Welcome to Supplier Performance Risk System (SPRS) Frequently Asked Questions

A: All SPRS users (government and vendor) access SPRS via the Department of Defense Procurement Integrated Enterprise Environment (PIEE). There are various user roles based on what information the user requires access. The Contractor Administrator (CAM) for vendors or the Government Administrator (GAM) for government employees approve user role requests. If the only CAM for a CAGE requests SPRS access they must contact either SPRS Customer Support or the PIEE Help Desk to request activation.

Contracting Officers (1102s, [military specialties]) and some government purchase card holders automatically receive access to SPRS may not need to apply for access.

To learn how to obtain a PIEE account and SPRS access, go to Access Instructions.

A: DoD Acquisition Professionals and Vendor personnel designated by companies contracting with the Department of Defense (DoD).

Per DoDI 5000.79 the DoD Acquisition community uses SPRS as “…the authoritative source to retrieve supplier and product PI (performance information) assessments…”.

A: Vendor - The Company’s assigned Contractor Account Administrator (CAM) approves user role requests. Please contact your CAM directly for expedited processing.

If there is only one CAM, and this person is applying for a SPRS User role, they must request User role activation from PIEE help desk. PIEE Help Desk: 866.618.5988

Government – The units Government Account Administrator (GAM) approves user role requests. Please contact your GAM directly for expedited processing. Contracting Officers (1102s, [military specialties]) and some government purchase card holders automatically receive access to SPRS may not need to apply for access.

If there exists a CAM/GAM for your location code and you do not know who they are, see PIEE GAM/CAM lookup tool https://piee.eb.mil/xhtml/unauth/lookup/gamLookup.xhtml.

A: SPRS is primarily designed for Department of Defense (DoD) civilian acquisition employees and for vendors/suppliers to access their own company information. The Vendor Threat Mitigation (VTM) report is the only SPRS report available to government support contractors. It is intended for international acquisition professionals supporting contracting activities in Combatant Command (CCMD) Areas of Responsibility (AOR). Users can request access to VTM by adding the “SPRS- VTM Acquisition Professional” role to their PIEE account.

A: Vendors must be registered in the System for Award Management (SAM) before registering in PIEE. If you do not plan to register in SAM contact SPRS Customer Support to request assistance.

A: SPRS may be used for market research by members of the DoD acquisition community (DoDI 5000.79) only. SPRS data is designated Controlled Unclassified Information (CUI). Vendors are allowed to view their data only. SPRS reports are not releasable under the Freedom of Information Act (FOIA).

A: No. Any DoD government member (military or civilian) with a Command Access Card (CAC) may view the National Security Systems Restricted List.

A: SPRS uses algorithms to calculate three areas of risk. Supplier, Price, and Item.

• Supplier:
  • Quality and Delivery Performance: Quality and Delivery records within a Supply Code are used to calculate a numerical and color score indicating supplier ranking within that supply code.
  • Supplier Risk Score: The Supplier Risk Score considers 10 factors of performance information, regardless of supply code, including the last three (3) years of recent and relevant data for a supplier.
• Price: Price Risk determines whether a proposed price is consistent with historical prices paid for that item. SPRS calculates an “Expected Range” based on the population of historical prices for a particular item.
• Item: Item Risk is based on additional risks associated with employing an item or the increased risks associated with procuring an item which may result in safety issues, mission degradation, or monetary loss.

The SPRS Evaluation Criteria Manual details how each of these risk areas are calculated. Additional information can be found on the SPRS public page within the SPRS Reports buttons and within References link from the Menu.

A: SPRS provides contracting officials a score for the overall assessment of the supplier performance and supplier risk. Using the Supplier Risk Score, contracting officials can identify “riskier” suppliers and assess the likelihood of the non-fulfillment of terms of contract, unsuccessful performance, or delivery delays.

A: SPRS uses 10 factors of performance information to calculate Supplier Risk Scores. These factors are individually weighted (based on age and relative importance) and summed to produce a numerical and color score for every company which has performance data.

