CMMC News by Jun Cyber

Navigating DFARS Clause and Cybersecurity Assessments for DOD Contracts

Wilson Bautista Jr.


🔍 Want to stay ahead in the world of government contracts and cybersecurity? Dive into our latest CMMC News episode where we explore the NIST SP 800-171 DoD Assessment Requirements. It's all about breaking through the wall of acronyms and jargon to ensure you know exactly what the Department of Defense expects when it comes to protecting sensitive information.

Here are 3 key takeaways:

  • Understand Assessment Levels: We break down the three types of cybersecurity assessments — Basic, Medium, and High — and what each level of confidence means for your contract requirements with the DoD.
  • Supplier Performance Risk System (SPRS): Learn how all assessment scores are recorded in SPRS, the centralized database that helps the DoD gauge the cybersecurity health of their contractors.
  • Subcontractor Compliance: Discover how these requirements flow down to subcontractors and what obligations primes have to ensure their partners are compliant.

Stay informed, secure those contracts, and fortify your cybersecurity posture! 🎧🔒

#Cybersecurity #DoD #NISTSP800171 #GovernmentContracts #CMMCNews


Alright. So you're trying to, you know, work with the Department of Defense. You're trying to get into the whole world of government contracts, and, suddenly, you're hit with this, like, wall of acronyms. Right. DFARS, NIST, SP, SPRS. Mhmm. What do all these things even mean? And more importantly, what do they mean I need to do? Yeah. And this can be especially overwhelming when it comes to cybersecurity, which is a, you know Absolutely. A huge deal. Cybersecurity is paramount, and it's not just checking a box. Right. You know, it's about protecting controlled unclassified information Yeah. And the integrity of the defense industrial base supply chain. Absolutely. So today, we are going to do a deep dive into a really important document about all of this. K. The NIST SP 800-171 DoD Assessment Requirements. Right. Specifically, DFARS clause 252.204-7020. Got it. So we're gonna really pull apart this government document and see what it means for you, the listener. Yeah. Our goal here is to move beyond all this jargon and figure out what these different types of assessments are. How do they apply to your work with the DoD? Okay. And what is the significance of this thing called SPRS, the Supplier Performance Risk System? By the end of this deep dive, you should have a much better understanding of what the DoD is looking for in terms of cybersecurity. Okay. Specifically, what types of assessments they're using Uh-huh. And when these assessments apply to you. Alright. So let's get started by looking at the different types of assessments that are outlined in this clause. Okay. Cool. So first up, we have the basic assessment. Right. And the most important thing to remember here is that this is a self-assessment. That's right. So you, the contractor, you're evaluating your own system security plan, your SSP, for any covered contractor information system. Right.
And covered contractor information system is actually defined in a different DFARS clause, 252.204-7012. Well. Okay. Basically, it means any information system that you're using that processes, stores, or transmits what's called covered defense information. So think of it as, like, sensitive nonpublic information related to a DoD contract that needs to be protected. Right. So, basically, anything that is, you know Not public knowledge. Not public knowledge that needs to be kept safe and secure. Exactly. Okay. So for these systems that are handling this kind of information, you're gonna conduct this self-evaluation of your SSP using the NIST SP 800-171 DoD Assessment Methodology. Right. So what's the real takeaway about this basic assessment? The big thing to remember is that this is a self-assessment, so it has a low confidence level. Okay. You're grading your own homework, basically. Right. Right. So it's basically like, hey. You know, fill out this form. Tell us that you're doing everything right. Right. Exactly. And we'll kinda take your word for it for now. Exactly. And that makes sense. You know? There needs to be some level of trust. Right. But, obviously, they need to verify. Yeah. So then we bump it up a notch, and we go to the medium assessment. And now this is where things change a little bit because this assessment is conducted by the government. That's right. So the government's gonna take a look at the basic assessment that you've already done. Okay. They're also gonna do a pretty thorough review of your security documentation. Uh-huh. And they're gonna have some in-depth discussions with you to really make sure they understand what you're doing. So they're gonna make sure that you're not, you know, lying on your self-assessment, basically. Well, yeah. They wanna make sure that it's accurate Right. And that there's nothing that's been missed. Okay.
So with this, you know, extra level of government oversight, the confidence level increases. Right. So the medium assessment has a medium confidence level. Okay. Because they've actually looked at it Got it. And reviewed it and talked to you about it. Alright. So then we go up to the top level, which is the high assessment. Okay. And this one sounds pretty intense. It is definitely the most rigorous of the three. Okay. The highest assessment is also done by the government. Mhmm. But it uses a different standard, NIST SP 800-171A. Okay. So NIST SP 800-171 lays out the security requirements themselves. But 800-171A is the assessment methodology that the government is gonna use Okay. To make sure that you're actually implementing those controls correctly. So it's like 171 is the what and then 171A is the how. Exactly. Got it. You got it. Okay. So what exactly does this high assessment entail? They're gonna do everything that's in the medium assessment. Okay. So they're gonna look at your basic assessment, your documentation, and they're gonna have discussions with you. Mhmm. But they're gonna go a step further, and they're gonna actually verify Okay. And examine and observe demonstrations of your security controls in action. So they're really gonna get down in the weeds and make sure that you're Yes. You're not just saying you're doing it, but you're actually doing it. That's right. They wanna validate that you're actually implementing the NIST SP 800-171 security requirements. Wow. Okay. So I'm guessing the confidence level here is the highest. Absolutely. The high assessment has a high confidence level. Okay. It's the most rigorous assessment. Gotcha. So it provides the highest level of assurance that you have the necessary security controls in place and that they're working. Alright. So just to recap, we've got these three levels. Yeah.
