What is a SPRS Score? Understanding Your SPRS Score and Its Importance for DoD Contractors

As a company that directly or indirectly serves the Department of Defense (DoD), especially if you’re storing, handling, or processing Controlled Unclassified Information (CUI), you are obligated to complete a security self-assessment against the 110 controls identified in NIST Special Publication 800-171—a NIST SP 800-171 self-assessment. You also must calculate your compliance score using the DoD’s Assessment Methodology and upload that score to the DoD’s Supplier Performance Risk System (SPRS).
The DoD recently upped the ante when it announced that DoD compliance requirements mandate that contracting officers must consult SPRS for supplier risk assessment when evaluating contract bids. This includes the SPRS self-assessment results (SPRS score) against the 110 NIST 800-171 controls. This blog will discuss the essential aspects of the SPRS self-assessment score, how it impacts your business, and the changes driven by the launch of the Cybersecurity Maturity Model Certification (CMMC 2.0).
Necessity of an Accurate SPRS Score
Under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019, defense contractors handling CUI must submit an accurate SPRS self-assessment score. CUI consists of sensitive information requiring safeguarding or dissemination controls under US federal laws, regulations, or policies. CUI is not classified but is deemed crucial for national security or federal agency functioning. This score must be calculated according to the DoD Assessment Methodology and must be not more than three (3) years old. The accuracy of the SPRS score is crucial as DFARS clause 252.204-7020 allows the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to conduct audits to verify and validate the submitted SPRS score.
The Significance of the SPRS Self-Assessment Score
The SPRS score is a standardized measure of the security risk a contractor poses. The DoD and prime contractors consider SPRS scores when awarding contracts and forming bid teams, with higher scores providing a competitive advantage. Failure to have an SPRS score can sideline companies from current and future contracts. Inaccurate scores leave companies and their executives vulnerable to penalties that extend beyond the loss of current and future contracts to prosecution under the Department of Justice’s False Claims Act.
Calculating and Submitting Your SPRS Score
To calculate your SPRS score, conduct a self-assessment for compliance with NIST 800-171 using the DoD’s Assessment Methodology. The SPRS score ranges from a maximum of 110 to a minimum of -203, with deductions from 110 for each control a company does not fully meet. It is essential to develop a System Security Plan (SSP) and Plans of Action and Milestones (POA&Ms) to meet DoD compliance requirements and address those controls your company does not fully meet today, and then submit your score to the DoD’s SPRS. It is essential to maintain an up-to-date and accurate SPRS score.
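To make the deduction arithmetic concrete, here is an added example (not code from this post, Exostar, or the DoD) that scores a self-assessment the way the methodology does: start at 110, subtract each unmet control’s weight, and refuse to score without an SSP. The partial-credit rules for 3.5.3 and 3.13.11 are the author’s understanding of the methodology, and the ten-row weight table is constructed for illustration rather than copied from the full 110-control table.

```python
from dataclasses import dataclass, field

MAX_SCORE = 110        # every NIST SP 800-171 control fully implemented
MIN_SCORE = -203       # all 313 possible weighted points deducted

# Partial-credit rules of the DoD Assessment Methodology as the author understands
# them (assumption, not from the blog post): these two 5-point controls deduct only
# 3 points when partly implemented (MFA not yet covering all users; encryption in
# place but not FIPS-validated). Every other control is all-or-nothing.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Constructed sample of the 110-row weight table (control id -> 1, 3 or 5 points);
# the weights are illustrative, not a transcription of the methodology's table.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.1": 5, "3.4.9": 1,
    "3.5.3": 5, "3.8.4": 1, "3.12.1": 5, "3.13.11": 5, "3.14.1": 5,
}

@dataclass
class Assessment:
    weights: dict
    not_met: set = field(default_factory=set)   # unmet, including controls on a POA&M
    partial: set = field(default_factory=set)   # partly implemented (3.5.3 / 3.13.11)
    has_ssp: bool = True

def sprs_score(a: Assessment) -> int:
    """Return 110 minus the weighted deductions for unmet and partial controls."""
    if not a.has_ssp:
        raise ValueError("no System Security Plan: the assessment cannot be scored")
    unknown = (a.not_met | a.partial) - set(a.weights)
    if unknown:
        raise ValueError(f"unknown control ids: {sorted(unknown)}")
    deduction = sum(a.weights[cid] for cid in a.not_met)
    for cid in a.partial - a.not_met:   # a control counted as unmet is not also partial
        if cid not in PARTIAL_CREDIT:
            raise ValueError(f"{cid} is all-or-nothing: no partial credit")
        deduction += PARTIAL_CREDIT[cid]
    score = MAX_SCORE - deduction
    assert MIN_SCORE <= score <= MAX_SCORE
    return score

def example_score() -> int:
    # Two unmet controls (1 + 5 points) and MFA partly rolled out (3 points): 110 - 9
    a = Assessment(SAMPLE_WEIGHTS, not_met={"3.8.4", "3.12.1"}, partial={"3.5.3"})
    return sprs_score(a)

if __name__ == "__main__":
    print(example_score())
```

Note that a control still open on a POA&M belongs in `not_met`: a plan to remediate earns no points until the work is done.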
What Is a Good SPRS Score?
A “perfect” SPRS score is 110, indicating that your organization has implemented all NIST 800-171 controls. As a general rule, the closer your organization is to achieving an SPRS score of 110, the more likely it is to be eligible for a wider range of contracts. That doesn’t mean you must achieve a perfect score to be eligible. Score thresholds vary depending on individual contract requirements, and the DoD and defense contractors consider many other criteria in addition to the SPRS score.
However, a higher SPRS score demonstrates a commitment to cybersecurity and compliance with federal standards, which can enhance your organization’s reputation and competitiveness. Organizations with scores above a certain threshold may find themselves at a competitive advantage when bidding for contracts because they can reassure potential partners and clients of their robust cybersecurity and lower risk profile.
Improving and Maintaining Your Supplier Performance Risk Score
To strengthen your SPRS score, self-assess your organization against the 110 NIST 800-171 controls and identify any gaps in your security controls. This SPRS self-assessment helps you score your organization and understand its shortcomings. Next, create a System Security Plan (SSP) and POA&Ms to address those controls your company does not fully meet today. Remember that identifying gaps alone does not improve your score; remediating them is what raises the score and meets DoD compliance requirements. It is crucial to address the POA&Ms before submitting your SPRS score, as having an SSP is mandatory and remediation improves your score. Higher SPRS scores can make your organization more attractive for contract opportunities.
CMMC 2.0 and SPRS Scores
Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), a cybersecurity certification framework developed by the DoD to better protect sensitive data throughout the Defense Industrial Base (DIB), requires most companies to obtain independent third-party assessments to verify compliance with its requirements and the accuracy of SPRS scores. Company executives are held more directly accountable for the accuracy of the SPRS score under CMMC 2.0, as they must personally sign off on the reported score.
Tools to Simplify NIST SP 800-171 Self-Assessment, Compliance, and SPRS Scoring
To streamline your compliance process and meet DoD compliance requirements, consider using Exostar’s CMMC Ready Suite, which includes:
- Managed Microsoft 365 is a cloud collaboration platform that fulfills the implementation of 85 of the 110 NIST 800-171 controls out of the box, accelerating the CMMC compliance journey.
- Certification Assistant guides you through conducting an SPRS self-assessment, calculates your SPRS score, and generates your SSP with just a click of a button. It also allows you to create POA&Ms for identified gaps.
- PolicyPro uses Machine Learning technology to evaluate and align your current policies against those required by the NIST 800-171 controls and the upcoming CMMC 2.0 requirements, or to create, review, and maintain compliant new policies from scratch.
By leveraging these powerful tools, you can jump-start your compliance efforts, improve your organization.
Exostar can help you navigate DoD compliance requirements and win DoD contracts
Understanding and maintaining an accurate SPRS score is crucial for companies in the DoD supply chain that store, process, or handle CUI. Compliance with DFARS 252.204-7012, 7019 and 7020, along with CMMC 2.0, requires a strong focus on meeting the 110 NIST 800-171 controls and ensuring an up-to-date SPRS score. By improving your organization’s security and SPRS score, you can increase your chances of securing contracts and safeguarding your business’s future in the defense industry.