As if a switch has been turned on, since the beginning of 2023 more and more subcontractors throughout the Defense Industrial Base (the DIB) are reporting being asked by their primes for their SPRS scores. And many are being told a minimum score they need to achieve to keep doing business with their prime.
What’s going on? First, this blog explains what an SPRS score is, and how primes are being held responsible for confirming that their subcontractors have filed their SPRS score as required. From there, it’s logical that primes will ask for and use SPRS scores to determine which contractors are doing the best job at securing sensitive data—and to decide which to award subcontracts to. To help your organization become more competitive in the DIB, this blog also outlines what you need to do to calculate and submit an SPRS score and offers a solution to help raise your SPRS score significantly.
Background: What is an SPRS score?
To answer this question, first you need to know that any organization that handles Controlled Unclassified Information (CUI) has a DFARS 252.204-7012 clause in its contract. DFARS 7012 obligates contractors to implement the 110 security controls specified in NIST SP 800-171. The National Institute of Standards and Technology (NIST) wrote SP 800-171 specifically to protect CUI.
But DFARS 7012 permits contractors to self-assess their cybersecurity levels and so historically compliance throughout the DIB has been weak. To ramp up compliance, in 2020 DoD released two new clauses—DFARS 252.204-7019 and 7020. DFARS 7019 requires that self-assessments be conducted once every three years according to a detailed DoD Assessment Methodology. Further, the scores from those assessments must be filed with the DoD’s Supplier Performance Risk System, known as SPRS—and hence the NIST SP 800-171 self-assessment score is commonly called your SPRS score.
Why is pressure on contractors for their SPRS scores increasing now?
DFARS 7020 was released in conjunction with DFARS 7019, described above. While DFARS 7012 stipulates “flow down” obligations, DFARS 7020 ratchets up those obligations. Flow down means that prime contractors must not only abide by the requirements stipulated in a DoD regulation—for example, in DFARS 7012—but also must pass those standards down to their subcontractors. DFARS 7020, however, doesn’t expect primes to just make subcontractors aware of standards; rather it requires primes to proactively check compliance by confirming that their subcontractors have up-to-date SPRS scores on file.
The next logical step primes are taking is to ask for the score itself. And some primes are going further, stipulating minimum SPRS scores that subcontractors must achieve to work with them. Early this year, a subcontractor shared with PreVeil that it was told by a large prime that it needs to achieve an SPRS score of at least 90 (out of a maximum possible score of 110) in order to continue to work with the prime.
Perhaps the apparent jump in primes’ requests for SPRS scores this year is due to the expected implementation of CMMC 2.0 in 2023, even though that may be pushed back. The connection is that CMMC 2.0 is largely designed to validate compliance with NIST SP 800-171. Given CMMC’s expected flow down requirements, primes have a strong business interest in preparing their supply chain for CMMC certification.
Finally, the recently released DFARS Final Rule 252.204-7024 highlights the importance of the SPRS system to the DoD. DFARS 7024 directs contracting officers to consider SPRS risk scores—including item and price risk as well as supplier risk—as they evaluate competing contractors. Contractors that show they can protect CUI present less supplier risk to the DoD than those that cannot.
Further, per DFARS 7020, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) can choose at any time to review the accuracy of the NIST SP 800-171 self-assessment score a contractor has submitted to SPRS. Discrepancies between the DIBCAC’s review results and a contractor’s self-reported SPRS score can result in serious consequences, ranging from fines to loss of contract.
What should my organization do?
Here’s what your organization needs to do to submit an SPRS score:
- First, all defense contractors need to develop a System Security Plan (SSP). The SSP serves as the foundational document for a NIST SP 800-171 self-assessment and is a prerequisite for consideration for any DoD contract.
- Next, conduct the self-assessment according to the DoD’s NIST SP 800-171 Assessment Methodology. All contractors that handle CUI must perform at least a Basic level self-assessment, as described in the methodology.
- Finally, submit your self-assessment score to the DoD’s Supplier Performance Risk System (SPRS) by the time of contract award. The self-assessment must have been completed within the last three years and be maintained for the duration of the contract.
Keep in mind that an SPRS score of 110 is rare, but having an active plan for continuing to improve your organization’s cybersecurity is essential. If your organization’s self-assessment score falls below 110, you’ll need to create a POA&M (Plan of Action and Milestones) for the security controls not met, indicating by what date those security gaps will be remediated and a score of 110 will be achieved.
