
SPRS: What Contractors Need to Know About the Supplier Performance Risk System

What is an SPRS Score?

The Supplier Performance Risk System (SPRS) score measures your current cybersecurity compliance with NIST 800-171. The SPRS score is a tool used by the Department of Defense (DoD) to measure the risk of a contractor's cybersecurity position in protecting sensitive DoD information (CDI/CUI).

Why SPRS? Integration with Procurement and Enhancing Supplier Management in DoD Processes

The Supplier Performance Risk System (SPRS) plays a critical role in the Department of Defense (DoD) procurement process by enhancing supplier management through integrated risk analysis across Price, Item, and Supplier factors. SPRS helps procurement professionals ensure competitive pricing with its Price Risk tool, which compares industry prices to historical government data, while the Item Risk tool flags high-risk products, ensuring attention to critical safety or counterfeiting concerns. The Supplier Risk tool evaluates vendors' past performance across DoD contracts, focusing on delivery and quality, helping procurement teams make informed decisions. Additionally, SPRS supports market research, supplier surveillance, and real-time risk monitoring, providing comprehensive insights that enable more efficient and secure procurement processes within the DoD. By integrating these tools, SPRS strengthens supplier selection and risk management, improving overall supply chain reliability.

How does the SPRS Measure a Contractor's Cybersecurity Risk?

Contractors are required to assess their systems against NIST SP 800-171. The self-assessment result falls on a scale from 110 down to -203, which helps the DoD gauge the risk of awarding you a contract.

The NIST 800-171 framework (110 controls), on which the SPRS score is based, was required by DFARS clause 252.204-7012 to be fully implemented by December 31, 2017.

The SPRS score is a criterion the DoD has set forth to measure the cybersecurity risk of your organization in handling Covered Defense Information (CDI) which can include any form of Controlled Unclassified Information (CUI). The most common form of CUI that the DoD would be looking to protect is Controlled Technical Information (CTI). 

If you are unsure of the type of CUI you might have or owe the government as a deliverable, Summit 7 can assist with reviewing your contracts and building guidebooks for your organization. 


How do I create an SPRS score?

Steps to creating an SPRS Score:

DoD's NIST SP 800-171 Assessment Methodology serves to objectively evaluate how well a contractor has implemented security measures outlined in the NIST SP 800-171 guidelines.

The focus is on assessing complete implementation of security requirements, without giving partial credit. Contractors are assigned scores based on the security requirements they have not implemented. A perfect score is 110, reflecting full compliance, and points are subtracted for each unmet requirement, potentially resulting in a negative score.

Certain security requirements have varying levels of impact on data security, and this methodology accounts for this by assigning different point values based on the potential impact of non-implementation.

There are three tiers of point deductions:

  • 5 points for significant risks
  • 3 points for requirements with specific impacts
  • 1 point for requirements with limited or indirect effects

Weighted impact is also applied to requirements. Some requirements are considered more essential, and points are deducted for not implementing these "Basic Security Requirements" and a subset of "Derived Security Requirements."

Certain requirements, such as multi-factor authentication and validated encryption, can be partially effective if not fully implemented. For these, the number of points deducted depends on the extent to which the requirement has been implemented.

The methodology also accounts for possible future revisions of requirements. When new or modified requirements are introduced, they will be assigned point values using this scoring method.

Contractors are required to have a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) for unimplemented requirements. The assessment process relies on the information provided in the System Security Plan.

If this plan is absent, the assessment cannot be conducted.

Temporary deficiencies that are addressed in action plans can still be considered as implemented. Similarly, isolated exceptions arising from unique situations that prevent the implementation of certain security requirements are assessed differently.

If the DoD CIO determines that a requirement is inapplicable or suggests an equally effective alternative, this assessment is documented in the contractor's System Security Plan. Such approved measures and security requirements will be counted as implemented. Contractors are not required to repeatedly provide this documentation for each contract if it has been approved by the DoD CIO.

After the assessment, contractors receive their results and have a 14-day period to provide additional information, contest findings, or demonstrate compliance with any security requirements not observed by the assessment team. This process ensures a fair and comprehensive evaluation of contractors' adherence to NIST SP 800-171 requirements for protecting sensitive DoD information.


What is a good SPRS score?

A perfect SPRS score is 110 and the lowest possible SPRS score is -203. The lower your score, the more risk the DoD has to assume, and it may decide not to award you the contract.

Improving your cybersecurity by implementing the measures outlined in NIST SP 800-171, assessed against the 320 Assessment Objectives listed in the documentation, will raise your score and improve your chances of being awarded a contract.

When scoring yourself, begin with a perfect score and deduct points (1, 3, or 5) for each control you have not implemented. With nothing implemented this brings your score down to -203; with every control implemented you keep a perfect 110.
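As an added worked example (not code from the article or from Summit 7), the scoring rules from the "How do I create an SPRS score?" section and the self-scoring walk-through above, written in Python. The weight table is a constructed subset of the 110 requirements (confirm weights against the current DoD methodology table); the 3-point partial-credit values for 3.5.3 (MFA) and 3.13.11 (FIPS-validated encryption) follow the DoD assessment methodology, and the treatment of POA&M items and DoD CIO approvals follows the article's description.

```python
from typing import Dict, Optional

# Constructed subset of requirement weights (the real methodology lists all 110).
# 5 = significant risk, 3 = specific impact, 1 = limited or indirect effect.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.1.12": 5,
    "3.3.1": 5, "3.5.3": 5, "3.13.11": 5, "3.14.2": 5,
}
# Requirements that can be partially effective: per the DoD methodology, 3 points
# (instead of 5) are deducted when MFA covers only remote and privileged users,
# or when encryption is in use but is not FIPS-validated.
PARTIAL_CREDIT: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}
PERFECT = 110

# Statuses counted as implemented: fully implemented, a temporary deficiency
# addressed in the POA&M (as the article describes), or a requirement the DoD CIO
# found inapplicable / accepted an equally effective alternative for.
NO_DEDUCTION = {"implemented", "temporary_deficiency", "cio_approved"}


def sprs_score(ssp_present: bool, status: Dict[str, str]) -> Optional[int]:
    """Start at 110 and subtract the weight of every unmet requirement.

    Returns None when there is no System Security Plan, because the
    assessment cannot be conducted without one. Requirements missing from
    `status` are treated as not implemented (no partial credit).
    """
    if not ssp_present:
        return None
    score = PERFECT
    for req, weight in WEIGHTS.items():
        state = status.get(req, "not_implemented")
        if state in NO_DEDUCTION:
            continue
        if state == "partial" and req in PARTIAL_CREDIT:
            score -= PARTIAL_CREDIT[req]   # reduced deduction for MFA / FIPS
        else:
            score -= weight                # "partial" elsewhere gets no credit
    return score


def min_possible_score() -> int:
    """Floor for this table; the full 110-requirement table sums to 313,
    which is where the article's -203 floor comes from."""
    return PERFECT - sum(WEIGHTS.values())
```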


What if I upload an inaccurate SPRS score?

If you upload an inaccurate SPRS score, you might get caught; at the very least you would lose your contract, and you would likely owe a lot of money.

There are several ways that you may be caught, a few being: 

  • The DOD could perform a random DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessment on you, in which they discover the false report.  
  • Someone internal could become a whistleblower. 

If caught, you could be facing a False Claims Act case from the DOJ, and the penalty could be as high as 3x the contract value. If a whistleblower is involved, they could receive up to 25% of that amount.

How can Summit 7 help with SPRS?

Summit 7 can help you assess your compliance, calculate your SPRS score, provide a gap analysis, prescribe remediations where needed, and aid you in your security and compliance journey.

A score of 110 is required to be compliant with CMMC. Cybersecurity compliance for DoD contracts takes time (12-18 months), so if you hope to secure contracts this year, we recommend starting your SPRS process now.


To talk to someone at Summit 7 about your compliance plan, fill out the form below and one of our team members will reach out to you shortly.