
12 April 2023 | 3 minute read

SPRS cybersecurity reporting: It's now more than just a number

The US Department of Defense (DoD) recently issued a final rule that may impact the weight given to the cybersecurity self-assessment scores that defense contractors report in DoD’s Supplier Performance Risk System (SPRS).

SPRS is a DoD system that gathers information from a variety of sources, including the Contractor Performance Assessment Reporting System (CPARS) and the System for Award Management (SAM), and uses algorithms to generate a supplier risk score for each contractor. DoD acquisition personnel may use that information when assessing a contractor’s responsibility and the risk associated with a contractor’s proposed approach to performing a contract.

SPRS’s assessment focuses on three areas: (1) item risk (ie, whether the product will introduce performance risk); (2) price risk (ie, whether the proposed price is consistent with historical prices); and (3) supplier risk (ie, whether there is a risk of unsuccessful performance or supply chain risk). Under the final rule, contracting officers are required to consider SPRS risk assessments when evaluating proposals, including in commercial item procurements, and when determining responsibility.

The final rule underscores the importance of having an accurate NIST SP 800-171 self-assessment score in SPRS. Although the current SPRS assessment tool does not incorporate NIST SP 800-171 self-assessment scores into item, price, or supplier risk ratings, the self-assessment scores are accessible to procurement personnel through the SPRS system. Because the rule draws more attention to SPRS and incorporates it into the evaluation process, contracting officers are more likely to consider cybersecurity self-assessment scores when evaluating the risk associated with a potential contract award. It is also possible that the self-assessment scores will be included in the SPRS ratings in the near future. Thus, it is now more likely that a low NIST SP 800-171 score could impact a responsibility determination or otherwise be viewed as posing supplier risk to an agency.

Additionally, consideration of a cybersecurity self-assessment score during proposal evaluation may increase the risk of False Claims Act liability for a contractor that has knowingly or recklessly misrepresented its self-assessment score in SPRS. The theory would be that, but for the false assessment score, the contractor would not have been awarded the contract at issue.

In light of these developments, it is critical for contractors to review their current NIST SP 800-171 self-assessment scores and periodically consider whether any revisions are necessary.

We are closely monitoring developments relating to cybersecurity requirements for government contractors. If you have any questions or are interested in learning more, please contact the authors.