If you’re a contractor to the Department of Defense, you may be losing sleep over the new Cybersecurity Maturity Model Certification (CMMC). Since the Advisory Board announced the development of CMMC, the standard has gone through continual evolution and dramatic changes. Only six months ago, CMMC 2.0 was released and one of the major announcements is the inclusion of a SPRS score in CMMC.
You’re going to hear a lot about the SPRS score from now on, and it could be a significant factor that determines your ability to do business with the DoD. So if you don’t know what a SPRS score is, it’s time to get familiar with it.
Related: Take These Action Steps to Become CMMC Compliant
What Is a SPRS Score?
SPRS stands for Supplier Performance Risk System. It’s a web-enabled enterprise application that gathers, processes, and displays data about the performance of DoD suppliers. Its purpose is to analyze the risk that a supplier represents, among other things.
The SPRS score is essentially a numerical grade that gets entered into the DoD SPRS application. It’s a component of the scoring that the DoD leverages for their review and assessment of the stance of a supplier.
The DoD is now using the SPRS score as a major component of a supplier’s CMMC evaluation. Your SPRS score will fall somewhere in a range from -203 to 110. The score is based on value points that are assigned to each of the controls in the CMMC standard.
There are 110 controls, and the maximum SPRS score is 110. Those control items range across 14 areas related to the cybersecurity of your organization — for example, access control, configuration management, identification and authentication, incident response, system and information integrity, and more.
Each of the control line items in CMMC has a different value — either 1, 3, or 5. Values are based on the item’s relative importance. The 1-point items are deemed least critical and the 5-point items are most critical.
Your score starts at the lowest value (-203). As you report controls as implemented, your score goes up by the value of each item, either 1, 3, or 5 points at a time. The better your score, the better you improve your chances of receiving a contract with the DoD.
A very small handful of items can earn partial credit for being partially implemented. What that means is that for 90+ percent of the scoring system, you either have it or you don’t. If the item isn’t fully implemented, you won’t get any credit — so you need to have your act together.
Hiring the right C3PAO is only one small piece of successfully navigating the Cybersecurity Maturity Model Certification. Get fully equipped with TCT’s online guide to CMMC.
How to Interpret Your SPRS Score
Should you attempt to get a perfect SPRS score? Obviously, the closer to 110 you are, the better your position will be with the DoD.
The fact is, it is incredibly hard to achieve a 110. It can be done, but it’s rare. And if you claim to be perfectly fulfilling all 110 CMMC controls, you’d better be able to prove it, because the DoD is likely to scrutinize you more closely.
There’s no indication that the DoD expects their suppliers to hit a perfect score — or any score in particular — to win a contract. There’s a lot more than just the SPRS score that goes into the DoD’s hiring process — not the least of which is how much you’re charging them and how good your work is. Cybersecurity is just one piece of the puzzle.
Should You Complete the CMMC Assessment Yourself?
The CMMC is a self assessment that can be optionally validated by a third-party Assessor for many suppliers. But at the end of the day, you as the supplier are responsible for appropriately filling out the information. Getting your SPRS score incorrect — and especially overstating your score — will not be seen in a positive light by the DoD. Make sure you get it right.
If you already have a great depth of experience with a robust security and compliance standard — for example, ISO 27001 or PCI-DSS — then going up against these particular controls probably won’t be too challenging.
That said, if you’re approaching CMMC for the first time and you’ve never undergone a third-party security assessment before, I strongly recommend that you hire a Consultant for CMMC. It could be fairly easy to make some mistakes if this isn’t familiar territory for you.
And don’t assume that just because you have network administrators that they have the experience to go through a CMMC engagement. Cybersecurity is a niche realm that most IT personnel aren’t experienced with. Don’t get me wrong — they know how to make things function operationally, but it’s a different realm to workin a secure, compliant manner that most will not have direct experience with.
How Does the SPRS Score Fit in CMMC?
Your SPRS score provides an overall indicator of the strength of your cybersecurity stance. Think of it like a report card. But your score doesn’t tell the whole picture — it’s one of multiple outputs of a CMMC engagement. You’ll also need to supply a System Security Plan (SSP), a Plan of Action & Milestones (POA&M) for remediation activities, in addition to having the appropriate evidence and information to justify your score, as submitted.
That said, if you’re aiming for a particular maturity level under CMMC, you’ll need to have certain control items buttoned up.
There are three CMMC maturity levels and each one has a specific set of controls that fall within that level. To achieve compliance with a particular level, you’ll need to fulfill the controls associated with that level.
- Level 1 requires 17 practices from NIST 800-171
- Level 2 requires all 110 practices from NIST 800-171
- Level 3 requires all 110 controls, plus additional controls based on NIST 800-172
To achieve maturity level 2, you don’t need a SPRS score of 110, but you will need to be evaluated under all 110 controls. If any controls aren’t fulfilled, you’ll need to provide a POA&M, essentially a remediation plan, that addresses the gaps.
TCT Portal Makes CMMC Easier
If you’re feeling overwhelmed by the mere prospect of going up against CMMC, you aren’t alone. Many government suppliers have decided to cut bait and pursue other business streams because the juice doesn’t seem worth the squeeze.
But what if CMMC could be easier than you think? TCT Portal is a compliance management system that’s designed to make CMMC management suck less for government contractors and CMMC Assessors. Real-time insights, common-sense organization, and automated functions make TCT Portal an absolute no-brainer for anyone managing compliance.
The tool automates and streamlines virtually every aspect of CMMC compliance. And if you’re already going up against other standards such as PCI, SOC 2, or ISO 27001, you can map all the work you’ve already done under those certifications onto your CMMC engagement. Which means most of the heavy lifting is already done.
As CMMC continues to evolve — and it most definitely will — our team of developers is releasing updates to TCT Portal to keep in lock step with it. You’ll never have to work in a tool that can’t keep up with your needs.
Check out TCT Portal for yourself and see how it handles CMMC. Get a personalized demo today!