Effective March 22, 2023, the Department of Defense (DOD) issued a final rule (Final Rule) amending the Defense Federal Acquisition Regulation Supplement (DFARS) requiring Contracting Officers (COs) to use Supplier Performance Risk System (SPRS) assessments when evaluating proposals and considering a contractor’s responsibility. Federal government contractors should be aware of the changes, how the government can use SPRS assessments, and the potential effects on cybersecurity compliance and bid protests. On June 6, 2023, PilieroMazza attorneys will present “Cybersecurity for Government Contractors: Success Through Compliance Readiness” to cover these and other cybersecurity-related topics. Visit this link to register. 

What is SPRS? 

SPRS is a DOD application that gathers contract award and delivery data about contractor performance to compute a Supplier Risk Score, Price Risk and Confidence Score, and Item/Price Risk Report. Although access to SPRS risk assessments is limited to government officials and the individual offeror, a poor score in any of these three categories alerts COs to potential risks in an offeror’s supply chain. 

To compute these scores, SPRS aggregates data from various sources (the Federal Procurement Data System, the Defense Contract Management Agency, the Contractor Performance Assessment Report System, etc.) and assesses ten different performance factors, including (1) delivery time, (2) providing suspected counterfeit items, and (3) corrective action requests. The Price Risk and Confidence Score determines if a proposed price is similar to historical prices (since 2010) paid for that item. Lastly, the Item/Price Risk Report identifies whether an item is high risk by looking at, for example, whether an item’s manufacturer or supplier discontinued production or whether a component has an increased counterfeiting risk.  

The Final Rule intersects with other substantive cybersecurity areas, such as NIST Special Publication 800-171 (rev. 2) (NIST SP 800-171). NIST SP 800-171 broadly recommends security requirements for protecting the confidentiality of Controlled Unclassified Information in non-federal systems. SPRS contains contractors’ NIST SP 800-171 assessments, which include confidence levels and individual System Security Plans. These obligations mirror the requirements of DFARS 252.204-7012, which requires defense contractors to implement NIST SP 800-171’s recommended requirements to demonstrate they have adequate security to protect covered defense information. Thus, COs will now have information describing a company’s cybersecurity policies more readily available when it comes time to make an award decision.  

SPRS Assessments Now Mandatory Considerations in Procurement Evaluation 

The most notable change is that COs must use SPRS assessments when making award decisions, including using that information as part of an evaluation factor or when assessing a contractor’s responsibility.  That said, it is unclear how the CO will use the information. SPRS assessments will not be stand-alone source selection factors, but part of the broader evaluation scheme. In other words, the assessments will be just one of many factors to be used in a source selection decision. Evaluation of these assessments will be required for quotes or offers submitted in response to DOD solicitations for supplies and services, including commercial item/service acquisitions. If a contractor does not have a SPRS assessment readily available, they will be rated neither favorably nor unfavorably. Ultimately, the CO has discretion in choosing which information within SPRS to consider.  

New Grounds for Bid Protest? 

While not expressly mentioned in the Final Rule, these assessments appear to be fertile grounds for a bid protest challenging award of a contract. As noted above, COs have discretion to use some, all, or none of the information present in the SPRS assessment during evaluations. This may present situations where a CO disregards certain information in the SPRS for one purpose but may be compelled to consider this information as “too close at hand” to ignore under past performance. This hypothetical is well within the realm of possibility since SPRS assessments consider an offeror’s past performance on certain contracts. Under such a scenario, protesters could argue that the CO failed to comply with the solicitation’s requirements by not adequately reviewing or evaluating an apparent successful offeror’s SPRS score when it is known that they had poor past performance. Or, vice versa, the agency ignored positive past performance information from the SPRS assessment that prejudiced an offeror’s ability to win an award. 

Protests also could challenge the CO’s use of the SPRS information. As written, the Final Rule includes some ambiguity about how the CO is supposed to use the SPRS information. On the one hand, COs must evaluate an offerors’ SPRS score. Yet, on the other hand, COs have discretion to consider any or all information within that SPRS. It remains to be seen how much, or how little, COs will rely on these scores to upgrade or downgrade offerors’ evaluations during the source selection process and to what extent the U.S Government Accountability Office (GAO) and the U.S. Court of Federal Claims (COFC) will define the boundaries of COs’ discretion on that front. As a result, the SPRS assessment could provide yet another weapon in a protester’s ‘arsenal’ when deciding whether to challenge an award.  

Key Takeaways 

  1. Shape Procurements Based on Your SPRS Score. For the time being, contractors should be aware of the potential use of SPRS assessments in award decisions. If you have a higher risk score under one of the three categories and a solicitation places greater emphasis on SPRS assessments during evaluation, it may not be worth the time and resources to submit a proposal. To the contrary, if you have a particularly low risk score, it may be prudent to ask a question during the solicitation’s question-and-answer stage emphasizing the CO’s required use of this information to better your chances of receiving an award.  
  2. Keep Your SPRS Score Updated. As your firm updates its cybersecurity policies to maintain compliance with NIST SP 800-171, you would be wise to also update the information in SPRS to ensure contracting officials have the most recent information regarding your security practices. Failing to do so could lead to a failed responsibility finding, thereby jeopardizing a contract award.  
  3. Protest (Maybe?). If you are a disappointed offeror under a DOD contract, the CO’s use of the information in SPRS (or lack thereof) could be grounds for a bid protest at GAO or COFC. The use of this information is now mandated in the DFARS, and certain provisions are required to be included in the solicitation. Thus, failing to use SPRS information, or information “too close at hand,” could be evidence of a violation of procurement law and regulation.  

If you have questions about SPRS scoring, or any other cybersecurity-related questions, please contact Kevin Barnett or Daniel Figuenick, the authors of this blog, or another member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy practice groups. Remember to visit this link to register for the June 6, 2023, webinar “Cybersecurity for Government Contractors: Success Through Compliance Readiness”.