Common SPRS Score Mistakes that DoD Contractors Make

Preparing for CMMC and reporting your SPRS Score to DoD requires following the right process. In this article, we'll identify many common mistakes that DoD contractors make in determining their score. We will also provide recommendations to ensure an accurate SPRS Score that will help you get ready to meet stringent CMMC requirements.

For many contracts, the Department of Defense (DoD) requires contractors, sub-contractors, and suppliers to submit an attestation of cybersecurity compliance in the form of a Supplier Performance Risk System (SPRS) Score. Many Prime Contractors, teaming partners, and even customers are also requiring this score.

The DoD Assessment Methodology (DoDAM) that must be followed to generate the SPRS Score has a complex and confusing assessment process, especially for those without extensive DoD compliance and audit experience. This leads businesses to make significant mistakes when attempting to conduct an in-house self-assessment to determine their score.

The requirement for an SPRS Score is a result of the DFARS 252.204-7012 (DFARS 7012)¹ contractual clause and its DFARS Interim Rule (September 2020).²

The draft Proposed Rule for CMMC 2.0 was released December 26, 2023 and is expected to be final in Summer 2024. However, the SPRS Score will continue to be reported to DoD and there is no change to how it is calculated.

In submitting an SPRS Score to DoD, misrepresentation of compliance and security violations that reveal non-compliance can result in the Government taking adverse actions.³ These may include criminal and civil penalties under the False Claims Act (FCA)⁴, loss of contracts, fines, and/or suspension of the ability to continue doing business with the U.S. Government.

An accurate SPRS Score based on a proper assessment gives you a clear view of where your business really is with compliance, where your business needs to be, and the path to get there. It shows due diligence that your business is acting in good faith to meet compliance requirements and protect sensitive Government data / Controlled Unclassified Information (CUI). An accurate SPRS Score also supports important strategic decisions on investments of time, effort, and money to improve your cybersecurity and prepare for compliance requirements like CMMC.

Common Mistakes

• Not Evaluating Assessment Objectives
  • The DoD Assessment Methodology requires following the assessment process in the NIST SP 800-171A Assessment Guide (incorporated fully into the CMMC 2.0 Level 2 Assessment Guide).
  • This means evaluating all 320 total assessment objectives within the 110 controls.
  • It is invalid to evaluate a control as “Implemented” (Met) without fully meeting all of its assessment objectives.
    
  
  
• Miscalculating the Score
  • The SPRS Score is subtractive. It begins at a perfect score of 110 points, then subtracts the Control Weight (5 points, 3 points, or 1 point) of each control not met.
  • The range for an SPRS Score is -203 points to +110 points.
  • Peerless finds that most first-time assessments have a negative score due to incomplete controls. However, the SPRS Score can often quickly be made positive by implementing the right solutions.
    

• Giving Yourself Credit for Incomplete / Partial Controls
  • The DoD Assessment Methodology requires an all-or-nothing approach to scoring each of the 110 controls.
  • Controls must have all their assessment objectives fully implemented to receive credit.
  • Partially Implemented controls subtract the full weight (point value) of the control, the same as Not Implemented controls.
  • DoD only permits Official Partial Credit for two controls: 3.5.3 and 3.13.11.
    
  • If the specific requirements to qualify for Official Partial Credit status in the DoD Assessment Methodology are met, fewer points are deducted for these controls.
  • Peerless finds that most first-time assessments result in a negative SPRS Score due to incomplete controls. With the right recommendations, SPRS Scores can quickly and easily become positive.
  
  
• Marking Controls as Not Applicable (N/A)
  • DoD only permits Not Applicable (N/A) status for five controls (3.1.12, 3.1.13, 3.1.16, 3.1.17, and 3.1.18).
  • If the specific requirements to qualify for N/A status in the DoD Assessment Methodology are met, points are not deducted for these controls.
    
