October 17, 2024 • 23 mins

CMMC may be all the rage now, but your SPRS score is also important and has been for the past few years. Cyber Compliance Community Contributor Wayne Boline joins Cuick Trac's Derek White to discuss what you need to know about SPRS and the myths and facts that come with it.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to the Quick 10 Podcast, brought to you by Cuick Trac, focusing on all things

(00:07):
FedCon and cyber defense from different perspectives and different personalities, all in 10-ish
minutes.
Here's your host, Derek White.
All right, everybody.
Welcome back to another episode of the Quick 10 Podcast.
I'm your host, Derek White.

(00:27):
With me today, I've got Wayne Boline, Cyber Compliance Community Contributor.
Wayne, thanks for being here, man.
Great to be here.
I look forward to it.
Today, we are going to talk about all things SPRS, at least as much as we can in the abbreviated
time that we do for these podcasts.

(00:48):
Very much a topic that I know personally for you is a huge deal.
You present on this a lot.
I really wanted to just have you on, have you talk about SPRS here and now kind of stuff
and separate maybe the conversations that these podcasts have covered over the last
couple of months regarding things like CMMC, but the here, the now, the what's going on.

(01:11):
A lot of people are going to have a lot of questions and navigate.
You see this front hand, we see this front hand, but you really have that experience
here to walk through it.
Floor is kind of yours here, Wayne, just to kind of tell us a little bit about what you
do when it comes to this topic and what points you hit on.
Then from there, we'll just talk through a few different things that might be relevant

(01:33):
for people that are listening.
Yeah.
To be honest, I really have no idea how I became so attached to SPRS and this 7019/7020
rule, because prior to this, I have a background in incident response and things.
My boss at one point, I think in 2019, asked me to lead a compliance team and I'm like,

(01:53):
compliance, who wants to do that?
I did that for a while and just when this rule came out, I just dove in.
I have no idea why, but I've become really versed in it.
It's probably the only rule I've read front to back, printed, beat up, yellow, highlighted.
It's just crazy, but here we are.
So I've become an expert on it.

(02:15):
For those who don't know, SPRS stands for Supplier Performance Risk System.
One of the things I cover in the very beginning of the presentation I speak to is SPRS has
been around for a long time and is much more broad than us Johnny-come-lately cyber self-assessment
sort of thing.

(02:35):
There's a lot of other things that supply chain type folks on the government and industry
side have been using this for way before we come in.
Our little carve out for posting these cyber self-assessments is a very small part of the
overall supplier risk part of this government.

(02:56):
So they're very good about providing documentation.
If you're a user of this, make use of the documentation.
SPRS is accessed through what's called PIEE, P-I-E-E, which is a government, basically a platform
that hosts a whole lot of different applications the government uses.

(03:18):
So you get to PIEE and then SPRS is one of the options.
So generally I start with the very basic route of what drives you to having to post a SPRS
self-assessment.
And at the base is something we know and love and that's DFARS 7012.

(03:39):
DFARS 7012, I'm not going to regurgitate it, but basically says covered contractor system,
adequate security, blah, blah, blah, basically boils down to being compliant with NIST 800-171.
However, 18 months or so ago when I was first building this presentation, I tried to figure

(04:02):
out what is there that actually says you have to be compliant?
Because I've always foot stomped 7012 isn't enough.
7012 goes in all the contracts and a lot of people would tell you if you have 7012 in your
contract, you must be NIST 800-171 compliant.
And that is not true.
And that's when I came across the DoD Procurement Toolbox FAQ, revision three.

(04:26):
And I think we're going to put, you're going to post that link in the notes.
For sure.
Yep.
So, 7012, question 6, has an extract, which is basically your get out of jail free card, and it says
you only have to implement the security requirements of 800-171 if your contract includes the DFARS
clause, and you are provided covered defense information by the DoD and you are processing,

(04:50):
storing, or transmitting that covered defense information on your information system slash
network.
So you can have DFARS 7012 in your contract all day long, but if you're not getting any
CUI, it does not apply.
Now I've used the phrase, to much chagrin to certain people in the community.
I like to call this a self-deleting clause.

(05:13):
What that means is there's a whole cookie cutter list of clauses in ongoing government
contracts that we receive.
If you don't get CUI, it's just kind of self-deletes itself and you can ignore it.
It does not apply.
And I'm so glad I found this FAQ question 6 that validates my thinking.

