DISCLAIMER: This is an attempt to help regular DoD contractors by describing very simple ways to perform the process. Get assistance from your contract officer or SPRS / PIEE helpdesk if you have questions!
For official instructions, see the following sources:
Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)
NIST SP 800-171 Assessment Methodology, Version 1.2.1 (see Annex B)
SPRS 800-171 Quick Entry Guide
DoD Acquisition & Sustainment website with additional guidance for contract officers
PIEE Vendor “Getting started” step by step registration
PIEE Helpdesk: +1 866-618-5988. The menu options that worked for us were 2 – Vendor user, 1 – Account Activations, 3 – Account activation technical support.
You need to keep working with the PIEE Helpdesk until you see the SPRS icon on your screen when you log on. After that, for SPRS-specific questions, the helpdesk number is 207-438-1690.
Q: If my organization doesn’t have CUI on our systems, should we submit something?
What is CUI? It is a category of very sensitive, but unclassified, information called “Controlled Unclassified Information”.
If you don’t know what CUI is, reference this article: CMMC Glossary, Terms, and Definitions. Who’s who in CMMC
I’ve had a few contractors ask me what to do if they don’t have Controlled Unclassified Information (CUI).
If a self-assessment is required in order to win a contract, and you don’t have a self-assessment in the system because you don’t have CUI, does that mean you will lose the contract? High risk!
Arguments against submitting a self-assessment if you don’t handle CUI
Robert Metzger (Attorney | Co-author MITRE “Deliver Uncompromised”) gives this advice:
Another argument is that according to the NIST SP 800-171 DoD Self Assessment Methodology, you cannot perform a self-assessment without having a System Security Plan (SSP) that describes your system. Based on that, contractors that don’t have an SSP should not even submit a failing score.
NIST SP 800-171 DoD Self Assessment Methodology
More information about System Security Plans can be found here.
Arguments for submitting a self-assessment if you don’t handle CUI
Katie Arrington (Chief Information Security Officer to the Assistant Secretary of Defense for Acquisition) seems to say that all contractors with the DFARS 252.204-7012 rule need to record a self-assessment in SPRS to be considered for a contract.
She gives an example of two small companies bidding on a contract. Both submitted their self assessments, but one has a score of 80 and one has a perfect score. Just having the self-assessment makes you “technically acceptable”. The company with the lower score would have a lower bid [overhead] because their security costs less. On a Lowest Price Technically Acceptable (LPTA) contract, both companies are technically acceptable and the one with a score of 80 wins due to LPTA.
Please reference this Coffee & Conversation with Katie Arrington from November 17, 2020. Timestamps 3:30, 13:00 and 23:19.
February 2021 update – No distinction based on CUI
Over the last four months, we have watched the actual deployment and interpretation of the new DFARS rules. Department of Defense Procurement and Contract Officers are applying the clauses to all non-COTS and all non-micro purchases.
The requirement for NIST SP 800-171 DoD Self Assessment IS being enforced no matter if you have CUI or not.
This memorandum document released by the Navy describes how the requirement will be added to all contracts except for COTS and micro purchases.
Even if you don’t have CUI, you should probably submit a self-assessment.
My concern is that a contract officer might accidentally disqualify a company for not having an assessment, without realizing that the missing assessment is because the company doesn’t plan to handle CUI. There is also the possibility that the contract officer might feel that the company does need to handle CUI in order to perform the contract. Communication is key!
It sounds like submitting a self assessment is the lowest risk option, even if NIST SP 800-171 does not apply to you.
firstname.lastname@example.org has no guidance
One of my clients tried to reach out to email@example.com and got a reply that “we cannot answer policy questions from this office…. suggestion to email your DCMA representative or their general mailbox. In this case, you might also wish to check with the prime contractor to get direction.”
Q: How do I perform a self-assessment and get a score to submit?
Check out our page on DFARS 252.204-7012 which has links to the resources you need to build your security program and do a self-assessment. Note: If you do not have a cybersecurity expert on staff (or a consultant), you do not have the pre-requisite knowledge to perform this. Get help.
Optional: Send me an email if you would like recommendations for consulting solutions.
Steps to Submit directly to SPRS using an account on PIEE
If you submit directly to your own account in SPRS, you will be able to avoid delays on the DoD side as they try to manually move thousands of assessments into SPRS.
Navigate your web browser to Procurement Integrated Enterprise Environment (PIEE)
If you already have an account for PIEE, you can skip the below registration steps. Log on and add the SPRS Cyber Vendor User role. ComplyUP has provided steps for existing accounts here.