Basic, you do it yourself, low confidence Yep. Medium, government kinda checks your work, medium confidence That's right. And then high, the government really digs deep. Mhmm. High confidence. Exactly. Okay. So who exactly do all these requirements apply to? That's a great question. I'm assuming not everyone who works with the DoD? Well, it depends. Okay. So this clause applies to any covered contractor information system that is required to comply with NIST SP 800-171. Okay. And that requirement to comply with NIST SP 800-171 usually comes from DFARS clause 252.204-7012. Okay. So, basically, if your DoD contract involves handling nonpublic information that the government considers sensitive Mhmm. You know, that covered defense information we talked about Right. Then you're most likely gonna fall into these requirements. Mhmm. Got it. So if you're working with that information, these assessment requirements are gonna apply to you. Exactly. Okay. So let's say the government decides they wanna do a medium or high assessment on my company's systems. Okay. What am I expected to do as the contractor? This is really important. Okay. You have to give the government access to your facilities, systems, and personnel Oh, okay. So they can actually conduct these assessments. So, basically, you can't be like, oh, you know, sorry. Can't come in today. Right. You have to cooperate with them. Got it. They need to be able to do their job. Okay. So we talked about the different types of assessments. Mhmm. We talked about who they apply to. Right. Now let's dig into this thing called SPRS. Right. The Supplier Performance Risk System. The Supplier Performance Risk System is where all this information is going to be stored. Okay. So all the summary level scores for all the assessments, whether it's basic, medium, or high Mhmm. They're all gonna be recorded in SPRS.
So this is kind of like the central database? It's a central repository that gives the DoD a really good overview of the cybersecurity posture of their contractors. Okay. And so that way, they can kind of understand the risk Makes sense. Across the entire supply chain. Exactly. Alright. So let's say, my company, we do a basic assessment. Okay. How does that information get into SPRS? You're gonna submit your basic assessment score to SPRS through a specific process. Okay. Okay. And it has to be via encrypted email. Okay. So they're taking security seriously. Absolutely. Alright. So what information needs to be in this email? There's some very specific things that you need to include. Alright. Let's run through it. Okay. So you have to tell them what version of NIST SP 800-171 you used for your assessment. Okay. You need to tell them who did the assessment, which in this case is gonna be your own organization. Mhmm. And then for each system security plan that supports your DoD contract Okay. You need to list the relevant CAGE codes. Okay. CAGE codes. Just to remind our listeners That's right. Those are the Commercial and Government Entity codes. Got it. And then you're gonna give them a brief description of the system security plan's architecture Okay. Especially if you have multiple SSPs. Right. That cover different parts of your environment. Makes sense. You also have to tell them when the assessment was completed Okay. The summary level score Mhmm. And the date that you anticipate achieving a score of 110. Okay. So that means implementing all of the requirements. Exactly. So just to be clear, that summary level score, we're talking about the total score That's right. Not the individual scores for each requirement. Exactly. Got it. Okay. So let's say I'm a company, and I have several different SSPs Okay. That apply to my DoD work. Is there a specific way I need to format all that information in the email? Yes.
There's a very clear format that they lay out in the clause. Okay. For each SSP, you're gonna list the associated CAGE codes Mhmm. The architecture description, the date the assessment was completed, the total score Yep. And the target date for achieving a score of 110. Okay. So very clear, very organized. That's right. They wanna make sure they can easily understand the information. That makes sense. Alright. So that's for basic assessments. Uh-huh. What about medium and high? How do those scores get into SPRS? For medium and high assessments, the DoD is gonna post those scores directly into SPRS themselves. Okay. Because, remember, those are conducted by the government. Right. So they're gonna include a lot of the same information that you would include for a basic assessment. Okay. So the standard that was assessed against Uh-huh. The organization that did the assessment. Okay. So that would be like DCMA. Right. DCMA, the Defense Contract Management Agency. Okay. And they'll include their DoDAAC, which is their Department of Defense Activity Address Code. Oh, right. They'll include the CAGE codes for your organization Uh-huh. A brief description of the architecture of the SSP Mhmm. The date of the assessment, and the level, whether it's medium or high Okay. The summary score, and the expected date for full implementation. Got it. So it sounds like whether it's a self-assessment or a government assessment, the goal is to have all this information in SPRS so the DoD can see it. Exactly. Okay. So let's say I disagree with the findings of a medium or high assessment. Yeah. Can I do anything about that? Yes. There's a process for rebuttal. Okay. So before the DoD posts those scores to SPRS, they're gonna give you the preliminary score. Okay. And you have a chance to submit a rebuttal. So, basically, they're gonna say, hey. We think you got this score. Right. And you can say, woah. Woah. Woah. Hold on a second. Exactly. Okay.
