The Department of Defense (DOD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to require Contracting Officers to use Supplier Performance Risk System (SPRS) assessments when evaluating proposals and considering a contractor’s responsibility. Federal Drive with Tom Temin spoke with PilieroMazza attorney Kevin Barnett about what the updated rule means for government contractors. Below is a transcript of Kevin’s interview; an audio version is also available. For more coverage on this topic, a blog and a webinar replay are available.
Tom Temin: This rule, well, first of all, let’s start with the supplier performance risk system. There are a lot of these kinds of similar-sounding systems across the government. What is this one and what is it assessing risk for?
Kevin Barnett: So, the supplier performance risk system, it’s a DOD database that itself is not new. It’s DOD’s authoritative source of supplier and product performance information. And it tries to evaluate and monitor suppliers, track corporate business practices, identify parts of the supply chain that may increase the risk of performance or the risk of counterfeit parts. And it’s quite the multi-headed hydra. It has a supplier risk component where it generates a supplier risk score. It generates a price risk score and an item risk score. And it gets inputs from all kinds of systems all over the government, from the CPRS system, the contractor performance rating system, to the self-assessments about your cyber capabilities, as well as other contract performance reports and alerts that the government may issue.
Tom Temin: So, it’s a breath mint and a candy mint all wrapped in chocolate, you might say.
Kevin Barnett: You could say that. And I think some of the DOD contracting officers are using it. It is that delightful mix of a little bit of everything.
Tom Temin: Well, I guess the question then is why did there need to be a rule in the DFAR causing contracting officers to use it? Why would they not use it in the first place to evaluate bids?
Kevin Barnett: I think there have been instances where it has been used to evaluate bids. The new rule just puts everyone on notice that it must be used to evaluate bids, and that’s pretty significant for a variety of reasons. First and foremost, the system generates a new risk score, actually a new series of risk scores, every single day. So, the new rule is putting contractors on notice that you really need to stay on top of your risk scores that are being produced by this system if you want to be competitive in future DOD evaluations. It is also starting to bring to the forefront some of the cybersecurity regulations that have been percolating and in place for a number of years now. For many years, the supplier performance risk system, most contractors’ exposure to it was the requirement to input their self-assessment of their compliance with NIST 800-171, which is the full breadth of best practices in cybersecurity. And it was just a go/no-go requirement. You need your evaluation in there. Now that these scores are actually going to be used in the evaluation, this is the first step, along with CMMC coming out later this summer, that cybersecurity is going to be considered in all DOD procurements.
Tom Temin: And just to put a sharper point on this, it’s not really a bid evaluation tool so much as a contractor evaluation tool. Almost like third-party risk assessment done in the private sector. It doesn’t look at your pricing or your delivery schedule or your labor costs or any of those technical requirements that might be in the solicitation. But it looks at you as a company, correct?
Kevin Barnett: I would actually say it looks at both of those things. Instead of looking at the schedule and information that you put in your proposal, what this is now bringing to bear very clearly is the company’s history of performance. So, if you have a history of delayed performance or have a history of providing products that have manufacturing issues, or have noted vulnerabilities in your cybersecurity that have been identified in other contracts, it’s going to be brought into this system and will be reflected in future evaluations.
Tom Temin: Got it. We’re speaking with Kevin Barnett of PilieroMazza. He’s an attorney that specializes in these kinds of things. And in many ways, then it sounds as if it operates almost like a credit score with rules and things changing daily.
Kevin Barnett: That’s a great way to compare it. It’s three different credit scores for three different aspects of a company’s performance with respect to a certain product or service that they’re offering.
Tom Temin: And the environment changes a lot too. And it seems like that’s something that suppliers have to keep up with. What I mean specifically is that you mentioned Special Publication 800-171 from NIST that’s about to undergo a major revision. It’s out to comments now. So, when those are in and the final version comes out probably sometime in the fall, then that’s a whole exercise companies are going to have to do to make sure they are compliant or following the new guidelines in 171.
Kevin Barnett: Absolutely. This is going to hold them accountable for maintaining compliance with the latest cybersecurity. It’s also going to hold them accountable for maintaining the best supply chain risk management practices because all of that goes into these scores. If you’re using suppliers that have been identified as risky suppliers or have a history of supplying counterfeit parts, that’s going to negatively impact your score going forward.
Tom Temin: And the big problem with some of these systems over the years has been supplier recourse if they feel they are flagged unfairly in some aspect of their business, pricing or delivery or quality, whatever it might be. And can things be changed on appeal that are in this particular system?
Kevin Barnett: The technical answer is yes. The SPRS system has a challenge process where you can look in your score, identify some record that has been entered for consideration that’s negatively impacting your score and challenge it. It’s kind of an automated process, pops up. You write an email, they say you need to provide objective quality evidence to dispute it. I don’t know what that means, except perhaps DOD likes another opportunity to create an acronym. The give and take of that process, though, it’s unclear. It’s really DOD gets to give you a thumbs up, thumbs down, deny or accept your challenge, and contractors’ recourse, or at least intermediate recourse, seems to be limited.
Tom Temin: And what is the actual limit of the obligation on the contracting officer if they’re asked to consider the supplier performance risk system (SPRS)? Do they have to follow it necessarily if one bid is better on a price and delivery front, but the lesser of the two bids has a better rating in the SPRS? Are they obligated to pick that one?
Kevin Barnett: No. Well, I don’t know. The new final rule is very clear. Contractors must consider this information and it must consider each of the three scores that are produced: the price risk score, the item risk score, and the supplier risk score. But how exactly that is used in comparison with the other evaluation criteria is not clear. I think this is going to be a fruitful area for a lot of clever bid protest arguments coming up in the future for exactly that reason is you have a must-use without a how-to-use requirement.
Tom Temin: Now, increasingly, some social types of impositions have been put on suppliers and that’s accelerated during this administration, on their energy usage and their carbon footprint, if they can even figure that out, what they’re doing on DEI, their labor practices. Are those part of the SPRS yet?
Kevin Barnett: They do not appear to be explicitly part of the SPRS yet. I could see those issues percolating their way up as part of the CPARS score, as those become requirements of the contract, and contractors fall short of those. They could get a bad CPARS rating which is then slipped into the SPRS rating. But as of now, there are no explicit requirements for some of those more progressive administration goals.
Tom Temin: Well, let’s wait a minute. And maybe it is going to happen eventually, but in the meantime, the best recourse for contractors then is to mind your Ps and Qs.
Kevin Barnett: Absolutely. Mind your Ps and Qs. Stay on top of your daily risk score. Know where those inputs are coming from and challenge it with your objective quality evidence. It’s interesting, one of the comments, or a large number of the comments on the proposed rule, which now became a final rule, were various contractors questioning the inputs, saying, well, this system is known for faulty, unreliable reports, or that system can easily be manipulated. And the general response from the agency, from DOD, was no, we’re going to use it in only this minimal way that mitigates those concerns. So, the skeptic in me doesn’t necessarily trust those assurances, but there is an opportunity for that to work.