DoD Digs In Its Cyber “SPRS”: New Solicitation Provision Requires Contracting Officers to Consider SPRS Risk Assessments
Client Alert | 1 min read | 03.27.23
On March 22, 2022, the Department of Defense (DoD) issued a final rule requiring contracting officers to consider supplier risk assessments in DoD’s Supplier Performance Risk System (SPRS) when evaluating offers. SPRS is a DoD enterprise system that collects contractor quality and delivery performance data from a variety of systems to develop three risk assessments: item risk, price risk, and supplier risk. The final rule introduces a new solicitation provision, DFARS 252.204-7024, which instructs contracting officers to consider these assessments, if available, in the determination of contractor responsibility.
SPRS risk assessments are generated daily using specific criteria and calculations based on the price, item, quality, delivery, and contractor performance data collected in the system. Although compliance with cybersecurity clauses DFARS 252.204-7012, -7019, or -7020 are not currently used to generate supplier risk assessments, the potential cybersecurity implications are evident. Under DFARS -7019 and -7020, DoD requires contractors to demonstrate their compliance with cybersecurity standard NIST SP 800-171 by scoring their implementation of 110 controls and uploading their score to SPRS.
Some believe that DoD could incorporate the NIST 800-171 Basic Self-Assessment score into the supplier risk assessment at any time. If SPRS scores are incorporated into supplier risk assessments, this solicitation provision will make the accuracy and veracity of contractors’ SPRS scores significantly more important. Inaccurate SPRS scores could open contractors to legal risk, including False Claims Act (FCA) liability. Under the Department of Justice’s Civil Cyber Fraud Initiative, FCA actions regarding inaccurate cybersecurity representations have increased. Because these assessments will now influence award decisions, accuracy will become key.
Contacts
Insights
Client Alert | 5 min read | 08.04.25
The Belgian federal government has taken two decisive steps in the implementation of its reform agenda. First, the adoption of the so-called Summer Agreement on July 21 outlines an ambitious fiscal and social overhaul. Second, the long-awaited Program Act was approved during the night of July 17 to July 18 and introduces a historic limitation on unemployment benefits. Together, these measures significantly redefine the Belgian labor market ecosystem.
Client Alert | 2 min read | 07.31.25
A Greater Sum of Certainty: ASBCA Weighs in on when Sum Certain Defense Is Not Waived
Client Alert | 7 min read | 07.31.25
Significant Changes Are in the Works for EU Environmental, Social, and Governance (ESG) Laws
Client Alert | 6 min read | 07.30.25
The new EU “Pharma Package”: Global (Orphan) Marketing Authorization