SPRS: What Contractors Need to Know About the Supplier Performance Risk System
What is an SPRS Score?
The Supplier Performance Risk System (SPRS) score measures your current cybersecurity compliance with NIST 800-171. The SPRS score is a tool used by the Department of Defense (DoD) to measure the risk of a contractor's cybersecurity position in protecting sensitive DoD information (CDI/CUI).
Contractors are required to assess their systems against NIST SP 800-171. Those self-assessment results fall on a scale from 110 down to -203 and aid the DoD in gauging the risk of awarding you a contract.
The NIST 800-171 framework (110 controls), on which the SPRS score is based, was required by DFARS clause 252.204-7012 to be fully implemented by December 31, 2017.
The SPRS score is a criterion the DoD has set forth to measure the cybersecurity risk of your organization in handling Covered Defense Information (CDI) which can include any form of Controlled Unclassified Information (CUI). The most common form of CUI that the DoD would be looking to protect is Controlled Technical Information (CTI).
If you are unsure of the type of CUI you might have or owe the government as a deliverable, Summit 7 can assist with reviewing your contracts and building guidebooks for your organization.
How do I create an SPRS score?
Steps to creating an SPRS Score:
DoD's NIST SP 800-171 Assessment Methodology serves to objectively evaluate how well a contractor has implemented security measures outlined in the NIST SP 800-171 guidelines.
The focus is on assessing complete implementation of security requirements, without giving partial credit. Contractors are assigned scores based on the security requirements they have not implemented. A perfect score is 110, reflecting full compliance, and points are subtracted for each unmet requirement, potentially resulting in a negative score.
Certain security requirements have varying levels of impact on data security, and this methodology accounts for this by assigning different point values based on the potential impact of non-implementation.
There are three tiers of point deductions:
- 5 points for significant risks
- 3 points for requirements with specific impacts
- 1 point for requirements with limited or indirect effects
Weighting reflects importance: the "Basic Security Requirements" and a subset of the "Derived Security Requirements" are considered more essential, and more points are deducted for not implementing them.
Certain requirements, such as multi-factor authentication and validated encryption, can be partially effective even when not fully implemented, so the deduction for these depends on how far the implementation goes.
The methodology also accounts for possible future revisions of requirements. When new or modified requirements are introduced, they will be assigned point values using this scoring method.
Contractors are required to have a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) for unimplemented requirements. The assessment process relies on the information provided in the System Security Plan.
If this plan is absent, the assessment cannot be conducted.
Temporary deficiencies that are addressed in action plans can still be considered as implemented. Similarly, isolated exceptions arising from unique situations that prevent the implementation of certain security requirements are assessed differently.
If the DoD CIO determines that a requirement is inapplicable or suggests an equally effective alternative, this assessment is documented in the contractor's System Security Plan. Such approved measures and security requirements will be counted as implemented. Contractors are not required to repeatedly provide this documentation for each contract if it has been approved by the DoD CIO.
After the assessment, contractors receive their results and have a 14-day period to provide additional information, contest findings, or demonstrate compliance with any security requirements not observed by the assessment team. This process ensures a fair and comprehensive evaluation of contractors' adherence to NIST SP 800-171 requirements for protecting sensitive DoD information.
Resources:
- Explore the SPRS website.
What is a good SPRS score?
A perfect SPRS score is 110 and the lowest SPRS score is a -203. If you have a lower score, the DoD will have to assume more risk and may decide not to award you the contract.
Implementing the measures outlined in NIST SP 800-171 against the 320 Assessment Objectives listed in the documentation will raise your score and improve your chances of being awarded a contract.
When scoring yourself, begin with a perfect score and deduct points (1, 3, or 5) for each control you do not have implemented. Doing so can bring your score as low as -203; if every control is implemented you keep the perfect 110.
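A worked calculator for the scoring rules described in the methodology section and in the self-scoring paragraph above: start at 110, deduct 1, 3 or 5 points per unmet requirement, grant partial credit only where the methodology defines it, treat DoD CIO-approved alternatives and POA&M-covered temporary deficiencies as implemented, and refuse to score at all without a System Security Plan. This is an added example, not Summit 7's or the DoD's own tool; the `Status` names are assumptions, and the requirement IDs and point values in `WEIGHTS` are a constructed excerpt of Annex A of the DoD Assessment Methodology, which is not reproduced here.

```python
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                    # credited only where WEIGHTS defines a partial deduction
    NOT_IMPLEMENTED = "not implemented"
    TEMP_DEFICIENCY = "temporary deficiency with POA&M"   # scored as implemented
    CIO_APPROVED = "DoD CIO-approved N/A or alternative"   # scored as implemented


PERFECT_SCORE = 110   # all 110 requirements implemented
# The full Annex A table carries 313 points in total, so the floor is 110 - 313 = -203.

# Constructed excerpt: requirement id -> (full deduction, partial deduction or None).
WEIGHTS = {
    "3.1.1": (5, None),    # limit system access to authorized users
    "3.1.20": (1, None),   # verify and control connections to external systems
    "3.5.3": (5, 3),       # MFA: 3 points if only remote/privileged access is covered
    "3.13.11": (5, 3),     # validated crypto: 3 points if encrypted but not FIPS-validated
    "3.14.1": (5, None),   # identify, report and correct system flaws
}


def sprs_score(assessment, has_ssp=True):
    """Return (score, deductions) for an assessment dict {requirement id: Status}.

    Requirements missing from the dict are scored as not implemented, and a
    PARTIAL status on a requirement with no partial rule earns no credit.
    """
    if not has_ssp:
        # 3.12.4: without a System Security Plan the assessment cannot be conducted
        raise ValueError("no System Security Plan: assessment cannot be conducted")
    deductions = {}
    for req, (full, partial) in WEIGHTS.items():
        status = assessment.get(req, Status.NOT_IMPLEMENTED)
        if status in (Status.IMPLEMENTED, Status.TEMP_DEFICIENCY, Status.CIO_APPROVED):
            continue
        if status is Status.PARTIAL and partial is not None:
            deductions[req] = partial
        else:
            deductions[req] = full   # no partial credit anywhere else
    return PERFECT_SCORE - sum(deductions.values()), deductions


if __name__ == "__main__":
    sample = {"3.1.1": Status.IMPLEMENTED, "3.5.3": Status.PARTIAL,
              "3.13.11": Status.NOT_IMPLEMENTED, "3.14.1": Status.TEMP_DEFICIENCY}
    print(sprs_score(sample))   # 3.1.20 is unassessed and so costs its full point
```

Swap the excerpt for the complete Annex A table and the same function reproduces the -203 floor when nothing is implemented.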
What if I upload an inaccurate SPRS score?
If you upload an inaccurate SPRS score, you might get caught, lose your contract at the very least, and you'll likely owe a lot of money.
There are several ways that you may be caught, a few being:
- The DOD could perform a random DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessment on you, in which they discover the false report.
- Someone internal could become a whistleblower.
If caught, you could face a False Claims Act action from the DOJ, and the penalty could be as high as 3x the contract value. If a whistleblower is involved, they could receive up to 25% of that amount.
How can Summit 7 help with SPRS?
Summit 7 can help you assess your compliance, calculate your SPRS score, provide a gap analysis, prescribe remediations where needed, and aid you in your security and compliance journey.
A score of 110 is required to be compliant with CMMC. Cybersecurity compliance for DoD contracts takes time (12-18 months), so if you hope to secure contracts this year, we recommend starting your SPRS process now.