by Ian MacRae
President and CEO, E-N Computers
25+ years experience solving business IT problems in Virginia and Washington, D.C.
As a contractor subject to CMMC, correctly calculating your SPRS score can be stressful. You must honestly analyze the status of your security measures and then submit them to the federal government. A low score can limit your ability to win contracts, while posting inaccurate scores — whether intentionally or not — can also have serious consequences.
E-N Computers is a Registered Practitioner Organization with three Registered Practitioners: me, Thomas Kinsinger, and Jonathan Lambert. I am also a Certified CMMC Professional (CCP) working toward my assessor certification (CCA).
QUICK ANSWER:
How should your SPRS score be calculated and what will it cost?
A gap analysis is the most effective way to get an accurate SPRS score. In a CMMC Level 2 gap analysis, we determine which systems are in scope, document your current position, and identify gaps. You'll walk away with a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M) auto-generated by our GRC software of choice, FutureFeed. The cost of our gap analysis is around $3,000 for a three- to four-month engagement, plus $6,000/year for your FutureFeed subscription.
What is an SPRS score?
Your SPRS score represents how compliant you are with the 110 security requirements in NIST SP 800-171 Rev. 2. SPRS stands for Supplier Performance Risk System, the web app the Department of Defense uses to track this data.
An SPRS score can range from -203 to 110. Under the current scoring system (the DoD Assessment Methodology for NIST SP 800-171), you start at 110 and subtract points for each requirement that is not met. There are 110 requirements, but each is weighted at 1, 3, or 5 points, so one unmet high-impact requirement costs you 5 points. Only two requirements allow partial credit: multi-factor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) deduct 3 points instead of 5 when they are partly implemented. It's quite common to have a negative score on your first assessment. One of our clients did a significant amount of work to reach a score of six!
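To make the arithmetic concrete, here is a small Python scorer we have added for illustration; it is not part of the DoD methodology, SPRS, or FutureFeed. It applies the rules above to a constructed set of findings: start at 110, deduct each unmet requirement's weight, apply the two partial-credit cases, refuse to produce a score without an SSP (3.12.4), and refuse to treat an unassessed requirement as met. The eight weights shown are the ones the methodology assigns to those requirements; for a real assessment, load the complete table from the methodology's Annex A rather than this subset, and verify it against the current edition.

```python
"""SPRS score calculator for a NIST SP 800-171 Rev. 2 self-assessment.

Added example, not from the original article or the DoD methodology itself.
Rules implemented: start at 110, subtract the weight (1, 3 or 5) of every
requirement assessed NOT_MET, with partial credit (3 instead of 5) for
3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography). WEIGHTS is a subset
for illustration; a real assessment needs all 110 requirements.
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203  # documented floor when every weighted requirement is NOT_MET

# Weights for a handful of requirements (subset of the methodology's Annex A).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users, processes, devices
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain audit logs
    "3.3.2": 3,    # trace actions to individual users
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.5.7": 1,    # password complexity
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
}

# Partial credit: 3 points off instead of 5 when MFA covers privileged and
# remote users but not general users, or when encryption is in use but not
# FIPS-validated.
PARTIAL = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Finding:
    control: str
    status: str        # "MET", "NOT_MET", or "PARTIAL" (3.5.3 / 3.13.11 only)
    evidence: str = ""  # what you would show an assessor


def sprs_score(findings, has_ssp=True, weights=WEIGHTS):
    """Return (score, deductions) where deductions maps control -> points lost.

    3.12.4 (System Security Plan) carries no weight: without an SSP the
    methodology says no score can be produced at all. Every weighted
    requirement must appear in findings; an unassessed one is not 'met'.
    """
    if not has_ssp:
        raise ValueError("3.12.4 not met: without an SSP no score can be reported")
    missing = sorted(set(weights) - {f.control for f in findings})
    if missing:
        raise ValueError(f"unassessed requirements cannot be treated as met: {missing}")
    deductions = {}
    for f in findings:
        if f.status == "MET":
            continue
        if f.status == "PARTIAL":
            if f.control not in PARTIAL:
                raise ValueError(f"{f.control} has no partial-credit rule; grade it MET or NOT_MET")
            deductions[f.control] = PARTIAL[f.control]
        elif f.status == "NOT_MET":
            deductions[f.control] = weights[f.control]
        else:
            raise ValueError(f"unknown status {f.status!r} for {f.control}")
    score = MAX_SCORE - sum(deductions.values())
    assert MIN_SCORE <= score <= MAX_SCORE
    return score, deductions


# Constructed findings for the example; the evidence strings are invented.
SAMPLE_FINDINGS = [
    Finding("3.1.1", "MET", "access via directory groups, reviewed quarterly"),
    Finding("3.1.3", "NOT_MET", "no controls on where CUI can be copied or sent"),
    Finding("3.3.1", "MET", "central log collection, 1-year retention"),
    Finding("3.3.2", "NOT_MET", "shared admin account on the file server"),
    Finding("3.5.3", "PARTIAL", "MFA on admins and VPN, not on workstation logon"),
    Finding("3.5.7", "MET", "complexity enforced by domain policy"),
    Finding("3.13.11", "PARTIAL", "disk encryption on, FIPS mode not enabled"),
    Finding("3.14.1", "NOT_MET", "no patch SLA; critical patches over 90 days old"),
]

if __name__ == "__main__":
    score, lost = sprs_score(SAMPLE_FINDINGS)
    for control, points in lost.items():
        print(f"{control}: -{points}")
    print(f"score: {score} (on this {len(WEIGHTS)}-requirement subset)")
```

Note that the two PARTIAL findings cost 3 points each rather than 5, while the unmet 3.14.1 costs the full 5; that is the difference between a "high impact" and a "low impact" requirement in practice. Swapping the subset for the full Annex A table is all that changes for a real assessment.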
You don’t need a perfect score right away. It’s more important to submit an accurate score and assessment. Failure to do so can make you liable under the False Claims Act, resulting in loss of contracts and fines. For example, the Department of Justice brought a case against Aerojet Rocketdyne for misrepresenting its compliance with cybersecurity requirements. The case was settled out of court for $9 million.
To achieve CMMC Level 2 certification, you'll have to reach a minimum score of 88 out of 110 and have a Plan of Action and Milestones (POA&M) for the remaining items; a certification granted with open POA&M items is conditional, and those items must be closed out within 180 days. There are also restrictions on what can be included in the POA&M: only certain lower-weighted requirements are eligible, so a 5-point requirement that is not met cannot be deferred. We urge contractors and subcontractors subject to CMMC to start now; CMMC requirements will begin to roll out in contracts starting in 2025 and it can take a year or more to become compliant.
Can I do a self-assessment?
You can do a self-assessment, but it's not the best move. In SPRS, each score is accompanied by a confidence rating. A self-assessment (a Basic assessment) is recorded with a "Low" confidence rating because nothing in it has been verified by the government, and in our experience companies that self-assess tend to rate themselves higher than they should. This is usually because they did not:
- Properly scope the assessment. They may leave out systems that should be assessed, or assess them against the wrong set of controls.
- Evaluate each in-scope system against each control.
- Understand what is needed to meet the control requirement.
The best way to get an accurate assessment of your security posture is to work with a Registered Practitioner (RP). RPs are experienced consultants who have received specialized training on CMMC and passed an exam. We offer an outside view with a more comprehensive understanding of what to look for. We can also help you avoid buying expensive technical solutions you don't need.
Complete a gap analysis to get your SPRS score
A gap analysis produces the assessment behind the score you submit to SPRS. It compares your technical implementation and policies against a standard framework to identify weaknesses. In a gap analysis, you will:
- Define the scope. This means you will identify which systems and staff handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Document your current position per control per system that is in scope. Many organizations use a mix of on-premises and cloud technologies for email, file sharing, and identity management. Your compliance must be documented for each of these that touches government data.
- Identify where you need to close gaps. A gap analysis is a snapshot in time, so we grade each control as "Met" or "Not Met"; a control that is only partly implemented is "Not Met". Those "Not Met" items are your gaps that need to be remediated.
Here’s an example of what the assessment overview looks like in FutureFeed, our preferred GRC software.
Legend
- Green: Met
- Red: Not Met
- Blue: Unknown
- Gray: Not applicable
[Screenshot: FutureFeed assessment overview, CMMC Level 1 controls]
[Screenshot: FutureFeed assessment overview, CMMC Level 2 controls]
What is the difference between gap analysis and a regular CMMC consultation?
There are at least two key differences between gap analysis and a regular CMMC consultation engagement.
- Length of the engagement: Gap analysis is a short-term project, usually three to four months. A full CMMC consultation can easily be 12 to 18 months.
- Deliverables and focus: Gap analysis provides you with an SPRS score, documentation to support that score, System Security Plan (SSP), and Plan of Action and Milestones (POA&M). Minimal coaching is provided since the focus is on assessment rather than remediation. CMMC consulting offers comprehensive guidance on policies and technical implementation details and preparation for what to expect during your official assessment.
For example, one requirement is that you have an Acceptable Use Policy (AUP) that dictates the behavior of employees that interact with your data and systems. In a gap analysis, we ask for your policy, you produce what you have, and we document it. If you don’t have one, we mark it as “Not Met”. In a consulting engagement, we help you draft an AUP or revise an existing one to make it more robust.
Who should be involved, and what will they do?
You’ll need some executive buy-in to kick things off and to support process change once gaps are identified. We find that gap analysis runs smoothest when one or more of the following management roles are included on your CMMC assessment team:
- Operations
- Compliance
- Quality Control
- HR
- IT (should not be the only one responsible unless you are a very small organization)
We want to be straightforward here: you will do about 75% of the work, and we will do about 25%. You will provide information on your policies and technical implementation of security controls. We will provide:
- Scoping guidance so that we only spend time on the data, systems, and users that matter
- Knowledge of the 17 controls needed for FCI and 110 controls needed for CUI and how they apply to each of your in-scope systems
- Experience that informs what to look for to produce an accurate score
- Limited coaching to help you avoid spending time, energy, and money on things that don't matter
How much does a CMMC Level 2 gap analysis cost?
We quote a CMMC Level 2 gap analysis at $3,000. It includes 12 one-hour meetings over a three-to-four-month period and is led by one of our Registered Practitioners. Based on the information your assessment team provides, we do the following:
- Document the scope of the assessment
- Assess against the NIST 800-171 framework’s 14 control families, 110 controls, and 320 objectives.
- Document policies, procedures, and assessment evidence
- Provide examples and guidance for implementing controls and policies
- Build a Plan of Action and Milestones (POA&M)
Because of the complexity of organizing documentation and related work, we require clients seeking CMMC Level 2 certification to subscribe to FutureFeed GRC software for about $6,000/year, billed monthly. You'll find FutureFeed immensely useful after the gap analysis as you continue on your CMMC journey. Here's why we think FutureFeed is the best GRC tool for CMMC.
Total: $9,000 for gap analysis and one year of FutureFeed access
How does the cost compare to CMMC consulting?
CMMC Level 2 consulting costs about $1,500 per month, depending on the size and complexity of your organization. We include the cost of FutureFeed in our consulting fees.
Can you prove it?
Some controls are easier to prove compliance for than others. For example, it's pretty easy to prove that you have multi-factor authentication enabled in Microsoft 365: an export of the Conditional Access policies (or Security Defaults setting) that require it, plus sign-in logs showing MFA was satisfied, is evidence an assessor can check. A complete and accurate inventory is much harder to produce. You can use an automated tool that does a network scan, but these have limitations: they have to be properly configured, they may not catch every device (anything powered off or on another network segment during the scan is missed), and the same device can end up listed twice when two tools report it differently. So there may still be a fair amount of manual work to maintain an accurate inventory.
Let’s imagine a scenario where you handle both FCI and CUI. In your organization of 100 employees, 10 people have CUI (subject to 110 controls), 30 have FCI (subject to 17 controls), and the rest are out-of-scope. Even though only 40 people handle government data, you need to maintain a complete list of assets all your employees and subcontractors use to do work, including those subject to a Bring Your Own Device (BYOD) policy.
Why do you need a list of every device? One of the assessment objectives for requirement 3.1.1 says that "system access is limited to authorized devices (including other systems)". The only way to know whether you meet this is to keep an accurate list of authorized devices and compare it with what is actually connecting, including the devices that 1099 subcontractors use to access or process government data.
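Here is an added example of that comparison in Python; it is our illustration, not FutureFeed output and not part of any DoD guidance. It reconciles a network-scan export against an MDM export: both data sets are constructed for the example and the column names are invented, so expect real tools to differ. It normalizes MAC addresses (the most common reason the same laptop shows up twice), then reports every device seen on the CUI network that is not on the authorized list, distinguishing unmanaged devices from managed ones that are not authorized for CUI, and lists authorized devices the scan did not see.

```python
"""Reconcile devices observed on the CUI network against the authorized list.

Added example, not from the original article. Supports 3.1.1 ("system access
is limited to authorized devices") by merging two constructed exports,
collapsing duplicates caused by MAC formatting differences, and flagging
anything on the network that is not authorized for CUI.
"""
import csv
import io
import re

# Constructed network-scan export. Two tools often format MACs differently,
# and the same laptop was reported twice here (rows 2 and 3).
SCAN_CSV = """ip,mac,hostname
10.10.5.21,AA:BB:CC:DD:EE:01,ENG-LAPTOP-01
10.10.5.22,aa-bb-cc-dd-ee-02,eng-laptop-02
10.10.5.22,AA:BB:CC:DD:EE:02,ENG-LAPTOP-02
10.10.5.40,AABB.CCDD.EE40,
10.10.5.41,AA:BB:CC:DD:EE:41,PRINTER-2F
10.10.5.60,AA:BB:CC:DD:EE:17,
"""

# Constructed MDM export: what the organization believes it manages, and
# which of those devices are authorized to touch CUI. Columns are invented.
MDM_CSV = """device_name,wifi_mac,owner,authorized_for_cui
ENG-LAPTOP-01,aabbccddee01,jdoe,yes
ENG-LAPTOP-02,aabbccddee02,asmith,yes
ENG-LAPTOP-03,aabbccddee03,bwong,yes
BYOD-PHONE-17,aabbccddee17,jdoe,no
"""


def norm_mac(raw):
    """Canonical lowercase 12-hex-digit form, or None if the field is not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    return digits.lower() if len(digits) == 12 else None


def load(csv_text, mac_field):
    """Index CSV rows by canonical MAC. Returns (rows_by_mac, duplicates_dropped)."""
    by_mac, dups = {}, 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = norm_mac(row[mac_field])
        if mac is None:
            continue  # no usable MAC: cannot be matched automatically
        if mac in by_mac:
            dups += 1  # same device reported again, keep the first row
        else:
            by_mac[mac] = row
    return by_mac, dups


def reconcile(scan_csv=SCAN_CSV, mdm_csv=MDM_CSV):
    """Compare observed devices with the authorized list and explain each gap."""
    seen, dups = load(scan_csv, "mac")
    managed, _ = load(mdm_csv, "wifi_mac")
    authorized = {m for m, r in managed.items()
                  if r["authorized_for_cui"].strip().lower() == "yes"}

    unauthorized = []
    for mac in sorted(set(seen) - authorized):
        row = seen[mac]
        if mac in managed:
            m = managed[mac]
            reason = f"managed ({m['device_name']}, owner {m['owner']}) but not authorized for CUI"
        else:
            reason = "unmanaged device, not in MDM"
        unauthorized.append({"mac": mac, "ip": row["ip"],
                             "hostname": row["hostname"] or "(unknown)",
                             "reason": reason})
    return {
        "observed_devices": len(seen),
        "duplicates_collapsed": dups,
        "unauthorized_on_network": unauthorized,
        # authorized but not seen: powered off, on another segment, or gone
        "authorized_not_seen": sorted(authorized - set(seen)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(reconcile(), indent=2))
```

Each line in `unauthorized_on_network` is either a device to investigate or a correction to make to the inventory; either way it is the evidence trail for 3.1.1 that a scan export alone does not give you. To run it on your own data, replace the two CSV strings with your exports and adjust the column names.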
Earlier, we mentioned the example of an Acceptable Use Policy (AUP). It’s not enough to say you have one; you need to be able to produce it so it can be documented. Because of the short-term nature of a gap analysis, you aren’t likely to have time to create one during the analysis. If you aren’t able to produce a document within a week, we’ll mark the requirement as “Not Met” and move on.
After the gap analysis
Gap analysis is an important part of your CMMC journey. At the beginning, it offers valuable insight into your security gaps so that you can plan remediation. It also gives you a baseline to measure against as you make improvements.
As you adjust your security program, keep your SPRS score up to date in the SPRS portal. Remember, it’s more important to keep an accurate score on file with the federal government than an inaccurate but favorable score. Keeping your score accurate and up to date will help you with the bid process, especially when the assessment is done with the help of a qualified third party.