Column: DOD Issues Final Rule Updating SPRS Assessment Procedures for Federal Contractors
By Kevin Barnett, counsel, and Daniel Figuenick III, associate, PilieroMazza PLLC
Effective March 22, the Defense Dept. (DOD) issued a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to require contracting officers to use Supplier Performance Risk System (SPRS) assessments when evaluating proposals and considering a contractor’s responsibility.
Federal government contractors should be aware of the changes, how the government can use SPRS assessments, and the potential effects on cybersecurity compliance and bid protests.
What is SPRS?
SPRS is a DOD application that gathers contract award and delivery data about contractor performance to compute a Supplier Risk Score, Price Risk and Confidence Score, and Item/Price Risk Report. Although access to SPRS risk assessments is limited to government officials and the individual offeror, a poor score in any of these three categories alerts contracting officers (COs) to potential risks in an offeror’s supply chain.
To compute these scores, SPRS aggregates data from various sources (Federal Procurement Data System, Defense Contract Management Agency, Contractor Performance Assessment Report System, etc.) and assesses 10 different performance factors, including (1) delivery time, (2) providing suspected counterfeit items, and (3) corrective action requests.
The Price Risk and Confidence Score determines if a proposed price is similar to historical prices (since 2010) paid for that item. Lastly, the Item/Price Risk Report identifies whether an item is high risk by looking at, for example, whether an item’s manufacturer or supplier discontinued production or whether a component has an increased counterfeiting risk.
The final rule intersects with other substantive cybersecurity areas, such as NIST Special Publication 800-171 (rev. 2). The NIST publication broadly recommends security requirements for protecting the confidentiality of Controlled Unclassified Information in non-federal systems.
SPRS contains contractors’ NIST SP 800-171 assessments, which include confidence levels and individual System Security Plans. These obligations mirror the requirements of DFARS 252.204-7012, which requires defense contractors to implement NIST SP 800-171’s recommended requirements to demonstrate they have adequate security to protect covered defense information. Thus, contracting officers now will have information describing a company’s cybersecurity policies more readily available when it comes time to make an award decision.
SPRS Assessments Are Mandatory
The most notable change is that contracting officers must use SPRS assessments when making award decisions, including using that information as part of an evaluation factor or when assessing a contractor’s responsibility.
That said, it is unclear how the contracting officers will use the information. SPRS assessments will not be stand-alone source selection factors, but part of the broader evaluation scheme. In other words, the assessments will be just one of many factors to be used in a source selection decision. Evaluation of these assessments will be required for quotes or offers submitted in response to DOD solicitations for supplies and services, including commercial item/service acquisitions. If a contractor does not have a SPRS assessment readily available, they will be rated neither favorably nor unfavorably. Ultimately, the CO has discretion in choosing which information within SPRS to consider.
New Grounds for Bid Protest?
While not expressly mentioned in the final rule, these assessments appear to be fertile grounds for a bid protest challenging award of a contract.
As noted above, contracting officers have discretion to use some, all, or none of the information present in the SPRS assessment during evaluations. This may present situations where a contracting officer disregards certain information in the SPRS for one purpose but may be compelled to consider this information as “too close at hand” to ignore under past performance. This hypothetical is well within the realm of possibility since SPRS assessments consider an offeror’s past performance on certain contracts. Under such a scenario, protesters could argue that the contracting officer failed to comply with the solicitation’s requirements by not adequately reviewing or evaluating an apparent successful offeror’s SPRS score when it is known that they had poor past performance. Or, vice versa, protesters could argue that the agency ignored positive past performance information from the SPRS assessment, prejudicing an offeror’s ability to win an award.
Protests also could challenge the contracting officer’s use of the SPRS information. As written, the final rule includes some ambiguity about how contracting officers are supposed to use the SPRS information. On the one hand, they must evaluate an offeror’s SPRS score. Yet, on the other hand, they have discretion to consider any or all information within that SPRS. It remains to be seen how much, or how little, the officers will rely on these scores to upgrade or downgrade offerors’ evaluations during the source selection process and to what extent the Government Accountability Office and the U.S. Court of Federal Claims will define the boundaries of contracting officers’ discretion on that front. As a result, the SPRS assessment could provide yet another weapon in a protester’s ‘arsenal’ when deciding whether to challenge an award.
Key Takeaways
- Shape Procurements Based on Your SPRS Score:
For the time being, contractors should be aware of the potential use of SPRS assessments in award decisions. If you have a higher risk score under one of the three categories and a solicitation places greater emphasis on SPRS assessments during evaluation, it may not be worth the time and resources to submit a proposal.
Conversely, if you have a particularly low risk score, it may be prudent to ask a question during the solicitation’s question-and-answer stage emphasizing the CO’s required use of this information to better your chances of receiving an award.
- Keep Your SPRS Score Updated:
As your firm updates its cybersecurity policies to maintain compliance with NIST SP 800-171, you would be wise to also update the information in SPRS to ensure contracting officials have the most recent information regarding your security practices. Failing to do so could lead to a failed responsibility finding, thereby jeopardizing a contract award.
- Protest (Maybe?):
If you are a disappointed offeror under a DOD contract, the contracting officer’s use of the information in SPRS (or lack thereof) could be grounds for a bid protest at GAO or the federal claims court. The use of this information is now mandated in the DFARS, and certain provisions are required to be included in the solicitation. Thus, failing to use SPRS information, or information “too close at hand,” could be evidence of a violation of procurement law and regulation.
More information:
Final rule: https://tinyurl.com/39yyhbzf
If you have questions about SPRS scoring, or any cybersecurity-related questions, please contact Kevin Barnett or Daniel Figuenick, the authors of this blog, or another member of PilieroMazza’s Government Contracts or Cybersecurity & Data Privacy practice groups. (www.PilieroMazza.com) This column was reprinted with permission.