  • The assessment objectives of the remaining controls must be fully met, whether or not they apply to your information systems or operations.
  • Meeting such assessment objectives may require an administrative approach (ex. documenting a formal explanation, policy, process, procedures) and/or a technical approach (ex. implementation, enforcement).
  
  
• Marking Controls as Alternative Measures, Temporary Deficiency, Enduring Exception, or Risk Acceptance
  • Control status will almost always be one of the following:
    • Implemented (Met)
    • Partially Implemented (Partially Met / Not Met)
              [Lose all points.]
    • Official Partial Credit (Partially Met / Not Met)
              [Only permitted for controls 3.5.3 and 3.13.11.]
    • Not Applicable (N/A)
              [Only permitted for controls 3.1.12, 3.1.13, 3.1.16, 3.1.17, and 3.1.18.]
  • The other control statuses mentioned in the DoD Assessment Methodology should only be used with caution and thorough understanding. They will not be permitted by DoD without documenting sufficient justification and/or formal approvals.
    • Alternative Measures
    • Temporary Deficiency
    • Enduring Exception
    • Risk Acceptance
  • We strongly recommend contacting DoD compliance experts like Peerless to advise where it might be appropriate to use one of these other statuses and how to best document justification for each specific use.
    
    
• Improper Scope / Compliance Boundary
  • Proper evaluation of controls and your overall compliance with DFARS 7012 requires a clear determination of what is in-scope and out-of-scope.
  • The compliance boundary of your information system must be clearly defined, described, and diagrammed; along with every other system connecting to, supporting, or exchanging data with it.
  • Scope review must include not only your internal network and enclaves, but also anything associated with them. For example: cloud providers, vendors, Software as a Service (SaaS) products, physical facilities, network infrastructure, and external systems that connect to your system or with which you exchange data.
  • Many contractors lack the expertise to make accurate scope determinations, missing things that are in-scope and including things that are out-of-scope.
  • Improper scoping results in not only an inaccurate SPRS Score but also expensive surprises, such as the urgent need to change solutions and vendors.
  
  
• Lack of Policy Documentation
  • Many assessment objectives cannot be met by technical solutions alone.
  • At least 60 of the 110 controls (164 points) contain assessment objectives that require policy-related documentation.
  • This means some controls are impossible to meet without sufficiently documented policies, processes, and procedures.
    
  
  
• Not Having a Proper SSP or POA&M
  • The System Security Plan (SSP) is a required document that is mandatory to submit an SPRS Score. It describes your system and the implementation of controls.
  • The Plan of Action & Milestones (POA&M) is a required document that tracks remediation of controls that are not fully implemented.
  • The SSP must clearly describe your information system and sensitive data, indicate the evaluated status for all 110 controls, and provide details on how those controls' 320 assessment objectives have been implemented.
  • The SPRS system does not store SSPs or POA&Ms; however, the Government can request to review them at any time. Prime contractors and partners may also request your SSP and POA&M for review.
  • The Defense Contract Management Agency (DCMA) has been conducting random spot-checks of contractors’ SSPs and SPRS Scores to determine due diligence and SPRS Score accuracy.
  • The SSP and POA&M Templates from NIST SP 800-171 are not recommended because it was never updated to meet the DoD Assessment Methodology requirements and DoD / Federal audit expectations. Peerless has found that many SSP Templates have these shortcomings.
    

• Reliance on Control Explanations or Layman’s Terms
  • Controls can only be evaluated as Implemented (Met) if the required assessment process has been followed and all the control assessment objectives have been fully met.
  • Unofficial control explanations, examples, summaries, simplifications, and layman’s terms should not be used, as they are sometimes incorrect and will almost never fully address the required assessment objectives.
  • While they can be useful in trying to understand some of the controls in plain language, they should never be relied on to evaluate controls.

