SPRS Score Calculation Guide: Essential Steps for Defense Contractor Executives to Assess Supplier Performance Risk

Defense contractors often deal with Classified and Controlled Unclassified Information (CUI) which is vital information that should be protected from access by unauthorized parties to safeguard the United States’ interests in national security.

The U.S. government has recognized this need, leading to the standardized Controlled Unclassified Information (CUI) program implemented by the National Archives and Records Administration (NARA) in 2010. NARA’s responsibilities include defining CUI categories, maintaining a CUI registry, establishing handling procedures, providing training, and overseeing compliance.

Government data breaches can have significant consequences such as compromised national security, privacy violations, loss of public trust, financial loss, and operational disruptions. To mitigate these risks, robust cybersecurity practices are necessary, including risk assessment, training, access controls, encryption, incident response planning, continuous monitoring, and transparent communication.

Supplier Performance Risk Scoring (SPRS) is interconnected with cybersecurity. It involves assessing suppliers on their financial stability, reputation, past performance, security practices, and compliance. Cybersecurity considerations include threat detection, data protection, employee training, and incident response planning.

The number 110 in SPRS for the DoD Self-Assessment according to NIST 800-171 and 171A relates to a company processing CUI and contracting with the DoD. This score indicates the overall cybersecurity stance and is calculated based on 110 evaluation topics, including 42 controls worth 5 points, 14 controls worth 3 points, and 54 controls worth 1 point. A System Security Plan (SSP) is required, and points are deducted for each unmet control, with a minimum possible score of -203.

The detailed evaluation ensures that the company adheres to security standards such as FAR 52.204.21 and various levels of Cybersecurity Maturity Model Certification (CMMC). The resulting score reflects the organization’s overall cybersecurity risk and compliance and must be reported to the DoD as part of contractual obligations.

In conclusion, Controlled Unclassified Information (CUI) plays a crucial role in safeguarding sensitive but unclassified data within government and other organizations. The implementation of a standardized CUI program, such as the one established by the U.S. government, ensures consistent protection and handling of this valuable information, reducing the risk of unauthorized access, dissemination, or use.

However, despite the robust security measures put in place, security breaches remain a persistent challenge. Cyber threats continue to evolve, and even the most secure systems are not immune to potential vulnerabilities. Therefore, it is essential for organizations to remain vigilant and continuously update their cybersecurity practices to address emerging threats.

In response to security breaches, proactive incident response plans, timely reporting, and swift remediation are vital. Learning from such incidents can lead to the implementation of stronger security measures and further enhance the protection of CUI and other sensitive information.

Ultimately, safeguarding CUI and preventing security breaches demand a collaborative effort involving technology, personnel training, policy enforcement, and ongoing risk assessments. By prioritizing information security and diligently adhering to best practices, organizations can better protect CUI and preserve the integrity of their operations in an increasingly complex digital landscape.

Don’t feel ready for these changes? Don’t worry, we’re here to help!

Getting your organization fully prepared for CMMC requirements could take up to 12 months. But what would you say if you could identify relevant cybersecurity threats and gaps in requirements, on your own time and at your own pace? You’re in luck because we’ve done just that!

The team at Valor Cybersecurity is pleased to offer our FREE Cybersecurity Readiness Assessment, for a limited time. As a bonus for taking our assessment, we will provide you with recommended guidance for better protecting your business and a 30-minute consultation with our team of experts!

Whether the Valor Team can help you now or in the future, we remain poised to support your business’ success and protection.

Access our FREE ‘Cybersecurity For Defense Contractors‘ E-Book.

Author(s)Greg Tomchick and Valor Experts

The State of Cybersecurity for Defense Contractors in 2023

Defense contractors often deal with Classified and Controlled Unclassified Information (CUI) which is vital information that should be protected from access by unauthorized parties to safeguard the United States’ interests in national security.

