Welcome to Supplier Performance Risk System (SPRS) Frequently Asked Questions

A:  All SPRS users (government and vendor) access SPRS via the Department of Defense Procurement Integrated Enterprise Environment (PIEE). There are various user roles based on what information the user requires access. The Contractor Administrator (CAM) for vendors or the Government Administrator (GAM) for government employees approve user role requests. If the only CAM for a CAGE requests SPRS access they must contact the PIEE Help Desk to request activation.

Contracting Officers (1102s, [military specialties]) and some government purchase card holders automatically receive access to SPRS and will see SPRS on their landing page after logging into PIEE.

To learn how to obtain a PIEE account and SPRS access, go to Access Instructions.

A: DoD Acquisition Professionals and Vendor personnel designated by companies contracting with the Department of Defense (DoD).

DoDI 5000.79 identifies SPRS as “…the authoritative source to retrieve supplier and product PI assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.” DFARS Section 204.7603 states that “The contracting officer shall consider price risk and supplier risk, if available in SPRS, as a part of the award decision. For procurement of an end product identified by a material identifier that is available . . . the contracting officer shall also consider assessments of item risk, if available, as a part of the award decision.”

Vendors are encouraged to monitor their data in SPRS. The Contractor/Vendor role provides access to this information.

To learn how to obtain a PIEE account and SPRS access, go to Access Instructions.

A: Vendor - The Company’s assigned Contractor Account Administrator (CAM) approves user role requests. Please contact your CAM directly for expedited processing.

If there is only one CAM, and this person is applying for a SPRS User role, they must request User role activation from PIEE help desk. PIEE Help Desk: 866.618.5988

Government – The units Government Account Administrator (GAM) approves user role requests. Please contact your GAM directly for expedited processing. Contracting Officers (1102s, [military specialties]) and some government purchase card holders automatically receive access to SPRS may not need to apply for access.

If there exists a CAM/GAM for your CAGE/location code and you do not know who they are, see PIEE GAM/CAM lookup tool: https://piee.eb.mil/xhtml/unauth/lookup/gamLookup.xhtml

A: SPRS is primarily designed for Department of Defense (DoD) civilian acquisition employees and for vendors/suppliers to access their own company information. The Vendor Threat Mitigation (VTM) report is the only SPRS report available to government support contractors. It is intended for Operational Contract Support (OCS) activities in Combatant Command (CCMD) Areas of Responsibility (AOR). Users can request access to VTM by adding the “VTM Acquisition Professional” role to their PIEE account.

A: Yes, government employees can request SPRS Acquisition Professional Access to SPRS. To access Supplier Risk, Enhanced Vendor Profile, Cyber Reports and Market Research for SCRM research capabilities.

A: Vendors must be registered in the System for Award Management (SAM) before registering in PIEE. If you do not plan to register in SAM contact     SPRS Customer Support to request assistance.

A:  SPRS may be used for market research by members of the DoD acquisition community (DoDI 5000.79) only. SPRS data is designated Controlled Unclassified Information (CUI). Vendors are allowed to view their data only. SPRS reports are not releasable under the Freedom of Information Act (FOIA).

A: No. Any DoD government member (military or civilian) with a Common Access Card (CAC) may view the National Security Systems Restricted List.

A: SPRS uses algorithms to calculate three areas of risk. Supplier, Price, and Item.

• Supplier:
  • Quality and Delivery Performance: Quality and Delivery records within a Supply Code, and dated within 3-years, are used to calculate a numerical and color score indicating supplier ranking within that supply code.
  • Supplier Risk Score: The Supplier Risk Score considers 10 factors of performance information regardless of supply code, and uses the last three (3) years of recent and relevant data to calculate an overall Risk Score.
• Price: Price Risk determines whether a proposed price is consistent with historical prices paid for that item. SPRS calculates an “Expected Range” based on the population of historical prices for a particular item.
• Item: Item Risk is based on additional risks associated with employing an item or the increased risks associated with procuring an item which may result in safety issues, mission degradation, or monetary loss.

The SPRS Evaluation Criteria Manual details how each of these risk areas are calculated. Additional information can be found on the SPRS public page within the SPRS Reports buttons and within References link from the Menu.

A: SPRS provides contracting officials a score for the overall assessment of contracting officials can identify “riskier” suppliers and assess the likelihood of the non-fulfillment of terms of contract, unsuccessful performance, or delivery delays.

