Submitting your NIST score 2023

Started by Frazzled · Sep 21, 2023 · 5 replies

  1. Frazzled

    Sep 21, 2023 · 2y ago

    Original post

    Our company is a very small subcontractor.  In 2020, we submitted our NIST scores through email via WEBPTSMH@navy.mil.  

    Can we do that again this year, or is it required that we submit the second time around using the SPRS system?  I can't really tell from reading 252.204-7019 or 7020.

  2. Frazzled

    Sep 21, 2023 · 2y ago

    Sorry, I'm new here and not sure where to post this.  But if someone could answer, that would be great!

  3. Guardian

    Sep 22, 2023 · 2y ago

    48 CFR § 252.204-7020(d)(1) states:

    Basic Assessments. A contractor may submit, via encrypted email, summary level scores of Basic Assessments conducted in accordance with the NIST SP 800–171 DoD Assessment Methodology to webptsmh@navy.mil for posting to SPRS.

    https://www.law.cornell.edu/cfr/text/48/252.204-7020

    If you are submitting a basic assessment, the regulation does not make a distinction between initial and subsequent assessments in how they are to be submitted.

    Have you asked the prime contractor?  If they do not know offhand, then they should email the administrative contracting officer.  Agencies have acquisitions security offices that specialize in these matters.

    Does your contract state specific requirements about the NIST 800-171 assessment as a deliverable?

  4. Frazzled

    Sep 22, 2023 · 2y ago

    Thank you very much for answering, I appreciate it very much.

    252.204-7012, 7019, and 7020 are on every contract from our primes.  I'm not an expert on this, but anyone transmitting, receiving, or storing CUI (Controlled Unclassified Information) on their servers, which we have, has to have a NIST SP 800-171 basic self-assessment at least every three years.  And I'd have to go back and look, but I believe that they are having us flow this down to our suppliers as well.

    I know that back in October of 2020, we received letters from primes with wording such as this:

    Beginning November 30, 2020, Contracting Officers must include the new DFARS 252.204-7019 and DFARS 252.204-7020 clauses in all solicitations and contracts, with certain exceptions including solicitations or contracts solely for the acquisition of commercial-off-the-shelf (COTS) items. These will require the DoD supply chain to quantify their current cybersecurity compliance with NIST SP 800-171 requirements using the NIST SP 800-171 DoD Assessment Methodology. Pursuant to 252.204-7020, contractors such as [Insert Prime Contractor here] may not award a subcontract or other contractual instrument that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS 252.204-7012, unless the supplier has:

    1. Completed at least a Basic Assessment in accordance with NIST SP 800-171 DoD Assessment Methodology (or in the alternative the Government performed Medium or High Assessment) within the last three years for all covered contractor information systems relevant to its offer that are not part of an information technology system operated on behalf of the Government; and
    2. To the extent the supplier completed a Basic Assessment, it submitted its summary level scores, and other information required by paragraph (d) of DFARS 252.204-7020, either directly into the Supplier Performance Risk System (SPRS) or via encrypted email to webptsmh@navy.mil for posting to the SPRS.

    And in 252.204-7020, they are having it flowed down to subcontractors as well:

    Subcontracts.

    (1) The Contractor shall insert the substance of this clause, including this paragraph (g), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services (excluding commercially available off-the-shelf items).

    (2) The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800–171 security requirements, in accordance with DFARS clause 252.204–7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800–171 DoD Assessment, as described in https://www.acq.osd.mil/asda/dpc/cp/cyber/safeguarding.html#nistSP800171, for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government.

    (3) If a subcontractor does not have summary level scores of a current NIST SP 800–171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800–171 DoD Assessment Methodology, to webptsmh@navy.mil for posting to SPRS along with the information required by paragraph (d) of this clause.

    I'm curious how point number 3 reads.  Does that mean that subcontractors may submit scores via email as well at any time and not necessarily into SPRS?

  5. Frazzled

    Sep 22, 2023 · 2y ago

    Guardian, if you don't mind helping out a bit more, I think this from 252.204-7019 pertains to us as the Offeror.  I think 7020 pertains to the primes.

    (c) Procedures.

    (1) The Offeror shall verify that summary level scores of a current NIST SP 800–171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) are posted in the Supplier Performance Risk System (SPRS) (https://www.sprs.csd.disa.mil/) for all covered contractor information systems relevant to the offer.

    (2) If the Offeror does not have summary level scores of a current NIST SP 800–171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the Offeror may conduct and submit a Basic Assessment to webptsmh@navy.mil for posting to SPRS in the format identified in paragraph (d) of this provision.

    I'm unsure how to read part (2).  We have scores in SPRS which will expire in November.  We are in the process of doing our assessment now to NIST 800-171 Revision 3.  So I assume the new scores of the new revision 3 would be considered "current" and at that point we would "not have summary level scores of a current NIST SP 800–171 DoD Assessment posted in SPRS" and we can submit the basic assessment of the new revision via webptsmh@navy.mil.  Does that sound right?  Sorry if I sound dumb, I'm just trying my best to figure this out.  

    We've been deactivated on SAM for quite a few years and don't deal directly with the government, and I don't want to go through the whole SAM/SPRS rigamarole.  I have enough passwords as it is.

  6. Guardian

    Sep 22, 2023 · 2y ago

    252.204-7019 is a solicitation provision.  Notice at the very bottom it reads "(End of Provision)."  252.204-7020 is a contract clause, the bottom of which reads "(End of Clause)."  Both provisions and clauses are incorporated into solicitations.  However, provisions are removed from (drop out of) the solicitation to create the ensuing contract.  Provisions sometimes have parallel clauses.  Provisions can be instructional and require the "offerors [pre-award]" to fill in bracketed and underlined portions or check boxes to make self-certifying representations.  Clauses are incorporated into solicitations and remain through the contract as governing conditions following award.

    If you are maintaining your assessments for an award to which you are a subcontractor, then read and follow the clause, 252.204-7020, not the provision, 252.204-7019.  They may read substantially the same.  Regardless, read and follow the information provided in the clause.  Reach out to the prime contractor.  Ask that they reach out to the Government CO for specific answers to your questions.  They should be more than willing to help you.  However, I recommend having the prime contact them after the end of the FY and with some breathing room to get through early October.  They are very busy now.

    You don't sound dumb.  The "dumbest" guy in the room, who is not afraid to ask questions, is often the wisest.