(05:33):
Prior to that, I really had nothing to stand on.
So people need to check that out and grab that if it needed to.
Well, not to mention the 7012 questionnaires and stuff, right?
They just get thrown in these boilerplate questions and that causes a lot of confusion
for those that haven't seen CUI and haven't had it detailed in their terms and conditions

(05:53):
and say, well, what does everybody do when there's a million contract clauses?
They go through it, they reach out for resources and start putting stuff into place.
And to your point, yes.
Then all of a sudden it's like, oh, maybe I don't need that.
Who's telling them that?
Yes, you're right.
That is a really good Q&A definition of that for sure.
So then operating from that assumption that you get CUI and you have the 7012 clause,

(06:17):
then in order to actually do the SPRS self-assessment and enter that in SPRS, you need to have
the 7019 and 7020, which came out together.
And I have a heck of a time keeping those straight as far as which one requires you
to make yourself available for DIBCAC assessments and all that stuff versus what makes you load

(06:40):
the SPRS score into SPRS.
But everybody can read 7019 and 7020.
Generally they're put out together.
And then those clauses require you to then perform that self-assessment posted.
I have a few minutes later that I'll kind of touch on that so I won't get ahead of myself.

(07:02):
Yeah, you're right.
For those that this is new to 7019, 7020, we've been around since way before that.
So it was a big shift to all of a sudden say, hey, you're going to enter this score into
a system that the government manages.
And be available for when they say we want to show up, which unfortunately had to, I

(07:24):
guess, kind of be labeled as a clause because I guess technically some people could have
said, nah, we're not going to do that.
So it's an accountability push on our side.
That's how I would kind of explain it is, I mean, if you are required to do these things
because you handle that type of data, then you should be ready for that and you should
be doing this stuff.
And if there's not a mechanism for finding out if that's true or not, or at least hold

(07:47):
somebody's feet to the fire to make sure that it's accurate, then we know how that looks.
That's how it used to be.
Yeah.
Now I'm going to make a statement with no definitive evidence whatsoever, but my thinking
is these two clauses were created to be a bridge between 7012 and 7021 CMMC because,
you know, when they were pitching CMMC, they said CMMC is driven because people were signing

(08:13):
7012 and just ignoring it, where 70, you know, the SPRS requirement to do the self assessment
and load it is a step higher than 7012 where you just signed the contract and that says
you're compliant by a simple signature versus 7021, which is a third party assessment.

(08:34):
This is kind of the bridge in the middle.
And I'm being really big on conspiracy theories, it also adds additional evidence for a false
claims act because, you know, just signing a 7012, that's kind of weak if you want to
prosecute a company for false claims.
If you have a self assessment and you enter the score in a government database, that's

(08:58):
a little more ammunition to use for a false claims act.
Yeah, and then go ahead.
Yep.
This self assessment is based on the DoD AM, the DoD Assessment Methodology, probably should
include that link too.
For sure.
Yep.
I want to assume everybody knows where that is, but the DOD assessment methodology has

(09:20):
a background purpose, talks a lot of information about what's behind the methodology.
Then it has a step by step for each control and the score.
And that's the calculus you use to perform the self assessment and come up with that
score.
However, I foot stomp this big time.

(09:41):
If you're not using this 800-171A to help with that, you could end up with a big swing
in the mix because the scoring matrix or whatever you want to call it, it's very weak on content.
It basically names the control and then tells you what score you get or how much you would

(10:02):
lose.
And then I have an assessment guidance from that, that I talk about to show people that
shows the level of detail you can get when you're using 171 to help you.
And then it typically has discussions in there.
So if you're somebody trying to do it yourself without IT support and you really kind of

(10:22):
lost in that narrative, that 171A may be very helpful.
Yeah, for sure.
And obviously we should probably disclaim too that everything that we're talking about
is personal opinion here, not the organization's opinion.
So yeah, no, but yes, that's, that's, that's right.

(10:44):
Yes.
It's like, that's how, you know, sporting fans should be thinking about their teams
and stuff too.
So that's all I'm going to say about the actual self assessment process, because that's not
what I think is the most important part of my presentation.
And that is you can have the best process for self assessing the best self assessment

(11:06):
score in the world.
But if you don't do and address the logistics of SPRS and its relationship with SAM.gov,
you're never going to get that in there.
And what that is, is for those not familiar, SAM.gov is the government database where if
you are a new company and you want to get a CAGE code, which is necessary to do contracting

(11:28):
work with the DoD, each contractor will have a CAGE code in it.
And everything about assessments, cyber assessments, whether it's a DIBCAC or a SPRS self assessment,
revolves around that CAGE code.
That CAGE code starts in SAM.gov.
That's where you enter financial information, tax information, you identify contracts POC,
electronic business POC, all that.

