Proudly serving Virginia, Maryland and DC // Call us today! 703.396.6120
V2 SystemsV2 Systems
target board with darts

by Erik Briceno

If you’re a government contractor, you’re probably at least partially familiar with NIST 800-171. Even if you don’t have every detail completely memorized, the vast majority of your cyber hygiene policies should be coming directly from NIST guidelines.

To assist in maintaining compliance with what’s outlined in NIST 800-171, we’ve been guiding several of our contractors with the intricacies of the NIST 800-171 “scorecard.” Supplier Performance Risk System, or SPRS, is essentially a score that reflects the contractor’s accomplishment of the NIST cybersecurity requirements. Here are the basics of how it works.

The New DoD Assessment

The new interim rule that’s been added to DFARS requires the use of a standard assessment and scoring methodology — which brings us to what we’re talking about today. The magic “score” a contractor wants to shoot for is 110. A score of 110 is realized if all requirements are fully satisfied. Points are deducted for any NIST SP 800-171 controls that aren’t implemented, and there’s no partial credit. It’s even possible for a contractor to score below zero because of the different weights to individual security requirements.

Until now, contractors could be compliant with the DFARS 7012 clause even if they did not meet all 110 requirements, as long as they had a plan of action and milestones to correct or mitigate deficiencies in their system security plans. This is no longer the case. While scoring below 110 doesn’t necessarily rule out the possibility of you landing a DoD contract, it severely hurts your chances.

NIST 800-171 Basics

The basics of NIST 800-171 can generally be divided into 14 important categories of questions to ask yourself:

  1. Access Control: Who is authorized to view this data?
  2. Awareness and Training: Are people properly instructed in how to treat this info?
  3. Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
  4. Configuration Management: How are your networks and safety protocols built and documented?
  5. Identification and Authentication: What users are approved to access CUI and how are they verified prior to granting them access?
  6. Incident Response: What’s the process if a breach or security threat occurs, including proper notification.
  7. Maintenance: What timeline exists for routine maintenance, and who is responsible?
  8. Media Protection: How are electronic and hard copy records and backups safely stored? Who has access?
  9. Physical Protection: Who has access to systems, equipment and storage environments?
  10. Personnel Security: How are employees screened prior to granting them access to CUI?
  11. Risk Assessment: Are defenses tested in simulations? Are operations or individuals verified regularly?
  12. Security Assessment: Are processes and procedures still effective? Are improvements needed?
  13. System and Communications Protection: Is information regularly monitored and controlled at key internal and external transmission points?
  14. System and Information Integrity: How quickly are possible threats detected, identified and corrected?

clock pointing at 10 and 12The process for becoming compliant with the standards set out in NIST 800-171 may take a significant amount of time to implement, and it’s time you don’t have. Failure to comply could affect any dealings with government agencies, including severances of contracts. If you’ve missed the deadline, you could be at risk of losing contracts or damaging relationships.

If you feel you’re in a compliance crunch, contact us for assistance so we can help you achieve that all important 110 as soon as possible.


Since 1995, Manassas Park, VA-based V2 Systems has employed local systems administrators, network engineers, security consultants, help desk technicians and partnering companies to meet a wide range of clients’ IT needs, from research, to implementation, to maintenance. Concentrate on your VISION…We’ll handle the TECHNOLOGY!

About ebriceno
Erik Briceño is the owner of V2 Systems, Inc., one of Northern Virginia’s leading Information Technology Managed Service Providers. He is an inspiring leader for its employees and instrumental business partner for its customers. He is passionate about V2’s purpose, dedicated to exceeding expectations and a consummate professional not afraid of jumping in and getting his hands dirty. Prior to joining V2 Systems in 2002, Erik was a co-founder and COO of, a leading provider of online resources servicing over 5,000 independent musical artists. At, Erik spearheaded all aspects of corporate development, funding, strategic vision, and business development for the firm. From 1997 to 1999 Erik held the position of Acoustic Systems Engineer for Electric Boat Corporation, a leading defense contractor. In this role, Erik was responsible for the acoustic fidelity of two noise critical systems and components in the US Navy’s nuclear submarine systems. Erik holds a B.S. in Mechanical Engineering from Vanderbilt University and a Masters of Business Administration from George Mason University. When not working, you will find Erik a dedicated family man, raising two young children with his lovely wife Karen. Together, they enjoy building legos, playing baseball, skiing, riding horses, swimming, traveling, and fixing up old Mopars.
target board with darts
Your DoD Cyberscore and You