If you’d like to know more about how DFARS, NIST 800-171, SPRS, and CMMC all work together, you’ve come to the right place. In this blog, we’ll discuss how these regulations, standards, and tools combine to support thorough DoD compliance.
Interplay of DFARS vs NIST 800-171 vs SPRS vs CMMC
The Defense Federal Acquisition Regulation Supplement (DFARS), established in 2015 by the U.S. Department of Defense, outlines DoD regulations. DFARS is focused on protecting the confidentiality of Controlled Unclassified Information (CUI). In order to be awarded new DoD contracts, a contractor or supplier must comply with this set of cybersecurity regulations. As of June 2022, the DFARS 7019 clause states that compliance with the NIST 800-171 controls and the submission of a NIST 800-171 SPRS score are requirements.
NIST 800-171, published by the National Institute of Standards and Technology, is a set of controls that outlines exactly what must be in place to ensure that a sufficient information security program is established. NIST 800-171, holistic and in line with leading security standards, focuses on ensuring appropriate coverage of controls across the entire cyber ecosystem. NIST 800-171 compliance is required by DFARS, whose regulations rely on it.
The Supplier Performance Risk System (SPRS) is a self-certification scoring method based on the NIST 800-171 control framework. The SPRS provides contracting officials with a score reflecting the overall risk of the supplier. SPRS scores must be supplied to the DoD using the designated systems. Current scores must be maintained; they cannot be more than 3 years old.
CMMC 2.0 brings DFARS, SPRS, and NIST 800-171 together. CMMC is a unifying standard for security implementation across the Defense Industrial Base (DIB). CMMC ensures that DIB companies establish appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and CUI. CMMC applies to DIB organizations whose unclassified networks possess, store, process, or transmit FCI and CUI.
CMMC 2.0 Assessment Guide
CMMC Assessment version 1.0 includes 5 levels, and CMMC Assessment version 2.0 includes 3 levels. ControlCase has further broken level 2 down into two sections:
- Level 1 (FCI only): Self-assessment (optionally assisted by ControlCase)
- Level 2a (CUI in addition to FCI): The information that you manage is not critical to national security – Self-assessment (optionally assisted by ControlCase)
- Level 2b (CUI in addition to FCI): The information that you manage is critical to national security – C3PAO assessment (once every three years)
- Level 3 (CUI in addition to FCI): The information you manage involves the highest-priority, most critical defense programs – Government audit (once every three years)
Steps for a Company to Achieve DoD Compliance
To initiate the process of obtaining DoD compliance, complete a self-assessment against the NIST 800-171 framework and determine your score.
For entities with FCI and CUI within their unclassified networks, use the following steps:
- Document your CUI SSP.
- Perform an assessment of all NIST 800-171 controls, as documented in your CUI SSP, that includes formal evidence collection and reporting.
- Calculate your NIST 800-171 score, as required by DFARS 7019.
- Document any deficiencies with remediation steps in a Plan of Action and Milestones (POA&M) document.
- Complete your affirmation in the SPRS.
- Maintain evidence of your NIST 800-171 compliance to avoid DoJ False Claims Act investigations.
ControlCase Continuous Compliance Services
Continuous Compliance services help companies reduce time, cost, and burden while maintaining ongoing control over their security. Making compliance a continuous process instead of a point-in-time exercise allows protection to remain thorough and current.
ControlCase, a CMMC Registered Provider Organization, can assist companies with self-assessment and controlled assessment against NIST 800-171, and with SPRS scoring. In addition to federal regulations, ControlCase is a formal auditor for other standards such as PCI and ISO.