(11:51):
And that is a POC mess at times.
So there are two key fields in there that are critical to get the CAGE code that your
company or codes that your company is identified as over to the SPRS database.
There's an immediate owner and highest level owner field.

(12:13):
And if those fields are not populated, your CAGE code will never populate over to SPRS.
And you can never do it in your hierarchy and you can never make an entry.
So it's critical that you have somebody identified to keep that up to date.
And you need to keep it up to date on a regular basis because in about the last 18 months,

(12:36):
the government's made it a lot more difficult to make modifications to SAM.gov.
And again, another unfounded thought on why that's true, it feels like maybe there were
some of our adversaries making shell companies and doing some nefarious activity.
And they just decided rightfully so that they need to make it a little more rigid and difficult

(12:59):
to make changes to those records in there because how many things cascade down are directly
related to that.
So step one is you got to be on top of your SAM.gov CAGE registration presence and keep
that current.
Yeah, and this is why we want everyone to be more foundational because it's just got

(13:22):
to be from the top down in an organization.
That's all organizational stuff.
That's all things that are important anyway.
Let's get to the myth side.
Some of the things that you've been talking about.
I got one more list of best practices that I like to tell people about.
Yeah, please do.
One of those is controlling access to SPRS because those scores that are in SPRS are

(13:46):
attestation from your company and the DIBCAC can get in there and poke around and say,
you know, this score sounds a little high or something.
Maybe we need to go check out company X.
You need to be really careful about maintaining access.
Now this is more applicable to medium and large organizations that have a lot of CAGE
codes, a lot of people involved, than a small company that may have a handful of CAGE codes

(14:12):
and a single individual.
But I like to maintain control to the minimum amount of people possible.
Consider building an offline database with the information from SPRS.
It's easy to export, put it in a Tableau database, then allow your company contracting, legal,
cyber people if they want to know what your score is for any given cage code to use that

(14:36):
offline database and look that up and just keep the fingers out of the kitchen in the
master database so that you won't run into problems.
You need to carefully document the score and select the appropriate individual to enter
the score.
And then most importantly, you need to create a process for data review that ensures accuracy

(14:57):
and currency of that entry.
And that process needs to have senior level leadership knowledgeable of that and aware
what that score is given the implications of a false score.
But we'll jump ahead now to...
Yeah.
Well, then I know a couple of things that you're gonna say here.

(15:21):
Some of these are a little bit dated because they're from 18 months ago and people have become
more familiar with SPRS and everything.
But when I first...
This is the kind of information that caused me to create this in the first place because
there was just so much misinformation floating around after.
And at the time, one of the big myths was you're required to have a SPRS score now.

(15:44):
When it first came out, there were people shrieking to the top of the mountain that
you gotta go get your SPRS score done and entered in the database right now.
Well, no, you don't.
You didn't have to until you got the clause in a contract.
Which is 7019 and 7020.
Yeah.
Yep.
And it's good to have it calculated and ready to go, but do you really want to enter it

(16:06):
in there before it's required?
I say not.
There's nothing to gain except exposing yourself.
So my guidance was you wait until it's required by contract.
SPRS score is required even if you have zero CUI.
I think we covered that pretty well in the beginning.
That's not true.
Although there were people telling me if you got 7012, you gotta have a SPRS score.

(16:30):
No, no.
There is a failing SPRS score.
Not true.
The rule, the spirit of the rule says you have to have a score.
Doesn't matter what it is.
And to the best of our knowledge, the contracting officers are not using that score as a competitive
aspect of evaluating contract bids.

(16:52):
Hopefully that's true and there's no unbeknown bias or anything.
But the only failing score is no score.
Early on there was a lot of kerfuffle around you have to load your SSP and POA&Ms along
with your SPRS score.
Well, no, you don't.
There is no capability to even do that.
So that is never possible.
Even saw an article that said you had to have an ECA or CAC card to access PIEE and get into

(17:18):
SPRS.
While that's a capability, that's not a requirement.
And then there's this concept that I saw people saying you must have a SPRS score to do any
work with the DoD, which is not correct.
We covered that back when you said you had that CUI for that clause to apply.
Another good one is: does your company have a SPRS score loaded?

(17:38):
Well, I have a whole lot of SPRS scores loaded.
You need to specify what CAGE code is associated with this. All SPRS scores have got to be associated
with a CAGE.
And then the final one was somebody was really confused.
Your Exostar score is not your SPRS score and that's not going to work.
So the two are not the same.