If you don’t have an account yet, click on Register button (top right)
Accept (or don’t) the Privacy Act Statement and Terms and Conditions
Pick Vendor (the other options seem to be for PIEE administrators like contract officers)
If you have a Common Access Card or certificate, feel free to choose those. For most people, just enter the username and password you prefer.
Enter security questions…
Enter your name and contact information. This will be reviewed as part of your submission, so make sure it matches reality. I expect that it helps if your Organization matches the CAGE code you enter later.
Enter accurate information for the Company fields. Supervisor is not required, though it might be helpful when your submission is reviewed.
This next bit is the tricky part.
ADD A ROLE
A) First registration in PIEE?
If you are the first person in your company to register a PIEE account, you need to set up a Contract Administrator first.
In Step 1, click the down-arrow and select PIEE. Then select the Contract Administrator role. At the bottom, click Group Lookup and type your CAGE code in, then click the Location button to look it up and accept the results. If the system does not find your CAGE code, call the PIEE helpdesk.
You should see your CAGE code displayed next to Contract Administrator role. Click Next.
Skip the Cyber vendor steps below and go straight to JUSTIFICATION.
Note, once you get your account activated, you will need to return to your account settings and add the SPRS Cyber Vendor role using the steps below.
B) Cyber Vendor Role – if your company already has an account.
In Step 1, click the down-arrow and select SPRS – Supplier Performance Risk System.
In Step 2, pick SPRS Cyber Vendor User.
In Step 3, click +Add Roles. A line will appear at the bottom with a Location Code* field. Enter the CAGE code for your organization (this should match the CAGE code associated with the contract that you are submitting for).
Update: If your CAGE code is not recognized, review the steps in this PIEE step-by-step instruction page. Most companies need to perform Step 3 (and later steps) if the message “There are no Contractor Administrators in the system for the Location Code” displays.
If you have multiple CAGE Codes related to DoD contracts, repeat Step 3 +Add Roles to add additional lines and enter the CAGE codes.
Enter justification for an account. Attachments would be used for justification and/or identification purposes. Do not attach your self assessment here.
Registration Summary displays.
I dropped out at this point because I wasn’t putting in an actual registration. Hopefully you can make it through the next step (Agreement) on your own.
Your Contractor Administrator has to approve for SPRS to display
UPDATED July 6, 2021
Next, the Contractor Administrator for your CAGE code will need to approve your role.
If you are a larger business, you can look this person up by going to the PIEE Find Government / Contractor Account Administrator page. You ONLY need to fill out the location code with your CAGE. Leave the other filters empty.
If you are the only person with a PIEE account at your business, try waiting an hour or two (business hours only). The helpdesk should approve your account, assuming your justification makes sense. If it takes longer, then you should call the PIEE helpdesk at +1 866-618-5988. The menu options that worked for us were 2 – Vendor user, 1 – Account Activations, 3 – Account activation technical support.
A quick conversation with the PIEE helpdesk and identification of the account and CAGE code got us approved. The SPRS icon will now display when we log on to PIEE.
Now that I have access to SPRS, how do I submit my self-assessment?
This NIST SP 800-171 Quick Entry Guide from SPRS has instructions to submit the assessment.
I can’t create an SPRS account. Now what?
In some cases, you won’t be able to create an SPRS account. It seems to be highly dependent upon your organization’s CAGE code and whether that CAGE code has previously been used on a DoD contract.
If your CAGE code is not recognized, review the steps in this PIEE step-by-step instruction page. Most companies need to perform Step 3 (and later steps) if the message “There are no Contractor Administrators in the system for the Location Code” displays.
The alternative method is to submit your self-assessment to the firstname.lastname@example.org email address. Your submission should be sent via an encrypted email. How do you do this?
Vincent Scott from Defense CyberSecurity Group sent the following:
Wondering how to send an encrypted email to submit your DFAR 7019/20 Basic Self Assessment? If you do not have their certificate it cannot be done. I did email them and request a certificate. They sent me one. Recommend that as an approach.
Additional information from Vincent Scott:
New note on email submission of Basic Self Assessment. I found that the signature I received back was not for the group box, but for the individual who replied on behalf of the group box WEBPTSMH.email@example.com . This would not allow me to send an encrypted email because of the signature address mismatch. I asked the Navy individual manning the inbox for help. She did some research and replied that it was NOT POSSIBLE to have a certificate for a group email box. Ergo it is NOT POSSIBLE to send an encrypted email to the group box, only an individual. I now recommend emailing the inbox, if you are email submitting, asking for the digital signature, and replying encrypted to the individual on the signature rather than the email prescribed in the rule.
