The Department of Defense’s (DoD’s) recently released DFARS 252.204-7024 has created some confusion about SPRS scores, while at the same time shedding light on how the DoD actually uses the Supplier Performance Risk System (SPRS). DFARS 7024 requires DoD contracting officers to consider SPRS risk assessments when determining whether a defense contractor is “responsible” enough to be awarded DoD work.
This blog explains the difference between your organization’s NIST SP 800-171 self-assessment score, commonly known as your SPRS score, and the DoD’s daily SPRS risk assessment score. A clear understanding of the distinction will help you position your organization to win DoD contracts.
NIST SP 800-171 self-assessment score—aka your SPRS score
The jargon used throughout the Defense Industrial Base (DIB) to describe an organization’s NIST SP 800-171 self-assessment score—namely, calling it an SPRS score—is at the root of the confusion.
Any defense contractor that handles Controlled Unclassified Information (CUI) under a DoD contract has the DFARS 252.204-7012 clause in that contract. DFARS 7012 obligates contractors to implement the 110 security requirements specified in NIST SP 800-171. But 7012 relies on contractors to attest to their own implementation, with no score, no methodology and no independent verification, and so historically compliance throughout the DIB has been weak.
To ramp up compliance, in 2020 DoD released DFARS 252.204-7019, which requires contractors to have a current (no more than three years old) NIST SP 800-171 assessment, conducted according to the detailed NIST SP 800-171 DoD Assessment Methodology, on file before award. Under that methodology a perfect score is 110: you start at 110 and deduct a weighted number of points (1, 3 or 5) for each requirement not fully implemented, so a score can fall well below zero. Scores from those assessments must be submitted to SPRS, and hence the NIST SP 800-171 self-assessment score is commonly called an SPRS score.
SPRS daily risk assessment scores
There is much more to the DoD’s SPRS system than your NIST SP 800-171 self-assessment score. SPRS pulls defense contractor performance data daily from several federal reporting systems and uses it to generate up-to-date assessments of the item risk, price risk and supplier risk that each contractor presents to DoD’s mission.
Daily SPRS risk assessment scores are bundled into three areas:
- Item risk is the probability that a product, based on intended use, will introduce performance risk resulting in safety issues, mission degradation, or monetary loss.
- Price risk is a measure of whether a proposed price for a product or service is consistent with historical prices paid for that item or service.
- Supplier risk is the probability that an award may subject DoD’s procurement to the risk of unsuccessful performance or to supply chain risk.
The third bucket, supplier risk, encompasses supply chain risk. That is where the critical question of whether a defense contractor can effectively secure CUI is considered, to the extent reliable data (including your posted NIST SP 800-171 score) are available.
Key considerations for defense contractors
Your organization’s NIST SP 800-171 self-assessment score is an indicator of the cybersecurity risk you present to the DoD’s supply chain. If you haven’t yet submitted your self-assessment score to SPRS as required, now is the time to write your System Security Plan (SSP) and conduct a self-assessment. The SSP is the foundational document that describes how each of the 110 requirements is implemented, and it is the evidence your self-assessment rests on. If you have submitted a score that is inaccurate or that you cannot support with documentation, assemble the supporting evidence and correct the score: a score that is higher than what your SSP and evidence can back up is a liability, not an asset. You can update or correct your self-assessment score in SPRS at any time.
Note that a June 2022 DoD memorandum directs contracting officers to verify, prior to award, that the contractor has a current NIST SP 800-171 DoD self-assessment score posted in SPRS. If you haven’t posted a score, you may be found ineligible for a contract.
Regarding your SPRS daily risk assessment score, minimizing the risk your organization presents to DoD across all three buckets that make up that score (item risk, price risk and supplier risk) will be an advantage over your competitors in winning DoD contracts. DoD made that message clear when it released DFARS 7024, which requires contracting officers to consider SPRS risk assessment scores in determining whether a contractor is qualified for a DoD contract.
If you have questions about SPRS, DFARS, NIST SP 800-171, CMMC or any other topics mentioned in this blog, please don’t hesitate to reach out and schedule a free 15-minute consultation with our compliance team. Or you may wish to learn more by reading PreVeil’s white papers and blogs:
- NIST SP 800-171 Compliance: Improving Cybersecurity and Raising Your SPRS Score
- Case Study: Defense contractor achieves 110/110 score in NIST SP 800-171 DoD audit.
- Getting Started with NIST SP 800-171 Compliance in Higher Education.
- What is DFARS 7012 and why is it important?
- What is DFARS 7019 and how can contractors comply with it?
- What defense contractors should know about DFARS 7020
- The DoD’s New Final Rule DFARS 252.204-7024: What Does it Mean for Defense Contractors?
- How to meet the System Security Plan (SSP) challenge
- Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)
- If you’re waiting for CMMC to start compliance… You’re already behind
Or learn more by watching our videos:
- [Webinar] The Business & Legal Risks of Not Complying with DFARS 7012 & CMMC
- [Video] What Is DFARS 7019 and What Does It Require?
- [Video] What Is DFARS 7020 and What Does It Require?
To access additional white papers, blogs and videos, please visit PreVeil’s resources page.