Don’t Get Yourself in Hot Water with the Federal Government
CyberCompass has completed several NIST 800-171 assessments as part of Cybersecurity Maturity Model Certification Level 2.0 (CMMC 2.0) for Defense Industrial Base (DIB) companies and found that previously submitted SPRS (Supplier Performance Risk System) scores were overstated by over 200%, which could make the submitting companies liable under the “False Claims Act.”
Many of our clients were shocked to learn that their previous positive score dropped to a negative score. We found (and continue to discover) that our clients have put themselves in a place of “false security” and did not realize they were not following the correct evaluation criteria when doing their self-assessments.
Clarification of the confusion: Not 110 but over 260 requirements in your SPRS Score
In 2019, Department of Defense contractors began having to comply with new requirements to account for their implementation of the NIST 800-171 cybersecurity standard: each organization conducts a self-assessment and records the result in the Supplier Performance Risk System, adding or deducting points for each control depending on whether it has been implemented. This result is the so-called SPRS score.
When the requirement was developed, many organizations found a template or the NIST 800-171 reference, reviewed the controls, and created a response based on the text of the 110 required controls. Unfortunately, the text of the controls does not provide a comprehensive picture of what is truly required to consider a control implemented. The details of what each NIST 800-171 control requires are found in a supplemental NIST document, 800-171A. For each control there are typically multiple requirements (assessment objectives) to be met before it can be considered implemented, and for some controls there can be over a dozen. Looked at from this angle, the 110 controls of NIST 800-171 are really more than 260 specific requirements that have to be met.
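To make the difference between the two ways of scoring concrete, here is a small added example (not code from CyberCompass, NIST or the DoD) that scores a handful of controls twice: once from a control-level self-attestation based on the control text, and once from objective-level results in the style of 800-171A, where a control only counts as implemented when every one of its objectives is met. It assumes the DoD assessment methodology's scoring rule (start at 110 and subtract the weight, 1, 3 or 5 points, of each control that is not implemented). The control IDs, weights, objective IDs and pass/fail results are constructed sample data, not the real 800-171 catalogue, and any control not in the sample table is assumed implemented.

```python
"""Added example: control-text self-attestation vs. objective-level scoring.

Assumption (DoD assessment methodology): score = 110 minus the weight of every
control that is NOT implemented. The control table below is CONSTRUCTED sample
data; the IDs and weights are placeholders, not the real NIST 800-171 catalogue.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_SCORE = 110  # perfect score: every control implemented


@dataclass
class Control:
    control_id: str            # placeholder ID (constructed, not a real 800-171 number)
    weight: int                # points deducted if the control is not implemented (1, 3 or 5)
    self_attested: bool        # what the contractor claimed from the control text alone
    objectives: dict[str, bool]  # 800-171A-style objective ID -> met?


# Constructed sample: three controls were "yes" on the control text but fail an objective.
SAMPLE_CONTROLS = [
    Control("CTRL-A", 5, True,  {"A[a]": True,  "A[b]": True,  "A[c]": False}),
    Control("CTRL-B", 5, True,  {"B[a]": True,  "B[b]": True}),
    Control("CTRL-C", 3, True,  {"C[a]": True,  "C[b]": False}),
    Control("CTRL-D", 1, False, {"D[a]": False}),
    Control("CTRL-E", 3, True,  {"E[a]": True,  "E[b]": True,  "E[c]": True, "E[d]": False}),
]


def control_implemented(control: Control) -> bool:
    """A control is implemented only when ALL of its assessment objectives are met."""
    return all(control.objectives.values())


def score_by_self_attestation(controls: list[Control]) -> int:
    """Score the way many first submissions were done: trust the control-level 'yes/no'."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.self_attested)


def score_by_objectives(controls: list[Control]) -> int:
    """Score against the objective-level evidence, which is what an assessor checks."""
    return MAX_SCORE - sum(c.weight for c in controls if not control_implemented(c))


def overstated_controls(controls: list[Control]) -> list[str]:
    """Controls attested as implemented whose objectives do not all pass (the risk area)."""
    return [c.control_id for c in controls if c.self_attested and not control_implemented(c)]


def unmet_objectives(controls: list[Control]) -> list[tuple[str, str]]:
    """(control, objective) pairs that fail; the raw material for a remediation plan."""
    return [(c.control_id, obj) for c in controls
            for obj, met in c.objectives.items() if not met]


if __name__ == "__main__":
    print("self-attested score :", score_by_self_attestation(SAMPLE_CONTROLS))
    print("objective-level score:", score_by_objectives(SAMPLE_CONTROLS))
    print("overstated controls :", overstated_controls(SAMPLE_CONTROLS))
    for control_id, obj in unmet_objectives(SAMPLE_CONTROLS):
        print(f"  remediate {control_id} objective {obj}")
```

With the sample table the control-text view loses only one point, while the objective-level view loses twelve, and `overstated_controls` names exactly the controls that would be questioned in an audit. Running the same comparison over a full 800-171A objective checklist, rather than this five-control sample, is what turns a self-assessment into a defensible SPRS submission.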
Why does the wrong SPRS Score matter?
In October of 2021 the Department of Justice announced that it would use the “False Claims Act” to pursue civil actions against contractors that put government data or systems at risk by “knowingly misrepresenting their cybersecurity practices or protocols.” If your organization’s SPRS score is based on the language of the controls, and not the specific requirements that need to be met for each, an audit or breach could make you subject to action by the federal government.
Contact CyberCompass at firstname.lastname@example.org about your SPRS score and how we can help you get an accurate score and peace of mind.