Last September, suppliers to The Department of Defence (DoD) were informed about the DFARS Interim Rule that was being used to collect NIST 800-171 scores from all suppliers, to be submitted through the Supplier Performance Risk System (SPRS).
The DFARS Interim Rule became law at the beginning of December 2021, meaning that those suppliers not submitting their assessment scores would potentially lose out financially.
Here’s our quick guide on how to submit a CMMC Assessment to SPRS.
Guide to SPRS Assessment Submission
- Visit the PIEE website to register
- Accept Privacy Act Statement and Ts&Cs
- Go to options and select VENDOR
- Enter security question details
- Enter name and contact info
- Enter supervisor and company contact info
- Access the SPRS from the drop-down menu
- Select SPRS Cyber Vendor User
- Add roles. Enter the CAGE code of your company in the location field. Add a line for each CAGE code.
- Enter account justification
- Complete the Agreement.
NOTE: If you do not have a CAGE code, you will not be able to submit your assessment through the portal then you will need to submit it via encrypted email to firstname.lastname@example.org
- Once you have registered, the admin linked to your account will need to approve it.
- Input your CAGE code under LOCATION CODE, complete the security CAPTCHA and submit.
- The next screen will automatically fill in the Administrator and CAGE code for you and who you need to contact for approval. If there is not Administrator linked, contact PIEE support.
Once your account is set up and approved by the CAGE Administrator, you can submit your score.
- Login to your PIEE account and select the SPRS then NIST SP 800-171 Assessment.
- Select the company name and level and select ADD NEW ASSESSMENT
- Enter assessment details and SAVE
How can I self-assess and produce a score?
It certainly is possible to do a self-assessment if you have cybersecurity experts in-house. However, if you don’t have these skills, then you will likely need to get outside help from a CMMC consultant to perform and submit a CMMC assessment. It is too important a process to get wrong.
Does my company need to submit an assessment if there is no CUI in our records or systems?
Controlled Unclassified Information (CUI) is sensitive information, but not at a classified level. If you don’t hold any of this information, you might think there is no point in submitting a CMMC Assessment.
While there was some confusion at the beginning about whether it was necessary to submit when you held no CUI, it has since been confirmed that the requirements for all companies to complete the NIST SP 800-171 Self Assessment are being applied to all companies, whether they hold CUI or not.
So, if you want to be able to do any business at all with the DoD or its main suppliers, you will need to submit your assessment in line with the regulations.