Because the disclosure of said information has a high potential to put the nation’s security at risk, it is critical that defense contractors follow the highest of standards in defending it against cyber-threats. Having a strong cyber defense is more important than ever today, as attackers are constantly exploring newer, faster, and cheaper ways to exploit cyber vulnerabilities within the Defense Sector. There are various trends within this field occurring right now that are changing the very nature of cyber warfare. The cyber landscape has never experienced change as fast as it is today, which is why learning about the newest threats and vulnerabilities is a sure way to ensure your business is prepared for the worst…

This article will introduce you to some current important trends within the cyber landscape that are especially prevalent within the Defense Sector and provide recommendations that your business can employ to be equipped to efficiently secure restricted information and continue to win contracts with the government. 

Current Direction

We have entered the “Machine vs. machine era.” What does that mean exactly? Obviously, AI in its youth has already rapidly changed the fabric of how people do things and has no signs of slowing down. Similar to the way everyday people use AI as a tool to quickly perform tasks like research and generating quick solutions, cyber attackers are using it to develop better methods of exploiting businesses’ data and sensitive information. Think about it… the number of connected Internet of Things (IoT) devices is increasing rapidly and constantly, which results in the amount of data produced also increasing rapidly and constantly. It’s at the point where it impossible for humans to analyze all of this data without the assistance of technology. Enter AI. 

Unfortunately, the benefits of AI are just as appealing to attackers as they are to the good guys. Attackers use machine learning models to create malicious code that can be spread throughout various enterprises. In addition, they also create more realistic phishing schemes by using AI to construct highly professional emails that are seemingly authentic and harmless. These are just a couple examples of the wide range of methods that AI can be weaponized. 

Fortunately, it can be argued (at least right now) that the pros of AI outweigh the cons with regards to cybersecurity for defense contractors. Businesses can employ machine learning models to essentially do the job of cybersecurity analysts that work to prevent and detect cyber risks and attacks. Because AI does not get tired, it can be used to continuously monitor a business’s IT infrastructure and recognize patterns of fraudulent activity both externally and internally. For example, AI has the capability to point out malicious code, phishing attempts, and other threats by comparing it to vast amounts of data and accounts of past cyber events. It can also detect when an employee is not following best practices like setting weak passwords and using unprotected networks. The approach of spotting external threats and alerting management of internal weak points are what makes AI very attractive. Defense contractors who are responsible for the protection of highly sensitive information can benefit greatly from utilizing this growing technology. 

The Dangerous Cloud

The Department of Defense (DoD) has awarded contracts with four major cloud service providers, including Amazon Web Services, Google, Microsoft, and Oracle. In addition to that, many medium to large sized government contractors are served by cloud service vendors like Cloudfare, Akamai, and Slack to name a few. Cloud computing infrastructure has skyrocketed in the recent years and is continuing to do so. Businesses are attracted to the cloud because it offers a flexible and cost-effective way to sustainably handle data and provide valuable business insight. There is no denying that cloud computing has changed the way businesses operate for the better, but there are still some disadvantages that come with it and require awareness. 

Cloud services have a high dependence on internet connectivity. If you lose that connection, there could be downtime in which a business may be unable to access data. Cloud services also entails many users active over the same network, which could make it harder to identify when is an actor is committing malpractice. Basically, because businesses are letting important data be stored in the cloud instead of on local servers, they are letting go of some of the control they once had and are relying more on cloud service vendors, thus adding more pieces to what was already a convoluted puzzle. This is not necessarily a bad thing; it just means that all the players (the vendor and the customer) must comply with strict security standards. 

Cyber Supply Chain

One of the most prominent difficulties that the DoD faces is dealing with a complicated supply chain for attaining components for defense systems, including the software, hardware, and other important pieces. What’s even more difficult is maintaining these defense systems, as hardware parts quickly become obsolete and difficult to replace, software is constantly in need of patching and debugging, and microelectronic components are highly susceptible to latent vulnerabilities. This topic is always a high priority when discussing the Defense Sector because the navigating the cyber supply chain is the only way that critical weapon systems get built. Unfortunately, the DoD currently lacks a single cohesive program that allows for collaboration and communication between the government and contractors to assist each other in the prevention and detection of cyber-threats. There is no program where contractors can easily find information on the provenance of certain components and the vulnerabilities they may contain. 