(18:01):
And a biggie that I speak to as a standalone, there are people who say if you have no SSP,
it's like an immediate negative 200 change.
Not true.
If you look at 3.12.4 in the DoD Assessment Methodology, it clearly states if you have
no SSP, you cannot do an assessment full stop.

(18:24):
You do not have a score because a maximum negative score would still meet the DFARS requirement
and you could be awarded the contract or no score prevents contract.
So no SSP, no score, do not pass go.

(18:44):
And then just breaking this week, for people who are new to SPRS, version 4.0 came out
on Monday morning.
Has some additional capabilities, refined interfaces for searching and the entry of
the scores and so on.
It's just a little smoother.
So that in a nutshell are my foot stompers.

(19:06):
No, that's big time stuff and just, you know, this is we're in the middle of October, so
it's time of this recording.
So if you're watching this down the road, then that 4.0 did come out in the early part
of October.
So thanks for jumping through that.
I just want to recap then a couple of those big foot stomp.
So if you don't have 7019, 7020 in your clauses, as a requirement in your contracts,

(19:32):
then you don't need a SPRS score.
And for the most part, similar to 7012 though, it's going to be cookie cutter.
That's right.
The big thing that's going to keep you from having to do it is lack of CUI.
Yes, that's my next point.
Yep.
And that get out of jail free card is in that question six of that FAQ that you will provide folks

(19:56):
with.
And the CUI versus not CUI and how do I find that out is not always black and white as
we know.
So there are steps you can take to, I guess we'll call it ask up if you can, go through
your contract conditions.
Yep.
Exactly.
Yep.
It can be difficult, but you really need to nail down with who's asserting the contract,

(20:20):
whether or not there's CUI.
Because, I mean, honestly, honest, if you don't know whether or not there's CUI and you don't know
what it is, how can you protect it?
If you do, in fact, that's critical.
And the default maneuver that most people do is then just try to apply these requirements
to everything so they can say that they're ready for when they do have it.
And then your costs, your management, all these things that go on when you do have that
third party assessment of some sort, regardless of where it comes from, still comes back down

(20:44):
to the data that you handle and what touches it and all that kind of stuff.
So thank you for that.
And I will say the system security plan, NIST 800-171A, we've referenced that in previous
episodes.
It will continue to come up.
We're still having conversations with people who have focused on the 110 controls.
So this is why we have these conversations.

(21:05):
This is why you want to hear from the firsthand experience that people have been doing this
for a long time.
You have to know that's where you can make decisions.
I see folks mentioning if you got a consultant out there that's going to help you become
compliant, a question you need to ask every consultant is how familiar you are with NIST
800-171A.
And for those that say, what's that, you run away screaming.

(21:29):
Yeah.
Yeah.
I mean, I've had conversations this week with companies who've been working with respectable
companies since 2018.
And they're just starting to talk about that stuff.
And it says, well, what have you, all these things you just covered with the conversations
we were having as well.
What did you enter for a score?
Are you sure that's in there?
And what were you basing that off of?
And what's your documentation look like?
And that's why we're just trying to help and get people on the right page.

(21:53):
And I can't echo enough the system security plan details and having that versus just going
and popping in a score.
There's a lot of bad advice out there.
And you hit that really, really hard, which I appreciate.
It's just going through a score and worry about it later.
That's not how that's not going to end.
No, it will not end well.
So don't do that.
But well, awesome.

(22:13):
Well, thanks, Wayne.
I know we went a little bit longer than normal, but that was good.
The references, everything that you've talked about, if you're watching on YouTube, you'll
see some of this stuff pop up on the screen.
But if not, you're listening on your favorite podcast platform, you can check out the reference
links and other areas that we're sending people to down there.

(22:33):
And as always, subscribe, follow, do all that stuff.
We'll have you on again in the future because things will look different in 12 months from
now.
We'll see where things are at.
We'll see how that goes.
And the next thing is CMMC SPR.
Yeah, there.
Yeah.
Well, that's there's a lot of things that we didn't need to talk about today because
we don't want to be here for a week.
But yes, those are those are going to be the fun nuggets that we'll get into later.

(22:58):
And again, just really appreciate you coming on spending some time.
It's a crazy Friday here for a lot of people involved in this ecosystem and stuff.
So thank you, Wayne.
And we'll catch you next time.
And I think we'll maybe spend a little bit more time than we did today on the next topic.
Always happy to help.
Thank you.
All right, there.
Thank you.

(23:19):
Thank you for listening to this episode.
And make sure to subscribe to the Quick 10 Podcast wherever you get your podcasts and
check us out on YouTube as well.
For more information about Cuick Trac, visit our website at www.quicktrack.com.
And we'll see you next time.