If you’re a defense contractor handling Controlled Unclassified Information (CUI), then you need to know your SPRS score. If you’re not certain what SPRS is, or what it implies for your business, this blog post is for you.
The DoD’s Supplier Performance Risk System (SPRS) is a database containing, among other things, the results of a contractor’s self-assessment against the 110 NIST SP 800-171 controls. DFARS 252.204-7019 (referred to here as DFARS 7019) requires that this self-assessment be completed and its score posted to SPRS by the time of contract award, and the assessment on file may not be more than three years old.
The DoD charged contractors with submitting their score to SPRS to encourage organizations to meet the 110 NIST SP 800-171 controls, as required by DFARS 7012. SPRS scores have thus become akin to a report card for defense organizations, highlighting how well contractors are doing in complying with NIST SP 800-171. As a result, Primes and the DoD consider SPRS scores when making decisions on which contractors to hire.
#1: Why you need an SPRS score
There’s no way around submitting an SPRS score as a defense contractor handling CUI. All new contracts containing a DFARS 7012 clause will be required to meet DFARS 7019. Any modification of an existing contract with a DFARS 7012 clause will also trigger a DFARS 7019 requirement.
Not only must you submit an SPRS score under DFARS 7019, but you must also ensure that the score you submit is accurate. SPRS scores must be calculated according to the DoD Assessment Methodology, which standardizes scoring throughout the DIB. A third-party assessor must be able to arrive at the same score if they assess you. Under DFARS 7020, released at the same time as DFARS 7019, the chance that your score will be verified by external assessors is real.
DFARS 7020 allows the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to conduct a Medium or High assessment of your organization at will. It also ratchets up “flow down” obligations, which are spelled out in DFARS 7020, and requires Primes to proactively check that their subcontractors are compliant. A discrepancy between your, or your subcontractor’s, self-assessed SPRS score and the one calculated by the DIBCAC can result in serious consequences ranging from fines to loss of contract.
The new DFARS Final Rule 252.204-7024 highlights the importance of the SPRS system to the DoD. DFARS 7024 directs contracting officers to consider SPRS risk scores—which include factors related to item and price risk as well as supplier risk—as they evaluate competing contractors. Contractors that show they can protect CUI present less supplier risk to DoD’s mission than those that cannot. Again, if asked, you’ll need to be able to show that the NIST 800-171 self-assessment score that you submit to SPRS is accurate.
Companies must take the possibility of a DIBCAC assessment seriously. Dozens of companies have already gotten the call from DIBCAC, which is increasing the size of its assessment staff so it can pick up its pace going forward. Prime contractors hold the ultimate responsibility for the security of their subcontractors and have begun to conduct these reviews as well. It is in your best interest to ensure that your SPRS score is accurate.
#2: Why your SPRS score matters
An SPRS score serves as a standardized measure of the security risk a given contractor poses. The DoD can look at these scores as one of the factors in determining which company it will award contracts to. While the DoD has not specified a minimum necessary SPRS score for contract eligibility, it is reasonable to assume that companies with a verifiable strong score will have a competitive advantage over less secure competitors.
Under DFARS 7020, Prime contractors are now responsible for the security of their suppliers. That clause requires Primes to “flow down” to their suppliers the obligation to self-assess against NIST SP 800-171 and report their score to the SPRS database. Primes are taking that obligation seriously, with some even stipulating a minimum score suppliers must achieve in order to be considered for a contract.
Subcontractors should not aim to simply clear a prime’s minimum score for contract eligibility. A prime is likely to favor subcontractors with higher SPRS scores over competitors with lower scores. The higher your SPRS score, the better positioned you are to win contracts.
Finally, a complete lack of an SPRS score, or a falsified score, will carry severe consequences. In a June 2022 memo to its contracting officers, the DoD noted that:
Contractors should know that companies who misrepresent their SPRS scores will be subject to penalties from the DoD and/or the Department of Justice via its Civil Cyber-Fraud Initiative, launched in October 2021.
#3: How to calculate your SPRS score
If your organization hasn’t already submitted an SPRS score to the DoD, now is the time to move on getting that done. Alternatively, you may have an SPRS score on file that doesn’t accurately reflect your cybersecurity levels. If that’s the case, you’ll want to revisit that submission and update your score.
Here’s what your organization needs to do to calculate and submit an SPRS score:
- First, all defense contractors need to develop a System Security Plan (SSP) that details the policies and procedures their organization has in place to comply with NIST SP 800-171, as required by DFARS 7012. The SSP serves as the foundational document for a NIST SP 800-171 self-assessment and is a prerequisite for consideration for any DoD contract.
- Next, conduct the self-assessment according to the DoD’s NIST SP 800-171 Assessment Methodology. All contractors that handle CUI must perform at least a Basic level self-assessment, as described in the DoD assessment methodology.
- The DoD methodology assigns each NIST SP 800-171 control a weight of one, three, or five points. Scoring starts at the maximum of +110 and subtracts the weight of every control that is not fully implemented; the weights of all scored controls add up to 313, so the lowest possible score is -203. Two controls allow partial credit: 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography) cost three points rather than five when they are partially implemented. One control, 3.12.4 (the SSP itself), carries no point value, because without an SSP no assessment can be performed at all.
- Finally, submit your self-assessment score to the DoD’s Supplier Performance Risk System (SPRS) by the time of contract award. The self-assessment must have been completed within the last three years and be maintained for the duration of the contract. This DoD document, SPRS Access for NIST SP 800-171, offers step-by-step instructions for submitting scores via the DoD’s Procurement Integrated Enterprise Environment (PIEE).
Keep in mind that an SPRS score of 110 is rare, but having an active plan for continuing to improve your organization’s cybersecurity is essential. If your organization’s self-assessment score falls below 110, you’ll need to create a Plan of Action and Milestones (POA&M) for the security controls not met, and indicate by what date those security gaps will be remediated and a score of 110 will be achieved. Note that a control tracked on a POA&M is still counted as not met, and its points are still deducted, until it is actually implemented.
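The following is an added example, not code from the original post or from the DoD, that applies the scoring rules above to a set of assessment findings: it starts at 110, deducts the weight of every control that is not met or is still open on a POA&M, applies the reduced three-point deduction for 3.5.3 and 3.13.11 when they are partially implemented, and checks that a weight table is a complete Annex A (110 controls, deductible weights summing to 313) before it is trusted for a full assessment. The `SAMPLE_WEIGHTS` table is deliberately partial and its values are assumed for illustration; confirm every weight against Annex A of the DoD methodology before scoring a real environment.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does: start at 110 and subtract the weight of each requirement
that is not implemented.

Added example, not code from the original post or from DoD. Rules encoded:
  - every scored requirement carries a weight of 1, 3 or 5 points;
  - 3.12.4 (the SSP itself) has no weight: with no SSP there is no assessment;
  - 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) may be deducted at
    3 points instead of 5 when only partially implemented;
  - a requirement that is open on a POA&M is not implemented and is deducted;
  - a complete table covers 110 requirements whose deductible weights sum
    to 313, which is why the floor is 110 - 313 = -203.
"""
from __future__ import annotations

from typing import Iterable, Mapping, Optional

REQUIREMENT_COUNT = 110
MAX_SCORE = 110
TOTAL_DEDUCTIBLE = 313
MIN_SCORE = MAX_SCORE - TOTAL_DEDUCTIBLE  # -203
UNSCORED = {"3.12.4"}                     # SSP: no points, no assessment without it
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # reduced deduction when partially met

# ASSUMED illustrative subset of Annex A; check each value before real use.
SAMPLE_WEIGHTS: dict[str, Optional[int]] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1,
    "3.5.3": 5, "3.12.4": None, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}


def validate_weights(weights: Mapping[str, Optional[int]]) -> list[str]:
    """Return the reasons a table is NOT a complete, well-formed Annex A.

    An empty list means the table can back a full Basic assessment.
    """
    problems: list[str] = []
    if len(weights) != REQUIREMENT_COUNT:
        problems.append(f"expected {REQUIREMENT_COUNT} requirements, found {len(weights)}")
    for rid in UNSCORED:
        if rid not in weights:
            problems.append(f"missing unscored requirement {rid}")
        elif weights[rid] is not None:
            problems.append(f"{rid} must carry no weight, found {weights[rid]}")
    scored = {rid: w for rid, w in weights.items() if rid not in UNSCORED}
    bad = sorted(rid for rid, w in scored.items() if w not in (1, 3, 5))
    if bad:
        problems.append(f"weights must be 1, 3 or 5: {', '.join(bad)}")
    total = sum(w for w in scored.values() if isinstance(w, int))
    if not bad and total != TOTAL_DEDUCTIBLE:
        problems.append(f"deductible weights sum to {total}, expected {TOTAL_DEDUCTIBLE}")
    return problems


def score(weights: Mapping[str, Optional[int]],
          not_met: Iterable[str] = (),
          poam: Iterable[str] = (),
          partial: Iterable[str] = ()) -> int:
    """Compute the SPRS score for one assessment.

    not_met: requirements not implemented at all
    poam:    requirements not implemented but tracked on a POA&M (still deducted)
    partial: requirements eligible for the reduced 3-point deduction
    Raises KeyError for ids outside the table and ValueError for misuse
    of partial credit or for treating the SSP requirement as a scored finding.
    """
    not_met, poam, partial = set(not_met), set(poam), set(partial)
    deducted = not_met | poam | partial
    unknown = deducted - set(weights)
    if unknown:
        raise KeyError(f"not in weight table: {sorted(unknown)}")
    if deducted & UNSCORED:
        raise ValueError("3.12.4 is not scored; without an SSP no assessment can be performed")
    not_allowed = partial - set(PARTIAL_CREDIT)
    if not_allowed:
        raise ValueError(f"partial credit only for {sorted(PARTIAL_CREDIT)}: {sorted(not_allowed)}")
    total = MAX_SCORE
    for rid in deducted:
        total -= PARTIAL_CREDIT[rid] if rid in partial else weights[rid]
    return total


if __name__ == "__main__":
    # Constructed findings: one control missing, one on a POA&M, MFA partially rolled out.
    print(score(SAMPLE_WEIGHTS, not_met={"3.1.22"}, poam={"3.14.1"}, partial={"3.5.3"}))
```

Because `score` deducts POA&M items exactly like unmet controls, re-running it after each remediation milestone gives the number you would re-post to SPRS, and `validate_weights` catches the common mistake of scoring against an incomplete or hand-edited control list.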
#4: How to improve your SPRS score
Most companies will not have a perfect 110 SPRS score at this point. Many organizations have some security shortcomings and will need to create an active plan to resolve those issues and raise their score.
Improving your SPRS score starts with creating an SSP. As such, you should start by downloading one of the many SSP templates available online and self-assess your organization against the 110 NIST SP 800-171 controls.
From there, you can start calculating your SPRS score. This exercise will force you to review each control and take inventory of what you have in terms of policy and technology. From there you will be able to see which controls you already meet, as well as where there are gaps to close.
#5: What CMMC Will Require for your SPRS score
Today, compliance with NIST SP 800-171 and other requirements is self-assessed. Organizations determine for themselves how well they meet the NIST SP 800-171 requirements. Under CMMC, compliance with CMMC Level 2 requirements will, for most contracts involving CUI, be checked by independent, accredited Certified Third-Party Assessor Organizations (C3PAOs).
In addition, the upcoming Cybersecurity Maturity Model Certification (CMMC) will require a senior company official to affirm the organization’s compliance. This executive will be held accountable for the validity of the score on file in SPRS. Defense contractors should preempt this eventuality by getting started on their compliance program today and working with a Registered Practitioner (RP) or C3PAO to get their score verified.
How PreVeil can help
PreVeil’s three step roadmap to achieving NIST compliance can help you raise your SPRS score simply and cost effectively.
Step One: Adopt a proven cloud platform to secure, store and share CUI. PreVeil’s end-to-end encrypted Drive and Email solutions support compliance with DFARS 252.204-7012 and NIST 800-171. Just by deploying PreVeil you will have taken action to protect your CUI.
Step Two: Take advantage of PreVeil’s compliance documentation package. PreVeil’s documentation package includes an SSP template, pre-populated with information on the 102 controls that PreVeil supports either completely or as part of a shared responsibility. PreVeil even helps you with controls that don’t apply to PreVeil. For those, PreVeil provides a customer responsibility matrix (CRM) and Plan of Action and Milestones (POA&M).
Step Three: Finish with PreVeil’s partner community. Most companies will need a little extra help to close their POA&Ms. PreVeil is partnered with Managed Service Providers (MSPs) that are already familiar with PreVeil’s system and with NIST requirements. This familiarity allows them to resolve your remaining issues quickly, saving you time and money.
To achieve an SPRS score that will make you competitive for DoD contracts, get started on creating a SSP and meeting the compliance requirements spelled out in NIST SP 800-171. You’ll likely have some work to do in order to achieve a +110 SPRS score, but an active plan for continuous improvement of your organization’s cybersecurity can get you there.
If you need help or have questions about calculating or raising your SPRS score schedule a free 15-minute appointment with our compliance team.
Or you may wish to learn more by reading PreVeil’s briefs:
NIST SP 800-171 Self-Assessment: Improving Your Cybersecurity and Raising Your SPRS Score
Case Study: Defense Contractor Achieves 110/110 Score in NIST SP 800-171 DoD Audit
The DFARS Interim Rule: What you need to know
Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC 2.0)
Or by watching our videos:
[Webinar] The Business & Legal Risks of Not Complying with DFARS 7012 & CMMC
[Video] What Is DFARS 7019 and What Does It Require?
[Video] What Is DFARS 7020 and What Does It Require?