In this article, we’ll identify many common mistakes that DoD contractors make in determining their SPRS Score and provide recommendations to help you ensure an accurate one.
For many contracts, the Department of Defense (DoD) requires contractors, sub-contractors, and suppliers to submit an attestation of cybersecurity compliance in the form of a Supplier Performance Risk System (SPRS) Score. Many Prime Contractors and teaming partners are requiring this score, as well.
The DoD Assessment Methodology (DoDAM) that must be followed to generate the SPRS Score has a complex and confusing assessment process, especially for those without extensive DoD compliance and audit experience. This leads businesses to make mistakes when attempting to conduct an in-house self-assessment to determine their score.
The requirement for an SPRS Score is a result of the DFARS 252.204-7012 (DFARS 7012) [1] and its DFARS Interim Rule (September 2020) [2].
An Interim Final Rule is expected in 2023 that will establish CMMC 2.0; however, this is unlikely to significantly change the SPRS Score.
In submitting an SPRS Score, misrepresentation of compliance and security violations that reveal non-compliance can result in the Government taking adverse actions [3]. These may include criminal and civil penalties under the False Claims Act (FCA) [4], loss of contracts, fines, and/or suspension of the ability to continue doing business with the U.S. Government.
An accurate SPRS Score based on a proper assessment gives you a clear view of where your business really is with compliance, where your business needs to be, and the path to get there. It shows due diligence that your business is acting in good faith to meet compliance requirements and protect sensitive Government data. It also supports important strategic decisions on investments of time, effort, and money to improve your cybersecurity and meet compliance requirements.
- Miscalculating the Score
  - The SPRS Score is subtractive. It begins at a perfect score of 110 points, then subtracts the Control Weight (5 points, 3 points, or 1 point) of each control not met.
  - The range for an SPRS Score is -203 points to +110 points.
  - Peerless finds that most first-time assessments have a negative score due to incomplete controls. However, the SPRS Score can often quickly be made positive by implementing the right short-term solutions.
- Not Evaluating Assessment Objectives
- Giving Yourself Credit for Incomplete / Partial Controls
  - The DoD Assessment Methodology requires an all-or-nothing approach to scoring each of the 110 controls.
  - Controls must have all their assessment objectives fully implemented to receive credit.
  - Partially Implemented controls subtract the full weighted point value of the control, the same as Not Implemented controls.
  - DoD only permits Official Partial Credit for two controls (3.5.3 and 3.13.11).
  - If the specific requirements to qualify for Official Partial Credit status in the DoD Assessment Methodology are met, fewer points are deducted for these controls.
  - Peerless finds that most first-time assessments result in a negative SPRS Score due to incomplete controls. With the right recommendations, SPRS Scores can quickly and easily become positive.
- Marking Controls as Not Applicable (N/A)
  - DoD only permits Not Applicable (N/A) status for five controls (3.1.12, 3.1.13, 3.1.16, 3.1.17, and 3.1.18).
  - If the specific requirements to qualify for N/A status in the DoD Assessment Methodology are met, points are not deducted for these controls.
  - The assessment objectives of the remaining controls must be fully met, whether or not they apply to your information systems or operations.
  - Meeting such assessment objectives may require an administrative approach (e.g., documenting a formal explanation, policy, process, or procedures) and/or a technical approach (e.g., implementation, enforcement).
- Marking Controls as Alternative Measures, Temporary Deficiency, Enduring Exception, or Risk Acceptance
  - Control status will almost always be one of the following:
    - Implemented (Met)
    - Partially Implemented (Partially Met / Not Met) [Lose all points.]
    - Official Partial Credit (Partially Met / Not Met) [Only permitted for controls 3.5.3 and 3.13.11.]
    - Not Applicable (N/A) [Only permitted for controls 3.1.12, 3.1.13, 3.1.16, 3.1.17, and 3.1.18.]
  - The other control statuses mentioned in the DoD Assessment Methodology should only be used with caution and thorough understanding. They will not be permitted by DoD without documenting sufficient justification and/or formal approvals:
    - Alternative Measures
    - Temporary Deficiency
    - Enduring Exception
    - Risk Acceptance
  - We strongly recommend contacting DoD compliance experts like Peerless to advise where it might be appropriate to use one of these other statuses and how to best document justification for each specific use.
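The scoring rules in the sections above (subtractive from 110, all-or-nothing per control, Official Partial Credit for only 3.5.3 and 3.13.11, N/A for only the five listed controls) are simple enough to encode, and doing so makes the manual check against Annex A that is recommended later in this article much easier. The following scorer is an added example written for this article; it is not Peerless's tool and not the official DoD Annex A scoring template. The control weights and statuses in it are constructed for illustration and cover only a handful of the 110 controls (real weights come from Annex A), and the 3-point reduced deduction assumed for the two partial-credit controls should be confirmed against the current methodology.

```python
"""Subtractive SPRS scorer following the rules described in this article.

Added example for this article; it is not Peerless's tool and not the
official DoD Annex A scoring template. The control weights and statuses
below are constructed for illustration only.
"""
from __future__ import annotations

from enum import Enum

MAX_SCORE = 110            # every assessment starts at a perfect 110
VALID_WEIGHTS = {5, 3, 1}  # the only control weights the methodology uses

# The only two controls DoD allows to receive Official Partial Credit.
# Assumption: the reduced deduction is 3 points for each; confirm against Annex A.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# The only five controls DoD allows to be marked Not Applicable.
NA_ELIGIBLE = {"3.1.12", "3.1.13", "3.1.16", "3.1.17", "3.1.18"}


class Status(Enum):
    IMPLEMENTED = "Implemented"                        # all objectives met
    PARTIALLY_IMPLEMENTED = "Partially Implemented"    # scored the same as not met
    NOT_IMPLEMENTED = "Not Implemented"
    OFFICIAL_PARTIAL_CREDIT = "Official Partial Credit"
    NOT_APPLICABLE = "Not Applicable"


def is_permitted(control_id: str, status: Status) -> bool:
    """True when the methodology permits this status for this control."""
    if status is Status.OFFICIAL_PARTIAL_CREDIT:
        return control_id in PARTIAL_CREDIT_DEDUCTION
    if status is Status.NOT_APPLICABLE:
        return control_id in NA_ELIGIBLE
    return True


def deduction(control_id: str, weight: int, status: Status) -> int:
    """Points subtracted for one control; rejects weights and statuses that are not allowed."""
    if weight not in VALID_WEIGHTS:
        raise ValueError(f"{control_id}: weight {weight} is not 5, 3 or 1")
    if not is_permitted(control_id, status):
        raise ValueError(f"{control_id}: status {status.value!r} is not permitted for this control")
    if status in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
        return 0
    if status is Status.OFFICIAL_PARTIAL_CREDIT:
        return PARTIAL_CREDIT_DEDUCTION[control_id]
    # Partially Implemented and Not Implemented both lose the full weight: all-or-nothing.
    return weight


def sprs_score(weights: dict[str, int], statuses: dict[str, Status]) -> tuple[int, list[tuple[str, str, int]]]:
    """Return (score, per-control rows) so each deduction can be checked by hand against Annex A.

    A control present in the weight table but missing from `statuses` is scored as
    Not Implemented, so an unfinished assessment never silently earns credit.
    """
    unknown = sorted(set(statuses) - set(weights))
    if unknown:
        raise ValueError(f"statuses given for controls not in the weight table: {unknown}")
    rows: list[tuple[str, str, int]] = []
    score = MAX_SCORE
    for control_id, weight in weights.items():
        status = statuses.get(control_id, Status.NOT_IMPLEMENTED)
        points = deduction(control_id, weight, status)
        score -= points
        rows.append((control_id, status.value, points))
    return score, rows


# Constructed subset of the 110 controls with assumed weights (real weights: Annex A).
# The score is only meaningful once all 110 controls are in the table.
SAMPLE_WEIGHTS = {"3.1.1": 5, "3.1.12": 5, "3.2.1": 3, "3.4.3": 1, "3.5.3": 5, "3.13.11": 5}
SAMPLE_STATUSES = {
    "3.1.1": Status.IMPLEMENTED,
    "3.1.12": Status.NOT_APPLICABLE,           # e.g. no remote access, justified in the SSP
    "3.2.1": Status.IMPLEMENTED,
    "3.5.3": Status.OFFICIAL_PARTIAL_CREDIT,   # reduced deduction instead of the full weight
    "3.13.11": Status.PARTIALLY_IMPLEMENTED,   # partial still loses all 5 points
    # "3.4.3" intentionally absent: scored as Not Implemented
}

if __name__ == "__main__":
    total, rows = sprs_score(SAMPLE_WEIGHTS, SAMPLE_STATUSES)
    for control_id, status_name, points in rows:
        print(f"{control_id:<8} {status_name:<24} -{points}")
    print(f"SPRS Score: {total}")
```

The per-control rows are the point of the design: a tool that only reports a total hides exactly the errors this article warns about (partial credit taken where it is not allowed, N/A applied to an ineligible control, a control left unassessed and quietly counted as met). Rejecting disallowed statuses and treating missing controls as Not Implemented keeps the computed score conservative, which is the safer position given the misrepresentation consequences described above.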
- Improper Scope / Compliance Boundary
  - Proper evaluation of controls and your overall compliance with DFARS 7012 requires a clear determination of what is in-scope and out-of-scope.
  - The compliance boundary of your information system must be clearly defined, described, and diagrammed, along with every other system connecting to, supporting, or exchanging data with it.
  - Scope review must include not only your internal network and enclaves, but also anything associated with them. For example: cloud providers, vendors, Software as a Service (SaaS) products, physical facilities, network infrastructure, and external systems that connect to your system or with which you exchange data.
  - Many contractors lack the expertise to make accurate scope determinations, missing things that are in-scope and including things that are out-of-scope.
  - Improper scoping results in not only an inaccurate SPRS Score but also expensive surprises, such as the urgent need to change solutions and vendors.
- Lack of Policy Documentation
  - Many assessment objectives cannot be met by technical solutions alone.
  - At least 59 of the 110 controls (164 points) contain assessment objectives that require policy-related documentation.
  - This means some controls are impossible to meet without sufficiently documented policies, processes, and procedures.
- Not Having a Proper SSP or POA&M
  - The System Security Plan (SSP) is a required document; an SPRS Score cannot be submitted without one. It describes your system and the implementation of controls.
  - The Plan of Action & Milestones (POA&M) is a required document that tracks remediation of controls that are not fully implemented.
  - The SSP must clearly describe your information system and sensitive data, indicate the evaluated status for all 110 controls, and provide details on how those controls' 320 assessment objectives have been implemented.
  - The SPRS system does not store SSPs or POA&Ms; however, the Government can request to review them at any time. Prime contractors and partners may also request your SSP and POA&M for review.
  - The Defense Contract Management Agency (DCMA) has been conducting random spot-checks of contractors' SSPs and SPRS Scores to determine due diligence and SPRS Score accuracy.
  - The SSP and POA&M templates from NIST SP 800-171 are not recommended because they were never updated to meet the DoD Assessment Methodology requirements and DoD / Federal audit expectations. Peerless has found that many SSP templates have these shortcomings.
- Reliance on Control Explanations or Layman's Terms
  - Controls can only be evaluated as Implemented (Met) if the required assessment process has been followed and all the control assessment objectives have been fully met.
  - Unofficial control explanations, examples, summaries, simplifications, and layman's terms should not be used, as they are sometimes incorrect and will almost never fully address the required assessment objectives.
  - While they can be useful in trying to understand some of the controls in plain language, they should never be relied on to evaluate controls.
- Following the NIST Handbook 162
  - The NIST Handbook 162 must not be used as the basis for a self-assessment and SPRS Score.
  - It can be useful to help understand some of the controls in plain language, but it does not cover the required assessment objectives and can be very misleading in its simplicity.
  - NIST withdrew the NIST Handbook 162 because it conflicts with the official Assessment Guide.
- Lack of DoD Compliance Expertise
  - There is no substitute for hands-on experience with DoD assessments, expert interpretation of control requirements, and meeting the expectations of DoD / Federal auditors. In the future, this will include CMMC Third-Party Assessment Organizations (C3PAOs).
  - The DoD Assessment Methodology and its required CMMC 2.0 / NIST SP 800-171 Assessment Guides can be very complex. Almost no guidance has been provided by DoD as to how control objectives should be interpreted or met.
  - Interpreting the requirements of each control's assessment objectives requires multiple layers of specialized knowledge and experience:
    - General Compliance
    - DoD Compliance and Audits
  - If your employees, consultants, and third-party partners do not have those layers of experience, we highly recommend that you leverage the help of a company like Peerless that applies highly specialized experience across cybersecurity, compliance, engineering, and managed services (MSP).
How to Get an Accurate SPRS Score
- Avoid tools that oversimplify the process, such as websites and spreadsheets that don't offer explanations or even refer to the required assessment objectives within each control.
  - These tools can be misleading about what DoD requires and sometimes do not accurately calculate the SPRS Score even when given proper inputs.
- Manually check your score against the DoD Assessment Methodology, Annex A (Scoring Template), before submission to the SPRS system.
  - Tools that clearly show the calculation for each control make it much easier to manually check the score.
- Ensure you have policy documents that thoroughly cover the CMMC 2.0 / NIST SP 800-171A assessment objectives.
- Leverage help from engineers and consultants that are experienced in DoD compliance.
- Partner with a Managed Service Provider (MSP) that is experienced in DoD compliance.
- Conduct a proper third-party Gap Assessment / Gap Analysis to evaluate the controls, generate the SPRS Score, and create your System Security Plan (SSP).
  - This will result in a much more accurate score and demonstrates due diligence to Prime contractors, partners, and the DoD.
  - Beware of companies that do not follow the required DoD Assessment Methodology, are too quick-and-easy, or are too cheap to be true. A good assessment company should demonstrate industry experience and provide hours of control evaluation by a qualified, professional compliance analyst.
- Peerless offers very affordable, expert assessments at two levels:
  - The abridged assessment is designed for companies needing the bare minimum of a quick, highly conservative estimate of their compliance, a System Security Plan (SSP), and an SPRS Scoresheet. We also offer thorough Policy Templates for an immediate score improvement.
  - The full assessment is much more in-depth, providing a more extensive System Security Plan (SSP); a detailed Plan of Action & Milestones (POA&M); an SPRS Scoresheet; and a presentation of Cybersecurity and Compliance findings and recommendations that cover the SPRS Score in addition to other common DoD / Federal regulations and Cybersecurity best practices. We also offer thorough Policy Templates for an immediate score improvement.
Getting an accurate SPRS Score is a matter of following the right process and leveraging the right expertise. Not only will an accurate SPRS Score show due diligence, it will also help your business improve its cybersecurity and prepare for the future. An accurate score will support important strategic decisions for your investments in cybersecurity and compliance.
[1] DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. (GSA, December 2019)
[2] DFARS Interim Rule: Assessing Contractor Implementation of Cybersecurity Requirements. (Federal Register, September 2020)
[3] Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012. (OSD A&S, June 2022)
[4] New Civil Cyber-Fraud Initiative. (DOJ, October 2021)