The DFARS Interim Rule requires Department of Defense (DoD) contractors whose contracts contain the new version of DFARS Clause 252.204-7012 to submit their scores to the Supplier Performance Risk System (SPRS).
Technically, your score does not need to be submitted until contract award, and presumably contract evaluation. However, many prime contractors and business partners are pushing for early score submissions in response to the DFARS Interim Rule.
Like many other DoD contractors, you may be having difficulty obtaining SPRS access through the Procurement Integrated Enterprise Environment (PIEE). Instead of waiting, you can email your DoD Self-Assessment score to the Supplier Performance Risk System (SPRS).
This article will walk through the current email submission process, as this process and format are different than what was documented in the Interim Rule and various other sources online.
Conduct the assessment and obtain your score using Cybersecurity professionals who carefully follow the required DoD Assessment Methodology for NIST Special Publication (SP) 800-171A.
Peerless offers a completely free DoD Self-Assessment and Scoring Tool with links to all the resources you need to perform the assessment and obtain your score.
In order to be complete, accurate, and demonstrate due diligence, the self-assessment needs to be conducted using Cybersecurity professionals experienced in the assessment of compliance controls. We strongly discourage contractors from attempting to guess at the implementation of controls, as that may be considered a misrepresentation to the Government and a violation of the False Claims Act. Penalties for this may include loss of contracts, loss of ability to bid on future contracts, fines, and even criminal charges.
Your score is not permanent. There is no limit to how often you can update your score via email submission or the SPRS website. However, you must notify the Contracting Officer of any changes in score for contract bids and existing contracts that include the new version of DFARS Clause 252.204-7012 [December 2020 onwards] or DFARS Clauses 252.204-7019 / 252.204-7020.
Your SPRS score submission will fall into one of three categories, depending upon your organizational structure, Commercial and Government Entity Program (CAGE) hierarchy, and current DoD contracts:
Per the DFARS Interim Rule, DoD expects all contractors to eventually achieve a perfect score of 110. However, there is currently no public guidance on how Contracting Officers are to evaluate scores.
The 'Plan of Action Completion Date' must be determined according to your compliance project timelines. This is the date you expect to attain a perfect score of 110, having completed full implementation of all control requirements. There is no official guidance on choosing an appropriate date; however, a perfect score of 110 requires extensive documentation and technical implementation.
We recommend choosing an expected Completion Date within one year. If at any point you determine that you will not meet that date, update it via another email submission or by editing it on the SPRS website. Note that you must notify the Contracting Officer of any changes in expected Completion Date for contract bids and existing contracts that include the new version of DFARS Clause 252.204-7012 [December 2020 onwards] or DFARS Clauses 252.204-7019 / 252.204-7020.
Your CAGE codes represent the part(s) of your organization included in the assessment and represented in the final System Security Plan (SSP) document. You can find your organization's CAGE codes online, using search terms with asterisks as wildcards. For example, entering the term "Peerless*" would find "Peerless Tech Solutions."
Encryption of your email submission is no longer required. The SPRS Customer Support Desk has advised they are not requiring encryption for email score submission. Choosing to encrypt your email submission, in accordance with the absolute letter of the DFARS Interim Rule, may delay score submission. If you do not wish to encrypt your email submission, please proceed to the next step.
If you wish to encrypt your email submission, you must first email firstname.lastname@example.org to request an encryption certificate. Depending upon request volume, this certificate may take several days to receive. Unfortunately, the certificate received will only allow you to send an encrypted email of your score submission to the specific Customer Support Desk person who sent it to you.
If you have never sent an encrypted email to DoD before, doing so for the first time may require IT support. Your email client must be set up to use your encryption certificate and the email recipient's encryption certificate must be saved in your contacts. Some resources that may help in encrypting your email:
○ U.S. Naval Academy instructions on sending DoD encrypted email with Outlook.
○ Microsoft Support article on encrypting email with Outlook.
○ Google Support article on enabling S/MIME encryption, which is currently only supported by G Suite Enterprise and G Suite Education.
To submit your score, send an email (optionally encrypted and signed) to email@example.com with the subject line "SPRS Basic Assessment Submission" in the exact format specified below:
| Field | Value |
| --- | --- |
| Cybersecurity Standard Assessed: | NIST SP 800-171 rev. 2 |
| Organization Conducting the Assessment: | Name of your organization, since you are responsible for the self-assessment. |
| Assessment Date: | Date of your assessment, as MM/DD/YYYY |
| Assessment Score: | Score obtained, between -203 and 110 |
| Scope of Assessment: | "Enterprise", "Enclave", or "Contract". See above for descriptions. |
| Plan of Action Completion Date: | Expected date to complete all assessment POA&M items and obtain a perfect score of 110, as MM/DD/YYYY. If the score is already 110, then "N/A". |
| Included CAGE(s): | The CAGE code(s) covered by the assessment |
| Name of System Security Plan (SSP): | The name or scope of the SSP. If the SSP only applies to one network or location, it should be described here. If the Scope of Assessment is "Enclave" or "Contract", it should be described here. |
| SSP Version / Revision: | The version or revision number of the SSP. |
| SSP Date: | The date of the SSP. Should be equal to or greater than the Assessment Date. |
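As an added example (not from the original article or from Peerless), the following Python checks a prepared submission's fields against the constraints stated in the table before the email is sent: score range, date format, SSP date not earlier than the assessment date, and the "N/A" rule for a perfect score. The contractor name, CAGE code and dates in `SAMPLE` are constructed values.

```python
from datetime import datetime

SCOPES = {"Enterprise", "Enclave", "Contract"}
MIN_SCORE, MAX_SCORE = -203, 110  # score range of the DoD Assessment Methodology

SAMPLE = {  # constructed sample submission; fictitious contractor and CAGE code
    "Cybersecurity Standard Assessed": "NIST SP 800-171 rev. 2",
    "Organization Conducting the Assessment": "Example Contractor LLC",
    "Assessment Date": "11/30/2020",
    "Assessment Score": "87",
    "Scope of Assessment": "Enclave",
    "Plan of Action Completion Date": "06/30/2021",
    "Included CAGE(s)": "1ABC2",
    "Name of System Security Plan (SSP)": "Example Contractor CUI Enclave SSP",
    "SSP Version / Revision": "1.2",
    "SSP Date": "11/30/2020",
}

def parse_date(value):
    """Parse the MM/DD/YYYY form the template requires; None if malformed."""
    try:
        return datetime.strptime(value, "%m/%d/%Y").date()
    except ValueError:
        return None

def validate_submission(fields):
    """Return a list of problems; an empty list means the fields are consistent."""
    problems = []
    if fields.get("Cybersecurity Standard Assessed") != "NIST SP 800-171 rev. 2":
        problems.append("standard must be 'NIST SP 800-171 rev. 2'")
    if fields.get("Scope of Assessment") not in SCOPES:
        problems.append("scope must be Enterprise, Enclave or Contract")
    raw = fields.get("Assessment Score", "")
    score = int(raw) if raw.lstrip("-").isdigit() else None
    if score is None or not MIN_SCORE <= score <= MAX_SCORE:
        problems.append(f"score must be an integer between {MIN_SCORE} and {MAX_SCORE}")
    assessed = parse_date(fields.get("Assessment Date", ""))
    ssp = parse_date(fields.get("SSP Date", ""))
    if assessed is None or ssp is None:
        problems.append("assessment and SSP dates must be MM/DD/YYYY")
    elif ssp < assessed:
        problems.append("SSP date must not precede the assessment date")
    poam = fields.get("Plan of Action Completion Date", "")
    if score == MAX_SCORE and poam != "N/A":
        problems.append("completion date must be 'N/A' when the score is 110")
    elif score is not None and score < MAX_SCORE and parse_date(poam) is None:
        problems.append("completion date must be MM/DD/YYYY when the score is below 110")
    if not fields.get("Included CAGE(s)", "").strip():
        problems.append("at least one CAGE code is required")
    return problems
```

Run `validate_submission(SAMPLE)` on your own field values before pasting them into the email; any returned string is a field the Customer Support Desk would otherwise bounce back.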
You will receive an email confirmation of the score submission once the SPRS Customer Support Desk processes your email. While waiting, we highly recommend obtaining access to the SPRS website for future score updates and submissions.
If you do not receive a confirmation within 5 business days, we suggest replying to the original email thread to request a status update on your score submission.
At Peerless, we understand the ever-changing complexities of Cybersecurity compliance and federal regulations. We can help with a self-assessment, internal audit, third-party assessment, and any other compliance needs.
We want to assist every DoD contractor with their immediate and future compliance needs as efficiently and effectively as possible.