• Following the NIST Handbook 162
  • The NIST Handbook 162 must not be used as the basis for a self-assessment and SPRS Score.
  • It can be useful to help understand some of the controls in plain language, but it does not cover the required assessment objectives and can be very misleading in its simplicity.
  • NIST withdrew the NIST Handbook 162 because it conflicts with the official Assessment Guide.

• Lack of DoD Compliance Expertise
  • There is no substitute for hands-on experience with DoD assessments, expert interpretation of control requirements, and meeting the expectations of DoD / Federal auditors. In the future, this will include CMMC Third-Party Assessment Organizations (C3PAOs).
  • The DoD Assessment Methodology and its required CMMC 2.0 / NIST SP 800-171 Assessment Guides can be very complex. Almost no guidance has been provided by DoD as to how control objectives should be interpreted or met.
  • Interpreting the requirements of each control’s assessment objectives needs multiple levels of specialized knowledge and experience:
          Information Technology
           ↪   Cybersecurity
                  ↪   General Compliance
                         ↪   DoD Compliance and Audits
  • If your employees, consultants, and third-party partners do not have those layers of experience, we highly recommend that you leverage the help of a company like Peerless that applies highly specialized experience across cybersecurity, compliance, engineering, and managed services (MSP).

How to Get an Accurate SPRS Score

• Conduct a proper third-party Gap Assessment / Gap Analysis to evaluate the controls, generate the SPRS Score, and create your System Security Plan (SSP).
  • This will result in a much more accurate score and demonstrates due diligence to Prime contractors, partners, and the DoD.
  • Beware of companies that do not follow the required DoD Assessment Methodology, are too quick-and-easy, or are too cheap to be true. A good assessment company should demonstrate industry experience and provide hours of control evaluation by a qualified, professional compliance analyst.
  • Peerless offers very affordable, expert assessments at two levels:
    • The Abridged Assessment is designed for companies needing the bare minimum of a quick, highly conservative estimate of their compliance, a System Security Plan (SSP), and an SPRS Scoresheet. We also offer thorough Policy Templates for an immediate score improvement.
    • The Full Assessment is in-depth, providing a more extensive System Security Plan (SSP); detailed Plan of Action & Milestones (POA&M); SPRS Scoresheet; Policy Templates; and an outbrief meeting to present assessment findings and recommendations for your business that cover the SPRS Score in addition to other common DoD / Federal regulations and cybersecurity best practices.

OR...

• Carefully follow the steps and read the detailed explanations in our completely FREE and comprehensive DoD SPRS Scoring and Self-Assessment Tool.
  • Not only does this free tool properly calculate your score, it also provides automated error checking for most common mistakes.

• Avoid tools that oversimplify the process, such as websites and spreadsheets that don’t offer explanations or even refer to the required assessment objectives within each control.
  • These tools can be misleading about what DoD requires and sometimes do not accurately calculate the SPRS Score given proper inputs.
    
  
  
• Manually check your score against the DoD Assessment Methodology, Annex A (Scoring Template) before submission to the SPRS system.
  • Tools that clearly show the calculation for each control make it much easier to manually check the score.

• Ensure you have policy documents that thoroughly cover the CMMC 2.0 / NIST SP 800-171A assessment objectives.
  • Peerless offers inexpensive Policy Templates written from the ground up to address all 110 CMMC 2.0 / NIST SP 800-171 controls and their 320 assessment objectives.

• Leverage help from engineers and consultants that are experienced in DoD compliance.
  • Peerless has engineering, cybersecurity, and compliance teams with the expertise to advise on, design, implement, and manage compliant solutions for DoD contractors.
  • One of our specialties is migrating DoD and Federal contractors from on-premises architectures and Commercial clouds to compliant U.S. Government clouds.

• Partner with a Managed Service Provider (MSP) that is experienced in DoD compliance.
  • Peerless offers MSP that specializes in the compliance needs of DoD contractors.
  • We only employ U.S. Citizens and operate out of a U.S. Government cloud.