Amira’s note: Once you get an email from firstname.lastname@example.org with their public key certificate, you may need to install and trust the DoD root certificates on your computer in order to send back the encrypted email. This DoD website has resources for root certificates.
More tips for submitting via email
From Wayne Boline (Raytheon Technologies): “Don’t try to send the information via one of the secure portals where the recipient has to go to an https site and retrieve the message. That won’t be accepted.”
From Timothy Fawcett:
“I submitted my results for the #nist800171 assessment, according to “Annex B,” by email yesterday (email@example.com). I got a response back from the SPRS people requesting I change the format. If you have not been able to submit your results through SPRS and are emailing your results please see the excerpt from the email from SPRS:”
Hello – your NIST Assessment results are not in the complete correct format. Please use the example below for submission.
To post your Basic Assessment results, please reply with the following:
1. Date of Assessment
2. Assessment score (< or = 110)
3. Scope of Assessment (choose one: Enterprise, Enclave, Contract) definitions from system:
Contracts – Contract specific SSP review
Enterprise – Entire company’s network under the CAGEs listed
Enclave – Standalone under Enterprise CAGE as business unit (test enclave, hosted resources, etc.)
4. Plan of Action completion date (the specific calendar date at which you predict to attain a score of 110)
5. Included CAGEs (CAGEs you are reporting that are covered by the SSP)
Your submission must be in the format above and complete for each CAGE.
Do we need to submit our System Security Plan or POA&M?
At this point, there seems to be broad agreement that no documents need to be submitted with your self-assessment. The DoD only wants the exact information that is specified in the DFARS 252.204-7019 and 7020 rules (see picture at top of page).
How are multiple CAGE codes or multiple contracts handled?
Vince Scott from Defense CyberSecurity Group sent the following:
Q: If multiple CAGE codes or multiple contracts use the same information system, how do we explain this in the submission?
“(ii) If multiple system security plans are addressed in the email described at paragraph (d)(1)(i) of this section, the Offeror shall use the following format for the report:
Since this allows for “cage code supported” I would use this format for multiple plans or multiple cage codes, from an email submission perspective. I am planning to enter ours into SPRS this week, so I will let you know how that goes.
Update: I am hearing from multiple sources that the above table (which is from the DFARS Interim Rule) isn’t an acceptable format for submitting your score to firstname.lastname@example.org
This format below may be better. Please comment if you know more.
Can subcontractors get access to SPRS, or only primes? Are primes supposed to submit on behalf of subcontractors?
It appears that subcontractors can get access to SPRS and can submit their own self-assessments.
What if my organization’s score is below 110?
You are in good company. Unless you have full time cybersecurity professionals on-staff and dedicated to compliance, your score is probably between -1 and -100. Go ahead and submit the true score.
Then start fixing your environment, update your system security plan, perform another assessment, and upload your improved score to SPRS. You can keep adding new self-assessments over time until you reach 110.
Should clouds used to store, process, or transmit CUI be included in the self-assessment?
Because NIST SP 800-171 only applies to internal contractor networks, and the DoD self-assessment asks for NIST SP 800-171 rather than the overall DFARS 252.204-7012 rule, some people may interpret their cloud as being out of scope.
This is incorrect. According to the DoD Acquisition Cyber FAQs, not only is the DoD expecting your cloud to be authorized at FedRAMP moderate or equivalent, but you are still responsible for some secure configurations. Examples: Managing user accounts and roles. Enforcing strong passwords and lockout settings. Verifying your personnel are screened. For more information, see our blog about CMMC, CUI, and Cloud Vendors – do you need FedRAMP?
Q127: How will Software as a Service solutions be scored with the NIST SP 800-171 DoD Assessment? For example: Integration with Office 365, which holds a FedRAMP moderate certificate, may create an issue as the vendor will not share specific details with clients.
A127: For cloud-based solutions (e.g., SaaS, Office 365), if authorized at FedRAMP moderate or equivalent, the solutions are assumed to meet NIST SP 800-171 requirements. However, typically certain configuration settings remain the responsibility of the subscriber/client, and when they are related to specific NIST SP 800-171 requirements, they are subject to assessment and scoring.
More answers to be added over time. Please comment or email us if you have any tips or guidance!
Remaining questions about submitting a self-assessment
- If we manage to send an encrypted email correctly, how long will it take for it to be posted into SPRS?