There are obviously things that the government is doing to address this problem, and 2023 has so far been a decently promising year for improving the nation’s cybersecurity. This is seen through:

1)  The eventual requirement of Cybersecurity Maturity Model Certification (CMMC) 2.0, which will ensure that contractors are up to the government’s standards before they sign any contracts. 

2)  Defense Federal Acquisition Regulation Supplement (DFARS) 252.204 – 7012, which became effective on June 9, 2023, requires that defense contractors enhance their protection of unclassified Covered Defense Information (CDI) by following the updated guidelines of the National Institute of Standards and Technology (NIST) 800-171 assessment. 

3)  The Department of Homeland Security’s proposed new regulations which could give them authority on providing standards for defense contractors on handling CUI and requiring them to report to the DHS on cyber incidents in a timely manner depending on the severity of the incident. 

How Your Business Can Stay Prepared

Valor has some recommendations for you to ensure that your business is as informed as it can be on the cyber landscape in the Defense Sector. Therefore, you and your business will be ready in the worst-case scenario of a cyber-attack against your important assets. In this world, you can never be too safe. 

CMMC 2.0

Valor recommends that your business becomes compliant with CMMC 2.0 as soon as possible. Reaching this status will show the government that your business is primed to handle CUI and Federal Contract Information (FCI) in a secure manner. It also shows the government that your business is diligent in complying with high standards, which will likely make the road to winning a contract less of a headache. 

DFARS and NIST Requirements

As mentioned earlier, the DFARS and NIST requirements have recently been updated, and will continue to do so. It’s important to stay up to date with these updates to stay familiar with the latest trends in cyber-threats. 

Investing in AI

AI clearly has the potential to serve as a money-saving, highly efficient tool to monitor your business’s infrastructure. Although it may be a bit of an investment at first, adopting a machine learning model to be on the lookout and send alerts for external and internal threats at a much faster rate than humans ever could prove to be a highly valuable asset. Of course, it is crucial to remember that this technology is still young, but as its capabilities become clearer in the years to come, it would be advantageous for your business to already have some skin in the game. 

Addressing Employee Burnout

It’s no secret that working in the Defense Sector can be highly stressful, as employees are dealing with high stakes information that needs to be handled with the utmost attention and care. Employees working for defense contractors may feel burnt out as attackers constantly bombard them with new ways to exploit cyber vulnerabilities. It’s important to constantly teach them about best practices, update them on the latest trends, and encourage them to do their own research on the subject. Also, make sure all employees are aware of the standards of the CMMC, DFARS, and NIST and they should be more than capable to anticipate and react to cyber-attacks.


Valor has decades of experience working with defense contractors to assist them in finding the gaps between what they are doing right what they need to improve on to be more secure. Well versed in the understandably overwhelming language of government orders, Valor is able to help businesses much faster than they could on their own, and time is money. Valor also possesses a strong understanding of cloud computing and AI, and it can help your business adopt these services safely. 

The main thing to remember is that defense contractors at the end of the day are businesses. Sure, they sell extremely advanced defense systems and products to the DoD instead of soda pop to the locals, but customers are customers. Every business should strive to do everything in their power to make their customer have trust in them and feel assured that their precious data is being handled as safely as possible. Every business should also strive to do so in a manner that is cost-effective, timely, and with high internal morale. Adopting good cybersecurity practices can help address all these things for any business, but especially for those in the Defense Sector. The stakes of national security are simply too high to not stay up to date with the requirements of the DoD.

Don’t feel ready for these changes? Don’t worry, we’re here to help!

Getting your organization fully prepared for CMMC requirements could take up to 12 months. But what would you say if you could identify relevant cybersecurity threats and gaps in requirements, on your own time and at your own pace? You’re in luck because we’ve done just that!

