Does DFARS 252.204-7024 Include Your NIST SP 800-171 Self-Assessment?


The new Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7024 final rule is here! It was recently implemented by the Department of Defense (DoD) to revise how contracting officers use the Supplier Performance Risk System (SPRS) when evaluating bids for contracts. The final rule requires contracting officers to consider item risk, price risk, and supplier risk data when evaluating a supplier’s offer and responsibility. In the few days following the March 22, 2023, effective date, there has been a lot of buzz around what this means for defense contractors, and quite a bit of it has been misleading. In this post, we’ll explain exactly what DFARS 252.204-7024 requires, how it may affect you, and what to do next.

252.204-7024 Notice on the Use of the Supplier Performance Risk System (Mar 2023) 

There are three main action items in DFARS 252.204-7024: 

  1. The Supplier Performance Risk System (SPRS) will be used in the evaluation of the Quoter or Offeror’s performance. SPRS retrieves item, price, quality, delivery, and contractor information on contracts from Government reporting systems in order to develop risk assessments.[1] 
  2. The Contracting Officer will consider SPRS risk assessments during the evaluation of quotations or offers, specifically item risk, price risk, and supplier risk.[1] 
  3. The Contracting Officer may consider any other available and relevant information when evaluating a quotation or an offer.[1] 

Essentially, contracting officers are required to check risk assessment data in SPRS before awarding a contract. The risks outlined are as follows: 

Item Risk: the probability that a product, based on intended use, will introduce performance risk resulting in safety issues, mission degradation, or monetary loss. Item risk will be considered to determine whether the procurement represents a high performance risk to the Government. [1] 

Price Risk: a measure of whether a proposed price for a product or service is consistent with historical prices paid for that item or service. Price risk will be considered in determining if a proposed price is consistent with historical prices paid for a product or a service or otherwise creates a risk to the Government. [1] 

Supplier Risk: the probability that an award may subject the procurement to the risk of unsuccessful performance or to supply chain risk. Supplier risk, including but not limited to quality and delivery, will be considered to assess the risk of unsuccessful performance and supply chain risk. [1] 

The Big Question: Does DFARS 252.204-7024 Include Your NIST SP 800-171 Self-Assessment?

The quick answer is not explicitly, but let me give you some backstory. DFARS 252.204-7019 has required defense contractors to demonstrate their compliance with NIST SP 800-171, which requires compliance with 110 security controls, the development of a System Security Plan (SSP), and a Plan of Action and Milestones (POAM). The 7019 rule also requires that contractors submit the results of an assessment and a score reflecting their compliance with NIST SP 800-171. It is this Basic Assessment (the self-assessment and its score) that many are wondering about: is it among the items that contracting officers must now consider? The answer is that your NIST SP 800-171 score is not included in item risk, price risk, or supplier risk.

Source: SPRS Evaluation Criteria Manual 

So why did I say not explicitly instead of a simple no? DFARS 252.204-7024 does state that “the Contracting Officer may consider any other available and relevant information when evaluating a quotation or an offer.” This “available and relevant information” could very well include your NIST SP 800-171 self-assessment. It’s true that many don’t find this score very accurate, given the number of inaccuracies that the Defense Contract Management Agency’s (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) has already found in the Medium Assessments it has conducted. Even so, the score is still visible to contracting officers now that they are checking risk data in SPRS.

False Claims Act (FCA) 

If you’re thinking “whoa, whoa, whoa, one regulation at a time,” I don’t blame you, but I do want to keep you informed. I have come across quite a few posts on the web, and a common theme I’m finding is the belief that SPRS scores, specifically NIST SP 800-171 self-assessment scores, are simply inaccurate and unreliable. That is a point I don’t disagree with, especially when the assessments weren’t assisted by a trained Registered Practitioner (RP) or Registered Practitioner Organization (RPO). But this doesn’t mean the score doesn’t matter, or that an inaccurate score can’t be detrimental.


In early October 2021, the Department of Justice announced that a new Civil Cyber-Fraud Initiative would seek to leverage the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. Punishable offenses include knowingly providing deficient cybersecurity products or services, knowingly violating obligations to monitor and report cybersecurity incidents and breaches, and knowingly misrepresenting cybersecurity practices or protocols. This means that if a falsified score was uploaded into SPRS, you could be subject to a civil penalty of up to $10,000.

What Does This Mean for You?

  • The Cybersecurity Maturity Model Certification (CMMC) is coming! I won’t deny it’s been a bit of a crawl, but recent reports now put implementation in 2024, which means that if you haven’t at least satisfied DFARS 252.204-7019 and made a plan for CMMC, it’s time to get started. It takes time to become compliant, and depending on where you are in meeting the security requirements, 2024 may be here sooner than you’d like.
  • It’s hard to say directly that a good NIST SP 800-171 Basic Assessment (self-assessment) score will give you a great competitive advantage, especially with how the scores are currently viewed, as mentioned above. However, if you’ve done the work and earned a good score, there are ways to make your score stand out. A DCMA DIBCAC Medium Assessment score holds far more weight than a self-assessment score, since it has stood up to a professional audit. There are also C3PAOs (CMMC Third-Party Assessment Organizations) conducting voluntary CMMC assessments through the Joint Surveillance Voluntary Assessment Program for early certification, and remember, CMMC certification is the end goal. I recommend visiting the Cyber AB’s website to find qualified C3PAOs.
  • The time for low SPRS scores is coming to an end. This regulation is a step forward in how the DoD is improving its supply chain risk management and in making cybersecurity part of doing business. With this regulation, the mechanism by which companies will lose out on contracts is being put in place. Combined with the DOJ changes, we are also seeing how companies with contracts that either falsely claim a high score, or that report a low score when they are already required to be compliant, could be prosecuted. It’s important for business leaders not to look at this new rule as just another technical cyber regulation, but rather as an important indication of how business must be done in the future.

What Now? 

It’s never a bad idea to get your house in order. Now is the time to make sure your SPRS record is current and accurate. You need to meet DFARS 252.204-7019 and should make achieving a NIST SP 800-171 self-assessment score of 110 a priority for your business. This regulation has been in place since 2020 and is required of defense contractors. Ardalyst has free resources to help you not only meet 7019 but also get ready for CMMC quickly and affordably.

  • FREE Risk Assessments that meet the requirements for CMMC RA.L2-3.11.1 as part of our free Tesseract Program Trial. This is a great way not only to assess your business but also to identify ways to improve your security and ensure compliance with NIST SP 800-171.
  • A NIST SP 800-171 Self-Assessment tool to instantly receive and download your informational score.
  • Get your free consultation! The experts at Ardalyst can help you identify your goals and next steps, and even develop an affordable, comprehensive cybersecurity program to get you CMMC compliant.

1. Acquisition.gov. (2023). DFARS 252.204-7024 Notice on the Use of the Supplier Performance Risk System. https://www.acquisition.gov/dfars/252.204-7024-notice-use-supplier-performance-risk-system