As a Managed Security Service Provider (MSSP) that helps small and medium-sized DoD contractors comply with DFARS and prepare for CMMC, we are currently seeing large prime contractors take a more active role in assessing their own supply chains and enforcing DFARS compliance. Because of this, many DoD contractors are feeling pressure to accelerate their path to compliance.
Sysarc CEO Tim Brennan and a Chief Information Security Officer (CISO) from a large Prime contractor shared their insights on a recent Exostar webinar. The Prime contractor CISO said, “I can definitely say that we are leveraging SPRS scores as it relates to a data point in terms of the vulnerability within our supply chain — there is no doubt.” What this means is that the Prime, one of the world’s largest defense contractors, is looking at the SPRS scores of its suppliers to evaluate how secure its own supply chain is. He went on to say, “DFARS 7019 was a gift to Primes because now we can ask for a simple score… We say ‘what’s your SPRS score?’ and you either get a score or no response — both of which are valuable data as it relates to how you are going to use it to protect not just the functional security of your supply chain, but also the reputation as it relates to who you do business with.”
Another Prime took an even more aggressive stance. According to Brennan, “One of our customers recently received a letter from a Prime. The subject matter was new to us and our customer. This customer had submitted an SPRS score of 55, which if you know how SPRS is scored, isn’t that bad. Yet the Prime stated in the letter that they wouldn’t be able to send them CUI electronically any more, and they would have to send it via FedEx. This alarmed our customer because now they feel they’re not being viewed as where they need to be competitively.”
You can watch this conversation in the video below (we’ve preset the start time for you):
For more information on SPRS scores and what they mean to DoD suppliers, please see our guide to the DFARS Interim Rule.
This push by DoD prime contractors comes on the heels of the “Shields Up” advisory by the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), a response to the growing number of cyber threats due to the Russia/Ukraine conflict and the United States’ response to it. In light of this, it seems the whole Defense Industrial Base (DIB) is feeling top-down pressure to protect its operations from being shut down and/or having sensitive information stolen by foreign adversaries.
If you are a DoD contractor concerned about the state of your organization’s cybersecurity and need help in easing those concerns, please feel free to give us a call or schedule a consultation. Our team has helped over 1,000 DoD suppliers throughout the U.S. protect their IT infrastructure while complying with DFARS and preparing for CMMC.
For more information, please see our DFARS and CMMC compliance guides, and learn more about our NIST 800-171 assessment service, which is the basis for finding out what your organization needs to do to become compliant.