SPRS

The Supplier Performance Risk System (SPRS) is a Department of Defense (DoD) platform used to assess and evaluate the performance, risks, and security posture of DoD suppliers. SPRS plays a critical role in the DoD’s acquisition process, providing procurement officials with performance ratings, risk assessments, and supplier compliance information, especially in relation to cybersecurity standards like NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC). SPRS is a key component in ensuring that defense contractors meet the required security and performance standards when handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Key Functions and Features of SPRS:

1 - Supplier Performance Ratings:

SPRS allows the DoD to evaluate a supplier’s past performance based on data from government contracts. These performance ratings help contracting officers make informed decisions when awarding new contracts. Performance ratings may cover aspects such as delivery timeliness, product quality, and contract fulfillment. The system aggregates performance data and provides a score that helps DoD personnel assess whether a supplier is reliable and meets the required standards.

2 - Cybersecurity Compliance:

One of the most important features of SPRS is its ability to track and verify suppliers' compliance with cybersecurity requirements. This includes self-assessments for compliance with NIST 800-171 controls, which are critical for protecting CUI. Defense contractors handling CUI must submit their NIST 800-171 self-assessment scores through SPRS, indicating their level of compliance with the 110 security controls outlined in the NIST 800-171 standard. Contractors are required to assess their security posture, calculate a score, and submit it to SPRS. The score is based on the number of controls fully implemented, partially implemented, or not implemented. The perfect score is 110, and deductions are made for controls that are not yet fully in place.

3 - Risk-Based Decision Making:

SPRS helps DoD procurement officials assess the overall risk of working with a particular supplier. This includes evaluating potential cybersecurity risks, performance risks, and any other issues that might impact the success of a project or contract. SPRS generates a risk score for each supplier, based on their performance history, cybersecurity compliance, and other relevant factors. This risk score is considered when determining contract awards, giving preference to suppliers with lower risk profiles.

4 - CMMC Integration:

SPRS is expected to play a significant role in the Cybersecurity Maturity Model Certification (CMMC) process. As the DoD moves to implement CMMC 2.0, contractors will need to either self-assess or undergo third-party assessments depending on their CMMC level. The SPRS platform will track the CMMC certification levels of defense contractors, allowing contracting officers to verify a supplier’s CMMC status and ensure that they meet the required cybersecurity standards for a given contract.

5 - Supplier Risk Scoring:

In addition to performance and cybersecurity compliance, SPRS tracks various risk factors that could impact a supplier’s ability to fulfill contracts. These include financial stability, delivery risks, and operational risks that could affect contract execution. SPRS assigns risk scores that reflect the likelihood of a supplier successfully delivering on a contract while adhering to DoD standards.

6 - Information Access for Contracting Officers:

SPRS is accessible to DoD contracting officers, who use the system to gather critical information about suppliers during the procurement process. This allows them to make more informed, risk-based decisions about which suppliers to work with. Contracting officers can review a supplier’s performance history, cybersecurity compliance, risk assessments, and CMMC certifications through SPRS when evaluating proposals and awarding contracts.

SPRS and NIST 800-171 Self-Assessment:

One of the critical uses of SPRS is the submission of NIST 800-171 self-assessment scores by defense contractors. Under DFARS 252.204-7019 and 252.204-7020, defense contractors are required to:

Perform a Self-Assessment: Contractors handling CUI must conduct a self-assessment of their cybersecurity practices based on the NIST 800-171 framework. This self-assessment measures the contractor’s compliance with the 110 security controls that aim to protect CUI.

Submit the Score to SPRS: Once the self-assessment is complete, contractors calculate their score based on the degree to which they have implemented the 110 security controls. The score is submitted to SPRS, and contracting officers use this score to assess whether the contractor meets the required security standards.

Develop a Plan of Action (POAM): If there are gaps in compliance, contractors are expected to develop a Plan of Action and Milestones (POAM) to address those gaps and implement missing or incomplete controls over time. This plan is part of the assessment and is considered when determining the contractor's readiness for handling CUI.

Scoring Scale:

• The highest score is 110, which indicates full implementation of all NIST 800-171 controls.
• Contractors lose points based on how many controls are not fully implemented, with each control assigned a point value based on its importance to system security.
• Contractors must have their scores updated at least every three years, or more frequently if there are significant changes to their security posture.

SPRS and the Procurement Process:

1 - Pre-Award Assessments:

• Before awarding a contract, DoD contracting officers use SPRS to evaluate a supplier’s past performance and cybersecurity posture. This includes reviewing NIST 800-171 compliance scores and CMMC certification status.

• Suppliers with high cybersecurity scores and strong performance histories are more likely to be awarded contracts, especially when the contract involves handling sensitive information such as CUI.

2 - Post-Award Monitoring:

• SPRS continues to be used after a contract is awarded to monitor supplier performance and risk. Contractors are expected to maintain high cybersecurity standards throughout the life of the contract.

• If a contractor’s cybersecurity posture deteriorates (e.g., by failing to address vulnerabilities or allowing their score to drop), this may impact their ability to win future contracts or lead to contract termination.

3 - Benefits of SPRS:

Enhances Cybersecurity: By requiring contractors to submit cybersecurity compliance scores, SPRS helps improve the overall security of the Defense Industrial Base. Contractors are incentivized to implement and maintain strong cybersecurity practices to remain competitive in the DoD contracting process.

Supports Risk-Based Decisions: SPRS provides DoD contracting officers with valuable data to assess supplier risks, helping them make informed, risk-based decisions during the procurement process.

Promotes Accountability: SPRS holds contractors accountable for their performance and cybersecurity practices, ensuring that only reliable, secure suppliers are awarded contracts to handle sensitive DoD projects.

Summary:

The Supplier Performance Risk System (SPRS) is a critical tool used by the Department of Defense (DoD) to evaluate the performance, cybersecurity posture, and risk profile of defense contractors. It plays a key role in ensuring compliance with cybersecurity standards like NIST 800-171 and supports the broader goals of the Cybersecurity Maturity Model Certification (CMMC) framework. SPRS helps DoD procurement officials make informed, risk-based decisions about which contractors to engage with, particularly when sensitive Controlled Unclassified Information (CUI) is involved, enhancing the overall security of the Defense Industrial Base.