Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: It’s Here! CMMC SPRS Scoring is Live!!!
Quick Take
On this episode of Compliance Unfiltered, its time to chat about the CMMC SPRS score!
The CMMC-AB now recognizes the SPRS score as the industry standard scoring metric. Adam tells all about what the SPRS score is, and how the heck you interpret those negative numbers.
Curious if your organization can just do the assessment yourselves? Wondering how SPRS Scoring fits in to the CMMC world in general? The CU guys have got you covered! Plus, Adam shares special news about SPRS Scoring and the TCT Portal!
All on this week’s Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
Read Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who’s the Mr. Miyagi to your compliance bonsai tree. Mr. Adam Goslin, how the heck are you, sir? I’m doing great. I feel like I need some wax on, wax off going on over here or something. Don’t we all, sir? Don’t we all? Today, we’re going to have a conversation about some CMMC business. There’s a lot of it to attend to today. So I figured I’ll throw it over to you to talk a little bit more about some new things in the CMC Arena for TCT and also some fun stuff on the CMMC calendar that’s coming up, Adam.
All right. Well, TCT is going to be attending, co-sponsoring an event called CMMC Day. That is going to be on May 15th in Arlington, Virginia. So at this point in the game, a little bit about 10 days out. Oh, no, 10 days out, seven days out. So anyway, we’re going to be posting this tomorrow. So hopefully, if we’ve got listeners that are in the area,that want to come join the party, you can certainly swing by. And swing by the TCT booth and Todd and I will both be there. It’ll be fun. one thing that we haven’t told the listeners about yet, but we were talking about doing some CMMC day live. So yeah, we’ll see how it all goes. It’s gonna be entertaining. We might do some recording while we’re right there at the event. So that would be super cool and just nice. I just like meeting new people, making new friends, talking to people about, you know, generally speaking, you know, the overarching, you know, kind of goal for TCT, which is making compliance management suck less. So hey, we’re here to help. Indeed. And for those faithful Compliance Unfiltered listeners, you will remember Andrew from a few episodes ago talking specifically about that CMMC day event. So that is the one we were referring to in Arlington, Virginia on Monday, May 15th. Please check it out if you have not already.
Well, speaking of CMMC specifically, Lots of things have changed on the horizon of CMMC over the course of the last couple of years. We’ve been following the trends, had our fingers as close to the pulse as one can with his dodgy as it’s has been. But things have started, the ship has started to write over the course of the last year or so. We’re starting to see some uniformity come out of the CMMC space, Adam. And so much of that revolves around the SPURS score. Now, well, some of the episode might be remedial for some here. It will be instructional for others, just kind of starting to get their arms around this space. So what exactly is a SPURS score? SPURS, it’s that SPURS stands for. Come on you SPURS. Yeah, the SPURS stands for the Supplier Performance Risk System. So it’s a, it is a system which basically gives, it’s a web enabled enterprise application, gathering, processing, and displaying evidence about the performance of DOD suppliers to folks that are in the DOD. You know, one of the elements that goes in as an input into this system is the notion of the vendor’s SPURS score. Basically a numerical grade that goes and gets entered into that DOD SPURS application. And it’s a component that affords a score to the vendor so that the DOD can go through, look and assess the stance of the supplier. The DOD is using the SPURS score as a major component for their supplier evaluations. And those SPURS scores, interestingly enough, and this is where it gets really super freaking confusing, is the SPURS scores range from negative 203 up to 110. So 110, yeah, 110, hey, listen, I didn’t make up the scoring yield mechanism, I just get the honor of, you know, talking about it, if you will. So, you know, the way it works is your top end score is 110. Everybody effectively starts at negative 203. And then as you complete various elements of the of the CMMC framework, your score moves from 203 up, up, up as you’re, you know, kind of noting items as being in place, those will start to basically not count as negative numbers, and thereby your score goes from, let’s say, did a five point item, it’d go from negative 203 to negative 198, you know, and etc. Excuse me, I’ve got this horrible, like, I feel fine, but I’ve had this horrible tickle for days now. It’s really irritating. So anyway, apologies. But, you know, so as you’re going through the elements within CMMC carry one, three or five points at a shot, the better your score, the better you can improve your chances of getting your contract. You know, there are a small handful of items, I believe it’s two, where you can get partial credit when you partially implemented something. But that means that the vast majority of the things that are on this list are elements of you’ve got it or you do not. So, you know, if you don’t have something, you know, completely implemented, you’re not getting credit. There’s also a couple of elements that, you know, and where NAS won’t be counted against you, etc. But long story short, is that you’ve got to go in and you’ve got to go in and basically take your crack at filling out, you know, all the details so you can figure out where does your score settle into.