The SPRS Evaluation Criteria Manual details how each Supplier Risk Factor is calculated. Additional information about Supplier Risk can be found on the SPRS public page for Supplier Risk.

A: SPRS ranks the Supplier Risk scores by magnitude and assigns a color score to each supplier according to the SPRS 5-color scoring standard. The color score is a percentile ranking representing a normal statistical distribution.

The threshold values between colors can change each time the Supplier Engine is run. As a result, suppliers with numerical scores near the threshold values may have a change in color score without a corresponding change in numerical score.

The SPRS Evaluation Criteria Manual provides details on the Supplier Color Legend. Additional information about Supplier Risk can be found on the SPRS public page for Supplier Risk.

A: Users can submit a Challenge in the SPRS Summary Report Module. Instructions for submitting a Challenge are provided in the SPRS Software User’s Guide for Awardees/Contractors , Appendix D & Section 5.3.1

A: Contact the Defense Logistics Agency (DLA) WebSDR Help: 877.352.2255    dlacontactcenter@dla.mil. Or, create and submit a Post Award Request (PAR) through the DLA Internet Bid Board System (DIBBS)

A: A “SPRS Cyber Vendor User” role is required for entering and editing NIST SP 800-171 Assessment results in SPRS.

Select the Vendor user role when first establishing your PIEE profile. Then select the “SPRS Cyber Vendor User” role to allow you to enter/edit NIST SP 800-171 Assessment details. For detailed instructions refer to the SPRS Access for NIST SP 800-171 guide.

A: An error messages that reads:

• Error: There are no Contractor Administrators in the system for the Location Code (CAGE code). Please verify that the Location Code entered is correct, or contact your eBusiness POC as listed in the System for Award Management or the WAWF help desk to establish a group for the Location code…

This error indicates that there is currently no Contractor Account Administrator (CAM) associated with the CAGE. The CAM is the gatekeeper that authorizes users requesting access to your company. The CAM must be the Electronic Business point of contact listed in the System for Award Management (SAM) or their designee.

A CAGE must be registered in PIEE and a CAM established prior to requesting user roles in PIEE. If there is only one CAM and this person is applying for a user role, they must request user role activation from PIEE help desk or SPRS Customer Support.

Messages that state there are no groups in the system indicate that your CAGE code is not recognized by PIEE. Call the PIEE Help Desk to add your CAGE. PIEE Help Desk: 866.618.5988

For further information see PIEE’s Getting Started Help page.

A: Select “Vendor” for the PIEE user type to register for a “SPRS Cyber Vendor User” role or SPRS “Contractor/Vendor (Support Role)” in PIEE. If a “Security Awareness Training” date or DoDAAC are requested during registration “Vendor” was not selected as the user type.

Contact the PIEE Help Desk to update your registration, 866.618.5988.

A: Location Code = CAGE code. If you don’t know your company CAGE refer to the CAGE Search and Inquiry page. Additional information about the Commercial and Government Entity (CAGE) program is available here, https://cage.dla.mil/Info/about.

A: A DoDAAC is not required for private industry registering in PIEE. Be sure to select “Vendor” as your user type when registering in PIEE.

A DoDAAC is not a required entry for BASIC Confidence Level NIST SP 800-171 Assessment summary results.

A: The “SPRS Cyber Vendor User” role is required to enter NIST SP 800-171 summary results into SPRS.

If a user has access to SPRS but is missing the “+ Create New HLO CAGE” button, the user does not have an active “SPRS Cyber Vendor User” role.

Refer to the SPRS NIST SP 800-171 Quick Entry Guide and SPRS NIST SP 800-171 Entry Tutorial for detailed entry instructions.

If a “SPRS Cyber Vendor User” role is confirmed to be active but there are still buttons or functionality missing, it could be the internet browser. Internet Explorer is no longer supported and may not show all buttons or have proper functionality.

