6 thoughts on “How to submit a NIST SP 800-171 self assessment to SPRS”

  1. John Sciandra says:

    Hi Amira,

    I would like to add information to the question: Q: If my organization doesn’t have CUI on our systems (we use Gov or partner systems for CUI), should we submit something?

    Use the CMMC assessment levels as a guide since the majority of companies will presumably be assessed at CMMC Level 1 meaning – No CUI. At level 1 you still must protect FCI (Federal Contract Information). Things like information that is on your contract, but without handling CUI you will not have to undergo a more rigorous assessment at the higher levels.

    So to be safe – you should still respond even if you don’t handle CUI or risk not getting your contract. Katie Arrington spoke about the website called Project Spectrum where there is a free assessment tool that can also automatically upload your results into the SPRS for you. I don’t know the details but it is worth a look for those who are struggling.

    Hope this helps.

    John Sciandra

  2. Jeff says:

    Having problems getting the SPRS Supplier Performance role set up. We requested it several days ago, and still nothing. In the ROLES page, there’s a red box that says “not permitted to update your own role”.

    The person who requested the SPRS role is the admin.

    Do we need to set up an Admin#2 so that Admin#2 can approve the SPRS role for Admin#1?

  3. Terry Parks says:

    Apparently there is no way to register as our company has never had a direct contract.
    When I tried to register I got this error when I clicked to move on from the “Roles page”:
    “Error: The Location Code ##### cannot be added until a Contractor Administrator is established to support your organization. Primary EBPOC: xxxxxxxxxxxxxxxxxxxxxxxxx. Alternate EBPOC: xxxxxxxxxxxxxxxxxxxxxx. Please see the Vendor – Getting Started Help instructions on the WAWF Homepage for details on how to establish a Contractor Administrator.”
    That page tells me to register with CCR which I cannot reach.

    • Amira Armond says:

      Hello Terry,

      If all else fails, go back to the default which is mailing your self-assessment score using an encrypted email.

      Here is an excerpt from the DoD Acquisition Cyber FAQs on the topic:

      Q129: Who can post NIST SP 800-171 DoD Assessment results to the Supplier Performance Risk System (SPRS)? What will be posted?

      A129: A contractor may submit, via encrypted email, summary level scores of Basic Assessments conducted in accordance with Section 5 and Annex B of NIST SP 800-171 DoD Assessment Methodology, available at https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.1%20%203.13.2020.pdf, to webptsmh@navy.mil for posting to SPRS.

      DoD will post the following Medium and/or High NIST SP 800-171 DoD Assessment results to SPRS for each system security plan assessed:

      The standard assessed (e.g., NIST SP 800-171 Rev 1).

      Organization conducting the assessment, e.g., DCMA, or a specific organization (identified by Department of Defense Activity Address Code (DoDAAC) or Commercial and Government Entity (CAGE) Code).

      Each system security plan assessed, mapped to the specific industry CAGE code(s) associated with the information system(s) addressed by the system security plan. All corporate CAGE codes must be mapped to all appropriate system security plan(s) if the contractor has more than one system security plan and CAGE code. Additionally, a brief description of the system security plan architecture may be required if more than one plan exists.

      Date and level of the assessment, i.e., basic, medium, or high.

      Summary level score (e.g., 105 out of 110), but not the individual value assigned for each requirement.

      Date a score of 110 is expected to be achieved (i.e., all requirements implemented) based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171.