Now, how does one interpret their SPURS score? Well, you know, should you, you know, should you be shooting for getting this, you know, perfect SPURS score? You know, the bottom line is, is that obviously the closer you are to 110, the better your position. But, you know, the fact of the matter is, it’s really going to be hard for folks to achieve a 110. It could be done, but it’s rare. You know, if you’re going through and claiming, oh no, we’re perfect, you know, type of thing, you better be able to prove it because, you know, the DOD is honestly probably going to scrutinize you more closely, you know, as a result. I think their expectation walking in is that organizations aren’t going to be perfect and there’s going to be things that they need to improve upon, etc. You know, so I haven’t seen an indication out of DOD expecting everybody to hit this perfect score or really any score. in particular, which is the interesting part to win contracts. There’s a lot more than just the SPURS score that goes into their evaluation and hiring process, not the least of which is, how much are you charging them and how good your work is. So the cybersecurity is a piece of the puzzle. So certainly, trying to get it into as good a shape as you can is a good thing, but I’d also kind of caution folks to be, you better really have your ducks in a row if you’re going to go and claim you got a 110.
No, absolutely. And it’s definitely something where they can, especially in this space, Adam, people can smell when you’re not being genuine. Now, should an organization complete the CMMC assessment by themselves. Like that, don’t worry about it, we got this covered in the house, no worries. Yeah, the self-assessment is something that can be optionally validated by a third-party assessor for many of the suppliers. But at the end of the day, the supplier’s responsible for appropriately filling out the information. So getting your SPURS score incorrect and especially overstating your score, that’s not gonna be viewed in a positive light by the DOD, you wanna make sure that you get it right. For those organizations that already have a depth of experience of years or maybe a decade plus running in the realms of like PCI DSS or ISO 27001, then going up against these controls honestly isn’t gonna be that challenging. You know, but certainly for organizations that this is kind of their first time that they’ve been in a position where they need to go up against a third-party series of requirements type of thing. And you haven’t gone through and done this before, I would really recommend to folks, hire on a consultant, bring in an assessor to help show you the way, things along those lines, because it’s gonna be really easy for organizations that don’t already have that kind of intimate familiarity with some stringent framework to be making mistakes.
And I would say, just because you have network administrators doesn’t mean that they inherently know how to be able to navigate the CMMC engagement. You know, it was one of the things that I learned early on in my security and compliance career, was to, just, you know, how little I knew about security and compliance. I’ve been in the IT space for, you know, 15 plus years, leading teams of people doing all sorts of stuff. And I’ll tell you what, it was an eye opener. And the scarier part was the frontliners, the folks that were doing the network administration or developers or in charge of infrastructure, they knew how to do their job well. And they were really good at it. But there’s a leap between doing the operational job and then doing things in a manner which will align. completely correctly to a series of cybersecurity requirements. So if you don’t already have the experience in-house, you know, of going through these with consultants and third-party assessors, honestly, I would recommend to folks, find a friend, you know, in the space and go ahead and kind of get through that as a group.