Optimal browsers for best application performance: Google Chrome, Mozilla Firefox or Microsoft Edge.

A: The SPRS NIST SP 800-171 Quick Entry Guide and SPRS NIST SP 800-171 Entry Tutorial provide detailed instructions on how to enter assessment summary results into the SPRS application.

SPRS provides storage and retrieval for the NIST SP 800-171 assessment results only. A NIST SP 800-171 assessment and System Security Plan (SSP) must be complete prior to logging into SPRS to enter summary results. A CAGE Code is required for all NIST Assessment entries into SPRS.

A: For NIST SP 800-171 preparation information including the assessment methodology refer to the Defense Pricing and Contracting (DPC) Cyber page at Policy – Safeguarding Covered Defense Information and Cyber Incident Reporting.

For specific questions about conducting the assessment please contact your Program Office or Contracts representative or the Defense Contract Management Agency (DCMA) general mailbox, DCMA_7012_Assessment_Inquiry@mail.mil for assistance.

SPRS provides storage and retrieval for the NIST SP 800-171 assessment results only.

A: Yes. Users with an active “SPRS Cyber Vendor User” role have access to edit Basic confidence level NIST SP 800-171 assessment summary results for any CAGE within their company’s hierarchy.

Click “View Details” Button to open the Details View. Select the pencil icon within the far left column to edit a record. The data entry form will open with the existing data populated. Make the necessary changes and select save.

The SPRS NIST SP 800-171 Quick Entry Guide and SPRS NIST SP 800-171 Entry Tutorial provide detailed instructions on how to enter and/or edit assessment summary results into the SPRS application.

A: The definitions associated with the Assessing Scope data choices are:

• Enterprise – Entire company’s network is under the CAGEs listed
• Enclave – Standalone under Enterprise CAGE as business unit (test enclave, hosted resources, etc.)
• Contract – Contract specific SSP review

For specific questions about interpreting these definitions please contact your Program Office or Contracts representative or the Defense Contract Management Agency (DCMA) general mailbox, DCMA_7012_Assessment_Inquiry@mail.mil for assistance.

A: SPRS imports CAGE information from the Defense Logistics Agency (DLA) and the System for Award Management (SAM). Review the SAM registrations of the missing CAGEs to confirm the correct immediate level owner and highest level owner information is listed. Update as required.

Ownership changes in SAM will typically flow to SPRS within 48hrs. For assistance updating Ownership information in SAM, refer to the Federal Service Desk (fsd.gov) Frequently Asked Question: How do I report a change in my entity’s ownership information?

For additional information on FAR 52.204-17 Ownership or Control of Offeror.

A: There are two common possibilities: information is missing from the SAM CAGE registration(s) or the “SPRS Cyber Vendor User” role has not been selected/authorized in PIEE.

SPRS imports CAGE information from the Defense Logistics Agency (DLA) and the System for Award Management (SAM). Review and update the SAM registrations of the missing CAGEs to confirm the correct immediate level owner and highest level owner information is listed. Update as required.

Ownership changes in SAM will typically flow to SPRS within 48hrs. For assistance updating Ownership information in SAM, refer to the Federal Service Desk (fsd.gov) Frequently Asked Question: How do I report a change in my entity’s ownership information?

For additional information on FAR 52.204-17 Ownership or Control of Offeror.

A “SPRS Cyber Vendor User” role is a privileged role that allows the user to view, add and edit assessments for that company’s entire hierarchy. Access instructions are available in the SPRS Access for NIST SP 800-171.

If a “SPRS Cyber Vendor User” role is confirmed to be active in PIEE, company hierarchy structure confirmed to be accurate in SAM, and there are still questions, contact SPRS Customer Support for additional assistance.

A: Refer to the SPRS NIST SP 800-171 Quick Entry Guide and SPRS NIST SP 800-171 Entry Tutorial for detailed instructions on viewing and entering NIST SP 800-171 assessment summary details.