A: SPRS uses 10 factors of performance information to calculate Supplier Risk Scores. These factors are individually weighted (based on age and relative importance) and summed to produce a numerical and color score for every company which has performance data.

The SPRS Evaluation Criteria Manual details how each Supplier Risk Factor is calculated. Additional information about Supplier Risk can be found on the SPRS public page for Supplier Risk.

A: SPRS ranks the Supplier Risk scores by magnitude and assigns a color score to each supplier according to the SPRS 5-color scoring standard. The color score is a percentile ranking representing a normal statistical distribution.

The threshold values between colors can change each time the Supplier Engine is run. As a result, suppliers with numerical scores near the threshold values may have a change in color score without a corresponding change in numerical score.

The SPRS Evaluation Criteria Manual provides details on the Supplier Color Legend. Additional information about Supplier Risk can be found on the SPRS public page for Supplier Risk.

A: Users can submit a Challenge in the SPRS Summary Report Module. Instructions for submitting a Challenge are provided in the SPRS Software User’s Guide for Awardees/Contractors , Appendix D & Section 5.3.1

A: Contact the Defense Logistics Agency (DLA) WebSDR Help: 877.352.2255      dlacontactcenter@dla.mil. Or, create and submit a Post Award Request (PAR) through the DLA Internet Bid Board System (DIBBS) .

A: A “SPRS Cyber Vendor User” role is required for entering and editing CMMC and NIST SP 800-171 Assessment results in SPRS.

Select the Vendor user role when first establishing your PIEE profile. Then select the “SPRS Cyber Vendor User” role to allow you to enter/edit NIST SP 800-171 Assessment details. For detailed instructions refer to SPRS Access Cyber Reports guide.

A: An error messages that reads:

• Error: There are no Contractor Administrators in the system for the Location Code (CAGE code). Please verify that the Location Code entered is correct, or contact your eBusiness POC as listed in the System for Award Management (SAM) or the WAWF help desk to establish a group for the Location code…

This error indicates that there is currently no Contractor Account Administrator (CAM) associated with the CAGE. The CAM is the gatekeeper that authorizes users requesting access to your company. The CAM must be the Electronic Business point of contact listed in the System for Award Management (SAM) or their designee.

A CAGE must be registered in PIEE and a CAM established prior to requesting user roles in PIEE. If the only CAM for a CAGE requests SPRS access they must contact the PIEE Help Desk to request activation. PIEE Help Desk 866.618.5988.

Messages that state there are no groups in the system indicate that your CAGE code is not recognized by PIEE. Call the PIEE Help Desk to add your CAGE. PIEE Help Desk: 866.618.5988

For further information see PIEE’s Getting Started Help page.

A: Select “Vendor” for the PIEE user type to register for a “SPRS Cyber Vendor User” role or SPRS “Contractor/Vendor (Support Role)” in PIEE. If a “Security Awareness Training” date or DoDAAC are requested during registration “Vendor” was not selected as the user type.

Contact the PIEE Help Desk to update your registration,   866.618.5988 or     disa.global.servicedesk.mbx.eb-ticket-requests@mail.mil.

A: Location Code = CAGE code for vendors. If you don’t know your company CAGE refer to the CAGE Search and Inquiry page. Additional information about the Commercial and Government Entity (CAGE) program is available at, https://cage.dla.mil/Info/about.

A: A Department of Defense Activity Address Code (DoDAAC) is a six position code that uniquely identifies a Department of Defense unit, activity, or organization.

A DoDAAC is required for government officials to obtain SPRS access.

A DoDAAC is not required for private industry registering in PIEE.  Be sure to select “Vendor” as your user type when registering in PIEE.

A DoDAAC is not a required entry for CMMC or BASIC Confidence Level NIST SP 800-171 Assessment summary results.

A: SPRS imports CAGE information from Defense Logistics Agency (DLA) and System for Award Management (SAM). Review the SAM registrations of the missing CAGEs to confirm the correct immediate level owner and highest level owner information is listed. Update as required.

Ownership changes in SAM will typically flow to SPRS within 48hrs. For assistance updating Ownership information in SAM, refer to the Federal Service Desk (fsd.gov) Frequently Asked Question: How do I report a change in my entity’s ownership information?

For additional information click this link to FAR 52.204-17 Ownership or Control of Offeror.

A: There are two common possibilities: information is missing from the SAM CAGE registration(s) or the “SPRS Cyber Vendor User” role has not been selected/authorized in PIEE.

