DFARS Final Rule 252.204-7024, Use of Supplier Performance Risk System (SPRS) Assessments, (aka DFARS 7024) was published in March 2023 and effective immediately. It provides guidance to DoD Contracting Officers about how to use SPRS data.
The Department of Defense (DoD) explains that “DFARS 7024 requires contracting officers to consider SPRS risk assessments, if available, in the evaluation of a supplier’s quotation or offer and to consider SPRS supplier risk assessments” as they determine whether a contractor is “responsible” enough to be awarded a DoD contract. (Federal Register, March 22, 2023.)
This blog offers background about the Supplier Performance Risk System to help defense contractors understand DFARS 7024. We discuss what’s new about the final rule, and offer advice to contractors who want know what it means for them.
Background: DoD’s Supplier Performance Risk System (SPRS)
According to the DoD’s SPRS training manual, SPRS is the “authoritative source” for contracting officers to retrieve supplier and product performance information assessments “to use in identifying, assessing, and monitoring” the performance of defense contractors”.
Defense contractors’ NIST SP 800-171 assessment scores are stored on SPRS. Those scores indicate whether contractors can effectively secure Controlled Unclassified Information (CUI), and are available to contracting officers as they evaluate defense contractors.
SPRS also sweeps up contractor performance data on a daily basis from several federal reporting systems. That process creates up-to-date risk assessments for contracting officers to consider as they evaluate contractors’ proposals. Daily SPRS risk assessments scores are bundled into three areas, defined in DFARS 7024 as follows:
Our focus here is on third bucket, supplier risk, which encompasses supply chain risk. That’s where the critical question of whether a defense contractor can effectively secure CUI is considered, if reliable data are available.
If you’re thinking that your NIST SP 800-171 self-assessment score is your SPRS score and are finding all this a bit puzzling, you’re not alone.
DFARS 7019 requires contractors that handle CUI to conduct self-assessments of their compliance with NIST SP 800-171, compute their score, and submit it to SPRS. To many cyber-conscious companies in the Defense Industrial Base (DIB), that score is commonly known as an SPRS score. Actually, there is much more to the SPRS system, as it collects information from many government sources. The daily SPRS risk score—which DFARS 7024 directs contracting officers to consider—reflects additional, distinct categories of information.
What’s new in DFARS 7024?
DoD explains that DFARS 7024 is “necessary to revise [DFARS] to incorporate the extended capabilities of the Supplier Performance Risk System (SPRS), made possible by recent technical enhancements.”
According to DoD’s supplementary information, accompanying the final rule, “The objective of the new final rule is to notify offerers [defense contractors]…that SPRS collects performance data from a variety of Government sources on awarded contracts to develop item risk, price risk and supplier risk assessments for contracting officers to consider during evaluation of quotations or offers.”
All that said, it’s not immediately obvious what’s new about DFARS 7024. A review of changes from the Interim Rule to the DFARS 7024 Final Rule, however, helps shed light on DoD’s intentions: DoD’s explanatory comments about 7024 indicate that changes in the final rule are to “clarify that risk assessments are not a mandatory, stand-alone, evaluation factor for source selections and that the contracting officer shall ‘consider’ the risk assessments, if available, as part of broader evaluation factors…” In the end, DFARS 7024 indicates that contracting officers “shall use their discretion in considering the information available in SPRS.”
Contracting officers also are being given discretion about how to consider defense contractors’ NIST SP 800-171 self-assessment scores which contractors submit to SPRS, as required by DFARS 7019. That’s because, as described below, self-reported scores aren’t reliable-enough indicators of contractors’ cybersecurity levels to mandate consideration in all instances.
This leads to two key observations:
First, contracting officers have access to cybersecurity scores because SPRS includes links to NIST SP 800-171 assessments. Defense contractors that move early and undergo DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center) or Joint Surveillance Assessments will have reliable cybersecurity scores that contracting officers may consider within the “supplier risk” bucket. The joint assessments are voluntary and conducted by representatives from both DIBCAC, and a C3PAO (Certified Third-Party Assessor Organization). Having a high, verified DIBCAC or Joint Surveillance Assessment score likely will give defense contractors a competitive advantage in securing DoD contracts—both at the prime level and as subcontractors.
