1400 - 1430 (Peeling) SPRS_NIST_Industry Day FINAL.pptx Automatically Extracted Text
DLA Distribution Industry Day
SPRS/NIST SP 800-171 Overview
What is SPRS and why/how is it used?
Where does SPRS get its data?
What information is collected?
How can contractors access SPRS and view their scores?
NIST SP 800-171 implementation
Why does cybersecurity/NIST matter to you?
What requirements are/are not covered?
Accessing NIST within SPRS
Helpful resources

What is SPRS?
Supplier Performance Risk System (https://www.sprs.csd.disa.mil)
Web-enabled, Department of Defense enterprise-wide application and the DFARS primary retrieval system for supplier performance information (formerly PPIRS-SR)
Required evaluation factor for ALL solicitations for supplies AND services (including commercial), regardless of dollar value
Provides three* risk analysis tools designed to be used in supplier performance evaluations for supplies and services: Price, Item, Supplier
*NIST cyber score may be added as an additional evaluation factor, when/where applicable
SPRS – Regulatory Requirements
FAR 9.105-1(c): SPRS data is utilized in making responsibility determinations
FAR 12.206 – Commercial Items: use of past performance data (including SPRS) for every evaluation/award
FAR 13.106-2(b)(3)(d) – Simplified Acquisitions: SPRS may be used in evaluation of other factors for simplified acquisitions
FAR 15.305 – Negotiated Acquisitions: proposal evaluation may consider information obtained from "any other sources"
DFARS 217.207 – Options: SPRS for the incumbent contractor must be verified prior to exercising an option
Where does SPRS get its information?
For auto awards, SPRS data is updated daily.

How does SPRS work?
Quality and Delivery Scores: collects quality and delivery data to calculate delivery scores and quality classifications by CAGE and commodity
Price Risk: calculates the average price paid for an item and the expected range for future buys; bids/offers are classified as high, low, or "within range"
Item Risk: probability that a product or service will introduce counterfeit or nonconforming material into the DoD supply chain; based on criticality of use and history of counterfeiting or non-conformance
Supplier Risk: scores vendors based on 3 years of supplier performance data for all efforts (overall assessment); vendors without SPRS history are regarded as "neutral" in past performance evaluations

Why is SPRS important to you?
ALL solicitations (streamlined, combined synopsis/solicitation, formal, etc.) and responsibility determinations will utilize overall SPRS scores and/or the individual risk elements as part of the past performance and responsibility determinations.
Contractors may only view their own classifications in SPRS; you are STRONGLY ENCOURAGED to review your SPRS scores by using the "Contractor Summary Report".
DLA generally pulls performance information by PSC/FSC. Individual records are accessible via hyperlink.

SPRS and NIST – What's the connection?
SPRS is the one-stop gateway to past performance information and NIST SP 800-171 assessments for all of DoD.
Per DoD Instruction 5000.79, supplier and product performance information (PI) will be shared for supplies and services across DoD. CAGE codes are the primary identifier used in the collection of PI.
With the passage of recent DFARS clauses, DoD is considering cybersecurity as a responsibility determination and as an additional ongoing performance risk factor.
Consolidation within SPRS reduces redundancies and conflicts between different contracts and agencies, reducing contractors' administrative burden and providing "supply chain illumination".
Cybersecurity/NIST
Why is the cybersecurity/NIST element important to you?
It's the law: per DFARS 252.204-7019, contractors must have a current (within 3 years) NIST SP 800-171 assessment in order to be considered for award. NIST SP 800-171 has automatic subcontractor flow-down.
It's the first step toward meeting Cybersecurity Maturity Model Certification (CMMC), scheduled for implementation in Fall 2025.
Basic cyber hygiene has been required for Federal Contract Information (FCI) via FAR 52.204-21; the 15 controls required for meeting this clause cross-map to NIST SP 800-171.
Controlled Unclassified Information (CUI) residing on contractor IT systems is increasingly being targeted by adversaries and bad actors.
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
Mandatory for all contracts except for contracts solely for the acquisition of COTS items
Requires contractors/subcontractors to:
Safeguard covered defense information that is resident on or transiting through a contractor's internal information system or network.
Report cyber incidents that affect covered defense information or that affect the contractor's ability to perform requirements designated as operationally critical support.
Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
If requested, submit media and additional information for damage assessment.

Covered Defense Information (CDI) Defined
Unclassified controlled technical information (CTI) or other information as described in the CUI Registry that requires safeguarding or dissemination controls, AND is either:
Marked or otherwise identified in the contract, task order, or delivery order and provided to a contractor by or on behalf of DoD in support of the performance of the contract; OR
Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract.
Consult the Statement of Work (SOW), CDRLs, and/or Contracting Officer to know if CDI is required for contract performance.

NIST SP 800-171 Assessment Scoring
To be eligible for NIST-covered awards, a contractor must complete the first level, called a Basic Assessment.
If all security requirements are implemented, a contractor is awarded a score of 110, consistent with the total number of NIST SP 800-171 security requirements.
For each security requirement not met, the associated value is subtracted from 110. Certain requirements have more impact on the security of the network and its data than others, so their values are larger; because the deductions are weighted, the result may be a negative score.
Contractors may revise their NIST assessments in SPRS at any time.
NIST assessment requirements are incorporated via DFARS 252.204-7019 (provision) and 252.204-7020 (clause).
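The scoring rule above is short but easy to get wrong in a tracking spreadsheet (every unmet requirement counted once, weighted values rather than a flat point each, a result that can go below zero). The following is an added worked example, not part of the DLA briefing or of SPRS itself. The allowed deduction values 1, 3 and 5 are taken from the DoD NIST SP 800-171 Assessment Methodology, which the briefing does not reproduce; the list of unmet requirements is a constructed sample, and its point values are illustrative rather than an authoritative assessment.

```python
"""Worked example of the NIST SP 800-171 Basic Assessment scoring rule.

Added illustration, not part of the DLA briefing or of SPRS. The briefing
states only that the score starts at 110 (one point per requirement), that
each requirement not implemented subtracts its associated value, and that the
result may go negative. The allowed deduction values 1, 3 and 5 follow the DoD
NIST SP 800-171 Assessment Methodology (an assumption not stated on the page);
the unmet-requirement list below is a constructed sample, not a real
assessment, and its point values are illustrative.
"""

MAX_SCORE = 110              # total number of NIST SP 800-171 Rev. 2 requirements
ALLOWED_DEDUCTIONS = {1, 3, 5}


def basic_assessment_score(unmet):
    """Return the Basic Assessment score for unmet = {requirement_id: deduction}.

    Every requirement that is NOT fully implemented appears once with the value
    the methodology subtracts for it. A deduction outside {1, 3, 5} is rejected
    so a typo in a tracking spreadsheet cannot silently change the score.
    """
    total = 0
    for req_id, deduction in unmet.items():
        if deduction not in ALLOWED_DEDUCTIONS:
            raise ValueError(f"{req_id}: deduction {deduction} is not 1, 3 or 5")
        total += deduction
    return MAX_SCORE - total          # may be negative, as the briefing notes


def remediation_order(unmet):
    """Unmet requirement IDs sorted so the highest-value deductions come first.

    Because requirements are weighted, closing the 5-point gaps first raises
    the SPRS score fastest; ties fall back to requirement-ID order.
    """
    return sorted(unmet, key=lambda r: (-unmet[r], r))


# Constructed sample: a contractor with seven requirements still open.
# Point values are illustrative (see the docstring above).
SAMPLE_UNMET = {
    "3.1.1": 5,     # limit system access to authorized users
    "3.5.3": 5,     # multifactor authentication
    "3.13.11": 5,   # FIPS-validated cryptography protecting CUI
    "3.14.1": 5,    # identify, report and correct system flaws
    "3.1.5": 3,     # least privilege
    "3.1.20": 1,    # control connections to external systems
    "3.1.22": 1,    # control CUI posted on publicly accessible systems
}

if __name__ == "__main__":
    print("score:", basic_assessment_score(SAMPLE_UNMET))
    print("fix first:", remediation_order(SAMPLE_UNMET)[:4])
```

Running the sample gives 110 - 25 = 85 and lists the four 5-point requirements first; replacing the sample with 23 unmet 5-point requirements shows how the score drops below zero.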
SPRS/NIST is accessed through PIEE (https://piee.eb.mil)
Accessing SPRS/NIST
The SPRS home page has dedicated links for Supplier scores and NIST SP 800-171 Assessments.
The NIST link allows vendors to enter/edit their summary-level cyber score (must have the SPRS "Cyber Vendor" user role). Higher-level assessments, if performed by DoD, will also appear here.
Once recorded in SPRS, NIST scores are available to all DoD Components to be used in NIST SP 800-171 determinations.
Resources
PIEE – SPRS Web Based Training: provides interactive training on SPRS, including an explanation of roles and their associated permissions
https://pieetraining.eb.mil/wbt/xhtml/wbt/sprs/index.xhtml
SPRS User's Guide for Awardees/Contractors: comprehensive manual covering system access, navigation, reporting functions and methodology, and reference material
https://www.sprs.csd.disa.mil/pdf/SPRS_Awardee.pdf
NIST SP 800-171 SPRS Information Page: landing page providing training, tutorials, FAQs, and contacts pertaining to NIST SP 800-171 implementation
https://www.sprs.csd.disa.mil/nistsp.htm
NIST SP 800-171 Rev. 2: official site of the current version of NIST SP 800-171
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
Questions?
Backup – Information System Security Requirements