1400 - 1430 (Peeling) SPRS NIST Industry Day FINAL.pptx


June 7, 2021



DLA Distribution Industry Day SPRS/NIST SP 800-171
What is SPRS and why/how is it used?
Where does SPRS get its data? What Information is collected?
How can contractors access SPRS and view their scores?
NIST SP 800-171 implementation
Why does Cybersecurity/NIST matter to you?
What requirements are/are not covered?
Accessing NIST within SPRS
Helpful Resources
What is SPRS?
Supplier Performance Risk System (
Web-enabled, Department of Defense enterprise-wide application DFARS primary retrieval system for supplier performance information (formerly PPIRS-SR)
Required evaluation factor for ALL solicitations for Supplies AND Services (inc. commercial), regardless of dollar value
Provides three* risk analysis tools designed to be used in supplier performance evaluations for supplies and services:
Price Supplier
*NIST cyber score may be added as an additional evaluation factor, when/where applicable
SPRS Regulatory Requirements
FAR 9.105-1(c)
SPRS data is utilized in making Responsibility Determinations
FAR 12.206 Commercial Items
Use of past performance data (inc. SPRS) for every evaluation/award
FAR 13.106-2(b)(3)(d) Simplified Acquisitions
SPRS may be used in evaluation of other factors for simplified acquisitions
FAR 15.305 Negotiated Acquisitions
Proposal evaluation may consider information obtained from any other sources
DFARS 217.207 Options
SPRS for incumbent contractor must be verified prior to exercising an option

Where does SPRS get its information?
For Auto Awards
SPRS data is updated daily
How does SPRS work?
Quality and Delivery Scores
Collects quality and delivery data to calculate delivery scores and quality classifications by CAGE and commodity
Price Risk
Calculates average price paid for an item and the expected range for future buys
Bids/Offers are classified as high, low, or within range
Item Risk
Probability that a product or service will introduce counterfeit or nonconforming material entering the DoD supply chain
Based on criticality of use and history of counterfeiting or
Supplier Risk
Scores vendors based on 3 years of supplier performance data for all efforts (overall

Vendors without SPRS history are regarded as neutral in past performance evaluations
Why is SPRS Important to you?

ALL solicitations (streamlined, combined synopsis/solicitation, formal, etc.) and responsibility determinations will utilize overall SPRS scores and/or the individual risk elements as part of the past performance and responsibility determinations.

Contractors may only view their own classifications in SPRS; you are STRONGLY ENCOURAGED to review your SPRS scores by using the Contractor Summary Report

DLA generally pulls Performance Information by PSC/FSC. Individual records are accessible via hyperlink.
SPRS and NIST: What's the connection?
SPRS is the one-stop gateway to Past Performance Information and NIST SP 800-171 assessments for all of DoD
Per DoD Instruction 5000.79, Supplier and Product Performance Information (PI) will be shared for supplies and services across DoD.
CAGE codes are the primary identifier used in the collection of PI.
With the passage of recent DFARS clauses, DoD is considering cybersecurity as a responsibility determination and as an additional on-going performance risk factor.
Consolidation within SPRS reduces redundancies and conflicts between different contracts and agencies, reducing contractors' administrative burden and providing supply chain illumination.

Why is cybersecurity/NIST element important to you?
It's the Law: per DFARS 252.204-7019, contractors must have a current (within 3 years) NIST SP 800-171 assessment in order to be considered for award.
NIST SP 800-171 has automatic subcontractor flow down.
It's the first step toward meeting Cybersecurity Maturity Model Certification (CMMC), scheduled for implementation in Fall 2025.
Basic Cyber Hygiene has been required for Federal Contract Information (FCI) via FAR 52.204-21; the 15 controls required for meeting this clause cross-map to NIST SP 800-171.
Controlled Unclassified Information (CUI) residing on contractor IT systems is increasingly being targeted by adversaries and bad actors.
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
Mandatory for all contracts except for contracts solely for the acquisition of COTS items
Requires contractors/subcontractors to:
Safeguard covered defense information that is resident on or transiting through a contractor's internal information system or network.
Report cyber incidents that affect covered defense information or that affect the contractor's ability to perform requirements designated as operationally critical support.
Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
If requested, submit media and additional information for damage assessment.
Covered Defense Information (CDI) Defined
Unclassified controlled technical information (CTI) or other information as described in the CUI Registry that requires safeguarding or dissemination controls, AND is either
Marked or otherwise identified in the contract, task order, or delivery order and provided to a contractor by or on behalf of, DoD in support of the performance of the contract; OR
Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract.
Consult the Statement of Work (SOW), CDRLs, and/or Contracting Officer to know if CDI is required for contract performance.
NIST SP 800-171 Assessment Scoring
To be eligible for NIST-covered awards, a contractor must complete the first level called a Basic Assessment.
If all security requirements are implemented, a contractor is awarded a score of 110, consistent with the total number of NIST SP 800-171 security requirements.
For each security requirement not met, the associated value is subtracted from 110, which may result in a negative score.
Certain requirements have more impact on the security of the network and its data than others.
Contractors may revise their NIST assessments in SPRS at any time.
NIST Assessment Requirements are incorporated via DFARS 252.204-7019 (Provision) & 252.204-7020 (Clause)
SPRS/NIST is accessed through PIEE (

Accessing SPRS/NIST
The SPRS home page has dedicated links for Supplier scores and NIST SP 800-171 Assessments
Accessing SPRS/NIST
The NIST link allows vendors to enter/edit their summary-level cyber score (must have SPRS Cyber Vendor user role).
Higher level assessments, if performed by DoD, will also appear here

Once recorded in SPRS, NIST scores are available to all DoD Components to be used in NIST SP 800-171 determinations

PIEE SPRS Web Based Training
Provides interactive training on SPRS, including an explanation of roles and their associated permissions

SPRS Users Guide for Awardees/Contractors
Comprehensive manual covering system access, navigation, reporting functions and methodology, and reference material

NIST SP 800-171 SPRS Information Page
Landing page providing training, tutorials, FAQs, and contacts pertaining to NIST SP 800-171 implementation

NIST SP 800-171 Rev. 2
Official site of the current version of NIST SP 800-171
Questions?
Backup Information System Security Requirements