The team at Valor Cybersecurity is pleased to offer our Cybersecurity Readiness Assessment for $1199, for a limited time. As a bonus for taking our assessment, we will provide you with recommended guidance for better protecting your business and a 30-minute consultation with our team of experts!

Whether the Valor Team can help you now or in the future, we remain poised to support your business’ success and protection.

Access our FREE ‘Cybersecurity For Defense Contractors‘ E-Book.

Author(s)Greg Tomchick and Joe Chang

Is ChatGPT Taking Over Your Business? Balancing Factors and Weighing Costs and Benefits

Artificial Intelligence (AI) has become a transformative force across industries, including business. As AI technologies continue to advance, business owners face the decision of whether to integrate AI into their operations. While AI offers numerous benefits, such as improved efficiency and decision-making, it also raises concerns and tradeoffs that need to be carefully considered. This edition of the our expert cyber insights aims to provide an unbiased and informative breakdown of the main factors influencing AI adoption in business, including business leadership, execution, cybersecurity, business growth, and risk management. By examining these factors and the associated difficulties, business owners can make informed decisions about integrating AI into their operations.

Key Considerations

Business Leadership: Guiding the AI Adoption Journey

Implementing AI in a business requires strong leadership and vision. Business leaders play a crucial role in setting strategic goals, identifying AI use cases, and aligning AI initiatives with business objectives. However, they must also navigate the challenges associated with AI adoption. One such challenge is the need for upskilling and reskilling the workforce to leverage AI technologies effectively. Balancing investment in AI talent and resources is essential for successful AI integration.

Execution: Translating AI Ambitions into Reality

While AI holds great potential, the execution of AI initiatives can be complex. The successful deployment of AI systems relies on factors such as data quality, infrastructure, and integration with existing systems. Collecting and preparing relevant data for AI models is a critical step, as it influences the accuracy and reliability of AI-driven insights. Moreover, businesses must consider ethical considerations, such as bias mitigation and transparency, during the AI development process.

Cybersecurity: Safeguarding Business Data and AI Systems

As businesses increasingly rely on AI-powered solutions, cybersecurity becomes a paramount concern. AI systems often handle large volumes of sensitive data, making them attractive targets for cyber threats. Business owners must invest in robust cybersecurity measures to protect their AI systems, data, and customer information. Ensuring proper encryption, authentication, and regular security audits can help mitigate risks associated with AI adoption.

Business Growth: Accelerating Innovation and Efficiency

One of the most significant advantages of AI integration is its potential to drive business growth. AI technologies can automate routine tasks, enabling employees to focus on higher-value activities. Advanced AI algorithms can uncover valuable insights from vast amounts of data, empowering businesses to make data-driven decisions and gain a competitive edge. Furthermore, AI can fuel innovation by identifying new market opportunities and improving product development processes.

Risk Management: Addressing the Challenges of AI Adoption

AI adoption is not without its risks. While AI can enhance decision-making, it also introduces new vulnerabilities and ethical concerns. AI models may exhibit bias or make incorrect predictions, potentially leading to unintended consequences. Proper risk management strategies, such as thorough testing and monitoring, can mitigate these risks. Transparency and explainability in AI systems are crucial, ensuring accountability and regulatory compliance.

Tradeoffs and Difficulties: Finding the Right Balance

When considering AI integration, business owners must recognize the tradeoffs involved. The benefits of AI, such as increased productivity and efficiency, must be weighed against potential drawbacks, such as upfront costs, implementation challenges, and ethical considerations. It is essential to assess the readiness of the business and the impact AI will have on existing processes and employee roles. Collaborative decision-making involving stakeholders from various departments can help identify potential challenges and devise effective solutions.

The Significance of Impact Assessment: Making Informed Decisions

When deciding on the extent of AI integration, it is crucial to assess the impact on the business, employees, and customers. An impact assessment can identify areas where AI can add value and highlight potential risks or disruptions. By considering the specific needs and goals of the business, owners can determine the appropriate level of AI integration that aligns with their objectives. Additionally, clear communication and change management strategies are vital to ensure smooth transitions and minimize resistance from employees.

