
WHAT IS THE SUPPLIER PERFORMANCE RISK SYSTEM?

Staying competitive with the DoD acquisition process


By Ken Michael

When it comes to working with the United States Department of Defense (DoD), it can be challenging for many manufacturers and other suppliers to meet regulations. There is a plethora of cybersecurity requirements that both primes and subcontractors must meet, from the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) to the newly implemented Cybersecurity Maturity Model Certification (CMMC). This is where the Supplier Performance Risk System (SPRS) comes in.

What is the SPRS?

The SPRS is a shared web-enabled data warehouse that details a vendor’s performance on current or completed contracts. Compliance with DFARS, NIST 800-171, and other requirements, whether short-term or long-term, is also verified through the SPRS with the submission of assessment results. The SPRS application is available to acquisition officials with a need to know and to contractors, who are able to view their own data on the SPRS. The SPRS is the DoD’s single, authorized application to retrieve suppliers’ performance information.

Procurement Integrated Enterprise Environment

All SPRS users, from government agencies to vendors, access the warehouse through the Department of Defense Procurement Integrated Enterprise Environment (PIEE). This platform provides a single sign-on capability for a variety of acquisition-related applications. Government vendors, suppliers, and contractors can access the SPRS and their company data through PIEE registration.

Vendor Threat Mitigation

Housed within the SPRS are vendor threat mitigation (VTM) reports. VTM is a process to assess and mitigate the risks posed by vendors and suppliers supporting DoD operations outside of the U.S. This was previously referred to as “vendor vetting.” The VTM Module in the SPRS provides acquisition professionals with visibility of vendor threat vetting outcomes so contracts can be awarded to companies found to be in compliance with government requirements.

SPRS Resources for Vendors

There are many resources for primes and subcontractors available on the SPRS website, such as a Vendor Threat Mitigation Quick Entry Guide. A tutorial video on entering vendor threat mitigation records is also available. The government’s SPRS Software User’s Guide for Awardees and Contractors can be quite useful in understanding the steps for using the platform, gaining access, challenging data, entering assessment results, and more as a DoD vendor or supplier.

Self-Assessments

One of the requirements for winning a DoD contract may involve your company conducting a self-assessment of its basic cybersecurity procedures, policies, and processes, including the handling of controlled unclassified information (CUI). Even if your organization doesn’t believe it has any CUI, it is best to complete the self-assessment or allow a third-party provider to do it for you. You can find and download a NIST SP 800-171 Self-Assessment DoD Score Worksheet here.

The results of the self-assessment, along with other compliance audit reports, should be submitted to the SPRS. A contract officer may disqualify a company for not having an assessment, so it’s best to have one on file in the SPRS to be safe.

Having your proverbial ducks in a row and your company registered with the PIEE is imperative if your organization wishes to conduct business with the DoD. Furthermore, your business information needs to be uploaded to the SPRS to allow your business to remain competitive in the DoD acquisition process.

Dox Electronics is happy to assist businesses and organizations of every size with self-assessments, submittal of reports to the SPRS, and other regulation compliance. For more information, visit Dox online or call (585) 473-7766. The call is free and there is no obligation.