NIST SP 800-171 assessment scores (cyber scores) are considered Controlled Unclassified Information (CUI) for federal government employees. SPRS data is UNCLASSIFIED for companies viewing their own information. Access is restricted to company personnel with approved access. Apply for SPRS access through the Procurement Integrated Enterprise Environment (PIEE). For access instructions see SPRS Access for NIST SP 800-171.

If the cyber score of a subcontractor is required, contact them directly.

SPRS reports are not releasable under the Freedom of Information Act (FOIA).

A: SPRS NIST Assessments are organized by a company’s Highest Level Owner (HLO) headers. The system recognizes a CAGE code belongs to a parent organization and inputs that HLO based on the corporate hierarchy imported from the System for Award Management (SAM) and the Defense Logistics Agency (DLA). By creating a header with a Basic confidence level you are beginning the data entry process. You are not making a statement about the security of your parent company.

After creating a header, enter assessment results and select save. The HLO CAGE is not considered assessed unless it is listed in the “Included CAGE(s)/entity” data field.

If an assessment is not entered immediately after creating a new header, the user will need to select the gold “View Details” button for the row with the “Basic” confidence level. This will open the Detail View and display the gold “+Add New Assessment” button; click to open the data entry form. Add your assessment per instructions in the SPRS NIST SP 800-171 Quick Entry Guide. CAGE(s) included in the assessment can be selected from the CAGE Tree by clicking the “Open CAGE Hierarchy” button to choose the CAGE(s) from the populated list.

SPRS imports CAGE information from the Defense Logistics Agency (DLA) and the System for Award Management (SAM). CAGE data can be viewed at CAGE.DLA.Mil and/or SAM.gov.

Changes to company hierarchy structure can be made by updating CAGE registrations via SAM. Updates in SAM will typically flow to SPRS within 48hrs. Ownership changes in SAM will typically flow to SPRS within 48hrs. For assistance updating Ownership information in SAM, refer to the Federal Service Desk (fsd.gov) Frequently Asked Question: How do I report a change in my entity’s ownership information?

For additional information on FAR 52.204-17 Ownership or Control of Offeror.

A: A “SPRS Cyber Vendor User” role is required for at least one CAGE within each Highest Level Owner (HLO) CAGE hierarchy. A “SPRS Cyber Vendor User” role is a privileged role that allows the user to view, add, and edit assessments for any CAGE in that hierarchy. There is no limit to the number of “SPRS Cyber Vendor User” roles a user may obtain. For access instructions see SPRS Access for NIST SP 800-171.

A: The NIST SP 800-171 Assessments link in the menu on the SPRS web page requires a Public Key Infrastructure (PKI) certificate. Only Government employees with the proper PKI access on their Common Access Card (CAC) can access NIST SP 800-171 Assessments through the menu link on the SPRS web page. All other users must access this data through the SPRS application.

Vendor access to the SPRS application is managed via the Department of Defense Procurement Integrated Enterprise Environment (PIEE). Users must register in PIEE and obtain a PIEE User role for access to SPRS.

To learn how to obtain a PIEE account and SPRS access, go to Access Instructions.

A: Government Users can view current CAGE Hierarchies in SPRS Enhanced Vendor Profile (EVP) module. Simply search by CAGE code and navigate to the CAGE Hierarchy tab. Any required corrections must be made by the vendor in SAM.

A: Effective 15 JAN 2020, NMCI implemented a change to effectively disable hyperlinks in emails.
To resolve:

• Copy the URL from the email.
• Paste it into your browser address bar.
• Delete “noclick_” wherever it appears in the address.
• Verify the address and press enter.

To read more about this policy, please reference the NMCI User Awareness User Communication #20200115.

A: Microsoft Internet Explorer is no longer supported and may not show all buttons or have proper functionality.

Optimal browsers for best application performance: Google Chrome, Mozilla Firefox or Microsoft Edge.

A: Optimal browsers for best application performance: Google Chrome, Mozilla Firefox, or Microsoft Edge.