DFARS, NIST 800-171, SPRS, and CMMC 2.0 Explainer for DIB Contractors


If you’d like to know more about how DFARS, NIST 800-171, SPRS, and CMMC all work together, you’ve come to the right place. In this blog, we’ll discuss how these regulations, standards and tools all work together for thorough DoD compliance. 

Interplay of DFARS vs NIST 800-171 vs SPRS vs CMMC


The Defense Federal Acquisition Regulation Supplement (DFARS), established in 2015 by the U.S. Department of Defense, outlines DoD regulations. DFARS is focused on protecting the confidentiality of Controlled Unclassified Information (CUI). In order to be awarded new DoD contracts, a contractor or supplier must be in compliance with this set of cybersecurity regulations. As of June 2022, the DFARS 7019 clause makes compliance with the NIST 800-171 controls and the submission of a NIST 800-171 SPRS score mandatory.

NIST 800-171, published by the National Institute of Standards and Technology, is a set of controls that outline exactly what must be in place to establish a sufficient information security program. NIST 800-171 is holistic and in line with leading security standards, and focuses on ensuring appropriate coverage of controls across the entire cyber ecosystem. DFARS requires compliance with NIST 800-171, since the DFARS regulations rely on the NIST 800-171 controls.

The Supplier Performance Risk System (SPRS) is a self-certification scoring method based on the NIST 800-171 control framework. The SPRS provides contracting officials with a score of the overall risk of the supplier. SPRS scores must be supplied to the DoD using the designated systems. Current scores must be maintained; they cannot be more than 3 years old.

CMMC 2.0 brings DFARS, SPRS, and NIST 800-171 together. CMMC is a unifying standard for security implementation across the Defense Industrial Base (DIB). CMMC ensures that DIB companies establish appropriate cybersecurity practices and processes to protect Federal Contract Information (FCI) and CUI. CMMC applies to DIB organizations whose unclassified networks possess, store, process, or transmit FCI and CUI.

CMMC 2.0 Assessment Guide

CMMC Assessment version 1.0 includes 5 levels, and CMMC Assessment version 2.0 includes 3 levels. ControlCase has further broken Level 2 down into two sections:

  • Level 1 (FCI only): Self-assessment (optionally assisted by ControlCase)
  • Level 2a (CUI in addition to FCI): The information that you manage is not critical to national security – Self-assessment (optionally assisted by ControlCase)
  • Level 2b (CUI in addition to FCI): The information that you manage is critical to national security – C3PAO assessment (once every three years)
  • Level 3 (CUI in addition to FCI): The information you manage involves the highest-priority, most critical defense programs – Government audit (once every three years)

Steps for a Company to Achieve DoD Compliance

To initiate the process of obtaining DoD compliance, complete a self-assessment against the NIST 800-171 framework and determine your score.

For entities with FCI and CUI within their unclassified networks, use the following steps:

  • Document your CUI System Security Plan (SSP).
  • Perform an assessment of all NIST 800-171 controls, as documented in your CUI SSP, including formal evidence collection and reporting.
  • Calculate your NIST 800-171 score, as required by DFARS 7019.
  • Document any deficiencies, with remediation steps, in a Plan of Action and Milestones (POA&M) document.
  • Complete your affirmation using the SPRS.
  • Maintain evidence of your NIST 800-171 compliance to avoid DoJ False Claims Act investigations.

ControlCase Continuous Compliance Services

Continuous Compliance services help companies reduce time, cost, and burden while maintaining ongoing control over their security posture. Making compliance a continuous process instead of a point-in-time exercise allows protection to remain thorough and current.

ControlCase, a CMMC Registered Provider Organization, can assist companies with self-assessment and controlled assessment against NIST 800-171, and with SPRS scoring. In addition to federal regulations, ControlCase is a formal auditor for other standards such as PCI and ISO.


© ControlCase LLC 2023