If you’re a government contractor or subcontractor, then you’ve probably already heard about the SPRS score. If your contract includes Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019 along with DFARS 252.204-7012, then you must have this score on file to keep your current contract or win new ones. The requirement dates back to November 30, 2020, when the DFARS Interim Rule took effect and began requiring submission of an SPRS score before new contracts are awarded. Clients are always asking what an SPRS score is and why they need it. Simply put: your SPRS score is the primary way a government contracting officer can determine that you’re doing what’s required to secure the government’s sensitive data.
SPRS stands for the Supplier Performance Risk System. Without this system, the government has no way of knowing you’re fulfilling the DFARS clause in your contract. Furthermore, submitting an accurate score to SPRS is how you stay competitive in the Defense Industrial Base (DIB). How? Without an SPRS score, or with a low one, you might be passed over for a competitor whose higher score indicates they can better protect Controlled Unclassified Information (CUI) than you can.
So, what is the SPRS score exactly and how can you improve yours? We’re going to walk you through everything you need to know about SPRS as well as how to score yourself.
Cuick Trac helps defense contractors satisfy all of the technical controls for NIST SP 800-171 and CMMC Level 2. Learn how with a free 30-minute demo today!
What is SPRS?
The SPRS score originated from the government’s requirement for all its contractors to protect CUI. This requirement is the DFARS 252.204-7012 clause in your contract. It says:
“The Contractor shall provide adequate security on all covered contractor information systems…[being] subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, ‘Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations’.”
Not only must you protect CUI and report cyber incidents, but you must implement all 110 security requirements of NIST SP 800-171. If you have the DFARS 7012 clause, you most likely also have the DFARS 7019 clause, which requires you to assess your covered information systems against those requirements at least once every three years:
“In order to be considered for award, if the Offeror is required to implement NIST SP 800-171, the Offeror shall have a current assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) (see 252.204-7019) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.” So, why do you have to submit your score to the government? The government needs to be able to determine the risk each contractor poses to its data, and to do that it must be able to see the results of the self-assessments. Submitting your self-assessment score to SPRS is the accountability mechanism the government uses to check that contractors are meeting the NIST SP 800-171 requirements.
Who Needs to Submit an SPRS Score?
Any business that contracts or subcontracts with the government and has the DFARS 7012, 7019 or 7020 clause in its contract needs to submit an SPRS score. If you’re unsure, check your contract.
But what if you’re a subcontractor? Does this still apply to you? Most often, yes, if your prime has flowed down the DFARS 7012 and 7019 clauses to you in your contract, purchase order, or the terms and conditions of a purchase order. This is the flow-down requirement: any business holding a government contract with the DFARS 7012 clause must also pass that clause down to subcontractors who might receive CUI. And if DFARS 7019 is part of the prime’s contract, it is often passed down as well.
In our experience, most subcontractors receive these clauses even when it’s highly unlikely they’ll handle CUI. Why? Because large prime contractors want every point in the data flow to be secure, which keeps them competitive in the DIB. So you not only have a contractual obligation to implement NIST SP 800-171; if you want to win new bids and keep your current contracts, you also must conduct a cybersecurity self-assessment and submit that score to SPRS.
So how do you go about scoring yourself? It begins with a cybersecurity self-assessment.
Conducting a Cybersecurity Self-Assessment
To obtain an accurate SPRS score, you must first conduct a Basic cybersecurity self-assessment following the NIST SP 800-171 DoD Assessment Methodology. According to the latest version of the methodology, the DoD uses it “to assess the implementation of NIST SP 800-171 by its prime contractors. Prime contractors may use this methodology to assess the implementation status of NIST SP 800-171 by subcontractors.”
Based on this framework, you’ll conduct your cybersecurity self-assessment using NIST Special Publication 800-171A. The assessment and scoring can be broken up into six main steps:
- Develop a System Security Plan (SSP). The SSP defines everything in scope for your assessment and documents how each of the 110 security requirements is implemented, or notes that it is not yet met (maintaining an SSP is itself requirement 3.12.4 of NIST SP 800-171). Without an SSP, no assessment score can be produced.
- Conduct your assessment against your SSP. To count a requirement as MET, you must satisfy every one of its assessment objectives in NIST SP 800-171A (320 objectives in total). You cannot claim a requirement as MET if any of its objectives is unmet.
- Calculate your score using the DoD Assessment Methodology scoring table. Start at 110 and subtract the point value of every requirement marked NOT MET. Requirements are weighted (1, 3 or 5 points each, depending on their impact), so the result can be negative; the lowest possible score is -203.
- Identify the requirements you’re not meeting (gap analysis). Most businesses do not score a perfect 110 on their first assessment. That isn’t the end of the world, provided you create Plans of Action & Milestones (POA&Ms) for the requirements you failed. A gap analysis does not improve your score by itself, but it gives you a path forward to reach 110.
- Create your POA&M entries for each requirement marked NOT MET, with owners and target completion dates.
- Submit your score to SPRS, following the SPRS NIST SP 800-171 Quick Entry Guide and the SPRS NIST SP 800-171 Entry Tutorial.
You must submit a current score at least every three years, unless your contract specifies a shorter interval, to satisfy the DFARS 252.204-7019 assessment requirement. Although the mandatory cadence is three years, you can and should resubmit whenever your score changes, for example as you close out POA&M items. Keeping the posted score current is how you remain competitive in the DIB, and it keeps your SPRS record consistent with what an auditor would find on your systems.
Lowering Your Risk with a High SPRS Score
If you’re a government contractor and you want to be awarded new contracts and keep your current ones, then you need an SPRS score for NIST SP 800-171. Even if you think you’ll never handle CUI, we’ve found in our experience that prime contractors pass down the DFARS clauses to subcontractors as a matter of practice.
And, quite frankly, since the DFARS final rule adding clause 252.204-7024 (Notice on the Use of the Supplier Performance Risk System) took effect, contracting officers are obligated to consider SPRS risk assessments when awarding contracts. So the real question is: can you afford not to submit an SPRS score, and not to make it as high as you can?
If you don’t want to take the legal and business risk of losing government contracts, then you need to conduct a cybersecurity assessment and submit your SPRS score. You can do this yourself, but it requires considerable time and dedicated resources, not to mention knowledge of each of the requirements. Many service providers can perform the assessment for you.
At Beryllium, we know how daunting a cybersecurity assessment can be, not to mention expensive. We have affordable and practical solutions for defense contractors to meet DFARS requirements. Contact us today if you have a current defense contract or want to bid on contracts in the DIB.