As we previously reported, the Department of Defense (DoD) has issued an interim rule that requires all contractors and subcontractors that store, process, generate, transmit or access “covered defense information” to conduct a self- assessment of compliance with NIST SP 800-171 using the DoD Assessment Methodology. Contractors must post their self-assessment scores on the Defense Information Systems Agency-run database, the Supplier Performance Risk System (SPRS).
Beginning December 1, 2020, where covered defense information will be involved in contract performance, DoD cannot award a prime contract, and primes cannot award subcontracts, to any company that does not have a current assessment in SPRS. Covered defense information is essentially any information provided by DoD or produced by a contractor in connection with contract performance that is subject to access or dissemination controls (e.g., export controlled data or controlled technical documents, drawings, or specifications).
We have heard anecdotally that the SPRS registration process is somewhat time consuming and requires the transfer of information from an entity’s SAM registration. Companies that wait until the last minute to begin the registration process may find themselves ineligible for awards. In particular, companies that have not previously assessed their compliance with NIST SP 800-171 (or had a third party do so) will have a significant amount of work to determine their DoD Assessment score.
The recommendations in this article provide further guidance on the assessment process and next steps for contractors and subcontractors.