What is the Supplier Performance Risk System, and why is it important?
Do you need to update your Supplier Performance Risk System (SPRS) information?
Have you heard of SPRS but don’t know what it is or how it impacts your business?
If so, read on for a quick guide on SPRS, how to create an account, and submit your data.
SPRS is a risk management tool that helps organizations comply with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 and 252.204-7012. These clauses require companies supporting Department of Defense contracts or subcontracts to complete a self-assessment and protect Controlled Unclassified Information (CUI) in compliance with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. This post will discuss how to create a Procurement Integrated Enterprise Environment (PIEE) account, how to create an SPRS account, and what information SPRS requires. We will also touch on how Alluvionic can help with a third-party NIST SP 800-171 assessment, System Security Plan, and Plans of Actions and Milestones (POA&M).
What are DFARS 252.204-7012, DFARS 252.204-7019, and NIST SP 800-171?
DFARS 252.204-7012 is a Department of Defense regulation that requires suppliers who support Department of Defense contracts or subcontracts to comply with NIST SP 800-171. This regulation protects the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems. NIST SP 800-171 includes 14 families of security controls, each of which has multiple controls. DFARS 252.204-7019 is a DoD clause that requires a self-assessment against NIST SP 800-171 and identifies the requirement to upload the result to SPRS.
For more information on DFARS 252.204-7012, see our article DFARS Compliance: What You Need to Know.
What is the Procurement Integrated Enterprise Environment (PIEE) system?
To comply with DFARS 252.204-7019, companies must first create a PIEE account.
The Department of Defense’s PIEE system is an online portal that serves as the primary enterprise procurement-to-payment application for the Department of Defense and its associated agencies. It includes invoicing, contract deficiency reporting, and property and document management capabilities required for all Department of Defense contracts.
Once you have created and verified your PIEE account at https://piee.eb.mil, you can create your SPRS account. Here’s a helpful checklist from the Department of Defense on setting up your PIEE account (SPRS Access for NIST SP 800-171).
Read on to find out more.
What is SPRS?
SPRS is a risk management tool used by the Department of Defense to assess and manage risk related to supplier performance. The system collects and analyzes data from various sources to identify, evaluate, and monitor risk associated with supplier performance. This information is used to make informed decisions about whether or not to continue doing business with a particular supplier.
SPRS was created in response to DFARS 252.204-7019, which requires companies supporting DoD contracts or subcontracts to complete a self-assessment of compliance with NIST SP 800-171. DFARS 252.204-7012 protects the sensitive information often shared between contractors and suppliers. By using SPRS, the DoD can quickly identify and assess risk related to contractor performance and decide which contractors to do business with.
How do I create an SPRS account, and what information is required?
To create an SPRS account, you will need to log on through PIEE and provide your company’s name, System Security Plan name, CAGE code, SPRS self-assessment score, date of self-assessment, and expected date to reach a 110 score. You will also need to provide contact information for the individual responsible for managing the SPRS account. The contact information will include the individual’s name, email address, and phone number.
Here’s a link to a handy checklist from the Department of Defense for you to use (NIST SP 800-171 Quick Entry Guide) with step-by-step instructions.
What does the SPRS Score Mean?
What is the highest possible SPRS Score?
110 is the “perfect” SPRS Score. This indicates that a company complies with the 110 practices within the NIST SP 800-171 framework.
Is a negative SPRS Score bad?
If you have a negative SPRS Score, you are likely in good company with many other defense industrial base (DIB) contractors. Having a negative SPRS score is common. The important thing to do is identify your plan of action and milestones to remediate areas of partial or non-compliance. This will help you move your SPRS score from red to green.
What is the low to high range for an SPRS Score?
It is possible to have an SPRS Score between negative 203 and positive 110. The SPRS score is weighted. For each area of partial or non-compliance, a company will lose 1, 3, or 5 points depending on the scoring guidelines for that practice.
How do you enter your SPRS Score?
Here’s a link to a handy checklist from the Department of Defense for you to use (NIST SP 800-171 Quick Entry Guide) with step-by-step instructions.
How often should I update my SPRS Score?
There is no set frequency for updating your SPRS score; however, it is a best practice to ensure the score is reviewed and updated a minimum of once per year. It is certainly a good idea to keep up with your POA&Ms and make frequent updates. A company may choose to enter updates to its SPRS Score each time compliance with a new practice is achieved – daily, weekly, monthly, quarterly, etc.
How can Alluvionic help with compliance with DFARS 7012, DFARS 7019, and NIST SP 800-171 requirements for DoD contractors or subcontractors?
Alluvionic can help you comply with DFARS 252.204-7012, DFARS 252.204-7019, and NIST SP 800-171 requirements. We can help you with risk management, which is essential to protect your company’s most critical assets and operations. Alluvionic can help you create and maintain your PIEE and SPRS accounts, including providing the information that SPRS requires. Furthermore, Alluvionic provides third-party NIST SP 800-171 assessments, System Security Plans, and POA&Ms. These services are essential for any DoD contractor or subcontractor to comply with DFARS 252.204-7012, DFARS 252.204-7019, and NIST SP 800-171 requirements. Let us help you stay safe and compliant!
Learn more about the Supplier Performance Risk System by downloading our SPRS Checklist.