10/6/20 UPDATE: Although the CMMC Interim Rule instructs contractors to email results to DoD1, we have received reports that users are being told to manually enter the information into SPRS themselves. Click here for DoD sourced screenshots of the SPRS submission process.
1 (2) If the Offeror does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the Offeror may conduct and submit a Basic Assessment to webptsmh@navy.mil for posting to SPRS in the format identified in paragraph (d) of this provision.
1 (2) If the Offeror does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the Offeror may conduct and submit a Basic Assessment to webptsmh@navy.mil for posting to SPRS in the format identified in paragraph (d) of this provision.
The email below follows the format outlined in 252.204-7019 and is suitable to be copied, pasted into an email and sent as-is once all fields are completed.
TO: webptsmh@navy.mil
SUBJECT: NIST SP 800-171 DoD Assessment –
To Whom It May Concern:
In accordance with Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (85 FR 61505, Case 2019-D041), a basic assessment of the has been conducted by against NIST SP 800-171 Rev 1 utilizing the NIST SP 800-171 DoD Assessment Methodology (rev 1.2.1). The results of this assessment are provided below for inclusion in the Supplier Performance Risk System (SPRS).
Thank you,
SUBJECT: NIST SP 800-171 DoD Assessment –
To Whom It May Concern:
In accordance with Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (85 FR 61505, Case 2019-D041), a basic assessment of the has been conducted by against NIST SP 800-171 Rev 1 utilizing the NIST SP 800-171 DoD Assessment Methodology (rev 1.2.1). The results of this assessment are provided below for inclusion in the Supplier Performance Risk System (SPRS).
| System security plan | CAGE codes supported by this plan | Brief description of the plan architecture | Date of assessment | Total score | Date score of 110 will be achieved |
NIST 800-171 DoD Assessment
Methodology Scoring Tool
As of November 30, 2020, the CMMC Interim Rule (DFARS Case 2019-D041) requires all contractors and subcontractors to maintain a Basic NIST SP 800-171 DoD Assessment using the NIST SP 800-171 DoD Assessment Methodology in the Supplier Performance Risk System (SPRS) prior to contract award.
What you need to do
- Create a NIST 800-171 System Security Plan
- Score the System Security Plan using the DoD Assessment Methodology
- Email the score to the DoD UPDATE (10/6/20)
The Free ComplyUp NIST 800-171 DoD Assessment Methodology Scoring Tool makes this super easy. Just click a box for each requirement, and the tool spits out a customized email ready to be sent to DoD. Once received, DoD will enter your results into the Supplier Performance Risk System. Nothing to it.
