Are You a Contractor Working with the Department of Defense?

Compliance with NIST 800-171 is a requirement for all organizations that work with the federal government.

Federal contractors are expected to properly handle and secure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within their IT networks.

Organizations must assess their IT systems and internal processes and report their compliance through the Supplier Performance Risk System (SPRS). The government now requires all companies doing work for the DoD to accurately report their SPRS scores in order to be awarded contracts.

This requirement applies to both prime contractors and subcontractors performing work in support of DoD contracts.

What Do You Need To Do?

Federal contractors are required to submit a score to the Supplier Performance Risk System (SPRS) that reflects the current level of their system security compliance. The score is generated by applying the NIST SP 800-171 DoD Assessment Methodology to a review of your System Security Plan, and it reflects how many of the requirements you’ve implemented.

Defense contractors must report a self-assessment score to the government through the SPRS system in order to perform any work for the government.

What Else Do You Need?

A System Security Plan

The System Security Plan is the foundation of NIST 800-171 compliance. The SSP provides a comprehensive overview of an organization’s IT systems and its security policies and procedures.

Defense contractors must submit a System Security Plan (SSP) as evidence of NIST 800-171 compliance.

Plan of Action and Milestones

Any NIST 800-171 requirements not met by a DoD contractor should be outlined in a Plan of Action and Milestones (POA&M) document. The POA&M sets out key milestones and timelines for achieving full compliance, and it must be submitted before the contract begins. The POA&M can be updated as the organization addresses areas of non-compliance and as its cybersecurity practices mature.

Defense contractors must submit POA&Ms detailing their plan to remediate areas of non-compliance.

Both the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M) are vital evidence of compliance required by the government, and they support the NIST 800-171 self-assessment score recorded in SPRS.

Ongoing Compliance

Once your assessment is done, plans to remediate deficient requirements are in place, and you’ve submitted your score, you move into the ongoing compliance phase of your cybersecurity program.

Your security posture will need to be constantly monitored, your documentation updated (at least annually), and your score updated in SPRS on a continuing basis (at least once every 3 years). This ensures your organization continues to prioritize cybersecurity and protect sensitive government information throughout your business.

Defense contractors must continuously re-evaluate their security compliance and submit their SPRS scores every 3 years.
How Can MC3 Technologies Help?

We are a Cyber AB certified CMMC Registered Practitioner Organization (RPO), accredited to provide CMMC services to the defense industrial base.

We provide a full range of services to help you meet today's federal requirements and prepare for future CMMC Level 1 or 2 requirements. We know your goal is to continue doing business with the federal government, and we will make that process efficient.

We will help you understand the requirements, generate your SPRS scores, and produce the documentation you’ll need to keep your business running smoothly.

We work in collaboration with you and your IT providers to provide a practical security strategy that fits your needs. We’re here to guide you through the remediation of vulnerabilities to protect your business.