And the details of that process are in the SPRS user's guide Okay. Which is really important to familiarize yourself with. Alright. So how long do I have to submit this rebuttal? You get fourteen business days. Okay. That seems reasonable. Yeah. Alright. So once all these assessment scores are in SPRS Mhmm. Who can see them? Are they public? No. This information is not public. Yeah. It's only accessible to authorized DoD personnel. Okay. And it's protected in accordance with DoD Instruction Mhmm. 5000.79. Okay. And what about me as the contractor? Can I see my own company's score? Yes. You can access SPRS to see your own scores. Okay. And, again, the SPRS user's guide for awardees/contractors will tell you exactly how to do that. Got it. How to access the system and how to find your scores. Alright. I'm looking at the clause here. Mhmm. And it says that high assessments might result in additional documentation Right. Beyond just the score. That's an important point. So what's that about? A high assessment is very thorough. Okay. So it might generate a lot of detailed findings and documentation Okay. That goes beyond just that numerical score. Alright. And that information is going to be treated as CUI, controlled unclassified information. Okay. And it's for internal DoD use only. So it's not gonna be shared outside the DoD. Exactly. Got it. And they're gonna protect it from unauthorized disclosure. Okay. And the clause even mentions that FOIA exemptions might apply. Right. The Freedom of Information Act. That's right. So, like, exemption four, which protects trade secrets and confidential commercial information. Okay. So they're really taking the protection of this information seriously. So this is really information that the DoD is using for their own purposes. Yeah. For their internal risk management. To kind of assess the situation. Exactly. Okay. So now let's talk about subcontractors. Right.
How do these assessment requirements flow down to the companies that are working under the prime? This is really important. Yeah. Because a lot of times, you know, the primes are big companies Right. And they're working with a bunch of smaller companies. Exactly. So how does this all work? So prime contractors have to include the substance of this clause Okay. In all of their subcontracts Okay. Except for COTS subcontracts. Right. COTS, commercially available off-the-shelf. Exactly. So if you're just buying something off the shelf, you don't need to worry about this. Okay. But if you're having a subcontractor develop something for you or provide a service, then you need to make sure they're aware of these requirements. So if I'm a prime, I need to make sure my subs are aware of this Absolutely. And potentially need to comply. Yes. And in fact, if a subcontractor is subject to NIST SP 800-171 under the prime contract Okay. You as the prime, you're not allowed to award that subcontract unless the sub has completed at least a basic assessment within the last three years. Oh, wow. Okay. So that's Yeah. That's pretty serious. It is. There's an exception if the sub's information system is part of a government-operated IT service. Okay. So there are some exceptions, but in general? In general, they need to have that assessment done. Alright. So what if I'm a sub and I don't have a current SPRS score? If you don't have a score that's less than three years old Uh-huh. You can do a basic assessment yourself. Okay. And then you can submit that score to SPRS. And then I'm good to go. And then you're good to go. Okay. So this is all about making sure that everyone in the supply chain is on the same page. Exactly. When it comes to cybersecurity. The DoD wants everyone to have a good cybersecurity posture. That makes sense. Alright. So let's recap. Alright. We did a deep dive into the NIST SP 800-171 DoD Assessment Requirements Uh-huh.
As outlined in DFARS clause 252.204-7020. Right. We talked about the three types of assessments, basic, medium, and high Yep. Different levels of confidence That's right. Then how this all feeds into SPRS, the Supplier Performance Risk System Exactly. Which is the central database where the DoD is tracking all of this. Right. So this isn't just about checking a box. No. It's not. This is really about protecting sensitive information That's right. And ensuring the integrity of the defense industrial base. Absolutely. It's about trust. Yes. It's about making sure that everyone's doing their part Exactly. To keep this information safe. And it impacts your ability to get DoD contracts. Absolutely. So it's really important to understand this. So if you're working in the DIB, make sure you understand these different types of assessments. Yep. How to submit information to SPRS and what your obligations are when it comes to subcontractors. Absolutely. So here's a thought to leave you with. Okay. We've got this multi-tiered approach to cybersecurity Uh-huh. And this SPRS system that provides visibility across the entire DIB. Right. How do you think this is going to shape the overall cybersecurity of the defense industrial base in the years to come? That's a great question. Is this gonna lead to a stronger, more secure DIB? It's definitely something to think about. Thanks for joining us for this deep dive. Thanks for having me. We'll see you next time.
