What does this mean? In simple terms if you have not:
1. Assessed your cybersecurity against NIST 800-171,
2. Scored it using the NIST required method, and
3. Reported it via the DoD Supplier Performance Risk System (SPRS)
Your organization will NOT be considered for new / renewal contract awards starting 16 August 2021.
Placing this in the larger context, the DLA is requiring Defense Industrial Base (DIB) contractors to prepare for the Cybersecurity Maturity Model Certification (CMMC) now. By requiring the SPRS score as a condition to have the opportunity for new work and with the SPRS reporting requirements added 30 November 2020 to the Interim Cyber DFARS, it makes it very difficult for an organization in the defense sector to not report their SPRS score.
While it is important to note there is no requirement that the SPRS score must meet or exceed a minimum score threshold, it is reasonable to think that a score of 107, for example, will be looked upon more favorably than a -192. In the past, an organization could attest they were meeting NIST 800-171, and working their POAM. Now they must quantify in starkly measurable terms that allows the Contract Officers and others within the DoD to have a clear understanding of your internal cybersecurity posture.
The question becomes 'how does your organization's SPRS score represent your cyber worthiness'? Will it show that your company can protect the interest of the USA, or will it indicate something less? Don't let a poor score reduce your chances of obtaining new awards.
B. Riley Advisory Services has experienced Cybersecurity Leaders who have been working with the DOD, DIB, NIST, Primes and Suppliers since before the original cyber DFARS. For help, or more information, click here.