This newest addition details requirements for reporting your score within the Supplier Performance Risk System (SPRS) as well as what contracting officers must do when awards or denials based on these results come up–so you can have peace beforehand knowing exactly where those risks lie.
The assessment methodology is based on the 110 security requirements from NIST 800-171, with each requirement having a different number of points assigned to it. The scope is only covered contractor information systems, so isolated networks are out of scope.
Organizations attest to whether they meet, do not meet, or if that control is not applicable to them. For those controls they do not meet, they deduct that number from their total of 110 points. For an example guide, download our NIST 800-171 questionnaire here.
Organizations are required to report their NIST 800-171 compliance score in SPRS. After posting to SPRS, the report will only be available to DoD personnel and the organization that submitted it. Firms will have to report a Basic, Medium, or High level assessment, depending on the contract requirements.
A Basic self assessment means that organizations are able to conduct and submit a basic assessment themselves to SPRS, while Medium and High assessments are assessed by the Department of Defense. Organizations will have to have these scores properly reported in SPRS, and have a new assessment at least every three years.