As we previously discussed, the United States Department of Defense (“DoD”) recently published a new federal regulation that gives contracting officers significant flexibility and additional arrows in their quiver when it comes to enforcing supply chain security requirements as part of government contracts. This clause, DFARS 252.204-7024 (the “DFARS -7024 clause”), requires that contracting officers review and consider a variety of information from DoD’s Supplier Performance Risk System (“SPRS”) when making a contract award decision.
SPRS includes a wide range of information about contractors, including:
- past performance information (“CPARS information”),
- whether the goods supplied are suspected of being counterfeit,
- overall quality,
- whenever corrective action requests (“CARs”) were issued, and corrective action plans (“CAPs”),
- survey information from previous government customers,
- price confidence data, and
- an item risk report.
The goal of the -7024 clause is to give contracting officers the information they need to assess overall contract risk. The -7024 clause even allows contracting officers to “consider any other available and relevant information when evaluating a quotation or an offer”. Contracting officers can use this information to weigh the relative strengths and risks of given proposals and make awards that best meet DoD’s risk appetite for a given program or project.
One thing the -7024 clause does not permit contracting officers to do, however, is to impose minimum DoD Assessment Methodology scores (frequently referred to as “SPRS scores”, which can vary from -203 to 110), let alone perfect scores, for contractors submitting or associated with a proposal. In fact, doing so for contracts which do not involve the dissemination, collection, development, receipt, transmission, use, or storage (collectively “handling”) of Controlled Unclassified Information (“CUI”) by the contractor(s) is contrary to DFARS 252.204-7012 (referred to as the “DFARS -7012 clause”). This is because the DFARS -7012 clause is, by definition, only applicable when an information system owned, or operated by or for, a contractor handles covered defense information or other information as defined in the CUI registry (see the definitions of “covered contractor information system” and the related “covered defense information” definition, and how covered contractor information system is used in (b)(2)).
For contracts that do involve handling CUI by contractors, the imposition of minimum DoD Assessment Methodology scores by contracting officers is contrary to the DoD Memorandum to contracting officers issued June 16, 2022, which, in the second full paragraph on page 2, states:
Contractors must implement all of the NIST SP 800-171 requirements and have a plan of action and milestones (per NIST SP 800-171 Section 3.12.2) for each requirement not yet implemented. Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements.
Note that the memorandum reinforces the requirements in the DFARS -7012 clause, which are that the contractor implement all of the requirements in NIST SP 800-171 or have plans of action and milestones for each requirement not yet implemented.
Still further, DFARS 252.204-7019 (the “DFARS -7019 clause”), which is the basis for contractors reporting DoD Assessment Methodology scores to the SPRS system, merely requires that contractors submit scores. It does not permit contracting officers to establish minimum SPRS scores, let alone to require perfect SPRS scores.
Protecting our nation’s sensitive information is critical to our national security. However, contracting officers should be careful not to get too far ahead of the DoD’s own policies; otherwise they risk increasing the likelihood of bid protests that slow the contract award and delivery processes.