Please subscribe to our newsletter for useful information about CMMC and DFARS compliance and becoming a professional in this space. Please send me a connection on LinkedIn for community discussions about the CMMC and 800-171.
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a public resource for news and informational articles about the Cybersecurity Maturity Model Certification.
20 thoughts on “How to submit a NIST SP 800-171 self assessment to SPRS”
I cannot find information/instruction on how the submit a CMMC Level 1 Attestation Letter to SPRS (via PIEE or any other path). Could someone please provide advice on this matter?
Question: The policy for my organization is for no CUI to be received, stored, processed on organization systems; the current contracts mandate the organization only receive, store, process CUI on US-provisioned systems (Gov or partner systems). So the questions are, as it is not clear:
How does the organization submit any self-assessment for a system it doesn’t own?
As it will not be receiving, storing, or processing CUI on its own network, how does that affect any future contract bids?
Does the organization still complete the self-assessment against the systems in use (US Gov or partner systems) or would that be considered a false assessment, as it is not strictly an assessment of the organization itself?
Will the organization eventually be required to create its own solution, which is capable of receiving, storing, and processing CUI (even though there is absolutely no requirement to do so at this time), if it is to be a viable candidate for any future contract bids?
SPRS no longer loads for me…
“This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://sprs.csd.disa.mil again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.”
Can anyone provide clarity on what value or entry is expected to be populated in the “System Security Plan (SSP) Assessed:” text box?
Thank you in advance for any help.
Bumping this comment because I also need clarity on this.
Hello Matthew and Bryn,
Take this advice at your own risk, but the way I’ve been doing it is providing a unique identifier or name for the system security plan. This generally matches the unique identifier or name for the information system assessed, in my templates.
Many of the questions do not apply to my situation. What do I do? Assuming I have only one computer not connected to a LAN, no file sharing etc.
For all these things that don’t apply to my situation, should I still deduct them from my score?
The broad answer, without knowing your situation, is that the majority of the questions DO apply to your situation, but you may not even have the capability to do them correctly with your one computer. Not having a firewall doesn’t mean you are exempt from the requirement to have a firewall, for example. These questions should not be answered by someone who isn’t trained in cybersecurity, or at least is fairly senior in systems administration. This is a legitimate skillset, just like only doctors are allowed to do surgery or prescribe medications.
The exception, which you might be trying to explain, is if you have a standalone computer that isn’t connected to any network, no wireless, no Internet, no email. But then the question is, how are you getting data to-and-from this computer? Are you emailing it to your gmail account at home, loading it onto a thumb drive, moving it to your work computer, working on it, and back-and-forth, etc? That is no good either – your thumb drive and personal computer are now in-scope.
The cybersecurity self-assessment requirement is a huge problem for little companies like yours. I don’t have a solution. I hope you have not been dealing with Controlled Unclassified Information (CUI). If you haven’t been, then this shouldn’t apply to you (except for the part where your prime or the contract officer is requiring it).
For little tiny companies that have been dealing with CUI, the frank advice is that you can’t do the necessary amount of security on your own and you need to find a partner information system to use instead. Reference this article: Where is the easy button for CMMC? Technically, right now, you can still get contracts without being cyber-secure, but it is a disservice to the United States if you don’t try to improve your security.
This isn’t directly at you, but at others reading this in the same situation. Reach out for help. The CMMC-AB marketplace is a good place to find cybersecurity talent. https://cmmcab.org/marketplace
Thanks for the quick reply,
No, my computer is connected to the internet, and is behind a firewall (all Windows computers have a firewall built in and turned on by default).
What I meant was the computer is not hooked up to a network for file sharing purposes.
The computer is connected to the internet, behind a software firewall (the router also has NAT). It is also virus protected, and the external backup device is encrypted.
The computer is also password protected, the office is locked, and any paper documents are also locked in a file cabinet inside the locked office.
The email address that does business is hooked up to only this one computer (and no other devices, no cloud services, nothing else)
There are plenty of instances I have seen where things don’t apply to my situation. Many of the questions have to do with computers on a domain that are controlled through Active Directory on a server.
There are also things regarding remote access which also do not apply to me.
I can go on and on about these questions that don’t apply to me, but let’s just take the few examples. Do I need to deduct the points for not having a server with a domain controller configured with Active Directory?
Or do I need to deduct points for the question about remote access, when I don’t use remote access? (And I have RDP disabled.)
PS, I am an IT technician, but I am not an expert by any means on the cybersecurity assessment.
