DoD Publishes new DFARS Rule Impacting SPRS

by Rachel Leidy | Director of Compliance Education, CCA, CCP, CISSP

The United States Department of Defense recently published a notice that a new rule, DFARS 252.204-7024, will be published soon. In her recent article (available here for free), Sara Friedman publishes analysis of that new rule, including comments from Robert Metzger, Eric Crusius, and me.

The biggest takeaway I see is that DoD is laying a foundation for rewarding contractors who are preparing for CMMC. Basically, while we wait for the CMMC 2.0 rule(s) to work its/their way through the machinery that is DOD (and the broader government, including #congress and the U.S. Small Business Administration), DoD’s contracting officers are allowed to consider the information in SPRS, including supply chain risk information, when making an award decision.

The new rule’s language is a bit ambiguous, in that it says the contracting officer “shall consider” SPRS-generated risk information and supply chain risk, but it doesn’t say what weight to give it. That’s probably good, because contracting officers have some flexibility depending on the sensitivity of the information/program involved.

800-171-based SPRS scores, and even other SPRS-generated risk information, also aren’t mandatory under the -7024 rule. That is a good thing, because otherwise new companies entering the market, and those who aren’t yet subject to DFARS 252.204-7019’s score reporting requirements, could have been penalized.

But it DOES create a scenario where, especially when sensitive programs/information are involved, contracting officers can base an award decision on the company that is better prepared to protect that information. That’s a big step forward for DoD.

If you are a government contractor and are still waiting for the CMMC rules to be finalized before you begin your NIST SP 800-171 compliance journey, you’re making a mistake. Hopefully this new rule will help provide more motivation to get off the sidelines and start that process. From what we hear from our clients at FutureFeed, it is a 6–18-month journey…so, you’re better off starting now.

And if you are thinking about becoming a government contractor, start getting your ducks in a row. Do the gap analysis, create your POA&Ms to close those gaps, and most importantly, start closing the gaps. That will make submitting a score to SPRS a piece of cake and help make you more competitive against established peers.

March 3rd, 2023

Authors

Tags