24 thoughts on “How to submit a NIST SP 800-171 self assessment to SPRS

  1. Mia Evans says:

    Thanks for helping me understand that it is needed to have a security system plan that describes your system before applying for an NIST 800-171 certification according to the self-assessment methodology. It must be important to have a professional to help you out in these processes, since it is better to prevent errors than rectify them afterward. I can imagine how you can save time and money by doing so, while you also focus on running your company instead of handling things that you are not an expert of.

  2. Colin Marshall says:

    Question: The policy for my organization is for no CUI to be received, stored, processed on organization systems; the current contracts mandate the organization only receive, store, process CUI on US-provisioned systems (Gov or partner systems). So the questions are, as it is not clear:

    How does the organization submit any self-assessment for a system it doesn’t own?

    As it will not be receiving, storing, or processing CUI on its own network, how does that affect any future contract bids?

    Does the organization still complete the self-assessment against the systems in use (US Gov or partner systems) or would that be considered a false assessment, as it is not strictly an assessment of the organization itself?

    Will the organization eventually be required to create its own solution, which is capable of receiving, storing, and processing CUI (even though there is absolutely no requirement to do so at this time), if it is to be a viable candidate for any future contract bids?

    • Barb F. says:

      It’s been a couple of years since Colin’s post and still no clarity on this type of situation. We also have this situation and there still isn’t any relevant information that I can find about how to answer those self-assessment questions. We’re a subcontractor to the Prime, the Prime stores all the CUI on their organizational systems. We would only use our laptops to connect via a VPN provided by the Prime to view the data on their system. We cannot download the CUI. We performed a self-assessment using that scenario and turned it into the Prime, their security group is saying we fail and cannot view CUI. We performed our self assessment at a Contract level. I keep hearing gov wants small business to get more contracts, but this cybersecurity assessment requirement is pretty onerous and not something easily done by a small company. I understand the security need, but what is being asked is extremely difficult to do in its entirety. And getting outside assistance? The costs are prohibitive for small companies. There has got to be a better way.

  3. Adam Lief says:

    SPRS no longer loads for me…..

    “This page can’t be displayed

    Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://sprs.csd.disa.mil again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator. “

  4. Matthew says:

    Can anyone provide clarity on what value or entry is expected to be populated in the “System Security Plan (SSP) Assessed:” text box?

    Thank you in advance for any help.

    • Amira Armond says:

      Hello Matthew and Bryn,

      Take this advice at your own risk, but the way I’ve been doing it is providing a unique identifier or name for the system security plan. This generally matches the unique identifier or name for the information system assessed, in my templates.

    • Hugo says:

      That field and the following two which ask about revision and date refer to the name, rev, and date of your internal system security plan.

  5. Ken says:

    Many of the questions do not apply to my situation. What do I do? Assuming I have only one computer not connected to a LAN, no file sharing etc.
    All these things that don’t apply to my situation should Istill deduct it from my score?

    • Amira Armond says:

      Hi Ken,

      The broad answer, without knowing your situation, is that the majority of the questions DO apply to your situation, but you may not even have the capability to do them correctly with your one computer. Not having a firewall doesn’t mean you are exempt from the requirement to have a firewall, for example. These questions should not be answered by someone who isn’t trained in cybersecurity, or at least is fairly senior in systems administration. This is a legitimate skillset, just like only doctors are allowed to do surgery or prescribe medications.

      The exception, which you might be trying to explain, is if you have a standalone computer that isn’t connected to any network, no wireless, no Internet, no email. But then the question is, how are you getting data to-and-from this computer? Are you emailing it to your gmail account at home, loading it onto a thumb drive, moving it to your work computer, working on it, and back-and-forth, etc? That is no good either – your thumb drive and personal computer are now in-scope.

      The cybersecurity self-assessment requirement is a huge problem for little companies like yours. I don’t have a solution. I hope you have not been dealing with Controlled Unclassified Information (CUI). If you haven’t been, then this shouldn’t apply to you (except for the part where your prime or the contract officer is requiring it).

      For little tiny companies that have been dealing with CUI, the frank advice is that you can’t do the necessary amount of security on your own and you need to find a partner information system to use instead. Reference this article: Where is the easy button for CMMC? Technically, right now, you can still get contracts without being cyber-secure, but it is a disservice to the United States if you don’t try to improve your security.

      This isn’t directly at you, but at others reading this in the same situation. Reach out for help. The CMMC-AB marketplace is a good place to find cybersecurity talent. https://cmmcab.org/marketplace

      • Ken says:

        Thanks for the quick reply,
        No my computer is connected to the internet, and is behind firewall (all windows computers have a firewall built in and turned on by default)
        What I meant was the computer is not hooked up to a network for file sharing purposes.
        The computer is connected to internet, behind software firewall (the router also has NAT). It is also virus protected, and external backup device is encrypted.
        The computer is also password protected, and office is locked, and any paper documents are also locked in filecabinet inside locked office.
        The email address that does business is hooked up to only this one computer (and no other devices, no cloud services, nothing else)
        There are plenty of instances I seen where things dont apply to my situation. Many of the questions have to do with computers on a domain, that are controlled through active directory on a server.
        There is also things regarding remote access which also does not apply to me.
        I can go on and on about these questions that dont apply to me, but lets just take the few examples. Do i need to deduct the points for not having a server with a domain controller configured with active directory?
        or do i need to deduct points for the question about remote access, when i dont use remote access? (and i have RDP disabled)
        PS, I am an IT technician, but i am not an expert by any means of the cybersecurity assessment,
        I do understand all the questions asked on the assessment.
        I can understand what you mean about someone not an expert in IT not being able to do this properly because the questions asked are not in laymans terms by an means

  6. doug white says:

    My company’s score was well below 0. The SPRS site would not let us enter a score below zero. The phone number for assistance in SPRS is not answered, but has a message that says they don’t really check messages. Instead we should send an email to webptsmh@navy.mil. I’ve sent a few emails to the address and get no responses.

    • Amira Armond says:

      Hello Doug, that isn’t normal. You should be able to submit a negative score. Did the system update and change its field settings?

  7. Charles says:

    I have been trying to upload my CUI SSP via PIEE, having issues with OTP.
    It seems that when you select send OTP it suppose to send to your registered email address. It does not, I have the Authenication APP loaded on my Cell. still no luck. Anyone experiencing this issue.
    I sent an email to the help desk, no response yet. Also called the help Desk and they are overwhelmed with calls. So if anyone has a fix please share.

  8. John Sciandra says:

    Hi Amira,

    I would like to add information to the question: Q: If my organization doesn’t have CUI on our systems (we use Gov or partner systems for CUI), should we submit something?

    Use the CMMC assessment levels as a guide since the majority of companies will presumably be assessed at CMMC Level 1 meaning – No CUI. At level 1 you still must protect FCI (Federal Contract Information). Things like information that is on your contract, but without handling CUI you will not have to undergo a more rigorous assessment at the higher levels.

    So to be safe – you should still respond even if you don’t handle CUI or risk not getting your contract. Katie Arrington spoke about the website called Project Spectrum where there is a free assessment tool that can also automatically upload your results into the SPRS for you. I don’t know the details but it is worth a look for those who are struggling.

    Hope this helps.

    John Sciandra

  9. Jeff says:

    Having problems getting the SPRS Supplier Performance role setup. We requested it several days ago, and still nothing. In the ROLES page, there’s a red box that says “not permitted to update your own role” .

    The person requested the SPRS role is the admin.

    Do we need to setup an Admin#2 so that Admin#2 can approve the SPRS role for Admin#1 ?

    • D. Horn says:

      Call the DISA help, they can activate the SPRS role for you. I am our Admin and that is how I got activated. You can also set up another admin.

  10. Terry Parks says:

    Apparently there is no way to register as our company has never had a direct contract.
    When I tried to register I got this error when I clicked to move on from the “Rolls page”:
    “Error: The Location Code ##### cannot be added until a Contractor Administrator is established to support your organization. Primary EBPOC: xxxxxxxxxxxxxxxxxxxxxxxxx. Alternate EBPOC: xxxxxxxxxxxxxxxxxxxxxx. Please see the Vendor – Getting Started Help instructions on the WAWF Homepage for details on how to establish a Contractor Administrator.
    That page tells me to register with CCR which I cannot reach.
    Advise?

    • Amira Armond says:

      Hello Terry,

      If all else fails, go back to the default which is mailing your self-assessment score using an encrypted email.

      Here is an excerpt from the DoD Acquisition Cyber FAQs on the topic:
      https://dodprocurementtoolbox.com/faqs/cybersecurity

      Q129: Who can post NIST SP 800-171 DoD Assessment results to the Supplier Performance Risk System (SPRS)? What will be posted?

      A129: A contractor may submit, via encrypted email, summary level scores of Basic Assessments conducted in accordance with Section 5 and Annex B of NIST SP 800-171 DoD Assessment Methodology, available at https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.1%20%203.13.2020.pdf, to webptsmh@navy.mil for posting to SPRS.

      DoD will post the following Medium and/or High NIST SP 800-171 DoD Assessment results to SPRS for each system security plan assessed:

      The standard assessed (e.g., NIST SP 800-171 Rev 1).

      Organization conducting the assessment, e.g., DCMA, or a specific organization (identified by Department of Defense Activity Address Code (DoDAAC) or Commercial and Government Entity (CAGE) Code).

      Each system security plan assessed, mapped to the specific industry CAGE code(s) associated with the information system(s) addressed by the system security plan. All corporate CAGE codes must be mapped to all appropriate system security plan(s) if the contractor has more than one system security plan and CAGE code. Additionally, a brief description of the system security plan architecture may be required if more than one plan exists.

      Date and level of the assessment, i.e., basic, medium, or high.

      Summary level score (e.g., 105 out of 110), but not the individual value assigned for each requirement.

      Date a score of 110 is expected to be achieved (i.e., all requirements implemented) based on information gathered from associated plan(s) of action developed in accordance with NIST SP 800-171.

Leave a Reply

Your email address will not be published. Required fields are marked *