SPRS, CMMC, FIPS Validation, and the Latest DFARS

I’ve written snippets of several potential blog posts on the Cybersecurity Maturity Model Certification, only to be thwarted each time by the shifting landscape. This time, the Supplier Performance Risk System (SPRS) needs discussion in particular. I always try to balance timeliness with the goal of creating “evergreen” content, the kind of blog post that will still be helpful a month later, a quarter later, even a year or two later… but even as I write this, new information is coming out, so here it is. The planned fifteen ‘pathfinder’ DoD contracts slated to include CMMC for the first time have been released… but it’s only seven. There are some cool use cases though!

U.S. Navy
Integrated Common Processor
F/A-18E/F Full Mod of the SBAR and Shut off Valve
DDG-51 Lead Yard Services / Follow Yard Services

U.S. Air Force
Mobility Air Force Tactical Data Links
Consolidated Broadband Global Area Network Follow-On
Azure Cloud Solution

Missile Defense Agency
Technical Advisory and Assistance Contract

Here is what you need to know today and moving ahead.

Officials for CMMC continue to train assessors and work through their action items, while another initiative based on NIST 800-171 has recently been fired up to help bridge the gap. Multiple Defense Federal Acquisition Regulation Supplement (DFARS) rules have been published in this area, including the proposed rule DFARS 2019-D009 and the interim rule DFARS 2019-D041, to expand the role and use of the Supplier Performance Risk System (SPRS). Essentially, Defense Industrial Base (DIB) companies are being directed to step up their NIST 800-171 self-assessments in anticipation of CMMC. A new scoring methodology has been established and the DFARS calls for it to be completed and provided via the self-serve SPRS.

The updated self-assessment and scoring are not intended to supplant CMMC, in fact the DFARS rule is explicit that it should not be duplicative and instead should support the inclusion of CMMC as a requirement in future contracts. From where I’m sitting, this makes a lot of sense. It will tighten up the expectations for self-assessments and dovetail nicely with the efforts of C3PAOs (CMMC Third Party Assessment Organizations) to officially memorialize the same checklist when they are ready to do so.

The key ingredient is 800-171, of course. It is the basis for measurement, whether in self-certification or by independent assessors. Many folks forget the actual name of the publication, but NIST SP 800-171 is “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. That’s a big task, and reminds me of classic sayings like “How do you eat an elephant? One bite at a time.”

Practitioners should not be surprised that a document published by NIST repeatedly relies on FIPS-validated encryption to protect Controlled Unclassified Information (CUI) in every circumstance. NIST 800-175A, the Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies, is a valuable resource for reference and it does the same. They are intentionally assembling building blocks that fit together, not competing and contradicting each other.

So let’s cut to the chase - 800-171 has security requirements that specifically call for validated crypto. 3.13.11 is the most blunt, which reads:

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

That’s pretty direct. I’m currently working on a whitepaper that will delve into 800-171 requirements in more detail, but it is a constant in this sea of change. NIST 800-171 calls for FIPS validated encryption, so CMMC will require it at Level 3 and SPRS will ding you points for not having it. Note that CMMC doesn’t allow for POA&Ms, so you need to have that FIPS 140 validation complete and in place to receive your certification.

This is where we shine. SafeLogic’s CryptoComply + RapidCert tandem solution will have you immediately compliant and validated within 8 weeks. Nobody else can do that, so if you’re like most of the DIB and still need FIPS 140 validation to move forward, come talk to SafeLogic. We’re ready.