DOD Issues Final Rule Regarding Use of SPRS Assessments in Procurement
WHAT: The U.S. Department of Defense (DOD) issued a final rule that requires contracting officers to consider Supplier Performance Risk System (SPRS) risk assessments when evaluating contractors’ proposals and quotes and when determining contractor responsibility. The rule amends the Defense Federal Acquisition Regulation Supplement (DFARS) to add clauses that require contracting officers to consider price risk, item risk, or supplier risk data, if available in SPRS, as part of evaluating bids and in making pre-award determinations of responsibility.
WHEN: The final rule was published March 22, 2023.
WHAT DOES IT MEAN FOR INDUSTRY: The final rule implements an expansion of the DFARS SPRS provisions, which until now had more targeted applications. Although the rule requires contracting officers to consider SPRS risk assessments, the final rule gives contracting officers discretion in how they do so. It thus remains to be seen how contracting officers will use SPRS in practice at this broader scale. Contractors should become familiar with the SPRS, if they are not already; monitor their SPRS scores; and ensure any required submissions (including NIST SP 800-171 assessments) are current.
What is SPRS? SPRS is a DOD application that gathers, processes, and displays data about supplier performance for use by DOD acquisition professionals. SPRS uses statistical algorithms to analyze data inputs and identify risks. For example, SPRS analyzes data from government systems to calculate “on time” Quality and Delivery Scores, develop risk assessments, and generate enhanced vendor profiles. SPRS also stores and maintains the National Security System (NSS) Restricted List, which provides a list of contractors and products not authorized for use by DOD and summary results from contractors’ NIST SP 800-171 assessments.
SPRS collects data from several sources, including the Contractor Performance Assessment Reporting System (CPARS), the Product Data Reporting and Evaluation Program (PDREP), the Defense Contract Management Agency’s Supplier Risk System (SRS), SAM.gov, and the Defense Logistics Agency’s contract and quality data. Contractors can view, maintain, and download their own reports after registering with the system. Additionally, contractors may challenge SPRS records that they believe are inaccurate.
How will SPRS risk assessments be used? The rule requires contracting officers to consider SPRS risk assessments in two ways:
- Evaluating quotations or proposals submitted in response to solicitations for supplies and services, and
- Determining contractor responsibility.
The risk assessments are not intended to be a mandatory, standalone evaluation factor for source selections, however. The final rule included revisions to clarify that contracting officers shall ‘‘consider’’ the risk assessments, if available, as part of broader evaluation factors and when determining contractor responsibility. The rule also provides that bidders without a risk assessment in SPRS shall not be considered favorably or unfavorably.
The new solicitation provision at DFARS 252.204-7024 states that contracting officers will consider item, price, and supplier risk assessments. Those SPRS risk assessments incorporate a variety of factors:
- Item risk will be considered in acquisitions of products to determine whether the procurement represents a higher performance risk to the Government. The SPRS item risk assessment flags items identified as “High Risk.” Inputs that may affect the item risk assessment include safety or application concerns, increased risk of suspected counterfeiting or material failures, and other reasons identified by government agencies or military services.
- Price risk will be considered in determining if a proposed price is consistent with historical prices paid for a product or service or otherwise creates a risk to the Government. SPRS analyzes all prices, escalated for inflation, paid by the Government for an item since 2010. Based on those inputs, SPRS calculates an average price and identifies whether a proposed price is high, low, or within range of historical prices paid for that item.
- Supplier risk will be considered to assess the risk of unsuccessful performance and supply chain risk. SPRS scores over 63,000 vendors each day based on contract performance factors, including quality and delivery. The SPRS algorithm uses three years of past performance data to calculate a numerical supplier risk score. SPRS then assigns the supplier a color rating based on where the supplier risk score falls over a standard distribution compared to other vendors.
As mentioned above, the rule also requires contracting officers to consider the supplier risk assessments when determining contractor responsibility, but it does not provide further direction on how or to what extent contracting officers should consider the information in their responsibility determinations.
Practical Considerations: SPRS risk assessments are generated daily, and contractors can access their risk assessments. Contractors should consider monitoring these scores and the underlying records. Much like for a personal credit report, contractors may be able to challenge inaccurate records through procedures found in the SPRS user guide (available here). Additionally, contractors should monitor and update any required submissions to SPRS. For example, contractors are already required under the DFARS 252.204-7019 and -2020 clauses to demonstrate their compliance with cybersecurity standard NIST SP 800-171 by scoring their implementation of the NIST controls and uploading their score to SPRS.
All in all, the final rule shows that DOD is finding ways to utilize the data gathered on contractors. Wiley’s Government Contracts attorneys will continue to monitor developments in this area.