Supplier Performance Risk System
SPRS
Also known as: SPRS, the DoD supplier risk / NIST 800-171 score system
Visit SPRS →Operated by Department of Defense (Navy)
At a Glance
- Official site
- sprs.csd.disa.mil
- Run by
- Department of Defense (Navy)
- When you use it
- For DoD work — to post your NIST 800-171 assessment score before award
- Cost
- Free — access by government-granted account
- Scope
- DoD contracts (not civilian-agency procurements)
What It Is
The Supplier Performance Risk System, SPRS, is the Department of Defense's authoritative source for supplier and product risk information. It aggregates data DoD uses to assess the risk of doing business with a supplier — including item risk, price risk, and supplier performance and quality signals — for use in DoD source selection. SPRS has become most prominent as the home of the cybersecurity self-assessment scores required under the DFARS: a defense contractor that handles covered defense information must perform a NIST SP 800-171 assessment and post its score in SPRS under DFARS 252.204-7019 and 252.204-7020, and a current score is a condition of DoD award. SPRS is DoD-specific — it does not govern civilian-agency procurements — and access is by government-granted account. For a defense-facing supplier, SPRS is where two things a contracting officer cares about live: how risky you look as a supplier, and whether your cybersecurity posture meets the DoD baseline.
When You Touch It
- Before a DoD award — you generally must have a current NIST SP 800-171 assessment score posted in SPRS.
- When handling covered defense information — the DFARS cybersecurity rules require the SPRS score.
- To monitor your supplier risk profile — SPRS aggregates item, price, and quality risk DoD evaluators see.
- As DoD cybersecurity requirements evolve — SPRS is the mechanism tied to the NIST 800-171 / CMMC baseline.
Key Features
| Feature | What It Means |
|---|---|
| DoD-specific | SPRS governs Department of Defense procurements; it does not apply to civilian-agency buys. |
| Home of the 800-171 score | Defense contractors handling covered defense information must post a NIST SP 800-171 self-assessment score in SPRS. |
| A condition of DoD award | Under DFARS 252.204-7019/7020, a current SPRS score is generally required before a covered DoD contract is awarded. |
| Supplier risk beyond cyber | SPRS also aggregates item, price, and quality risk signals DoD uses to assess a supplier in source selection. |
What It Means for an SDVOSB
For an SDVOSB that sells to the Department of Defense, SPRS is a gate you have to clear before your set-aside status even comes into play: without a current NIST SP 800-171 score posted in SPRS, a covered DoD contract generally cannot be awarded to you, no matter how strong your SDVOSB position. The practical move is to treat the cybersecurity self-assessment as a standing requirement, not a one-time task — complete the 800-171 assessment, post the score, and keep it current, because a missing or stale score is a self-inflicted disqualification. This baseline also feeds the broader DoD cybersecurity-maturity direction, so the sooner a defense-facing SDVOSB gets its posture and score in order, the more DoD work stays open to it. On civilian-agency set-asides SPRS does not apply, so scope your compliance to where you actually bid.
Watch Out For
- No current score, no DoD award — a missing or expired NIST 800-171 score in SPRS can disqualify you from covered DoD contracts.
- Assuming it applies everywhere — SPRS is DoD-only; civilian-agency procurements do not use it.
- Treating the assessment as one-and-done — scores must be kept current as your systems and requirements change.
- Overlooking non-cyber risk — SPRS also carries item, price, and quality risk signals DoD evaluators weigh.
Run the Numbers
Frequently Asked
What is SPRS?
SPRS, the Supplier Performance Risk System, is the Department of Defense's authoritative source for supplier and product risk information, used in DoD source selection. It aggregates item, price, quality, and performance risk signals, and it is the system where defense contractors must post the NIST SP 800-171 cybersecurity self-assessment score required under DFARS 252.204-7019 and 252.204-7020. SPRS is specific to DoD procurements and access is by government-granted account.
Does an SDVOSB need an SPRS score to win DoD work?
If the DoD contract involves covered defense information subject to the DFARS cybersecurity clauses, then generally yes — the contractor must have a current NIST SP 800-171 self-assessment score posted in SPRS, and that is a condition of award. This applies regardless of SDVOSB status, so a service-disabled veteran-owned firm pursuing covered DoD work must complete the assessment and keep its SPRS score current, or it can be ineligible for award.
Does SPRS apply to civilian-agency contracts?
No. SPRS is a Department of Defense system and applies to DoD procurements. Civilian-agency procurements do not use SPRS or require the DFARS-based NIST SP 800-171 score in it. An SDVOSB that bids only civilian-agency set-asides does not need an SPRS score, though it should still meet any cybersecurity requirements in its specific solicitations, such as the basic safeguarding clause FAR 52.204-21.
Primary Sources
- DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements
- SPRS — Supplier Performance Risk System
Plain-English reference, not legal advice. Government systems are periodically consolidated, renamed, or migrated to new addresses, and the FAR/DFARS sections that govern them are amended from time to time — always confirm the current system, its URL, and its requirements against the official site and the actual solicitation before relying on it, and consult qualified counsel for your specific situation.
Change log (1)
- LaunchedPublished the federal contracting systems & databases reference covering the online systems an SDVOSB registers in, is found in, and is evaluated through — SAM.gov (FAR Subpart 4.11), the Unique Entity ID (FAR 52.204-6), VetCert (13 CFR Part 128), SAM.gov Contract Opportunities (FAR 5.201), the Dynamic Small Business Search (FAR 19.202-2), SBA SubNet (FAR Subpart 19.7), the Federal Procurement Data System (FAR Subpart 4.6), USAspending.gov (FFATA/DATA Act), CPARS (FAR Subpart 42.15), FAPIIS (FAR 9.104-6), the Supplier Performance Risk System (DFARS 252.204-7019/7020), the electronic Subcontracting Reporting System (FAR 52.219-9), and the FFATA Subaward Reporting System (FAR 52.204-10) — each with an at-a-glance quick-facts card showing the official site and operating agency, a when-you-touch-it list, a key-features table, an SDVOSB-specific angle, watch-outs, FAQPage, Article, Dataset, and BreadcrumbList structured data, primary-source citations, and cross-links into the glossary, how-to guides, forms, clauses, FAQ, and the set-aside eligibility, size-standard, win-probability, price-to-win, and subcontracting calculators.