1. Home
  2. |Insights
  3. |DoD Digs In Its Cyber “SPRS”: New Solicitation Provision Requires Contracting Officers to Consider SPRS Risk Assessments

DoD Digs In Its Cyber “SPRS”: New Solicitation Provision Requires Contracting Officers to Consider SPRS Risk Assessments

Client Alert | 1 min read | 03.27.23

On March 22, 2022, the Department of Defense (DoD) issued a final rule requiring contracting officers to consider supplier risk assessments in DoD’s Supplier Performance Risk System (SPRS) when evaluating offers. SPRS is a DoD enterprise system that collects contractor quality and delivery performance data from a variety of systems to develop three risk assessments: item risk, price risk, and supplier risk. The final rule introduces a new solicitation provision, DFARS 252.204-7024, which instructs contracting officers to consider these assessments, if available, in the determination of contractor responsibility.

SPRS risk assessments are generated daily using specific criteria and calculations based on the price, item, quality, delivery, and contractor performance data collected in the system.  Although compliance with cybersecurity clauses DFARS 252.204-7012, -7019, or -7020 are not currently used to generate supplier risk assessments, the potential cybersecurity implications are evident. Under DFARS -7019 and -7020, DoD requires contractors to demonstrate their compliance with cybersecurity standard NIST SP 800-171 by scoring their implementation of 110 controls and uploading their score to SPRS.

Some believe that DoD could incorporate the NIST 800-171 Basic Self-Assessment score into the supplier risk assessment at any time. If SPRS scores are incorporated into supplier risk assessments, this solicitation provision will make the accuracy and veracity of contractors’ SPRS scores significantly more important. Inaccurate SPRS scores could open contractors to legal risk, including False Claims Act (FCA) liability. Under the Department of Justice’s Civil Cyber Fraud Initiative, FCA actions regarding inaccurate cybersecurity representations have increased. Because these assessments will now influence award decisions, accuracy will become key.

Contacts

Insights

Client Alert | 2 min read | 07.15.26

CMMC Phase II Suspension Requires Reconsideration of Such Requirements in Solicitations

As discussed in more detail here, the U.S. Department of War (DoW) recently issued a memorandum (Memo 26-P-1023, dated July 13, 2026) directing the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements (Level I and II self assessments are still permitted). Significantly, the memo directs that “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.” Moreover, the DoW issued a memorandum on implementing these requirements (available here), directing agencies to issue amendments removing CMMC Level 2 and 3 requirements from active solicitations “as soon as practicable.” Contractors should monitor the government’s compliance with this requirement and should be prepared, if needed, to file a bid protest to protect their rights....