Hello, welcome to the NIST 800-171 learning path. My name is Dave Hatter, I'm your instructor for this class, and this is course seven, putting it all together. So in this course, we'll do a review of the content we've covered thus far, and we'll do a little project where we build out the body of evidence, including a system security plan and a plan of action and milestones, for one of the requirements families. So you can see what that would look like in preparation for submitting your score to SPRS and possible compliance with level three of the CMMC. But let's dig into this. So this all came about thanks to Executive Order 13556. 13556 established a government-wide Controlled Unclassified Information, or CUI, program to standardize the way the executive branch handles unclassified information that requires protection. Again, the emphasis there is on unclassified information, but it requires protection; we don't want it to fall into the hands of our enemies, etc., right? So Executive Order 13556 designated NARA, the National Archives and Records Administration, as the executive agent to implement the CUI program. And basically, again, 13556 set the groundwork for all of this. So let's take a look at the definition of controlled unclassified information. That's one of the places where people often get tripped up: trying to understand what is CUI? Do I have CUI? Now ideally, the contract will stipulate very clearly that CUI is in there and you'll know this needs to apply to you. But again, the more you can understand CUI in concept and application, the better off you'll be. So according to Executive Order 13556, CUI is, quote, information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.
But it's not classified under the Executive Order on Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. Again, that's a direct quote lifted from Executive Order 13556. And it calls out information that's not classified yet needs to be protected, all right? So, let's talk a little bit more about CUI. The CUI registry at NARA is a great resource to understand what CUI is and what you need to do to protect it. Again, one of the difficult things sometimes is determining, do you have CUI? So you can visit the CUI registry to get great insight into what CUI is. The CUI registry identifies approved CUI categories and subcategories, with a description of each and the basis for controls. It defines procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of CUI, and you'll find it at archives.gov/cui/registry/category-list.html. I strongly encourage you to take a look at the CUI registry. I think it will be very helpful as you not only work through this process, but just in general when you're reviewing contracts to determine if they have CUI that might not be clearly designated. Let's hope that's not the case moving forward. In theory, as you'll see in these next few slides, contracts should specify this, but you know how that works, right? So let's dive into the three-part plan to protect CUI. So Executive Order 13556 set the groundwork for this, and then there's three other pieces that come together to ensure that CUI gets the protection that it deserves. First off, you have the federal CUI rule, 32 CFR Part 2002, which established the required controls and markings government-wide. You've got our old buddy here, NIST 800-171, which defines security requirements for protecting CUI in nonfederal information systems and organizations.
And just a reminder, again, this applies to nonfederal information systems, right? The government has their own standards for this. This is for us folks out here in the civilian world who have systems that are going to contain CUI. And then we have the Federal Acquisition Regulation, or FAR, clause to apply the requirements of the federal CUI rule and NIST 800-171 to contractors. So, before we go any further, I just want to reiterate, we talked about this a few courses back and how important it is, when you're looking at the need to comply with these things, to scope your system. Ideally, you will have CUI identified and marked, and in as few places as possible. The smaller the scope is for where the CUI exists, the easier it's going to be to comply with the security requirements of NIST 800-171, and, if you're trying to get to level three of the CMMC, the other requirements that that brings on board, and especially if you're looking at level four, level five. So, again, as you're thinking about this, as we're going through this, be thinking about how can I determine where the CUI is and limit the scope of the system. So, some thoughts about that are: isolate CUI into its own security domain by applying architectural design concepts. Security domains may employ physical separation, logical separation, or a combination of both. And ideally, you're going to use the same CUI infrastructure for multiple government contracts or agreements, if you have multiple agreements, so that again, you can limit the amount of work that you have to do. It can be very difficult, especially in older environments with legacy systems, to make everything stand up to the requirements of NIST 800-171. So to the extent you can limit the exposure of CUI in your systems, you can save yourself a lot of cost and time. So, let's take a look at DFARS and NIST 800-171. As you know, 800-171 is the framework that's designed to help manufacturers in particular.
But it helps anyone that has CUI comply with DFARS clauses 252.204-7008, 7012, 7019, and 7020. The DFARS 7012 and 7020 clauses will be in all DoD solicitations, contracts, task orders, and delivery orders, at least they should be. The flowdown requirement for contractors requires tiered subcontractors to have an assessment in the Supplier Performance Risk System, SPRS. So, again, that's part of the DoD interim rule, we'll get to that in a minute. But if you're a subcontractor working for a prime that has CUI in their contract, you are required to submit your score, and again, NIST 800-171 is the basis of that. So these things go hand in hand, and that's one of the reasons why this is important for you. Contractors must validate compliance with 7019 prior to awarding a subcontractor purchase order of any kind. So what that's basically saying is, before the prime can give you a contract as a subcontractor, they have to validate your compliance, right? And that's in part due to your score in SPRS. And then contractors must include the contents of DFARS 7019 in subcontract agreements, thus binding you as a subcontractor to it. So let's talk a little bit about applicability of NIST 800-171. As we've already said, DoD contracts are subject to the requirements of the Defense Federal Acquisition Regulation Supplement, or DFARS, and the NIST Special Publication 800-171 requirements. CUI requirements apply only to the components of nonfederal information systems that process, store, or transmit CUI, or provide security protection for such components. Now again, let's go back to the scoping concept for a second. These requirements only apply to nonfederal information systems that process, store, or transmit CUI. So, if you can scope your system so that that is as minimal as possible, again, it will vastly reduce your workload. And then the requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
Let's talk about some assumptions. Okay, nonfederal organizations. These are assumptions NIST is making about your compliance with the requirements of 800-171. As a nonfederal organization, they assume you already have information technology infrastructure, that you're not developing or acquiring systems explicitly for the purposes of processing, storing, or transmitting CUI. They assume you already have some type of safeguarding measures in place, some ability to have a basic cybersecurity posture, right? And that some of that may be sufficient to satisfy the CUI protection requirements of 800-171. They understand that you may not have everything necessary to satisfy every CUI requirement. And they basically say they get that you can implement a variety of potential security solutions to meet the requirements. The requirements are not prescriptive, right? They give you a set of requirements. They don't tell you exactly what you have to do to meet those requirements. That's flexible, and they leave it up to you to determine that. So let's talk a little bit about the 800-171 requirements. Hopefully, by now this is old hat: there's 110 security requirements across the 14 families of NIST 800-171. Each requirement has a well-defined structure consisting of basic security requirements and derived security requirements. The basic security requirements come from FIPS 200, and the derived security requirements come from NIST Special Publication 800-53. The requirements are non-prescriptive, I mentioned that before. They're not telling you exactly what you have to do, but they do give you guidance on how to get there. The requirements can be implemented by a nonfederal organization in a variety of ways, including by your own internal team, with a Managed Service Provider, or some hybrid approach where your team and an MSP each does some part of it. There's a variety of different ways you can achieve these things.
And one of the things they point out is you may be able to be in compliance with any given requirement with an alternative, but equally effective, measure. And then each requirement has a discussion section that helps explain it. And this is a direct quote from 800-171. Quote, the discussion section associated with each CUI requirement is informative, not normative. It is not intended to extend the scope of a requirement, or to influence the solutions organizations may use to satisfy a requirement. Again, it's not prescriptive. In addition, the use of examples is notional, not exhaustive, and not reflective of potential options available to organizations, unquote. Again, that's a direct quote from 800-171. And remember, these requirements only apply to nonfederal information systems that process, store, or transmit CUI. If you don't have CUI, you don't have to meet these requirements. Now, I think your organization would be vastly more secure if you were in compliance with all 110 requirements of 800-171. But it's not necessary if you don't have systems that process, store, or transmit CUI. So as I mentioned before, there are 14 requirements families that are listed here as a quick review. They are access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. You can go back to the previous courses to get into each of the 110 requirements that make up those 14 requirements families in detail. So, in order to be in compliance with 800-171, you have some deliverables; you need a body of evidence. The body of evidence basically documents how you've implemented controls to satisfy the 110 requirements.
And there should basically be three major items in your body of evidence. Organizational policies or procedures: remember, some of these requirements are not technical. They're literally saying you need some type of policy or something, right? So, you'll have policies and procedures. You have a system security plan that shows, for each one of the requirements, whether you're in compliance or not, and ideally includes artifacts, that evidence that will show why you're in compliance. And then for those requirements you have not satisfied, you'll have a plan of action and milestones that describes when and how you plan to satisfy that requirement. So let's talk a little bit about policies, right? We just talked about policies as part of the body of evidence. So, according to Merriam-Webster's Dictionary, policy is a high-level overall plan embracing the general goals and acceptable procedures, especially of a government body or governmental body, sorry. It's requirements established by senior management. It provides direction to employees and contractors that's enforceable under US labor laws and HR direction. It provides strategy and direction to guide decisions by lower-level management. Designed to achieve positive outcomes. It's a statement of expectation, or statements of expectation, enforced by standards and further implemented by procedures. Policies are living documents that should change to reflect conditions, and they're mandatory, right? So that's a high-level overview of what policies are. Here's a list of some common security policies. Again, this is a review, we covered this in earlier courses. I'm not going to go into these in detail. I did want to call out here though, and I mentioned this in the earlier course, there are organizations like SANS and others that have free policy templates that are available.
This can seem rather daunting when you look at this long list and think, my gosh, I'm going to have to write a policy for each one of these things, or create each one of these policies. Keep in mind there are many templates available. There are also private companies who have done a lot of this work, though they often are not providing it for free. But the good news is you can get a leg up, and reduce your workload, by taking advantage of the many templates that are already out there. You can see the ones that have asterisks; there are templates available to you. So again, I'm not going to read this list, but don't let it scare you, it's not nearly as difficult as it looks. So another deliverable that we care about, that's part of our body of evidence and is absolutely required before you can submit your score to SPRS, is your System Security Plan, or SSP. And basically your system security plan is a blueprint of your systems. The idea is you're going to develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with other connected systems. So again, it's your blueprint. In the case of NIST 800-171, you're going to have your 110 requirements. And as a reminder, NIST has a template for this, you can use that if you want to start with it. You're going to have your 110 requirements, you're going to indicate which ones are satisfied, which ones are not satisfied. And for those that are satisfied, indicate artifacts that show evidence of satisfaction with that requirement, or being in compliance with that control, depending on the particular terminology you want to use. And for those that are not satisfied, you're going to have your plan of action and milestones, which we'll get to here in a minute. So why do we need a System Security Plan? Well, it's part of compliance, right? It's required by NIST 800-171.
In particular, requirement 3.12.4 mandates that you must have a system security plan. The DoD says that you can't submit your self-assessment to SPRS without one, and it's required for CMMC Level 2 or higher. So if you're shooting for the Cybersecurity Maturity Model Certification Level 2 or higher, you must have a System Security Plan. Again, it helps us document systems containing CUI, and shows which of the 110 requirements of NIST 800-171 we've satisfied and which we haven't. And it's something that can be given to an assessor as part of the assessment process. So what do you need to do to create an SSP? Well, we're gonna get back to this as part of our project, and go through this in more detail than we did in the previous course. But ultimately, as a reminder, there is no formal standard. NIST has a free template. In my opinion, it's sufficient for most purposes. You can see there's a link to the free template there. A big part of this, and I would recommend that you start out this way: read the SP 800-171 document, and download the 800-171A document that has the assessment objectives. Remember there are 320 assessment objectives; we covered that in the previous course and there's a link in the resources there. When you look at the assessment objectives, they give you some real insight into the types of artifacts that will help you show evidence of satisfaction of any given requirement. Collect your evidence and artifacts; know going into it what you need and how you're going to collect that, and build that into your system security plan. So the last deliverable we're going to talk about here is the plan of action and milestones, or POA&M. And this is essentially, for all of the requirements that you have not met, your plan for how you're going to meet them, with milestones along the way, dates of completion, etcetera.
You know, it's your roadmap: how are you going to ultimately be in compliance with all 110 requirements of NIST 800-171 Rev 2. Basically, again, it helps you address delays in meeting requirements. It builds your roadmap; ideally you're going to have an expected completion date and interim milestones, because part of what you're trying to show here, especially as we get further and further away from the initial call for 800-171 and the protection of CUI, as cyberattacks continue to rise. So by having expected completion dates, interim milestones, it shows that you're serious about trying to complete these things, because again, one of the reasons why we got to where we are today is plans of action and milestones that were never done. But more on that here in a minute. Why do we need a POA&M? Well, it is also required as part of the NIST 800-171 requirements, in particular requirement 3.12.2. And it's something that's given to an assessor. You can see here a screenshot of that particular requirement and the assessment objectives; this came from the assessment document. Again, I can't state enough how helpful it will be for you to get that, because it shows you what an assessor would be looking for. So what you need to do to create the POA&M: well, like the system security plan, there is no prescribed format. NIST does have a template. The template's in Word. I think it's a little funky, personally; I prefer to use an Excel document for this, I think it makes it a little bit easier to manage. But basically, if you download the Word template from NIST, you can use that to create, just basically use that as a template for your spreadsheet. I like to add a few other columns into it, but it's a good starting point, and again, it's free.
You can download it out there at the NIST 800-171 web page where you would get the document itself. And like the system security plan, you know, these things are going to require some technical knowledge to do, and I would strongly encourage you to take a look at the assessment objectives. Understand your 320 assessment objectives as you build out this plan of action and milestones, so it's going to give you insight into how to construct this in a way that it appears that you understand what you're doing, you're on the path to meeting these. And frankly, it will help you ensure that you're putting in the work to satisfy these requirements with the least amount of work on your end, because you understand what an assessor would be looking for. So as I mentioned, the Cybersecurity Maturity Model Certification has come along since the introduction of NIST 800-171 and Executive Order 13556 that called for the protection of CUI. And largely because the NIST 800-171 standard was not being met, right? Contractors just weren't doing what they needed to do. As I mentioned before, you had plans of action and milestones that just went on forever. They were never completed. So let's talk a little bit about the Cybersecurity Maturity Model Certification. It's a unified standard designed to reduce the exfiltration of controlled unclassified information, or CUI, from the defense industrial base. This was prompted by data breaches impacting national security and data breaches originating with nonfederal organizations. Again, this is all geared around nonfederal organizations that have CUI. The latest version, version 1.2, was published in March of 2020. It combines various standards and best practices, and it's based largely on NIST 800-171. So the good news is, if you can get toward the point where you've satisfied all 110 requirements of NIST 800-171, you're almost there, right? Level three, which is what most contractors will probably need to meet, again,
it's going to depend on your contract, but that's where most contractors are probably going to need to be. You're almost all the way there for level three, right? There is an additional 20 requirements on top of the 110 from NIST 800-171, but you're almost there. So how do we get here? Well, I've already touched on this a bit. NIST 800-171 is a self-attestation standard: I download these documents, they get through my systems, and I say yes, I'm compliant with this, I'm not compliant with that, I satisfy this, I partially satisfy that, right? But there really wasn't any teeth to it. There was really no way to enforce that, right, and folks knew that, right. DoD mandated contractors meet these requirements, but there were few audits and little accountability: self-attestation, the perpetual plan of action and milestones that never got met, and again little to no risk created, basically no incentive, for NFOs to fully implement all 110 of these requirements. So the government basically said enough is enough and came up with the Cybersecurity Maturity Model Certification, which adds in the audit component and adds some teeth to this, so that folks eventually have to get in compliance with CMMC if they want to get contracts from the government. [COUGH] Excuse me. So let's talk about why you should care about CMMC. Nonfederal organizations with contracts containing DFARS 252.204-7012 must have at least a current basic assessment against NIST 800-171 in order to receive a contract award after November 30, 2020. So we've already passed this deadline. Now if you're looking to get contracts from DoD, you need to have a basic assessment on file in SPRS. Requests for proposals or contracts may contain clauses, or your prime may ask you to report your CMMC score. NFOs that are noncompliant with the required level will not be able to retain DoD contracts. Let me reiterate that: NFOs that are not compliant with the required level of CMMC.
There are five levels, we'll get to that in a minute. They will not be able to retain DoD contracts. By 2026, DoD will require all defense contractors to pass the CMMC audit to bid on all jobs. Again, let me restate: by 2026, DoD will require all defense contractors to pass a CMMC audit to bid on jobs. This only applies to RFPs and contracts with the clause embedded in it, for now. I think at some point we'll get to a place where anyone that wants to do business with the government will need to achieve probably at least level three of the CMMC. So that's something to keep in mind, and again, because it is almost entirely based, at least through level three, on NIST 800-171, if you can get to where you've satisfied those requirements, you'll be looking really good, and I believe much, much more secure than when you started. So, CMMC: 17 capability domains, 43 capabilities. All this is a review, so I'm not going to go into the detail on that; that's mostly covered in previous courses. There are five processes across five levels to measure maturity, and a grand total of 171 practices across the five levels to measure technical capabilities. So, domains are key sets of capabilities for cybersecurity, capabilities are achievements to ensure cybersecurity within each domain, and practices and processes are activities required by level to achieve a capability. You can see here the 17 capability domains. The good news again, because this is mostly based on NIST 800-171, pardon me, is a lot of overlap here with the requirements families of 800-171. I won't read all this to you. Here are the five CMMC levels. Again, this is a maturity model; ideally over time you're going to continuously be moving forward to become more mature. Right, so you can see here at level one, we're saying we're performing certain processes, and that gives us basic cyber hygiene. At level two, processes are documented.
We're not just doing them, they're actually documented, and we've achieved an intermediate level of cyber hygiene. And we're adding more requirements in at each of these steps. At level three, our processes are managed and we have good cyber hygiene. Level three includes all 110 requirements from NIST 800-171 plus 20 other requirements. And then at level four, our processes are reviewed and our practices are proactive. Again, we've added a few more requirements, and then finally at level five, we're optimizing processes and our practices are advanced/progressive. Ideally we're in a place where we're able to protect against advanced persistent threats and nation-state actors like China. And that gets us to the full 171 requirements, which is a pretty high bar and not easy to do, honestly. So the DoD interim rule on CMMC basically came out and said, as of September 29th, 2020, you have to do these things, right. As of November 30th, 2020, contractors are required to self-assess, or have DoD assess, compliance, and report it prior to any new DoD contract award or DoD exercise of any contract option or extension. So this is not only new contracts, right. This is contract options or extensions. So if you're contracting with the government, the DoD in particular, you need to care about this. You need to have a self-assessment based on NIST 800-171 and you need to post the scores to SPRS. You can see here, it adds a new DFARS Subpart, 204.75, specifying policies and procedures for awarding a contract or exercising an option between November 30th, 2020, and October 1st, 2025. It requires contractors to achieve a CMMC certificate at the level specified in the solicitation at the time of the award. So if the solicitation calls for level three, then you need to be certified at that level. Contractors must maintain a current, less than three year old, CMMC certificate at the specified level throughout the life of the contract or task or delivery order.
Okay, I want to spend a second and talk about this in more detail, because I think this is something that's extremely important as you go down this road. Contractors must maintain a current, less than three year old, CMMC certificate at the specified level throughout the life of the contract or task or delivery order. This isn't a fire and forget thing. You can't just do this once and call it a day; you're going to have to continuously reassess your compliance with these things. Again, you must have a current score, less than three years old, over the life of the contract. When I put on my cybersecurity hat, I'm glad to see that, because I think, unfortunately, folks think, well, if I can get to this level, I'm good to go, and in reality new vulnerabilities come up every day. Businesses change, systems change, people change. It's important to stay on top of this. So I'm glad to see that in there. DoD contractors must immediately post assessments of their cybersecurity compliance on the DoD's SPRS system. Primes are required to flow down the substance of DFARS 252.204-7020 to all subcontractors, excluding commercial off-the-shelf suppliers. Not entirely sure how they got that carved out, but they did. Primes must ensure subcontractors have a current DoD assessment posted in SPRS. Again, that's the flow-down idea. Prior to awarding a subcontract, if a subcontractor does not have a summary level score of a current NIST 800-171 assessment posted in SPRS, the sub may conduct and submit a Basic Assessment to SPRS. So when your prime comes back and says you need to do this, you can do your own Basic Assessment. Again, that is a self-assessment. You can do your own Basic Assessment and post the summary level score in SPRS to at least get to the next level. But ultimately you will need to be fully compliant, or satisfy all the requirements of 800-171. So as far as reporting your Basic DoD Assessment under CMMC, and part of the interim rule,
you can see here DFARS contract clause 252.204-7019 requires the following when you report your Basic DoD Assessment, right. You have to have the standard assessed; in our case it's NIST 800-171. The organization conducting the assessment; in your case, for a self-assessment, it would be your organization. You need to have your CAGE codes, which are Commercial and Government Entity codes. You need to have a system security plan. You need to have the date of assessment completion. You need to have a summary level score, which you're going to compute based on the requirements that I'll show you here in a minute, and we talked about it in the previous course. And then you need to also say when you think you will have all of the requirements satisfied, ideally achieving then a score of 110, indicating that you have met all of the requirements of 800-171. There are three assessment levels. You've heard me say the term basic assessment over and over; again, that's a self-assessment. It has low confidence, it's something you're doing yourself. There's also a medium assessment, which is a review of the system security plan by DoD personnel, that has medium confidence. And then a high assessment, which is an on-site or virtual assessment by DoD personnel. Most people are going to be focused on the basic assessment and computing their scores to get into SPRS, so they can keep those contracts coming. But it's important to point out that all three levels start with the basic assessment, right. You're going to do your own basic assessment. You're going to compute that summary score, and then depending on the contract and your particular situation, you may be subject to one of these other assessments. And again, CMMC is auditable. You're eventually going to have to demonstrate how you've complied with these things. So let's talk a little bit about the Interim Rule scoring.
So the objective assessment of an 800-171 implementation is the output, or the scores are the output of that, I should say. If you can satisfy all 110 controls of the NIST 800-171 standard, then you will get a score of 110, which is what you're shooting for, ideally. Except for controls where scoring is built in for partial implementation, partial implementation is not credited. I highlighted that because again, this is, for the most part except where explicitly defined, an all or nothing thing: you've either satisfied a requirement or you have not satisfied the requirement. And if you've not satisfied the requirement, you need to have a plan of action and milestones for how you're going to satisfy that requirement. The score of 110 is reduced by each requirement not implemented; a negative score is possible. This does not prioritize controls in terms of impact, but some obviously have more impact than others, and controls are weighted based on impact. So let's talk a little about the contractor self-assessment, right? Quote, and this is all being pulled from the NIST documents: the basic assessment is the contractor self-assessment of NIST 800-171 implementation status, based on a review of the system security plans associated with the covered contractor information systems. The basic assessment results in a confidence level of low in the resulting score, because it's a self-generated score. Again, you're doing it yourself. I think, to the government's credit, obviously they're not going to put too much weight in that, because if you've never done this before, you may not really understand what you're doing. And of course people could lie and cheat on this, right? And I think it's important to remember the False Claims Act when you're doing this, because at the end of the day, it's better if you do tell the truth. There isn't a benchmark score you have to achieve; as they mentioned, a negative score is possible.
And I think the first time you do one of these, especially if you're a smaller company, you're probably not going to get a very good score; at least, that's what I certainly see out there. But truthfulness is good because it helps you see where your gaps are. It helps you ultimately build a better cybersecurity posture by implementing more and more of these controls, or satisfying these requirements, and you will ultimately be much more secure, which is good for your business, it's good for your employees, it's good for your contracts, it's good for the government, it's good for your vendors, it's good for everyone that gets involved with your organization. So it really is good for society for you to be more secure. Satisfying these requirements certainly is no guarantee, but you are likely to be a lot more secure than when you started out, and it will certainly show you where the gaps are in your organization. And then, quote, summary level scores resulting from the NIST SP 800-171 DoD assessment should be documented as indicated in section 6 and annex B of this document. You can see that later. So again, it's a 110-point scale. Each of the requirements is assigned a weighted subtractor; satisfied requirements earn points. Partially satisfied requirements may earn a fraction of the points, but again, that's the exception rather than the rule. For the most part, if you have not satisfied the requirement, whatever points are assigned to that particular requirement will be subtracted, thus the quote "weighted subtractor." As I mentioned before, it's possible to earn a negative score. The DFARS Interim Rule requires the submission of a score; it does not specify a specific score. It doesn't say if you get below X that you won't be eligible for contracts. It just says you must submit a score.
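As an added example, not from the course, here is a small Python version of the scoring just described: 110 minus the weighted subtractor of every unmet requirement, with partial credit only where a requirement explicitly has it built in, and negative totals kept rather than clamped. The requirement ids are real NIST SP 800-171 ids, but the weights and partial deductions in the sample rows are constructed placeholders, not values from the DoD Assessment Methodology.

```python
from dataclasses import dataclass
from typing import List, Optional
MAX_SCORE = 110  # perfect score: every one of the 110 requirements satisfied

@dataclass
class Requirement:
    """One NIST SP 800-171 requirement as a row in a scoring spreadsheet."""
    rid: str                 # requirement id, e.g. "3.1.1"
    weight: int              # weighted subtractor if not met (1, 3 or 5 in the methodology)
    status: str              # "implemented", "partial" or "not_implemented"
    partial_deduction: Optional[int] = None  # set only where partial credit is built in

def deduction(req: Requirement) -> int:
    """Points subtracted for this requirement under the weighted-subtractor rule."""
    if req.status == "implemented":
        return 0
    if req.status == "not_implemented":
        return req.weight
    if req.status == "partial":
        # Partial implementation is not credited unless scoring is built in for it,
        # so without an explicit partial deduction the full weight is subtracted.
        return req.weight if req.partial_deduction is None else req.partial_deduction
    raise ValueError(f"{req.rid}: unknown status {req.status!r}")

def summary_score(reqs: List[Requirement]) -> int:
    """110 minus every deduction; a negative result is possible and is kept."""
    ids = [r.rid for r in reqs]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement ids in assessment")
    return MAX_SCORE - sum(deduction(r) for r in reqs)

def poam_items(reqs: List[Requirement]) -> List[str]:
    """Requirements that cost points and therefore need a POA&M entry."""
    return [r.rid for r in reqs if deduction(r) > 0]

# Constructed sample rows, not a real assessment; weights and partial deductions are
# illustrative placeholders. Anything not listed counts as implemented, so a real
# run needs all 110 rows.
SAMPLE = [
    Requirement("3.1.1", 5, "not_implemented"),
    Requirement("3.1.22", 1, "implemented"),
    Requirement("3.3.1", 3, "partial"),              # no partial credit: full 3 lost
    Requirement("3.5.3", 5, "partial", partial_deduction=3),
    Requirement("3.13.11", 5, "partial", partial_deduction=3),
]

if __name__ == "__main__":
    print("Summary score:", summary_score(SAMPLE))   # 96
    print("POA&M needed for:", poam_items(SAMPLE))
```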
Although, I think you can probably say with relative safety that the lower the score is, the more scrutiny you're going to come under in terms of awarding of contracts, and obviously higher scores are better. You may need multiple assessments depending on the organizational size and/or the number of contracts that you have. This is a screenshot of a spreadsheet that I created to keep track of this and compute the score. You can see here a column for value and one for score. So here's your possible points for a given control, and then here's the score earned on that, and you can see in some cases they are negative, right? Again, this is just to illustrate what that might look like. So I've referred to SPRS several times before, right? So what is it? It's the supplier performance reporting system by DoD. It's been around for a long time, but recently they added the capability for contractors to report their basic assessment scores. And basically, for the context of this course, the way you can think of SPRS is as a place for you to report your basic assessment score, including the date, the scope, the plan of action completion date, and your CAGE codes. You have to be granted access to use the system. It does have a single sign-on capability, and you're going to need to request access to it through the Procurement Integrated Enterprise Environment, the PIEE. You can use the system to view your own data, and those with the SPRS Cyber Vendor User role can manage their basic assessment. And you must be registered, again through the PIEE, and approved for access to SPRS. So that's something else you're going to want to consider as you go through this process, knowing that you need to submit the score. You should go ahead and request access to the system sooner rather than later so that you don't eventually become hamstrung, because it may take a while to get access to the system. Why do you care about SPRS? Well, we've already sort of covered this.
DFARS 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, directs contracting officers to verify an offeror's NIST 800-171 assessment is on record. So you must have a score on record in SPRS. DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, requires offerors to ensure results of their current NIST 800-171 assessments are posted in SPRS. So again, they're telling you you've got to do it, and they're telling contracting officers they must verify it. And then DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, requires contractors to ensure applicable subcontractors have the results of a current assessment posted in SPRS prior to an award. So before the prime can give you, as a subcontractor, an award on that contract, they must verify that you have posted your SPRS score. So again, very critical if you plan to do business with DoD. The information that's required, again: the date of the assessment; the summary score out of 110; the scope of the basic assessment, which includes identifying each system security plan supporting a contract; and all your CAGE codes, which must be mapped to the appropriate system security plans. And then, also of critical importance, when are you projecting that you will achieve a score of 110, indicating you've satisfied all the requirements of 800-171? Ultimately, when it comes time to submit your score to SPRS, as I mentioned before, I would strongly recommend that you go ahead and get an account set up and start the process through PIEE before you do all this work and then find out it may take a long time to get this configured. So, as it says here, technically your score does not need to be submitted until contract award. Again, you've got to get yourself set up. You're going to need the SPRS Cyber Vendor User role to manage your basic assessment, and this can be time consuming. It can be somewhat tricky and difficult.
You may not know what your CAGE codes are. You may need to look that up, that sort of thing, so that might create some friction and slow you down. If you've never had a contract before and you don't have your CAGE code, again, you're going to want to do all of this anyway. But you can also email your self-assessment to this email account: W-E-B-P-T-S-M-H@navy.mil. Again, webptsmh@navy.mil, or phonetically speaking, whiskey, echo, bravo, papa, tango, sierra, mike, hotel @navy.mil. And if you are going to send your basic assessment via email, ensure that you encrypt it first. Remember, the assessments themselves are CUI; you need to protect this information. This is sensitive information, not only from a government perspective but also to any bad actors that could get their hands on this data. So you're going to want to treat this information as sensitive and protect it very carefully. Make sure if you're going to email it, you encrypt it first. And we're almost to the end of our review here; we've covered just about everything we've talked about up to this point. Here are a few resources. You can download the DoD Assessment Methodology. Again, I strongly encourage you to do that, as well as the NIST 800-171A, which shows you the assessors' objectives. Here's a link for PIEE, a link to get your CAGE code, and then a link to SPRS. So that's everything for our review. And I will wrap this up and see you in the next video, where we'll work through a project to create some policies and the system security plan and a plan of action and milestones for our sample company, reared and steel. I look forward to seeing you shortly in the next video. Thanks.