I do understand all the questions asked on the assessment.
I can understand what you mean about someone who is not an expert in IT not being able to do this properly, because the questions asked are not in layman’s terms by any means.
How can I get to the SPRS icon on PIEE?
My company’s score was well below 0. The SPRS site would not let us enter a score below zero. The phone number for assistance in SPRS is not answered, but has a message that says they don’t really check messages. Instead we should send an email to email@example.com. I’ve sent a few emails to the address and get no responses.
Hello Doug, that isn’t normal. You should be able to submit a negative score. Did the system update and change its field settings?
I have been trying to upload my CUI SSP via PIEE, but I am having issues with OTP.
It seems that when you select Send OTP it is supposed to send to your registered email address. It does not. I have the Authentication app loaded on my cell; still no luck. Is anyone experiencing this issue?
I sent an email to the help desk, no response yet. I also called the help desk and they are overwhelmed with calls. So if anyone has a fix, please share.
I would like to add information to the question: Q: If my organization doesn’t have CUI on our systems (we use Gov or partner systems for CUI), should we submit something?
Use the CMMC assessment levels as a guide since the majority of companies will presumably be assessed at CMMC Level 1 meaning – No CUI. At level 1 you still must protect FCI (Federal Contract Information). Things like information that is on your contract, but without handling CUI you will not have to undergo a more rigorous assessment at the higher levels.
So to be safe – you should still respond even if you don’t handle CUI or risk not getting your contract. Katie Arrington spoke about the website called Project Spectrum where there is a free assessment tool that can also automatically upload your results into the SPRS for you. I don’t know the details but it is worth a look for those who are struggling.
Hope this helps.
Having problems getting the SPRS Supplier Performance role set up. We requested it several days ago, and still nothing. In the ROLES page, there’s a red box that says “not permitted to update your own role”.
The person who requested the SPRS role is the admin.
Do we need to setup an Admin#2 so that Admin#2 can approve the SPRS role for Admin#1 ?
Call the DISA help, they can activate the SPRS role for you. I am our Admin and that is how I got activated. You can also set up another admin.
Apparently there is no way to register as our company has never had a direct contract.
When I tried to register I got this error when I clicked to move on from the “Roles” page:
“Error: The Location Code ##### cannot be added until a Contractor Administrator is established to support your organization. Primary EBPOC: xxxxxxxxxxxxxxxxxxxxxxxxx. Alternate EBPOC: xxxxxxxxxxxxxxxxxxxxxx. Please see the Vendor – Getting Started Help instructions on the WAWF Homepage for details on how to establish a Contractor Administrator.”
That page tells me to register with CCR which I cannot reach.
If all else fails, go back to the default which is mailing your self-assessment score using an encrypted email.
Here is an excerpt from the DoD Acquisition Cyber FAQs on the topic:
Q129: Who can post NIST SP 800-171 DoD Assessment results to the Supplier Performance Risk System (SPRS)? What will be posted?
A129: A contractor may submit, via encrypted email, summary level scores of Basic Assessments conducted in accordance with Section 5 and Annex B of NIST SP 800-171 DoD Assessment Methodology, available at https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.1%20%203.13.2020.pdf, to firstname.lastname@example.org for posting to SPRS.
DoD will post the following Medium and/or High NIST SP 800-171 DoD Assessment results to SPRS for each system security plan assessed:
The standard assessed (e.g., NIST SP 800-171 Rev 1).
Organization conducting the assessment, e.g., DCMA, or a specific organization (identified by Department of Defense Activity Address Code (DoDAAC) or Commercial and Government Entity (CAGE) Code).
Each system security plan assessed, mapped to the specific industry CAGE code(s) associated with the information system(s) addressed by the system security plan. All corporate CAGE codes must be mapped to all appropriate system security plan(s) if the contractor has more than one system security plan and CAGE code. Additionally, a brief description of the system security plan architecture may be required if more than one plan exists.
Date and level of the assessment, i.e., basic, medium, or high.
Summary level score (e.g., 105 out of 110), but not the individual value assigned for each requirement.
Date a score of 110 is expected to be achieved (i.e., all requirements implemented) based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171.
It looks like that link is already changed. Do you happen to have a current one?
Doh. Looks like DoD Acquisition moved their link.
They were trying to point people at the “NIST SP 800-171 DoD Assessment Methodology” document.
If you search Google for that phrase, it reliably should find the document (make sure you go to the DoD’s Acquisition site)
Here is the correct link right now: