If you have recently won a contract with the US Military, or you are a subcontractor to a prime who does business with the military, you may have received a request for a Supplier Performance Risk System (SPRS) score.
If the email is from a contracting officer, this is usually a sign that your company is in the final stages of receiving a contract award. However, notices can also arrive unexpectedly, with language such as:
“Please note your company is noncompliant and needs to comply as soon as possible. If it fails to do so, [Redacted Military Customer] intends to cancel the purchase orders, and your company will be prevented from receiving any automated purchase orders from [Redacted Military Customer].”
For small business owners, this is an urgent situation. Ensuring compliance is critical to keeping the contract.
What is SPRS and Why Does it Matter?
The Supplier Performance Risk System (SPRS) is the Department of Defense’s official database for monitoring contractor performance and cybersecurity compliance. Under DFARS 252.204-7019 and 252.204-7020, contractors whose systems process, store, or transmit Controlled Unclassified Information (CUI) must have a current NIST SP 800-171 DoD Assessment posted in SPRS. “Current” means no more than three years old, and a contractor may post a new assessment sooner, for example after remediating gaps, to raise its score. The score itself ranges from a maximum of 110 (every requirement implemented) down to -203; any score below 110 must be accompanied by the date by which full implementation is expected.
Contracting officers use SPRS to quickly identify which suppliers are secure and reliable versus those that present higher risk. As a result, SPRS scores directly affect a contractor’s eligibility, competitiveness, and selection across the Defense Industrial Base (DIB). The database includes:
- On-time delivery scores and quality ratings
- Procurement risk data and assessments
- Exclusion variables (e.g., suspensions, debarments)
- Cybersecurity assessment scores
While most of this data comes from government records, the Basic (self-assessment) cybersecurity score must be entered by the contractor itself; Medium and High assessments are conducted by DoD assessors and posted by the government.
Types of Cybersecurity Assessments
The NIST SP 800-171 DoD Assessment Methodology defines three levels of assessment, each measuring compliance with the same 110 security requirements but with increasing rigor and confidence: