SPRS (Supplier Performance Risk System) score and CMMC / NIST 800-171
When you are awarded a U.S. government contract involving the use or creation of CUI, your principal may ask you to submit your SPRS score.
Some of your partners may also require you to submit your SPRS score, even if you don't have a contract with the U.S. government.
What is the SPRS score? Answer in this article.
Objective of the SPRS score
The SPRS score is obtained after a gap analysis between your actual security level vs. the 110 NIST 800-171 controls.
When you start the gap analysis, you start with a score of +110 points. You then lose points for each NIST 800-171 control not met.
Note that some controls carry more weight than others. Some are worth 5 points, while others are worth 3 or 1.
Not worried about having a negative SPRS score
Your SPRS score can range from +110 (full compliance with NIST 800-171) to -203 points (nothing in place).
Many organizations dread having a negative SPRS score, as this could send out the wrong signal to their partners. However, it's worth noting that it's not dramatic if your first SPRS assessment gives you a negative score, because you probably have controls that aren't in place.
On the other hand, you need to work quickly to improve your SPRS score by implementing the appropriate controls.
The SSP (System Security Plan) required to submit your SPRS score
The SSP can be likened to the organization's overall security policy. It gives an idea of the NIST 800-171 requirements met by the company.
Having a SPS is mandatory to submit your SPRS score.
Where to submit your SPRS score
Your SPRS score must be submitted on the US Department of Defense platform: https://www.sprs.csd.disa.mil/
You must have a PIEE (Procurement Integrated Enterprise Environment) account to submit your SPRS score.
How StreamScan can help you with your CMMC compliance process
Streamscan is a CMMC Registered Provider Organization (RPO) and is officially authorized to assist organizations in their CMMC process.
Contact one of our experts or call us at +1 877-208-9040 to discuss your CMMC compliance.