Defense contractors need to self-assess their compliance with NIST SP 800-171 and report the result in the Supplier Performance Risk System (SPRS). However, some contractors have difficulty gaining access to the system through the Procurement Integrated Enterprise Environment (PIEE). If that’s your case, we have good news: you can also submit your SPRS score via email. In today’s post, we tell you how to do it.
What Is an SPRS Self-Assessment Score?
As you probably know, DFARS 252.204-7012 requires the safeguarding of Covered Defense Information (CDI) by implementing the controls found in NIST SP 800-171.
However, additional security requirements were introduced through DFARS clauses 252.204-7019 and 252.204-7020.
DFARS 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) requires contractors to conduct a self-assessment of their compliance with the NIST SP 800-171 controls and report their scores in the Supplier Performance Risk System (SPRS).
For its part, DFARS 7020 (NIST SP 800-171 DoD Assessment Requirements) states that defense contractors may submit their NIST SP 800-171 self-assessment score to SPRS via email.
No doubt, this can be handy, as signing in to SPRS through the Procurement Integrated Enterprise Environment (PIEE) can be difficult. But how do you do it? In the next section, we’ll tackle that part of the equation.
How to Submit Your SPRS Score by Email
Below is a step-by-step description of how to submit your SPRS score by email. If you need help with any part of the process, don’t hesitate to contact us.
Get an accurate NIST 800-171 Self-Assessment and Score
To obtain your self-assessment score, we encourage you to work with professionals familiar with the DoD Assessment Methodology for NIST SP 800-171. Failing to follow the correct methodology can lead to errors, which in turn can result in fines and even criminal charges.
Determine your Scope of Assessment
Depending on the structure of your organization, your score will fall into one of the following three categories:
- Enterprise: Covers a company’s entire network under the CAGE codes listed
- Enclave: For standalone environments under the CAGE code as a business unit (for example, hosted resources)
- Contracts: For contract-specific System Security Plan (SSP) reviews
Set Your Expected Completion Date
Your “Plan of Action Completion Date” is the date when you expect to achieve a perfect score of 110. Keep in mind that full implementation can require extensive work, so make sure to check with a professional to determine a date that makes sense.
Find Your CAGE Codes
A Commercial and Government Entity Code, or CAGE code, is a five-character identifier assigned by the Defense Logistics Agency to government and defense suppliers. CAGE codes identify a given facility at a specific location.
You can find your CAGE codes by filling out this form. Just write your company’s legal name and click on “Search.”
Describe the System Security Plan Format
Offer a brief description of the SSP format and system architecture.
Submit Your Self-Assessment Score by Email
Once you have obtained an accurate self-assessment score, send it by email to [email protected].
Make sure to use the subject line “SPRS Self-Assessment Score Submission” and follow this format:
- Cybersecurity Standard Being Assessed: NIST SP 800-171 rev. 2
- Organization Conducting the Assessment: the name of your organization
- Assessment Date: use the format MM/DD/YYYY
- Assessment Score: the value must be between -203 and 110 (if your score is already 110, write N/A)
- Scope of Assessment: Enterprise, Enclave, or Contracts (see above for details)
- Plan of Action Completion Date: the expected date to obtain a perfect score of 110
- CAGE code(s): use the codes covered by the assessment
- Name of System Security Plan (SSP)
- SSP Version/Revision
- SSP date
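To make the submission format above concrete, here is an added Python example (not from the original post and not an SPRS program tool) that checks a submission against the constraints listed and renders the email body in that field order. The dictionary keys, the sample values, and the choice to write N/A in the Plan of Action Completion Date when the score is already 110 are this example's own assumptions.

```python
import re
from datetime import datetime

SUBJECT = "SPRS Self-Assessment Score Submission"
SCOPES = ("Enterprise", "Enclave", "Contracts")
CAGE_RE = re.compile(r"^[A-Z0-9]{5}$")  # a CAGE code is five characters
# Body lines, in the order the post lists them (labels copied from the format above)
FIELDS = [("Cybersecurity Standard Being Assessed", "standard"),
          ("Organization Conducting the Assessment", "organization"),
          ("Assessment Date", "assessment_date"), ("Assessment Score", "score"),
          ("Scope of Assessment", "scope"), ("Plan of Action Completion Date", "poam_date"),
          ("CAGE code(s)", "cage_codes"), ("Name of System Security Plan (SSP)", "ssp_name"),
          ("SSP Version/Revision", "ssp_version"), ("SSP date", "ssp_date")]

def _valid_date(text: str) -> bool:
    """True only for a real calendar date written exactly as zero-padded MM/DD/YYYY."""
    try:
        return datetime.strptime(text, "%m/%d/%Y").strftime("%m/%d/%Y") == text
    except ValueError:
        return False

def validate(sub: dict) -> list:
    """Return the list of problems found; an empty list means the submission is well-formed."""
    score = sub.get("score")
    poam = sub.get("poam_date", "")
    checks = [
        (sub.get("standard") == "NIST SP 800-171 rev. 2", "standard must be 'NIST SP 800-171 rev. 2'"),
        (bool(sub.get("organization")), "organization is required"),
        (_valid_date(sub.get("assessment_date", "")), "assessment_date must be MM/DD/YYYY"),
        (isinstance(score, int) and -203 <= score <= 110, "score must be an integer from -203 to 110"),
        (sub.get("scope") in SCOPES, "scope must be Enterprise, Enclave, or Contracts"),
        # Assumption: with a perfect score there is nothing left to plan, so the POA&M date is N/A
        (poam == "N/A" if score == 110 else _valid_date(poam), "poam_date must be MM/DD/YYYY, or N/A when the score is 110"),
        (bool(sub.get("cage_codes")) and all(CAGE_RE.match(c) for c in sub.get("cage_codes", [])), "cage_codes must be one or more five-character codes"),
        (all(sub.get(k) for k in ("ssp_name", "ssp_version", "ssp_date")), "SSP name, version and date are required"),
    ]
    return [msg for ok, msg in checks if not ok]

def render(sub: dict) -> str:
    """Build the email body; refuses to format a submission that fails validation."""
    problems = validate(sub)
    if problems:
        raise ValueError("; ".join(problems))
    fmt = lambda v: ", ".join(v) if isinstance(v, list) else str(v)
    return "\n".join(f"{label}: {fmt(sub[key])}" for label, key in FIELDS)

# Constructed sample submission with placeholder values (not a real contractor or CAGE code)
SAMPLE = {"standard": "NIST SP 800-171 rev. 2", "organization": "Example Widgets LLC",
          "assessment_date": "03/15/2024", "score": 87, "scope": "Enclave",
          "poam_date": "12/31/2024", "cage_codes": ["1ABC2"], "ssp_name": "CUI Enclave SSP",
          "ssp_version": "2.1", "ssp_date": "03/01/2024"}
```

Running validate() before you paste the body into your mail client catches the common slips (unpadded dates, a score outside the range, a missing SSP field) that would otherwise cost a round trip with the Customer Support Desk.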
A Note About Email Encryption
Although DFARS 252.204-7020 formally requires contractors to submit their summary level scores by encrypted email, the SPRS Customer Support Desk has stated that they do not require encryption.
If you decide to adhere to the letter of DFARS 252.204-7020, keep the following in mind:
- You will need to request an encryption certificate by email to [email protected]
- Each encryption certificate only allows you to send an encrypted email to the person who sent you the certificate.
- Choosing to request an encryption certificate can delay your submission by several days, depending on the workload of the Customer Support Desk.
- If you have never sent an encrypted email to the DoD before, chances are good that you will require technical assistance.
Wait for Your Email Confirmation
After sending your self-assessment score by email, you will receive a confirmation, also by email. If you don’t receive a confirmation from the SPRS Customer Support Desk within five business days, you can request a status update by replying to the original email.
Remember that, alternatively, you can always use the Procurement Integrated Enterprise Environment (PIEE) to submit your self-assessment score. You can register your account here.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today by clicking here.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063