SPRS imports CAGE information from Defense Logistics Agency (DLA) and System for Award Management (SAM). Review the SAM registrations of the missing CAGEs to confirm the correct immediate level owner (ILO) and highest level owner (HLO) information is listed. Update as required.

A “SPRS Cyber Vendor User” role is a privileged role that allows the user to view, add, and edit assessments for that company’s entire hierarchy. Access instructions are available in the SPRS Access Cyber Reports.

If a “SPRS Cyber Vendor User” role is confirmed to be active in PIEE, company hierarchy structure confirmed to be accurate in SAM, and there are still questions, contact SPRS Customer Support, sprs-helpdesk@us.navy.mil, for additional assistance.

A: The “SPRS Cyber Vendor Role” user role is required to enter results into SPRS.

If a user has access to SPRS but is missing the “Add New CMMC Level 1 Self-Assessment” or the “Add New CMMC Level 2 Self-Assessment” button, the user does not have an active “SPRS Cyber Vendor Role”.

Entry instructions for CMMC can be found on the Cyber Reports (CMMC & NIST) page. Also in the following: CMMC Quick Entry Guide – Level 1 (Self), CMMC Quick Entry Guide – Level 2 (Self), and CMMC Level 1 Entry Tutorial.

Supplemental guidance, including the CMMC Level 1 Scoping Guide, CMMC Level 1 Self-Assessment Guide, CMMC Level 2 Scoping Guide, and the CMMC Level 2 Assessment Guide can be found at: https://dodcio.defense.gov/cmmc/Resources-Documentation/

If a “SPRS Cyber Vendor User” role is confirmed to be active but there are still buttons or functionality missing, it could be the internet browser.

Optimal browsers for best application performance: Google Chrome, Microsoft Edge or Mozilla Firefox. Confirm you are using the latest version.

A: Only certain CMMC Status Types can be edited. If available, click the pencil icon to edit an assessment.

For Level 1 Self-Assessments, CMMC Status Type “Incomplete” and “Pending Affirmation” are available for editing. If a mistake was made, delete the record and create a new assessment.

CMMC Status Type “No CMMC Status” and “Final Level 1 Self-Assessment” are not available for editing. If a mistake was made, delete the record and create a new assessment.

For Level 2 Self-Assessments, “Incomplete”, “Pending Affirmation”, “No CMMC Status”, and “CMMC L2 Conditional Self-Assessment” are available for editing.

If a mistake was made on a “CMMC L2 Final Self-Assessment”, the assessment can be Canceled. Use the “X” button in the Cancel/Delete column to cancel the assessment; the assessment will display as “(Retracted by Vendor)”.

A: Assessing Scope definitions for CMMC are:

• Enterprise - an organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance
• Enclave – a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter [NIST]

Questions related to technical interpretation of these CMMC Level 1 supplemental guidance documents may be directed to osd.pentagon.dod-cio.mbx.cmmc-inquiries@mail.mil . Do not submit questions requesting interpretation or modification of NIST source documents, which are outside the CMMC Program’s purview.

A: As defined in 32 CFR 170.4, the Affirming Official (AO) is the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the security requirements for their respective organizations. (CMMC-custom term)(§ 170.4)

A: It is likely that one or more of the CAGEs reported by the C3PAO are not in your SAM.gov hierarchy. Verify the accuracy of the CAGE data with SAM and the C3PAO.

A: The “SPRS Cyber Vendor Role” user role must be active.

If a user has access to SPRS but is missing the “Add New NIST Assessment” button, the user does not have an active “SPRS Cyber Vendor Role”.

Refer to the SPRS NIST SP 800-171 Quick Entry Guide and SPRS Cyber Vendor Entry Tutorial for detailed entry instructions.

If a “SPRS Cyber Vendor User” role is confirmed to be active but there are still buttons or functionality missing, it could be the internet browser.

Optimal browsers for best application performance: Google Chrome, Mozilla Firefox or Microsoft Edge. Confirm you are using the latest version.

A: For NIST SP 800-171 preparation information including the assessment methodology refer to the Defense Pricing and Contracting (DPC) Cyber page at Policy – Safeguarding Covered Defense Information and Cyber Incident Reporting.

For specific questions about conducting the assessment please contact your Program Office or Contracts representative or the Defense Contract Management Agency (DCMA) general mailbox, DCMA_7012_Assessment_Inquiry@mail.mil for assistance.

