With nation-state-sponsored cyber attacks on the rise, we must prioritize protecting the businesses holding our nation’s secrets. Today, there are increasing opportunities for small and medium-sized businesses to contribute their inventions and ideas to serve and support the Defense Industrial Base (DIB). However, they’re quickly becoming targets of nation-state actors intent on stealing their data or disrupting their operations. According to our DIB Cybersecurity Maturity Report, 2024, 59% of companies experienced four or more user accounts or endpoints compromised in the past year and 46% say cybersecurity-related incidents have cost their company $100,000 or more.
The way forward is to raise the cybersecurity posture of the SMBs that service the DIB. It’s the reason I came out of retirement: to better protect SMBs in the DIB against nation-state cyber threats. Fortunately, the Department of Defense (DoD) is acting as a forcing mechanism to ensure that its contractors stay safe. Here’s why its Supplier Performance Risk System (SPRS) matters, and how to improve your security, lower your risk and increase your chances of winning a contract.
SMBs are increasingly becoming the targets of attacks. These small companies create mighty innovations that serve to support national defense initiatives both domestically and around the globe. Yet, while they work with national security data, they often don’t have cybersecurity capabilities to protect that data. By not having robust cybersecurity processes in place, these SMBs become easy targets for nation-state actors looking to disrupt supply chains and steal valuable IP.
Because of these rising risks, the DoD is actively protecting its contractors and the nation by issuing new cybersecurity compliance requirements. These requirements establish a security baseline so that SMBs that are part of the DIB or U.S. critical infrastructure (CI) can keep their sensitive information and IP protected from malicious actors.
One of these initiatives is submitting your risk score to the SPRS — something you may be aware of but have yet to understand why it’s important to your company and the nation.
The supplier performance risk system (SPRS) is a database maintained by the DoD that “utilizes suppliers’ performance data in areas of product delivery and quality to rate performance and predict potential risk.” It does this by tracking a risk score for each company based on their compliance with NIST 800-171 and other security requirements like corrective action plans, program assessment reports and suspected counterfeits.
The SPRS process can undoubtedly be confusing or daunting. Some may think they can enter any score and be done with it, or they may enter an “aspirational” score that they plan to achieve later on but aren’t compliant with today. Or they may simply be confused over how to calculate the score since it’s a self-assessment. However, reporting an erroneous score can have catastrophic consequences for the CEO and company — like a false claims lawsuit.
Ultimately, SPRS matters because security matters. By requiring a baseline of security adherence, the DoD is taking action to keep everyone protected from attack and potentially losing valuable data, IP, or national secrets.
If you’re in the process of determining your SPRS score and know you need to take steps to improve your security posture, start with the following four steps. They will enable you to quickly raise your SPRS score, report with confidence, and improve your Cybersecurity Maturity Model Certification (CMMC) readiness.
1. Conduct a NIST 800-171/CMMC self-assessment.
Determine where you currently stand by honestly evaluating your compliance posture. There are good compliance management tools available today that can facilitate and streamline the self-assessment process. Alternatively, you might enlist the support of a compliance consultant. Interpreting the intent of framework objectives can be daunting, and producing an accurate, audit-ready self-assessment can be challenging.
2. Remediate low-hanging fruit.
Certain requirements are easier to achieve than others. Once your self-assessment is complete, identify requirements having the lowest cost to remediate and tackle these first. A compliance management tool and/or consultant will be of great help identifying where low-hanging fruit opportunities exist.
3. Transfer compliance adherence for hard-to-achieve requirements.
Certain requirements are harder and more costly to realize. For these, it is worth considering transferring adherence to third-party technologies and/or service providers who can take the requirement off your plate. Some of the costliest and hardest-to-achieve requirements include threat monitoring, threat investigation and logging, 24×7 incident response, and vulnerability management. These capabilities require both the purchase of technology and the experts to operate it. When evaluating vendors, ensure they themselves plan to become fully CMMC compliant, as this is essential for the transfer of adherence responsibility to hold up.
4. Conduct another self-assessment and report.
With the above complete, you will find yourself in a much stronger compliance position. Perform another self-assessment to validate the remediations you’ve implemented, and check off as done those requirements you’ve successfully transferred to a third-party provider. Once the self-assessment is complete, you are ready to submit an SPRS score that has integrity and eliminates the risk of False Claims Act liability.
Taking the above steps will help ensure your business is optimally positioned to compete for government contracts today and when the CMMC rule goes into full effect early next year (by most estimates). These steps will also reduce your risk of experiencing a damaging cybersecurity incident like ransomware. You will also find your company harder to compromise by nation-state-sponsored cyber spies who seek to steal your inventions in support of an agenda that likely runs contrary to the best interests of America.