May 11, 2023

The Department of Defense’s (DoD’s) recently released DFARS 252.204-7024 has created some confusion about SPRS scores, while at the same time shedding light on how the DoD uses its SPRS system. DFARS 7024 requires DoD contracting officers to consider SPRS (Supplier Performance Risk System) risk assessments to help determine if a defense contractor is “responsible” enough to do work for the DoD.

This blog explains the difference between your organization’s NIST SP 800-171 self-assessment score—commonly known as your SPRS score—and the DoD’s daily SPRS risk assessment score. A clear understanding of the distinction will help you better position your organization to win DoD contracts.

NIST SP 800-171 self-assessment score—aka your SPRS score

The jargon used throughout the Defense Industrial Base (DIB) to describe an organization’s NIST SP 800-171 self-assessment score—namely, calling it an SPRS score—is at the root of the confusion.

Any organization that handles Controlled Unclassified Information (CUI) has a DFARS 7012 clause in its contract. DFARS 7012 obligates contractors to implement the 110 security controls specified in NIST SP 800-171. But it permits contractors to self-assess their cybersecurity levels and so historically compliance throughout the DIB has been weak.

To ramp up compliance, in 2020 DoD released DFARS 7019, which requires that self-assessments be conducted once every three years according to a detailed DoD Assessment Methodology. Scores from those assessments must be submitted to SPRS—and hence the NIST SP 800-171 self-assessment score is commonly called an SPRS score.

SPRS daily risk assessment scores

There is actually much more to the DoD’s SPRS system than your NIST SP 800-171 self-assessment score. SPRS sweeps up defense contractor performance data on a daily basis from several federal reporting systems. That process generates up-to-date assessments of the item risk, price risk, and supplier risk that contractors present to DoD’s mission.

Daily SPRS risk assessments scores are bundled into three areas:

Item risk is the probability that a product, based on intended use, will introduce performance risk resulting in safety issues, mission degradation, or monetary loss.
Price risk is a measure of whether a proposed price for a product or service is consistent with historical prices paid for that item or service.
Supplier risk is the probability that an award may subject DoD’s procurement to the risk of unsuccessful performance or to supply chain risk.

The third bucket, supplier risk, encompasses supply chain risk. That’s where the critical question of whether a defense contractor can effectively secure CUI is considered, if reliable data are available.

NIST SP 800-171 self-assessment SPRS scores are generated by the defense contractor conducting their self-assessement—or by an outside organization hired to do it for them—whereas the SPRS daily risk assessment scores are generated by the DoD’s daily, automated gathering of information from across federal reporting systems about the level of risk that contractors present to the DoD.

Key considerations for defense contractors

Your organization’s NIST SP 800-171 self-assessment score is an indicator of the cybersecurity risk you present to the DoD’s supply chain. If you haven’t yet submitted your self-assessment score to SPRS as required, now is the time to get started on your System Security Plan (SSP) and to conduct a self-assessment. The SSP is a foundational document that supports your self-assessment. If you’ve submitted a score that cannot be supported or is inaccurate, you need to work on backup documentation and correct your score. You can change or correct your self-assessment score on SPRS at any time.

Note that a June 2022 DoD memorandum directs contracting officers to verify, prior to award, that the contractor has a current NIST SP 800-171 DoD self-assessment score posted in SPRS. If you haven’t posted a score, you may be found ineligible for a contract.

Regarding your SPRS daily risk assessment score, it’s clear that minimizing the risk your organization presents to DoD across all three buckets that comprise that score—item risk, price risk, and supplier risk—will be an advantage vis-à-vis your competitors for winning DoD contracts. That message was recently made clear by DoD when it released DFARS 7024 requiring DoD contracting officers to consider SPRS risk assessment scores to help determine contractors’ qualifications for DoD contracts.

Learn more

If you have questions about SPRS, DFARS, NIST SP 800-171, CMMC or any other topics mentioned in this blog, please don’t hesitate to reach out and schedule a free 15-minute consultation with our compliance team. Or you may wish to learn more by reading PreVeil’s white papers and blogs:

Or learn more by watching our videos:

To access additional white papers, blogs and videos, please visit PreVeil’s resources page.

Author

Orlee Berlove, reviewed by Noël Vestal, PMP, CMMC RP

Noël Vestal is a CMMC Certified Professional and CMMC RP with over 15 years in DoD IT program management. She implemented the NIST 800-171/CMMC Level 2 compliance program for an OSC member of the DIB. She has her Master of Science (M.S.) in Information Technology and holds certifications from the CMMC Accreditation Body (CMMC AB) as a CMMC Certified Professional (CCP), CMMC Registered Practitioner (RP), CMMI Associate, and holds additional certifications including, Project Management Professional (PMP), and CompTIA’s Security + certification.

Orlee Berlove has been a marketing leader for over 25 years, and is currently the Senior Director of Marketing at PreVeil. She has her Masters of Engineering, Operations Research and her Bachelor of Arts from Cornell University.