Yeah, no, absolutely. Now, how does SPURS scoring fit into the CMMC world at large? Well, you know, the SPURS score effectively is the overall indicator of the strength of your cybersecurity stance. The whole point of this particular framework is to evaluate, you know, where the organization stands in a cybersecurity sense. So it’s kind of like a report card. You know, your score doesn’t tell you the whole picture. You know, it’s one of multiple, one of the multiple outputs of the CMMC engagement. You’re also going to need a system security plan, which is short form to an SSP. And you’re going to need something called a plan of actions and milestones, which is commonly referred to as a POAM, P-O-A, ampersand-M, you know, for remediation activities, in addition to having all of your in sundry evidence and information to be able to justify your score. So there’s a fair amount to, you know, basically the end game, if you will, for CMMC for an organization. You know, but, you know, that said, you know, if you’re aiming for a particular maturity level, then certain controls you’re going to need to make sure you got buttoned up.
In the CMMC space, there’s, you know, kind of three maturity levels now. Level one that, you know, requires 17 of the practices out of NIST to 800-171. Level two that has 110. controls from 800-171 and level 3 includes the 110 controls plus additional controls based on the NIST 800-172. So in order to get your maturity level 2 you don’t need a SPUR score of 110 but you do need to be evaluated against all 110 controls. So if you’ve got controls which you know for your in your case can’t be you know marked off as not applicable then you’ll need to provide that aren’t in place then you’ll need to provide a POEM basically a remediation plan that addresses any of the gaps that you’ve got in your organization you know kind of a description of you know where you at now what is it that you’re going to be doing when are you going to be doing it that type of thing so certainly it makes you know it makes things it makes things entertaining as you’re kind of going through this process. And bar none, the cool part is that when we designed the TCT Portal, we designed it to really facilitate any industry standard compliance, including CMMC. So the cool part about the TCT Portal and CMMC is that, you know, it gives you a place where you can, you know, store, manage, you know, gather your evidence, have it all in one spot from the system, you can generate your SSPs, your POAMS, you know, etc. So it really becomes a really good tool for the organization to be able to leverage, you know, kind of as they’re preparing, certainly as they’re preparing for, and then getting through, you know, some form of an assessment, you know, certainly for those organizations that if they’re going up against, you know, PCI, SOC 2, ISO 27001, something along those lines, as well as CMMC. Well, the cool part is, is that then they’ve got the ability to do mappings from, you know, one cert to another, import, port, link their evidence from their existing tracks into their CMMC track, etc. And a lot of that heavy lifting is done. So, you know, for the listener that has many needs, you certainly encourage them to, to swing by the booth at CMMC day and come have a chit chat with us. We’d love to, we’d love to talk and, and show you the way.
Absolutely. Now tell us some of the exciting news that relates to SPURS scoring as it pertains to the TCT portal, Adam. Sure. So one of the things that we’ve been working on actually, and I forget if it’s going out, you know, imminently or already went, but we’re going to be putting out a press release here shortly, talking about the fact that the TCT portal now has integrated live SPURS scoring capabilities from right within the, the portal. So, um, you know, it’s, uh, it’s actually really, really cool because as the user is going through and completing their line items, I was talking earlier about, you know, if you had a five point item, you’ve now marked that as in place type of thing, uh, or implemented, if you will, um, that all of a sudden you, you wouldn’t have the negative five points counted against you that would, you know, adjust not only the score for that particular item, but also will then impact your overall SPURS score. And so as the users are going through, whether it is the organization that’s subject to CMMC, whether it’s an assessment firm happens to be using the TCT portal for, uh, for assisting with that assessment. Um, as you’re going through concluding and completing items and getting them marked off, moving them through the workflow, uh, as you’re going. The SPURS scores for the line items are getting updated. Your overall SPURS score is starting to solidify. You know, one of the big problems with, one of the big problems when you’re doing these style of engagements with as many elements that play into the scoring as we’ve got for CMMC is there’s a lot of complexity, right? You’ve got workflow, maybe it goes from the company subject to compliance up to