SPRS provides storage and retrieval for the NIST SP 800-171 assessment results only.

A: Users with an active “SPRS Cyber Vendor User” role have access to edit Basic confidence level NIST SP 800-171 assessment summary results for any CAGE within their company‘s hierarchy.

Click “Details” Button to open the Details View. Select the pencil icon within the far-left column to edit a record. The data entry form will open with the existing data populated. Make the necessary changes and select save.

The SPRS NIST SP 800-171 Quick Entry Guide and SPRS NIST SP 800-171 Vendor Entry Tutorial provide detailed instructions on how to enter and/or edit assessment summary results into the SPRS application.

A: The definitions associated with the Assessing Scope data choices are:

• Enterprise – Entire company’s network is under the CAGEs listed
• Enclave – Standalone under Enterprise CAGE as business unit (test enclave, hosted resources, etc.)
• Contract – Contract specific SSP review

For specific questions about interpreting these definitions please contact your Program Office or Contracts representative or the Defense Contract Management Agency (DCMA) general mailbox,    DCMA_7012_Assessment_Inquiry@mail.mil for assistance.

A: Before you enter SPRS you should have completed your NIST SP 800-171 assessment, identified your score, and completed a System Security Plan (SSP) for your company. Below are resources to support these tasks.

NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020. Page 12 is where the assessment score card begins. www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf

or

Small Businesses Project Spectrum: https://projectspectrum.io/#!/

SSP Guide & Template: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
(assist with creation of your company System Security Plan - required by the program)

For specific questions about conducting the assessment please contact your Program Office or Contracts representative or the Defense Contract Management Agency (DCMA) help desk,  DCMA_7012_Assessment_Inquiry@mail.mil for assistance.

NIST SP 800-171 assessment scores (cyber scores) are considered Controlled Unclassified Information (CUI) for federal government employees. SPRS data is UNCLASSIFIED for companies viewing their own information. Access is controlled by the company Contractor Account Administrator (CAM). Apply for SPRS access through the Procurement Integrated Enterprise Environment (PIEE). Access instructions available SPRS Access Cyber Reports.

If the cyber score of a subcontractor is required, contact them directly. SPRS reports are not releasable under the Freedom of Information Act (FOIA).

A: A “SPRS Cyber Vendor User” role is required for at least one CAGE within each Highest Level Owner (HLO) CAGE hierarchy. A “SPRS Cyber Vendor User” role is a privileged role that allows the user to view, add, and edit assessments for any CAGE in that hierarchy. There is no limit to the number of “SPRS Cyber Vendor User” roles a user may obtain. For access instructions see SPRS Access Cyber Reports.

A: The NIST SP 800-171 Assessments link in the menu on the SPRS web page is for government only. Only Government employees with the proper Public Key Infrastructure (PKI) access on their Common Access Card (CAC) can access NIST SP 800-171 Assessments through the menu link on the SPRS web page. All other users must access this data through the SPRS application.

Vendor access to the SPRS application is managed via the Department of Defense Procurement Integrated Enterprise Environment (PIEE). Users must register in PIEE and obtain a PIEE User role for access to SPRS.

To learn how to obtain a PIEE account and SPRS access, go to Access Instructions.

A: Government Users can view current CAGE Hierarchies in SPRS Enhanced Vendor Profile (EVP) module. Simply search by CAGE code and navigate to the CAGE Hierarchy tab. Any required corrections must be made by the vendor in System for Award Management (SAM).

A: Effective 15 JAN 2020, NMCI implemented a change to effectively disable hyperlinks in emails.
To resolve:

• Copy the URL from the email.
• Paste it into your browser address bar.
• Delete “noclick_” wherever it appears in the address.
• Verify the address and press enter.

To read more about this policy, please reference the NMCI User Awareness User Communication #20200115.

A: Microsoft Internet Explorer is no longer supported and may not show all buttons or have proper functionality.

Optimal browsers for best application performance: Google Chrome, Mozilla Firefox or Microsoft Edge.

A: Optimal browsers for best application performance: Google Chrome, Mozilla Firefox, or Microsoft Edge.

A: Browser and network performance may vary. For optimal performance select a maximum of 10 records to challenge at one time. If you continue to have difficulties, please email the helpdesk with your PIEE ID, the time the incident occurred, and a screenshot of the error message you received.