Second, the unreliability of self-reported scores has been made clear by the large gaps found between reported scores and reality revealed by dozens of DIBCAC spot audits conducted, as “Medium” assessments (per DFARS 7020) over the past couple years. The inability of contracting officers to rely on self-reported cybersecurity scores highlights the need for third-party verification of cybersecurity levels, as will be required under CMMC 2.0.
What does DFARS 7024 mean for defense contractors?
DFARS 7024 makes clear that DoD’s evaluation of defense contractors via SPRS focuses on the level of risk that competing contractors present to DoD’s mission. Minimizing the item risk, price risk and supplier risk—including supply chain risk—that your organization brings to the table is advantageous.
Your organization’s NIST SP 800-171 self-assessment score is an indicator of the cybersecurity risk you present to the DoD’s supply chain. Self-assessment of that compliance (conducted according to DoD Assessment Methodology) and submission of the resulting score to SPRS are mandated by DFARS 7019. If you haven’t yet submitted your NIST SP 800-171 self-assessment score, now is the time to get started on your System Security Plan (SSP) and to conduct a self-assessment. The SSP is a foundational document that supports your self-assessment—and DIBCAC is likely to ask to review it if your organization is selected for a Medium Assessment. If you’ve submitted a score that can’t be supported or is inaccurate, you need to work on your backup documentation and correct your score. You can change or correct your score on SPRS at any time.
A June 2022 DoD memorandum directs contracting officers to verify, prior to award, that the contractor has a current NIST SP 800-171 DoD self-assessment score posted in SPRS. If you haven’t posted a score, you may be found ineligible for a contract.
Keep in mind that when you don’t achieve the highest possible NIST SP 800-171 self-assessment score of 110, having an active plan to improve your organization’s cybersecurity is essential. If your self-assessment score is below 110, you need to create a POA&M (Plan of Actions and Milestones) for the security controls not met, and indicate by what date those security gaps will be remediated and a score of 110 will be achieved. If DIBCAC selects your organizaton for a Medium Assessment, they are likely to ask for confirmation of this information.
Defense contractors are strongly cautioned against knowingly misrepresenting what they post on SPRS regarding their cybersecurity compliance. The DoD’s June 2022 memo notes that failure to have or make progress on a plan to implement NIST SP 800-171 may be considered a material breach of contract requirements, exposing a company to withholding of payments and, potentially, contract termination. Additionally, the Department of Justice’s Civil Cyber Fraud Initiative specifically targets organizations that knowingly misrepresent their cybersecurity practices.
Next steps
NIST SP 800-171 was developed specifically to protect CUI. That protection has long been a high priority of DoD leadership in the face of serious and ongoing threats to the confidentiality of sensitive but unclassified information relevant to defense capabilities and missions. Recent pronouncements of DoD leadership emphasize the continuing importance DoD assigns to CUI protection. Improving your organization’s ability to protect CUI will improve your NIST SP 800-171 self-assessment score significantly. That, in turn, would better prepare your organization to volunteer for a Joint Surveillance Assessment and, importantly, to “pass” the mandatory CMMC assessments that DoD is expected to require of most defense contractors that handle CUI for the DoD.
CUI is frequently shared in the form of files or emails, and thus platforms that use powerful encryption to protect file sharing and emails are key tools to secure your information and, likewise, raise your NIST SP 800-171 self-assessment score. Further, encrypting emails and their attachments also reduces exposure to sophisticated hackers who may do reconnaissance on your communications in preparation for lateral or vertical movement within your organization and/or up and down your supply chain.
*****************************
PreVeil’s end-to-end encrypted Drive and Email platform for file sharing and communication provides high security for protecting CUI. PreVeil uses FIPS 140-2 validated encryption modules, presently required by NIST SP 800-171. To learn more, please visit www.preveil.com