And, most important, you need not be overwhelmed. Recent technological advances in cryptography have made military-grade cybersecurity widely available and affordable for small to mid-size organizations, as described below.
How can PreVeil help raise my SPRS score?
Raising your organization’s SPRS score is crucial. Given the weight that NIST SP 800-171 places on the protection of CUI, improving your organization’s ability to protect this sensitive data will improve your score significantly. CUI is typically shared in the form of files or emails, and thus platforms that protect file sharing and emails are key tools for raising your score.
PreVeil’s encrypted Drive and Email platform for file sharing and communication provides unrivaled security for protecting CUI using end-to-end encryption, the gold standard for data protection. That means that files and emails are only ever encrypted and decrypted on a user’s device—and never on a server. This key feature and others add up to PreVeil supporting 102 of the 110 NIST SP 800-171 controls. Thus, upon deployment, your SPRS score will increase dramatically.
PreVeil’s brief, NIST SP 800-171 Compliance: Improving Cybersecurity and Raising Your SPRS Score, shows how a typical small to mid-size defense contractor can increase its self-assessment score by 129 points by deploying PreVeil. The “typical contractor” in this case is based on an analysis of more than 500 compliance reviews conducted by SysArc, an MSSP in the Washington, D.C. area. SysArc found that its typical small to mid-size client, on average, scored -27 on its initial NIST SP 800-171 self-assessment. (Recall that negative scores are possible.) Their typical contractor has implemented basic cybersecurity controls—e.g., a firewall, patch system, and antivirus software—but little else. They lack MFA, encryption, and continuous monitoring of networks and, likewise, are struggling to adequately protect CUI.
Upon deploying PreVeil, the typical contractor’s security infrastructure:
- Meets 41 additional security controls—many of which are high value—including, for example, Access Controls that protect remote access sessions and require authorization for wireless access prior to allowing such connections. This raises the typical contractor’s score by 103 points, from -27 up to +76.
- Meets eight additional security controls given the combination of the typical contractor’s infrastructure and PreVeil’s overlay (i.e., the responsibility for meeting these controls is shared). This raises the typical contractor’s score by another 26 points, from +76 up to +102.
The final result with the PreVeil overlay is that the typical contractor’s self-assessment score increases from -27 to +102, a gain of 129 points.
PreVeil has also written a separate brief describing an actual case study of how a small defense contractor achieved the highest possible score of 110 out of 110 on a NIST SP 800-171 audit conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)—the DoD’s ultimate authority on compliance. The contractor prepared for the rigorous audit by deploying PreVeil as an overlay to its existing O365 Commercial system for all its users handling CUI. Deployment was an easy process that laid the foundation for compliance with NIST SP 800-171’s most important controls, i.e., the ones that protect CUI. The defense contractor’s top score placed it alongside the nation’s top prime contractors for cybersecurity.
PreVeil’s world-class security raises your SPRS score, minimizes your business risks, and is easy to deploy and use. PreVeil lowers your costs too: its all-inclusive license costs approximately $10,000 per year for the typical small to medium-size business. Moreover, your suppliers and partners can join for free so that you can readily communicate with them using PreVeil.
If you need help or have questions about DFARS, NIST SP 800-171, CMMC or any other topics, please don’t hesitate to reach out and schedule a free 15-minute consultation with our compliance team. Or you may wish to learn more by reading PreVeil’s white papers and blogs:
- NIST SP 800-171 Compliance: Improving Cybersecurity and Raising Your SPRS Score
- Case Study: Defense contractor achieves 110/110 score in NIST SP 800-171 DoD audit
- Getting Started with NIST SP 800-171 Compliance in Higher Education
- What is DFARS 7012 and why is it important?
- What is DFARS 7019 and how can contractors comply with it?
- What defense contractors should know about DFARS 7020
- How to meet the System Security Plan (SSP) challenge
- Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)
- If you’re waiting for CMMC to start compliance… You’re already behind
Or learn more by watching our videos:
- [Webinar] The Business & Legal Risks of Not Complying with DFARS 7012 & CMMC
- [Video] What Is DFARS 7019 and What Does It Require?
- [Video] What Is DFARS 7020 and What Does It Require?
To access additional white papers, blogs and videos, please visit PreVeil’s resources page.