a consultant. From there, it goes up to an assessor. From there goes the assessor’s QA department, then goes to complete. Well, at any point in the game, I mean, the company going through it can push it up to the next stage of the workflow, but upon review, it might come back down. Well, you know, I don’t really think this is in place or, hey, we’re gonna need some additional evidence or, you know, it doesn’t look like this is in place. Are you sure? You know, that type of thing. So you could have line items that’ll be going, no, oh, you just gained five points up. Never mind, you lost five points. So if you gained them again, no, we lost them again. You know, and that’s one of 110 different, you know, kind of moving pieces and parts up and down this workflow. So you’ve got a ton moving simultaneously. And the fact that the score is coming up live is it’s just really, really helpful that you can readily see where’s all of our stuff in the workflow as things start to settle into the concluded state, you’ll start to see that overall SPURS score stabilize, you know, certainly out of the gate at first as you’re concluding items and moving them up, etc, you know, you’re seeing a ton of movement, but what organizations will start to see, especially as things start to settle down, start to land into their final states, etc, as you’ll see that SPURS score start to, you know, start to kind of solidify, you know, as they’re going through, you know, kind of going through that process. So we were super excited about the fact that as you’re going through, as you’re attaching your evidence, etc, that you’re able to kind of keep your finger on that pulse of your SPURS score.
Because honestly, for vendors that are in this space that are trying to win these contracts, it’s gonna be a big deal. Because if you think about it, right? If all else is the same, the price is the same, the offering is the same, you got these two vendors going at it, if one vendor sitting there with a great score, one sitting there with a horrible score, well, that’s gonna play its part. So, you know, having them with the ability to immediately, intrinsically see that score is really gonna be a big deal.
Absolutely, parting shots and thoughts for the folks this week, Adam. Well, you know, I’ve said it since the dawn of time. It’s one of the reasons why we started TCT, you know, is the notion that, organizations need to own their own data. And what I mean by that is they need to own their own compliance data. You want your own repository so that you’ve got your own compliance management system.
Things happen, right? Maybe we need to go up against two or three other certifications and the existing assessor doesn’t do those other certifications so it makes sense to move. Maybe you’re not happy with your existing assessor. Maybe you’ve got an internal policy that you’re gonna switch assessors every fill in the blank years, whatever it may be. Things happen in this space. Companies get bought out and things change, you know, whatnot. You don’t want to lose your rock solid repository of efficiency for your own company because of the fact that you’re basically being subservient to the systems of your consultant or assessor or whatever it may be. So when I say own your own data, get your own license of a compliance management system. I’d recommend TCT Portal, but you know, make your choice about which one you want to go in with. And honestly, and I mean this in all sincerity, go TCT Portal, sweet, love to have you, but go with one, go with one. Have your own freaking system that you put your own stuff into because it doesn’t make any sense to evaporate all of that knowledge and tracking and history, you know, etc, because it’s invaluable when you’re going through your next round. It’s invaluable as you’re even trying to maintain the certification you’ve achieved. And certainly for organizations with many compliance standards, you know, I can’t even underscore how big of a deal having your own compliance management system is going to make your world. If you’re going up against several different compliance standards, you know, and certainly for the suppliers, vendors being able to, you know, tell the impact of their SPURS scoring as they’re going through navigating the waters of CMMC. That’s freaking game changer right there because that means that they really know what’s going on. They can see the tweaks, the modifications live as it’s happening and the impact or the effect it’s having on their scores. It’s all just in absolute clarity in this one singular space, the system, the compliance management system. It’s a big deal and being able to be able to tell the impacts of some of the decisions that the assessors make, whether we do or don’t want to address a particular item and its impact on the scoring, all of that just comes right out of the system. It’s a really big deal.
Absolutely. And that right there, that’s some good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we help to get you fired up to make your compliance suck less.
