The National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171) is a framework of cybersecurity controls designed to safeguard Controlled Unclassified Information (CUI) in non-federal networks. Any government contractor that handles or stores CUI on their network needs to be compliant. This is particularly important for defense contractors, as evidence of compliance is a prerequisite for contracts from the Department of Defense (DoD) where CUI is present.
Organizations follow a process of self-assessment against the 110 controls and requirements outlined within the NIST 800-171 compliance framework. Defense contractors must also score their compliance through a points-based system and then upload a summary score through the Supplier Performance Risk System (SPRS) portal. This acts as a quick method of understanding the level of compliance of potential defense contractors.
Assessing compliance against the 110 NIST 800-171 control requirements can be resource-intensive, but there are ways of automating parts of the process. This guide explains the SPRS points system in detail and explores a tool for making the assessment process as accurate and efficient as possible.
What is the Supplier Performance Risk System (SPRS)?
The Supplier Performance Risk System (SPRS) is a Department of Defense database holding records of contractor compliance with NIST 800-171. Defense contractors perform a compliance audit of the areas within their organization’s IT network where CUI is present and then submit a summary score to the SPRS portal. The summary score represents the level of risk to CUI within a contractor’s system. The number of points reflects the implementation of each NIST 800-171 control.
The aim is to standardize the level of cybersecurity policies and controls across the entire defense supply chain. By setting a minimum level of security for CUI on non-federal systems, the risk of breaches and cybersecurity incidents is lowered. A unified approach to information security in this way helps to safeguard sensitive government data across the whole defense industrial base.
Evidence of NIST 800-171 compliance is compiled into a System Security Plan (SSP) and, if the contractor isn’t fully compliant with certain controls, it must also include a Plan of Action with Milestones (POAM) that outlines how it intends to achieve compliance. The SSP, and the POAM if required, are uploaded into SPRS, where they can be reviewed by the DoD. The contractor must upload an up-to-date score within a three-year window.
How does the SPRS points system work?
The maximum SPRS assessment score is 110, representing full compliance with each of the 110 NIST 800-171 controls. Non-compliance or partial compliance with a control results in points being deducted on a weighted scale that reflects the severity of the security risk: each unimplemented control costs five, three, or one point. Because the deductions can exceed the starting total, an organization can end up with a negative overall score.
Controls worth five SPRS penalty points
Some controls have a significant effect on the safeguarding of CUI, and non-compliance with these controls will result in the loss of five points. There are 42 controls of this level within NIST 800-171. These will usually be the core elements of each of the 14 control families.
Lack of compliance with these controls results in a five-point deduction from the SPRS score because it also undermines the effectiveness of other security controls. Non-compliance heightens the risk of cybersecurity incidents and CUI breaches. An example is the requirement to create and retain system audit logs. This is a major element of the ‘Audit and Accountability’ family of controls and is a serious security risk if not implemented.
Another example is the requirement for authenticating the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. This is understandably an integral part of the ‘Identification and Authentication’ family of requirements. If not implemented, the network is at heightened risk of unauthorized access.
Controls worth three SPRS penalty points
These are controls that have a significant but contained effect on network or CUI security if not implemented, and non-compliance with them results in a three-point penalty. They are requirements that put CUI at risk if not followed. There are 14 controls and requirements that carry a penalty of three points for non-compliance.
An example would be the requirement to employ the principle of least privilege, including for specific security functions and privileged accounts. Sensitive information is at direct risk of being lost or compromised if this requirement is not followed. This is an important requirement within the ‘Access Control’ family of controls.
Controls worth one SPRS penalty point
Non-compliance with any of the remaining 54 controls and requirements, whether they are missing or only partially enacted, reduces the SPRS score by one point each. These controls have a more limited impact on network security if not embedded, but they still lower the resilience of the network security as a whole if not properly implemented.
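As an added worked example (not code from the original article or from Titania), the scoring rules above as a small calculator: start at 110, deduct each unimplemented control's weight, and order the gaps for the POAM by score impact. The per-weight control counts and the example weights come from the text; the requirement ids and the one-point entry in the sample are assumptions.

```python
from dataclasses import dataclass
from typing import List

MAX_SCORE = 110  # full credit: one point per NIST SP 800-171 control

# Number of controls at each penalty weight, as stated in the text.
CONTROLS_PER_WEIGHT = {5: 42, 3: 14, 1: 54}


@dataclass(frozen=True)
class Finding:
    control: str   # NIST SP 800-171 requirement id (assumed values below)
    summary: str
    weight: int    # SPRS penalty if not implemented: 5, 3 or 1


def sprs_score(findings: List[Finding]) -> int:
    """Start at 110 and deduct each unimplemented control's weight.

    `findings` lists only the controls that are NOT implemented; every
    other control is assumed to be implemented with evidence in the SSP.
    """
    per_weight = {5: 0, 3: 0, 1: 0}
    seen = set()
    for f in findings:
        if f.weight not in per_weight:
            raise ValueError(f"{f.control}: weight must be 5, 3 or 1")
        if f.control in seen:
            raise ValueError(f"{f.control}: listed twice")
        seen.add(f.control)
        per_weight[f.weight] += 1
    for w, n in per_weight.items():
        if n > CONTROLS_PER_WEIGHT[w]:
            raise ValueError(f"more than {CONTROLS_PER_WEIGHT[w]} {w}-point controls")
    return MAX_SCORE - sum(w * n for w, n in per_weight.items())


def poam_order(findings: List[Finding]) -> List[str]:
    """Gaps for the POAM, largest score impact first."""
    return [f.control for f in sorted(findings, key=lambda f: (-f.weight, f.control))]


def worst_case_score() -> int:
    """Score if no control were implemented; the deductions exceed 110."""
    return MAX_SCORE - sum(w * n for w, n in CONTROLS_PER_WEIGHT.items())


# Constructed sample assessment: audit logs and authentication are 5-point
# controls and least privilege a 3-point control, as in the text; the
# requirement ids and the 1-point entry are assumptions for illustration.
SAMPLE_FINDINGS = [
    Finding("3.3.1", "System audit logs not created or retained", 5),
    Finding("3.5.2", "Users, processes and devices not authenticated before access", 5),
    Finding("3.1.5", "Least privilege not applied to privileged accounts", 3),
    Finding("3.1.22", "No control over CUI on publicly accessible systems", 1),
]
```

Running `sprs_score(SAMPLE_FINDINGS)` gives 96, and `poam_order` lists the two five-point gaps first so remediation effort is spent where it restores the most points.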
How to quickly assess SPRS points for network devices
Assessing compliance with NIST 800-171 and determining an SPRS score can be time-consuming, but tools can automate the auditing of core controls to save valuable time and resources. Titania Nipper is an auditing tool that can quickly and accurately assess compliance with NIST 800-171. Nipper can be used to assess 89% of the controls related to core network devices across eight control families, allowing defense contractors to compile evidence to support their SPRS points claims.
Saving up to three hours per device audit, Titania Nipper helps organizations accurately highlight network vulnerabilities, strengthening contractor IT networks that handle CUI.
Download the NIST SP 800-171 Mapping Summary to understand how Nipper can streamline your SPRS points assessment today.