Assessment Documenting by E-mail

Once you have an Assessment Score, it needs to be documented on SPRS. This can be done easily by e-mail, according to recent instructions from the Department of Defense. Click here to reference the DOD procedures.

You need to download the Assessment Tool with Plan and use it to make you assessment and document your plan for addressing all the security requirements.

The following are the key elements required in the email:

Send email as follows:

To: webptsmh@navy.mil

Subject: State what you are submitting and your company name (ex: NIST SP 800-171 summary level basic assessment for ABC Company)

Body Text: State what you are submitting. We suggest that you include a statement noting that you do not require encryption for your email to be read and processed. The government term for this is submitting "Decontrolled" information.

Data: There are 8 specific pieces of information you need to submit. These are:

  1. Assessment Date: the date you did the Assessment
  2. Assessment Score: this is the score number you got after assessing all 110 requirements
  3. Scope of Assessment: they want to know if the assessment is for your whole company or a specific division. You need to enter Enterprise, Enclave or Contract. Enterprise means the scope is for the entire company. Enclave means that the scope for only a specific business unit within your company. Contract means that the scope covers only the part of your company dealing with a particular government contract.
  4. Plan of Action Completion Date: this entry is a date only MM/DD/YYYY. This is the date by which you believe you could have all Not Yet Implemented requirements implemented. All requirements you marked as Not Applicable are not included in this plan. Your Plan of Action for each Not Yet Implemented item needs to be stated on the spreadsheet you download from the Assessment Tool. Note: you will not need to submit your Plan of Action to SPRS or the government.
  5. Included CAGE Code/s: just enter your 5-character CAGE Code. If you have multiple active CAGE Codes, then these should be entered.
  6. Name of System Security Plan: this entry is simply the name of your company followed by System Security Plan (ex: ABC Company System Security Plan)
  7. SSP Version: when you revise or update your SSP, you should give it a revision number. Most likely, this will be your first SSP, so the entry here could be Version 1
  8. SSP Date: this is a date only entry MM/DD/YYYY. This is the date you completed or revised your most recent SSP version.

Following is a suggested template for your email to SPRS:

To: webptsmh@navy.mil

Subject: NIST SP 800-171 Assessment for (your company name)

Body: As specified by relevant DFAR CMMC sections and in accordance with NIST SP 800-171, we are submitting our Assessment Score for posting in SPRS. Please consider this communication as Decontrolled with no encryption requested.

  1. Assessment Date:
  2. Assessment Score:
  3. Scope of Assessment:
  4. Plan of Action Completion Date:
  5. Included CAGE Code:
  6. Name of System Security Plan:
  7. SSP Version:
  8. SSP Date: