE
If you submit directly to your own account in SPRS, you will be able to avoid delays on the DoD side as they try to manually move thousands of assessments into SPRS.
This seems to work for companies that already have DoD contracts. It may not work if you don’t have a contract yet (your CAGE code won’t be recognized).
Navigate your web browser to Procurement Integrated Enterprise Environment (PIEE)
If you already have an account for PIEE, you can skip the below registration steps. Log on and add the SPRS Cyber Vendor User role. ComplyUP has provided steps for existing accounts here.
If you don’t have an account yet, click on Register button (top right)
Accept (or don’t) the Privacy Act Statement and Terms and Conditions
Pick Vendor (the other options seem to be for PIEE administrators like contract officers)
If you have a Common Access Card or certificate, feel free to choose those. For most people, just enter the username and password you prefer.
Enter security questions…
Enter your name and contact information. This will be reviewed as part of your submission, so make sure it matches reality. I expect that it helps if the Organization you enter matches the CAGE code you enter later.
Enter accurate information in the Company fields. Supervisor is not required, though it might be helpful when your submission is reviewed.
This next bit is the tricky part. In Step 1, click the down-arrow and select SPRS – Supplier Performance Risk System
In step 2, pick SPRS Cyber Vendor User
In step 3, click +Add Roles. A line will appear at the bottom with a Location Code* field. Enter the CAGE code for your organization (this should match the CAGE code associated with the contract that you are submitting for).
If you have multiple CAGE Codes related to DoD contracts, repeat Step 3 +Add Roles to add additional lines and enter the CAGE codes.
Enter justification for an account. Attachments would be used for justification and/or identification purposes. Do not attach your self-assessment here.
Registration Summary displays.
I dropped out at this point because I wasn’t putting in an actual registration. Hopefully you can make it through the next step (Agreement) on your own.
I have heard from contractors who have performed this process in the last two weeks, and their registration was approved promptly.
Now that I have access to SPRS, how do I submit my self-assessment?
This NIST SP 800-171 Quick Entry Guide from SPRS has instructions to submit the assessment.
I can’t create an SPRS account. Now what?
In some cases, you won’t be able to create an SPRS account. It seems to be highly dependent upon your organization’s CAGE code and whether that CAGE code has previously been registered and used on a DoD contract.
If your company has never won a contract, you probably won’t be able to create an SPRS account.
The alternative method is to submit your self-assessment to the firstname.lastname@example.org email address. Your submission should be sent via an encrypted email. How do you do this?
Wondering how to send an encrypted email to submit your DFAR 7019/20 Basic Self Assessment? If you do not have their certificate, it cannot be done. I did email them and requested a certificate. They sent me one. I recommend that as an approach.
Additional information from Vincent Scott:
New note on email submission of Basic Self Assessment. I found that the signature I received back was not for the group box, but for the individual who replied on behalf of the group box WEBPTSMH.email@example.com. This would not allow me to send an encrypted email because of the signature address mismatch. I asked the Navy individual manning the inbox for help. She did some research and replied that it was NOT POSSIBLE to have a certificate for a group email box. Ergo it is NOT POSSIBLE to send an encrypted email to the group box, only to an individual. I now recommend emailing the inbox, if you are email submitting, asking for the digital signature, and replying encrypted to the individual on the signature rather than to the email prescribed in the rule.
Amira’s note: Once you get an email from firstname.lastname@example.org with their public key certificate, you may need to install and trust the DoD root certificates on your computer in order to send back the encrypted email. This DoD website has resources for root certificates.
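As an added illustration (not part of the original article or of any DoD tooling), the mechanics behind the two encrypted-email caveats above: you cannot encrypt without the recipient’s certificate, and your mail client will only accept that certificate if its issuing root is trusted. It assumes a POSIX shell with openssl on the path; the root, the recipient certificate, the "other" root and the submission body are all constructed here and are not real DoD or WEBPTSMH material.

```shell
#!/bin/sh
# Constructed demo of S/MIME encryption to a recipient certificate, plus the
# chain-trust check that the "install the DoD root certificates" note refers to.
set -eu
WORK="$(mktemp -d)"

# Build a throwaway PKI: a root CA, a recipient cert signed by it (stands in for
# the mailbox owner's cert), and an unrelated root to show an untrusted chain.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/root.key" \
    -out "$WORK/root.crt" -subj "/CN=Constructed Root CA (example only)" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$WORK/other.key" \
    -out "$WORK/other.crt" -subj "/CN=Unrelated Root CA (example only)" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/rcpt.key" -out "$WORK/rcpt.csr" \
    -subj "/CN=constructed-recipient/emailAddress=recipient@example.org" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/rcpt.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/rcpt.crt" >/dev/null 2>&1
}

# Does the recipient cert chain to a root we trust? Prints "ok" or "untrusted".
verify_chain() {  # $1 = trusted root cert, $2 = recipient cert
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

# Sender side: S/MIME-encrypt the summary for the recipient's public certificate.
encrypt_submission() {  # $1 = plaintext file, $2 = recipient cert, $3 = output file
  openssl smime -encrypt -aes256 -binary -in "$1" -out "$3" "$2"
}

# Recipient side: decrypt with the private key that matches the certificate.
decrypt_submission() {  # $1 = encrypted file, $2 = recipient key, $3 = recipient cert
  openssl smime -decrypt -binary -in "$1" -inkey "$2" -recip "$3" | tr -d '\r'
}

# Constructed sample body carrying the six summary fields named in the rule.
printf '%s\n' "SSP name: Example SSP" "CAGE code: PLACEHOLDER" \
  "Architecture: single enclave (constructed example)" "Assessment date: 2020-12-01" \
  "Summary score: 95" "Date 110 will be achieved: 2021-06-30" > "$WORK/body.txt"

make_demo_pki
encrypt_submission "$WORK/body.txt" "$WORK/rcpt.crt" "$WORK/body.p7m"
CHAIN="$(verify_chain "$WORK/root.crt" "$WORK/rcpt.crt")"        # ok
UNTRUSTED="$(verify_chain "$WORK/other.crt" "$WORK/rcpt.crt")"   # untrusted
ROUNDTRIP="$(decrypt_submission "$WORK/body.p7m" "$WORK/rcpt.key" "$WORK/rcpt.crt")"
echo "chain: $CHAIN / wrong root: $UNTRUSTED"
```

Without rcpt.crt the encrypt step has nothing to encrypt to, which is the first caveat; with the wrong root in the trust store the chain check fails, which is the second.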
Do we need to submit our System Security Plan or POA&M?
Vince Scott from Defense CyberSecurity Group sent the following:
Q: Is the message only supposed to be summary information as listed in the rule, or are any documents supposed to be attached, such as SSP or POAM?
Based on “(E) Summary level score (e.g., 95 out of 110, NOT the individual value for each requirement).”
“To submit the Basic Assessment, the contractor is required to complete 6 fields: System security plan name (if more than one system is involved); CAGE code associated with the plan; a brief description of the plan architecture; date of the assessment; total score; and the date a score of 110 will be achieved.”
I don’t think that there is a place in the system for any additional information, and they do not want additional information like your whole SSP and POAM, which require control hanging around. Not for me to say, but I am 95% certain they do NOT want additional information.
Wayne Boline (Enterprise Compliance at Raytheon) gave the same opinion (do not send SSP or POA&M).
How are multiple CAGE codes or multiple contracts handled?
Vince Scott from Defense CyberSecurity Group sent the following:
Q: If multiple CAGE codes or multiple contracts use the same information system, how do we explain this in the submission?
“(ii) If multiple system security plans are addressed in the email described at paragraph (d)(1)(i) of this section, the Offeror shall use the following format for the report:
Since this allows for “cage code supported” I would use this format for multiple plans or multiple cage codes, from an email submission perspective. I am planning to enter ours into SPRS this week, so I will let you know how that goes.
Can subcontractors get access to SPRS, or only primes? Are primes supposed to submit on behalf of subcontractors?
It appears that subcontractors can get access to SPRS and can submit their own self-assessments.
What if my organization’s score is below 110?
You are in good company. Unless you have full-time cybersecurity professionals on staff and dedicated to compliance, your score is probably between -1 and -100. Go ahead and submit the true score.
Then start fixing your environment, update your system security plan, perform another assessment, and upload your improved score to SPRS. You can keep adding new self-assessments over time until you reach 110.
Should clouds used to store, process, or transmit CUI be included in the self-assessment?
Because NIST SP 800-171 only applies to internal contractor networks, and the DoD self-assessment asks for NIST SP 800-171 rather than the overall DFARS 252.204-7012 rule, some people may interpret their cloud as being out of scope.
This is incorrect. According to the DoD Acquisition Cyber FAQs, not only is the DoD expecting your cloud to be authorized at FedRAMP moderate or equivalent, but you are still responsible for some secure configurations, for example managing user accounts and roles, enforcing strong passwords and lockout settings, and verifying that your personnel are screened. For more information, see our blog about CMMC, CUI, and Cloud Vendors – do you need FedRAMP?
Q127: How will Software as a Service solutions be scored with the NIST SP 800-171 DoD Assessment? For example: Integration with Office 365, which holds a FedRAMP moderate certificate, may create an issue as the vendor will not share specific details with clients.
A127: For cloud-based solutions (e.g., SaaS, Office 365), if authorized at FedRAMP moderate or equivalent, the solutions are assumed to meet NIST SP 800-171 requirements. However, typically certain configuration settings remain the responsibility of the subscriber/client, and when they are related to specific NIST SP 800-171 requirements, they are subject to assessment and scoring.
More answers to be added over time. Please comment or email us if you have any tips or guidance!
Remaining questions about submitting a self-assessment
- If we manage to send an encrypted email correctly, how long will it take for it to be posted into SPRS?
- If multiple CAGE codes or multiple contracts use the same information system, how do we explain this in the submission?
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification.