Inside Cybersecurity


Pentagon finalizes rulemaking directing contracting officers to consider supplier risk during evaluation process

By Sara Friedman / March 23, 2023

The Defense Department has finalized a rule revising how acquisition officials use its Supplier Performance Risk System when evaluating bids for contracts, a move that stakeholders see as a precursor to the Pentagon’s Cybersecurity Maturity Model Certification program becoming part of the formal acquisition process.

“This final rule is necessary to revise the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate the expanded capabilities of the Supplier Performance Risk System (SPRS), made possible by recent technical enhancements,” DOD said in a notice published Wednesday in the Federal Register.

The notice says, “SPRS is a DoD enterprise application that retrieves price, item, quality, delivery, and contractor performance data from Government reporting systems. SPRS collects quality and delivery data from Government systems to develop risk assessments. The system provides three risk assessments for contracting officer use in evaluations of quotations and offers: an item risk assessment, a price risk assessment, and a supplier risk assessment.”

“The objective of the final rule is to notify offerors, via the new solicitation provision at DFARS 252.204-7024, that SPRS collects performance data from a variety of Government sources on awarded contracts to develop item risk, price risk, and supplier risk assessments for contracting officers to consider during evaluation of quotations or offers. The final rule also requires contracting officers to consider the supplier risk assessment in the determination of contractor responsibility,” according to the notice.

The Pentagon issued an interim rule in 2020 implementing the CMMC program and setting up a system in which contractors are required to submit scores into SPRS reflecting their compliance with NIST Special Publication 800-171. CMMC level two is based on the 110 controls in NIST SP 800-171 and will require a third-party assessment.

Eric Crusius, partner at law firm Holland & Knight, commented, “With the new DFARS 252.204-7024, DoD is seeking to expand the use of the Supplier Performance Risk System (SPRS) to include other risk factors besides compliance with NIST SP 800-171 and will be a more comprehensive way for the government to identify risk.”

“While the new regulation does not touch directly on NIST SP 800-171, it will definitely encourage increased use of SPRS, which will make compliance with DFARS 252.204-7019/20 even more important and front of mind for contracting officers within the Government,” Crusius said.

He added, “With the new system looking at item and supplier risk, those categories of risk necessarily include cybersecurity risk and compliance.”

Robert Metzger of law firm Rogers Joseph O’Donnell said the final rule “steps back” the possibility of DOD eventually using “SPRS scores in the competitive evaluation of offers.”

The rule indicates that “SPRS cyber scores may be taken into account when a contracting officer considers supplier risk, but they are not controlling,” Metzger said. “The text of the final rule indicates that COs ‘shall use their discretion in considering the information available in SPRS’ on supplier risk. If SPRS-reported cyber scores themselves have high risk of being misleading or wrong, COs will be well within their discretion to give less weight to scores (high or low) unless supported by assessment-based validation.”

Metzger said, “I read the revised SPRS regulation as supporting the fundamental CMMC proposition that DoD needs objective, capable, third-party assessment of cyber compliance to have confidence in SPRS cyber scores. For the present, companies that volunteer for the Joint Surveillance Assessment can get an advantage where a high score result is entered into SPRS.”

“Companies that do poorly on a DIBCAC Medium Assessment may suffer selection risk when DIBCAC updates SPRS records. Until CMMC assessments are contractually required, however, use of the self-assessment results posted in SPRS likely will have modest impact on selection decisions,” Metzger said.

Metzger is a co-author of MITRE’s “Deliver Uncompromised,” and co-chair of Rogers Joseph O’Donnell’s Cybersecurity and Privacy Practice Group.

James Goepel of tech company FutureFeed commented, “The new DFARS 252.204-7024 clause is a big step forward for DoD. They are now requiring contracting officers to consider item risk, price risk, and supplier risk as part of their overall award decision. Supplier risk is defined as including supply chain risk.”

Goepel said, “As of the most recent version of SPRS (March 2023), the daily supplier risk score does not include the contractor’s NIST SP 800-171 self-assessment score (required under DFARS 252.204-7019 for contractors who handle CUI) in its calculations. But that could easily be changed at any time by DoD, and I suspect they are laying the groundwork for that kind of change.”

Goepel said, “Adding the self-assessment (and also the DIBCAC-conducted assessment) score to the supplier risk score calculations would incentivize contractors to push toward the perfect 110-point self-assessment score prior to the implementation of the new CMMC rule. It could also reward those going through the Joint Surveillance Program by giving the DIBCAC high assessment a higher weight.”

Goepel is the general counsel and director of education and content at FutureFeed, a platform that automates compliance with NIST 800-171 controls and the upcoming CMMC requirements. He was a founding board member of the CMMC Accreditation Body. -- Sara Friedman (