Skip to content

SPRS Score Calculation Guide: Essential Steps for Defense Contractor Executives to Assess Supplier Performance Risk

Defense contractors often deal with Classified and Controlled Unclassified Information (CUI) which is vital information that should be protected from access by unauthorized parties to safeguard the United States’ interests in national security.

The U.S. government has recognized this need, leading to the standardized Controlled Unclassified Information (CUI) program implemented by the National Archives and Records Administration (NARA) in 2010. NARA’s responsibilities include defining CUI categories, maintaining a CUI registry, establishing handling procedures, providing training, and overseeing compliance.

Government data breaches can have significant consequences such as compromised national security, privacy violations, loss of public trust, financial loss, and operational disruptions. To mitigate these risks, robust cybersecurity practices are necessary, including risk assessment, training, access controls, encryption, incident response planning, continuous monitoring, and transparent communication.

Supplier Performance Risk Scoring (SPRS) is interconnected with cybersecurity. It involves assessing suppliers on their financial stability, reputation, past performance, security practices, and compliance. Cybersecurity considerations include threat detection, data protection, employee training, and incident response planning.

The number 110 in SPRS for the DoD Self-Assessment according to NIST 800-171 and 171A relates to a company processing CUI and contracting with the DoD. This score indicates the overall cybersecurity stance and is calculated based on 110 evaluation topics, including 42 controls worth 5 points, 14 controls worth 3 points, and 54 controls worth 1 point. A System Security Plan (SSP) is required, and points are deducted for each unmet control, with a minimum possible score of -203.

The detailed evaluation ensures that the company adheres to security standards such as FAR 52.204.21 and various levels of Cybersecurity Maturity Model Certification (CMMC). The resulting score reflects the organization’s overall cybersecurity risk and compliance and must be reported to the DoD as part of contractual obligations.

In conclusion, Controlled Unclassified Information (CUI) plays a crucial role in safeguarding sensitive but unclassified data within government and other organizations. The implementation of a standardized CUI program, such as the one established by the U.S. government, ensures consistent protection and handling of this valuable information, reducing the risk of unauthorized access, dissemination, or use.

However, despite the robust security measures put in place, security breaches remain a persistent challenge. Cyber threats continue to evolve, and even the most secure systems are not immune to potential vulnerabilities. Therefore, it is essential for organizations to remain vigilant and continuously update their cybersecurity practices to address emerging threats.

In response to security breaches, proactive incident response plans, timely reporting, and swift remediation are vital. Learning from such incidents can lead to the implementation of stronger security measures and further enhance the protection of CUI and other sensitive information.

Ultimately, safeguarding CUI and preventing security breaches demand a collaborative effort involving technology, personnel training, policy enforcement, and ongoing risk assessments. By prioritizing information security and diligently adhering to best practices, organizations can better protect CUI and preserve the integrity of their operations in an increasingly complex digital landscape.

Don’t feel ready for these changes? Don’t worry, we’re here to help!

Getting your organization fully prepared for CMMC requirements could take up to 12 months. But what would you say if you could identify relevant cybersecurity threats and gaps in requirements, on your own time and at your own pace? You’re in luck because we’ve done just that!

The team at Valor Cybersecurity is pleased to offer our FREE Cybersecurity Readiness Assessment, for a limited time. As a bonus for taking our assessment, we will provide you with recommended guidance for better protecting your business and a 30-minute consultation with our team of experts!

Whether the Valor Team can help you now or in the future, we remain poised to support your business’ success and protection.

Access our FREE ‘Cybersecurity For Defense Contractors‘ E-Book.

Author(s)Greg Tomchick and Valor Experts

Cybersecurity Expert Insights

Unfilled Cybersecurity Positions Threaten the Future of Businesses Everywhere

Your cybersecurity team can have an outsize impact on your business, your customers, and the economy. Make sure you're staffing
Learn More

Guarding Your Business in Uncertain Times

A non-tech savvy owners guide to cybersecurity and financial stability.
Learn More

6 Cybersecurity Tips for Securing Startup Success

Lack of cybersecurity is the biggest deficiency facing founders today. Here's how you can get out in front of it.
Learn More