Key Risk Decisions

Data Security and Privacy: Business owners must assess the potential risks associated with data security and privacy when implementing AI. They should determine how sensitive data will be handled, stored, and protected throughout the AI lifecycle. This includes evaluating encryption protocols, access controls, and data governance policies to safeguard against unauthorized access or data breaches.

Ethical Use of AI: Ethical considerations surrounding AI adoption cannot be overlooked. Business owners should establish guidelines and policies to address potential biases, discrimination, and the transparency of AI systems. They must ensure that AI applications are aligned with legal and regulatory frameworks and promote fairness, accountability, and transparency.

Vendor Selection and Due Diligence: When choosing AI vendors or technology partners, business owners need to conduct thorough due diligence. This involves assessing the vendor’s reputation, track record, and security protocols. It is important to understand the vendor’s AI algorithms, data handling practices, and any potential risks associated with their offerings.

Risk Assessment and Mitigation: Prior to implementing AI, a comprehensive risk assessment should be conducted to identify potential vulnerabilities, threats, and risks specific to the business. This assessment helps business owners understand the potential impact of AI on their operations and allows them to develop risk mitigation strategies and contingency plans.

Employee Training and Change Management: The successful integration of AI requires employees to adapt to new technologies and processes. Business owners need to assess the potential risks associated with employee resistance, job displacement, or skill gaps. They should invest in comprehensive training programs to upskill and reskill employees, fostering a smooth transition and maximizing the benefits of AI adoption.

Regulatory Compliance: Business owners must stay abreast of relevant regulations and compliance requirements related to AI adoption in their industry. They should assess the potential risks and legal implications of AI integration, ensuring adherence to privacy laws, data protection regulations, and industry-specific guidelines. Compliance with these regulations mitigates legal and reputational risks.

Monitoring and Auditing: Implementing robust monitoring and auditing mechanisms is essential to ensure the ongoing performance and ethical use of AI systems. Business owners should establish regular monitoring practices to detect and address potential biases, system failures, or data drift. Conducting periodic audits of AI algorithms and processes helps maintain transparency, accountability, and adherence to established guidelines.

Contingency Planning: Despite careful planning, unforeseen circumstances and risks may arise during AI implementation. Business owners should develop contingency plans to address potential disruptions, such as system failures, cybersecurity breaches, or unintended consequences. These plans should outline steps to mitigate risks, ensure business continuity, and minimize the impact of any potential setbacks.

By addressing these immediate risk decisions, business owners and executives can proactively manage potential challenges and ensure a responsible and successful integration of AI technologies. It is essential to approach AI adoption with a focus on risk management, compliance, and ethical considerations to maximize the benefits and minimize potential downsides.

As AI technologies continue to evolve, business owners will continue to face the critical decision of whether to embrace AI in their operations. Regardless of the chosen approach, it is essential to prioritize impact assessment, addressing potential challenges, and fostering a culture of adaptability and continuous learning. With careful consideration and strategic planning, AI can be a powerful tool to drive innovation and growth in businesses of all sizes and industries.

Want to find out if your company is at risk from using AI and ChatGPT? Don’t worry, we’re here to help!

The team at Valor Cybersecurity is pleased to offer our AI Detection and Policy Assessment Service today. As a bonus for taking our best-practice assessment, we will provide you with recommended guidance for better protecting your business! We can also help you to identify your current AI exposure and ways to minimize risk going forward. Whether the Valor Team can help you now or in the future, we remain poised to support your business’ success and protection.

Author(s): Greg Tomchick 

If you like our content, please subscribe today and check out our other channels.

The Digital Risk Digest Newsletter: https://www.linkedin.com/newsletters/…

YouTube: https://www.youtube.com/@valor-cybers…

LinkedIn: https://www.linkedin.com/company/valo…

Twitter: https://twitter.com/valorcyber