NIST 800-171 Basic Assessment Reporting To SPRS

ComplianceForge Support

For organizations in scope for NIST 800-171, the self-imposed November 30, 2020 deadline is fast approaching for many subcontractors to submit the results of their “basic assessment” to the Supplier Performance Risk System (SPRS). There is a good overview of the process at https://www.cmmcaudit.org/how-to-submit-a-nist-sp-800-171-self-assessment-to-sprs/. In summary, a contractor has to report the following self-assessment results to SPRS:

  1. The name(s) of the System Security Plan (SSP) (this might just be “[project name] SSP”);
  2. CAGE code associated with the contract;
  3. A brief description;
  4. Date of the self-assessment;
  5. The total score (out of 110); and
  6. The projected date that your organization will attain a score of 110.

The CMMC Center of Awesomeness (CMMC-COA) has a free Excel-based tool to help you calculate your “basic assessment” score. It is part of the CMMC-COA spreadsheet that is available at https://www.cmmc-coa.com/


NIST SP 800‑53 R5 Control Families

This release includes a total of 1,189 controls, organized into 20 families:

  1. Access Control
  2. Awareness & Training
  3. Audit & Accountability
  4. Assessment, Authorization & Monitoring
  5. Configuration Management
  6. Contingency Planning
  7. Identification & Authentication
  8. Incident Response
  9. Maintenance
  10. Media Protection
  11. Physical & Environmental Protection
  12. Planning
  13. Program Management
  14. Personnel Security
  15. Personally Identifiable Information (PII) Processing & Transparency
  16. Risk Assessment
  17. System & Services Acquisition
  18. System & Communications Protection
  19. System & Information Integrity
  20. Supply Chain Risk Management

This count includes deprecated controls that have been removed or folded into others. Some controls are not categorized under baselines—low, moderate, high, or privacy—per NIST SP 800‑53B.

ComplianceForge provides full 1:1 mapping of all 20 families and their controls in its CDPP documentation.