
What Is an SPRS Score? The Supplier Performance Risk System Explained
As a company that directly or indirectly serves the Department of Defense (DoD), especially if you’re storing, handling, or processing Controlled Unclassified Information (CUI), you are obligated to complete a security self-assessment against the 110 controls identified in NIST Special Publication 800-171—a NIST SP 800-171 self-assessment. You also must calculate your compliance score using the DoD’s Assessment Methodology and upload that score to the DoD’s Supplier Performance Risk System (SPRS).
The DoD recently upped the ante by announcing that contracting officers must consult SPRS self-assessment results (SPRS scores) during supplier risk assessments when evaluating contract bids.
This blog will discuss the essential aspects of the SPRS self-assessment score, how it impacts your business, the role it plays in supplier risk evaluation, and the likely upcoming changes driven by the forthcoming launch of the Cybersecurity Maturity Model Certification (CMMC).
The Supplier Performance Risk System for DOD Contractors
What Is an SPRS Score?
An SPRS score is a numerical rating that reflects how well a defense contractor has implemented the 110 cybersecurity controls in NIST SP 800-171. The Department of Defense and other Defense Industrial Base (DIB) businesses use the score in supplier risk evaluations to determine a contractor’s risk profile and eligibility for contracts involving CUI. The score directly measures a contractor’s implementation of the cybersecurity controls mandated under DFARS cybersecurity requirements.
The Necessity of an Accurate Score
Under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019, defense contractors handling CUI must submit an accurate SPRS self-assessment score. CUI consists of sensitive information requiring safeguarding or dissemination controls under US federal laws, regulations, or policies. CUI is not classified but is deemed crucial for national security or federal agency functioning.
This score must be calculated according to the DoD Assessment Methodology and must not be more than three (3) years old. The accuracy of the SPRS score is crucial as DFARS clause 252.204-7020 allows the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to conduct audits to verify and validate the submitted score.
The Significance of the SPRS Self-Assessment Score
The SPRS score is a standardized measure of the security risk a contractor poses. The DoD and prime contractors consider SPRS scores when awarding contracts and forming bid teams, with higher scores providing a competitive advantage. Failure to have a SPRS score can sideline companies from current and future contracts. Inaccurate scores leave companies and their executives vulnerable to penalties that extend beyond the loss of current and future contracts to prosecution under the Department of Justice’s False Claims Act.
Calculating and Submitting Your SPRS Score
To calculate your SPRS score, conduct a self-assessment for compliance with NIST 800-171 using the DoD’s Assessment Methodology. The SPRS score ranges from a minimum of -203, for a complete failure to implement any control, to a maximum of 110 points. The range can be negative because of how the score is calculated: points are deducted from the starting score of 110 for each unmet NIST SP 800-171 control, with deductions ranging from five points for controls that pose significant risk if unimplemented down to one point for controls with limited effect.
Your business should develop a System Security Plan (SSP) and Plans of Action and Milestones (POA&Ms) to meet DoD compliance requirements and indicate how you plan to address any controls that are unmet. In all cases, an accurate SPRS score should be submitted to the DoD’s Supplier Performance Risk System. It is essential to maintain an up-to-date and accurate SPRS score.
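As an added worked example (not from the original post and not part of any Exostar product), the calculation described above in Python: start from 110 and subtract each unmet control's weight, then list what needs a POA&M entry. The control weights and statuses are a constructed sample, and the partial-credit rule for 3.5.3 and 3.13.11 is taken from the DoD Assessment Methodology rather than from this article; take every weight for a real submission from that methodology.

```python
"""Compute an SPRS self-assessment score from a list of control findings."""
from dataclasses import dataclass

MAX_SCORE, MIN_SCORE = 110, -203  # scoring bounds stated in the article

# Constructed sample of NIST SP 800-171 control IDs and assessment weights
# (5, 3 or 1 points). A real assessment covers all 110 controls and must
# use the weights published in the DoD Assessment Methodology.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.1.22": 1,
    "3.5.3": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}
# Per the DoD methodology, these two controls lose only 3 points when
# partly implemented (MFA for some users / non-FIPS-validated encryption).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class Finding:
    control: str
    status: str  # "implemented", "partial" or "not_implemented"


def deduction(f):
    """Points lost for one finding; unknown control IDs raise KeyError."""
    if f.status == "implemented":
        return 0
    if f.status == "partial" and f.control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[f.control]
    return WEIGHTS[f.control]  # partial without credit counts as unmet


def sprs_score(findings):
    """110 minus all deductions, sanity-checked against the SPRS range."""
    score = MAX_SCORE - sum(deduction(f) for f in findings)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} is outside the SPRS range")
    return score


def poam_items(findings):
    """Controls needing a POA&M entry: every finding that costs points."""
    return [(f.control, deduction(f)) for f in findings if deduction(f)]


# Constructed sample self-assessment: 110 - (1 + 1 + 3 + 5 + 5) = 95
SAMPLE = [Finding("3.1.1", "implemented"), Finding("3.1.2", "implemented"),
          Finding("3.1.3", "not_implemented"), Finding("3.1.20", "implemented"),
          Finding("3.1.22", "partial"), Finding("3.5.3", "partial"),
          Finding("3.13.11", "not_implemented"), Finding("3.14.1", "implemented"),
          Finding("3.14.2", "not_implemented")]
```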
What Is a System Security Plan?
A system security plan is a formal document that describes how an organization implements and manages the security controls required by NIST SP 800-171. The SSP outlines the systems in scope, the controls in place, and any gaps that need to be addressed.
What Is a Plan of Action and Milestones?
A plan of action and milestones details the specific steps an organization will take to address any gaps or deficiencies identified during the NIST SP 800-171 assessment. The POA&M lists each unmet control, the actions required to remediate it, responsible parties, and target completion dates.
What Is a Good SPRS Score?
A “perfect” SPRS score is 110, indicating that your organization has implemented all NIST 800-171 controls. As a general rule, the closer your organization is to achieving an SPRS score of 110, the more likely it is to be eligible for a wider range of contracts. That doesn’t mean you must achieve a perfect score to be eligible. SPRS score thresholds vary depending on individual contract requirements, and the DoD and defense contractors consider many other criteria in addition to the SPRS score.
However, a higher SPRS score demonstrates a commitment to cybersecurity and compliance with federal standards, which can enhance your organization’s reputation and competitiveness. Organizations with scores above a certain threshold may find themselves at a competitive advantage when bidding for contracts because they can reassure potential partners and clients of their robust cybersecurity and lower supplier risk profile.
Improving and Maintaining Your Supplier Performance Risk Score
To strengthen your SPRS score, self-assess your organization against the 110 NIST 800-171 controls and identify any gaps in your security controls. This SPRS self-assessment helps you score your organization and understand its shortcomings. Next, create a System Security Plan (SSP) and POA&Ms to address those controls your company does not fully meet today. Remember that identifying gaps alone does not improve your score; instead, remediation of these gaps is necessary to improve your score and meet DoD compliance requirements.
It is crucial to address the POA&Ms before submitting your SPRS score, as it is mandatory to have an SSP, and remediation helps to improve your score. Remember that higher SPRS scores can make your organization more attractive for contract opportunities.
CMMC 2.0 and SPRS Scores
Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), a cybersecurity certification framework developed by the DoD to better protect sensitive data throughout the Defense Industrial Base (DIB), requires many DIB contractors to obtain independent third-party assessments to verify compliance and the accuracy of SPRS scores. Company executives are to be held directly accountable for the accuracy of the SPRS score under CMMC 2.0, as they must personally sign off on the reported score.
Exostar® Can Help You Navigate DoD Compliance Requirements and Win DoD Contracts
Understanding and maintaining an accurate SPRS score is crucial for companies in the DoD supply chain that store, process, or handle CUI. Compliance with DFARS 252.204-7012, 7019 and 7020, along with CMMC 2.0, requires a strong focus on meeting the 110 NIST 800-171 controls and ensuring an up-to-date SPRS score. By improving your organization’s security and SPRS score, you can increase your chances of securing contracts and safeguarding your business’s future in the defense industry.
To streamline your compliance process, consider using Exostar’s CMMC Ready Suite™, which includes:
- Managed Microsoft 365™ is a cloud collaboration platform that fulfills the implementation of 85 of the 110 NIST 800-171 controls out of the box, accelerating the CMMC compliance journey.
- Certification Assistant™ guides you through the conduct of an SPRS self-assessment, calculates your SPRS score, and generates your SSP with just a click of a button. It also allows you to create POA&Ms for identified gaps.
- PolicyPro™ uses Machine Learning technology to evaluate and align your current policies against those required by the NIST 800-171 controls and the upcoming CMMC 2.0 requirements, or to create, review, and maintain compliant new policies from scratch.
By leveraging these powerful tools, you can jump-start your compliance efforts, improve your organization. Contact a defense industry compliance specialist to learn more about how Exostar streamlines compliance for the DIB.