Over the last half-decade or more, the prevalence of cyberattacks on the government has only increased. Moreover, it’s not just attacks on the government agencies themselves that matter, but also attacks against the contractors and subcontractors working with those government agencies.
These are known as supply chain attacks, and they use weak spots in vendor software or even hardware to compromise the systems that depend on it further up the chain, even if those systems are otherwise secure and doing everything right. The infamous SolarWinds hack from 2019 is the highest-profile example in recent memory, but it’s far from the only one.
Since then, the government has been pushing harder and harder to improve cybersecurity across all threat surfaces: the agencies themselves, their contractors, and subcontractors all the way down the chain.
Among the many frameworks, requirements, processes, and systems used to ensure security across the board is the SPRS. What is it, what is an SPRS score, how is it calculated, and what do you need to keep in mind with regard to the system? Read on to find out more.
BLUF - Bottom Line Up Front
Cyberattacks on government and its contractors have increased, highlighting the importance of securing Controlled Unclassified Information (CUI). The Supplier Performance Risk System (SPRS) measures compliance with NIST SP 800-171 guidelines. A good SPRS score aims for 110, but achieving it directly is challenging. Scores below zero are possible, and misrepresentations can lead to severe penalties. Accurate assessments and compliance are crucial for government collaboration.
What is SPRS?
SPRS is the Supplier Performance Risk System. It is a tool used primarily by the United States Department of Defense (DoD) to analyze the risk of using contractors and subcontractors for the management of Controlled Unclassified Information (CUI).
CUI is information that is important enough to be controlled but not important enough to be classified or secret in some way. It’s still important to secure this information, but it’s not as devastating as, say, the nuclear launch codes. CUI can include things like personally identifiable information for government employees, technical information for certain systems, or proprietary business information. We’ve covered this in greater detail in another post, so give it a read if you need to.
SPRS is an assessment system with a score attached. It is based on the National Institute of Standards and Technology (NIST) Special Publication 800-171, formally known as Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST SP 800-171 is currently on Revision 3, which was released in May of 2024, making it among the most updated NIST publications as of this writing.
What is NIST SP 800-171?
As mentioned above, NIST SP 800-171 is the document for Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. It includes 97 security controls across 17 control families.
Note: If you’re familiar with NIST SP 800-171, these numbers may seem wrong to you. This is a change in Revision 3 of the document. Formerly, there were 14 control families and 110 controls. In the new revision, several controls were removed, 9 new controls were added, and some were reorganized. It will be important to familiarize yourself with the latest version for the best results.
The control families are: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment and Monitoring, System and Communications Protection, System and Information Integrity, Planning, System and Services Acquisition, and Supply Chain Risk Management. For obvious reasons, we won’t be listing every security control here, but you can read the full document on NIST’s site instead.
What is an SPRS Score?
An SPRS Score is a numerical value calculated based on the security controls outlined in NIST SP 800-171. It feeds into the government’s overall system security posture and into CMMC certification. SPRS has a workflow for evaluating SPRS scores as part of the overall process for certification. It’s a critical step for all government prime contractors and subcontractors working with the DoD.
In order to calculate and submit an SPRS score, a business needs to:
- Create and develop a System Security Plan, or SSP, as a roadmap to achieving full compliance with NIST SP 800-171.
- Conduct a self-assessment using the SP 800-171 Assessment Methodology. This provides you with a baseline SPRS score.
- Submit your score to the DoD SPRS website.
- For substandard scores, develop a Plan of Action and Milestones (POAM) document to illustrate how to achieve full compliance.
SPRS is a relatively private metric. The only people who can see your SPRS score are your own company, the DoD, and the limited list of DoD Acquisition Community members. Otherwise, SPRS scores are treated as CUI themselves and are protected.
How is the SPRS Score Calculated?
The SPRS Score is a subtractive score. You start with a pool of points, 110 in total. With that pool of points, you go through and assess different specific factors for security controls across different risk vectors. These are outlined in the NIST SP 800-171 and the Assessment Methodology documents.
For each area where your business falls short of the mark, points are deducted from the pool. Failure to comply is measured on a scale where a limited impact deducts one point, a specific impact deducts three points, and a significant risk deducts five points.
Once you have gone through the full methodology and deducted any points necessary according to your current security posture and compliance with NIST SP 800-171, you are left with your total score. And, yes, this score can be negative; the full scale is 110 at the highest and -203 for the absolute worst possible performance. Achieving a full 110 on the first attempt is nearly impossible, but it’s also your overall goal.
Your score is also weighted according to some complex and individualized calculations. Certain factors can influence how important a given flaw may be or even remove the detriment from a gap in security if special circumstances mean it’s inapplicable. A system with no user accounts or authentication required won’t be penalized for not implementing multi-factor authentication, to use an unlikely example.
What is a Good SPRS Score?
A good SPRS score is the highest score you can obtain, a 110. Your eventual goal is to achieve this 110. However, given the difficulty of achieving this score out of the gate, the DoD and other federal agencies recognize that it’s not always possible. That’s why it’s a score and not a simple binary approval.
That said, the lower your score is, the higher a risk you are to work with. You have to put together a POAM to outline how you intend to remedy the situation and achieve more complete compliance, including a full timeline and identification of the people responsible for ensuring compliance happens. You can read more about POAMs and how they work in our guide here.
If you’re curious, an assessment performed across over 500 contractors found that the average score on the first self-assessment is -27. This was from several years ago – standards have increased since then – but it’s still good to know that it’s not uncommon to receive something below zero on the first attempt. The initial self-assessment isn’t the important score; what you do about it is.
While your overall goal is to achieve the full 110, you may not actually need to, depending on your specific circumstances. CMMC Level 2 certification only requires 88 points on a third-party assessment, with a POAM for the remaining gap, to achieve conditional certification.
As we’ve mentioned in our POAM guide, certain security controls are deemed important enough to be an automatic fail and are ineligible for a POAM. Keep in mind that the raw numerical data might not reflect this gap, but since you can’t pass the third-party audit with those gaps in place, it might as well be an immense detriment.
What Happens if Your SPRS Score is Low?
The lower your score is, the worse things are for you.
A low score means that you are deemed riskier to work with. In rare cases, an agency might decide to work with you anyway, but often, a low enough score means that the agency in question is more likely to look elsewhere instead. This is assuming it’s even possible to work with the government with a low enough score. You will fail to achieve certification with CMMC or other frameworks, you won’t be able to pass a third-party assessment, and you won’t be able to submit a POAM. Effectively, a low enough score indicates you aren’t taking things seriously, and you won’t be able to work with the government.
What Happens if Your SPRS Score is Wrong?
Since the SPRS score is so important, it can be tempting to fudge the numbers and exaggerate how well you perform on your self-assessment. It’s all the more tempting when it’s a full self-assessment rather than a third-party audit, as well. Unfortunately, fudging the numbers and exaggerating your score can get you in a lot of trouble.
For one thing, before you can continue operating with the government, you need to pass a third-party assessment along the same criteria, and it’s vastly unlikely that a 3PAO is going to go along with your exaggerations unless you’re lying to them and misrepresenting the state of your security. This is fraud and can even be considered criminal activity, so the government takes it very seriously.
For another thing, DIBCAC can and will periodically perform random audits, which can catch misrepresentations. It’s also always possible that someone internal to your team doesn’t want to be party to such fraud and reports you.
Generally, if your score is misrepresented, an investigation will follow. If it’s found to be an honest error, you may get away with nothing untoward happening beyond being told to prioritize fixing the issue.
If there’s any more deliberate inflation, misrepresentation, or lying involved, much worse penalties come up. You will very likely lose your government contract entirely. You may also be prohibited from holding another for a number of years. It’s also possible that you can be fined under the False Claims Act, with a fine potentially reaching 3x the contract’s face value. As we said, the penalties are steep.
What are the Most Common Mistakes Made with SPRS?
There are a handful of common mistakes businesses make in their self-assessments. Ideally, these are caught before they become problems, but they can still slip through the cracks and become issues down the line if you aren’t careful.
You mark a control as implemented without fully meeting every criterion. It’s distressingly common to handwave a couple of “minor” details when assessing a security control. However, this disconnect is a prime source of score inflation and needs to be taken seriously.
You assume that your score can’t drop below zero. A scale running from -203 to 110 feels arbitrary, so it’s not intuitive that the score works with negative numbers. However, a score of 0 is much higher than what you could end up with when you have a lot of issues, so don’t assume your score stops there.
You’re marking inappropriate controls as N/A. The Not Applicable flag can only apply to five specific controls. Even if it doesn’t seem like other controls apply to you, they actually do, and failing to implement them cannot be handwaved away with an N/A flag.
You overuse the special statuses. Controls can be marked one of eight statuses. Of these, four are common:
- Implemented
- Partially Implemented
- Official Partial Credit
- Not Applicable
The other four are special statuses that require very careful analysis and special circumstances to apply:
- Alternative Measures
- Temporary Deficiency
- Enduring Exception
- Risk Acceptance
Without an extremely solid justification and explanation of why you choose one of these statuses, don’t use them.
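To make the subtractive calculation and the status rules concrete, here is an added Python illustration (not the DoD’s scoring tool and not Ignyte’s code). The control identifiers, the set of controls eligible for N/A, and the partial-credit table are constructed assumptions; the 110-point pool and the 1/3/5 deductions follow the description above.

```python
from dataclasses import dataclass

START_SCORE = 110  # every self-assessment starts from the full pool of points
COMMON = {"Implemented", "Partially Implemented", "Official Partial Credit", "Not Applicable"}
SPECIAL = {"Alternative Measures", "Temporary Deficiency", "Enduring Exception", "Risk Acceptance"}

# Constructed assumptions (not the DoD tables): N/A-eligible controls and reduced partial-credit deductions.
NA_ELIGIBLE = {"C-04"}
PARTIAL_CREDIT_DEDUCTION = {"C-02": 3}


@dataclass(frozen=True)
class Control:
    control_id: str      # constructed identifier, not a NIST requirement number
    weight: int          # 1 (limited), 3 (specific) or 5 (significant impact)
    status: str
    justification: str = ""


def deduction(c: Control) -> int:
    """Points removed from the pool for one control."""
    if c.status not in COMMON | SPECIAL:
        raise ValueError(f"{c.control_id}: unknown status {c.status!r}")
    if c.status == "Implemented":
        return 0
    if c.status == "Not Applicable":
        # N/A on a control that cannot be N/A is scored as not implemented.
        return 0 if c.control_id in NA_ELIGIBLE else c.weight
    if c.status == "Official Partial Credit":
        # Partial credit exists only for designated controls; elsewhere it is a full miss.
        return PARTIAL_CREDIT_DEDUCTION.get(c.control_id, c.weight)
    if c.status in SPECIAL and not c.justification.strip():
        raise ValueError(f"{c.control_id}: {c.status} requires a written justification")
    # Partially Implemented and (assumption) a justified special status still lose
    # the full weight here: the status documents the gap, it does not close it.
    return c.weight


def sprs_score(controls) -> int:
    """Subtractive score: 110 minus every deduction; with enough gaps it goes negative."""
    return START_SCORE - sum(deduction(c) for c in controls)


# Constructed sample assessment, not real data.
SAMPLE = [
    Control("C-01", 5, "Implemented"),                # 0
    Control("C-02", 5, "Official Partial Credit"),    # -3 (designated control)
    Control("C-03", 3, "Partially Implemented"),      # -3 (full weight, no partial credit)
    Control("C-04", 1, "Not Applicable"),             # 0 (eligible for N/A)
    Control("C-05", 1, "Not Applicable"),             # -1 (not eligible, scored as missed)
    Control("C-06", 5, "Temporary Deficiency", "fix scheduled and tracked in the POAM"),  # -5
]
```

Running `sprs_score(SAMPLE)` yields 98; the same six controls all marked "Implemented" would score the full 110.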
Your SPRS Score is a critical part of the process of achieving certification to work with the DoD and adjacent federal agencies. There are no shortcuts in this process. Yes, it takes a long time and a lot of work. But, when the alternative is a potentially devastating compromise of critical information from the government, it makes sense that they take it seriously.
If you need help, as a certified third-party assessment organization, we here at Ignyte are well-versed in the analysis and performance of these kinds of assessments. Feel free to reach out with questions or book a demo with the Ignyte Platform to see what we can do for you!
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.