In this article, we’ll identify many common mistakes that DoD contractors make in determining their SPRS Score and provide recommendations to help you ensure an accurate one.
For many contracts, the Department of Defense (DoD) requires contractors, sub-contractors, and suppliers to submit an attestation of cybersecurity compliance in the form of a Supplier Performance Risk System (SPRS) Score. Many Prime Contractors and teaming partners are requiring this score, as well.
The NIST SP 800-171 DoD Assessment Methodology (DoDAM) that must be followed to generate the SPRS Score is complex and easy to misapply, especially for businesses without extensive DoD compliance and audit experience. The score starts at 110 and subtracts 1, 3, or 5 points for each of the 110 NIST SP 800-171 requirements that is not fully implemented (with partial credit allowed only for a few specific requirements, such as multifactor authentication and FIPS-validated cryptography), so a score can range from 110 down to -203. Misjudging a single requirement as "implemented" when it is only partially in place, or misreading the weighting, produces an inaccurate score. This is why in-house self-assessments so often go wrong.
When submitting an SPRS Score, misrepresenting your level of compliance, or suffering a security incident that reveals the submitted score was inaccurate, can result in the Government taking adverse action. That may include civil and criminal penalties under the False Claims Act (FCA), loss of contracts, fines, and/or suspension of the ability to continue doing business with the U.S. Government.
An accurate SPRS Score based on a proper assessment gives you a clear view of where your business really stands on compliance, where it needs to be, and the path to get there. It demonstrates due diligence: that your business is acting in good faith to meet compliance requirements and protect sensitive Government data. It also supports sound strategic decisions about where to invest time, effort, and money to improve your cybersecurity and close compliance gaps.
Getting an accurate SPRS Score is a matter of following the right process and leveraging the right expertise. Beyond showing due diligence, an accurate score helps your business improve its cybersecurity and prepare for the assessments and requirements still to come.