Firms throughout the country have been scrambling to self-assess and upload their NIST cybersecurity score in order to compete for and win defense contracts and subcontracts. Additionally, contractors with access to technical data through the Defense Logistics Agency will lose their access on August 16 unless they are in compliance with the interim rule and have a score uploaded.
This article helps unravel the latest requirement.
The DoD Interim Rule requires companies (DoD prime contractors and subcontractors) to perform a cybersecurity self-assessment using the NIST 800-171A controls and post their score to an internet website called SPRS (Supplier Performance Risk System (disa.mil)), which is within PIEE (Procurement Integrated Enterprise Environment (eb.mil)).
The Department of Defense’s (DoD) interim rule went into effect on December 1, 2020. DoD did this because of the importance of cybersecurity, the need to protect the supply chain, the loss of proprietary information to foreign states, and because the CMMC (Cybersecurity Maturity Model Certification), which goes into effect October 1, 2025, is taking 5 years to fully implement.
You will need to establish an account in PIEE to record your score in SPRS. To record your score, you will need to answer six questions (possibly seven, depending on your company’s organization) in SPRS. Your score is good for three years, after which time you will need to perform another self-assessment until the CMMC is implemented. If you would like a no-cost MS Excel tool to perform your self-assessment, you may contact Washington PTAC and request the tool, or you can register with Project Spectrum for assistance; they also have a tool to perform your self-assessment.
There are three exceptions to having to perform this self-assessment. They are:
- You will not provide CUI (Controlled Unclassified Information) as a result of a contract, or do not have CUI in your possession (DoDI 5200.48, “Controlled Unclassified Information (CUI),” Effective March 6, 2020 (whs.mil)), or
- You sell below the micro-purchase threshold, which is $10,000, or
- You sell COTS (Commercial Off the Shelf) products. (101 Definitions. | Acquisition.GOV)
To discuss whether the self-assessment interim rule applies to you, or if you need further assistance, your local PTAC can help. Visit www.washingtonptac.org to find your local advisor.