Complete Guide for SPRS


If your organization works with the Department of Defense (DoD) and handles Controlled Unclassified Information (CUI), you are required to submit a cybersecurity self-assessment score to the Supplier Performance Risk System, also known as SPRS. That score, derived from a structured evaluation of your NIST SP 800-171 & CMMC compliance, is no longer just a regulatory checkbox. Since Cybersecurity Maturity Model Certification (CMMC) enforcement began with the Title 48 CFR rule taking effect in November 2025, contracting officers have been actively reviewing SPRS scores as part of the contract award process.

In this guide, we'll explain what SPRS is, what a valid self-assessment must include, where organizations commonly go wrong, and how SSE helps defense contractors approach the process with accuracy and confidence.

What Is SPRS?

What the Supplier Performance Risk System Is

The Supplier Performance Risk System (SPRS) is a DoD web-based platform that consolidates supplier and product performance data to support procurement decisions. In the cybersecurity context, SPRS serves as the central repository for defense contractors to submit and store the results of their NIST SP 800-171 & CMMC assessments. Contracting officers use this data to evaluate a contractor's cybersecurity risk posture before awarding contracts involving CUI.

SPRS does not perform assessments; it only stores the results. The actual evaluation of your security program and environment happens before you log in to the system.

How SPRS Connects to NIST 800-171 & CMMC Requirements

Your SPRS score is a direct output of evaluating your organization against the 110 security controls defined in NIST SP 800-171 & CMMC Levels 1 and 2. These controls span 14 security domains, including Access Control, Incident Response, System and Communications Protection, and more, and they are specifically designed to protect CUI within non-federal systems.

The DoD Assessment Methodology assigns point values to each control based on the security impact of failing to meet it. Your compliance with each control determines your final score, which is then submitted to SPRS under DFARS clause 252.204-7019.

Why SPRS Scores Matter for Contractors

SPRS scores carry real consequences for contract eligibility and competitive standing. Since CMMC enforcement began with the Title 48 CFR taking effect on November 10, 2025, DoD contracting officials now consult SPRS scores during supplier risk evaluations, not as an advisory metric, but as an active factor in contract-award decisions.

Scores must be no more than three years old to remain valid. If a score is outdated or missing entirely, a contractor may be unable to compete for DoD contracts. Beyond initial eligibility, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is authorized under DFARS 252.204-7020 to audit and validate submitted scores. Submitting an inaccurate or inflated score exposes organizations to significant legal and financial risk under the False Claims Act.

Prime contractors are also increasingly setting minimum SPRS score thresholds for their subcontractors. A low or missing score can effectively rule your organization out of consideration before a formal evaluation even begins.

What Must Be Included in a Valid Self-Assessment and Submission to SPRS

Assessing All NIST 800-171 & CMMC Security Controls

A valid SPRS score and submission requires a thorough, control-by-control evaluation of your organization's information systems against all 110 requirements in NIST SP 800-171 & CMMC. For each control, you must determine whether it is:

  • Fully Implemented: The requirement is in place and functioning as intended
  • Partially Implemented: Some aspects of the control are addressed, but gaps exist
  • Not Implemented: The control has not been addressed

Partial implementation does not earn partial credit under the DoD Assessment Methodology. A control is either fully implemented or not, and the scoring reflects that distinction. Organizations should base their evaluation on a review of their System Security Plan (SSP), which documents how each control is applied within their covered information systems.

Calculating the Self-Assessment SPRS Score

The DoD Assessment Methodology assigns each of the 110 NIST SP 800-171 controls a weighted point value (1, 3, or 5) based on the control's security impact. The scoring works as follows:

  • A perfect SPRS score is 110, representing full implementation of all controls
  • You begin scoring from the perspective of a perfect 110 and subtract points for each control that is not fully implemented
  • There is no partial credit; a control either earns its full value or results in a deduction

Higher-weighted controls (3 or 5 points) reflect requirements that have a greater impact on protecting CUI. Failing to implement these carries a steeper penalty, and such gaps can no longer be carried forward as POAMs when pursuing CMMC certification. Organizations targeting CMMC Level 2 certification should aim for a score of 110, with a minimum of at least 88 required to achieve conditional certification status when progressing with a third-party assessment.
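As an added example (not code from this guide or from SSE), the following Python models the scoring rules above: a control earns its full weight only when every assessment objective is met, partial implementation is deducted in full, every deduction becomes a POAM item, and conditional certification eligibility follows the guide's summary (at least 88, no open 3- or 5-point controls). The control IDs, weights and SSP status are an illustrative subset constructed for this example; the full 110-control table must be loaded from the published DoD Assessment Methodology before real use.

```python
from dataclasses import dataclass

# Illustrative subset of NIST SP 800-171 controls with DoD Assessment
# Methodology weights (1, 3 or 5). Constructed for this example: load the
# full 110-control table from the published methodology for real use.
CONTROL_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1,
    "3.5.3": 5, "3.13.11": 5, "3.14.1": 5,
}
PERFECT_SCORE = 110
CONDITIONAL_MINIMUM = 88


@dataclass
class ScoreResult:
    score: int
    deductions: dict   # control id -> points deducted
    poam: list         # controls that must appear on the POAM


def control_fully_implemented(objectives: dict) -> bool:
    """A control counts only when every assessment objective is met.
    Anything less is treated as Not Implemented: no partial credit."""
    return bool(objectives) and all(objectives.values())


def score_assessment(ssp_status: dict, weights=CONTROL_WEIGHTS) -> ScoreResult:
    """Start from 110 and deduct each unmet control's full weight.
    ssp_status maps control id -> {objective label: met?} taken from the SSP;
    a control absent from the SSP is scored as Not Implemented."""
    deductions = {}
    for control, weight in weights.items():
        if not control_fully_implemented(ssp_status.get(control, {})):
            deductions[control] = weight
    return ScoreResult(PERFECT_SCORE - sum(deductions.values()),
                       deductions, sorted(deductions))


def conditional_certification_eligible(result: ScoreResult) -> bool:
    """Per the guide: at least 88, and no open 3- or 5-point controls,
    since those can no longer be carried forward as POAM items."""
    return (result.score >= CONDITIONAL_MINIMUM
            and all(points == 1 for points in result.deductions.values()))


# Constructed sample SSP status; objective labels follow NIST SP 800-171A style.
SAMPLE_SSP = {
    "3.1.1": {"a": True, "b": True, "c": True},
    "3.1.2": {"a": True, "b": True},
    "3.1.5": {"a": True, "b": True, "c": False},  # partial: full 3-point deduction
    "3.1.20": {"a": False},
    "3.5.3": {"a": True, "b": True, "c": True},
    "3.13.11": {"a": True},
    "3.14.1": {"a": True, "b": True},
}
```

Running `score_assessment(SAMPLE_SSP)` yields 106 with 3.1.5 and 3.1.20 on the POAM, and the open 3-point control makes the sample ineligible for conditional certification despite clearing 88.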

Required Documentation and Evidence

A self-assessment is only as credible as the documentation behind it. Your System Security Plan is the foundation that describes how your organization implements each security control, defines the scope of your covered information systems, and serves as the primary artifact reviewed during any government audit.

Beyond the SSP, organizations must maintain supporting evidence that validates their implementation claims. This documentation may also be requested during a Medium or High Assessment conducted by DoD or DIBCAC.

Policies, procedures, and technical evidence

Supporting artifacts vary by control family, but commonly include:

  • Written information security policies (e.g., access control policy, incident response policy)
  • Documented procedures that operationalize each policy
  • Network diagrams and system boundary documentation
  • User access logs and access control configurations
  • Vulnerability scan results and patch management records
  • Multi-factor authentication (MFA) configuration evidence
  • Audit log exports and monitoring configurations
  • Training completion records for security awareness programs
  • Encryption configurations for data at rest and in transit

The goal is to demonstrate that each implemented control is functioning as documented, not just described in the SSP as an intention. Note that artifacts and supporting evidence must be retained for six years.

Submitting the Score to SPRS

Once your assessment is complete and your score has been calculated, you must submit it to SPRS through the Procurement Integrated Enterprise Environment (PIEE). Access requires a registered account with the "SPRS Cyber Vendor User" role. Once logged in, contractors enter their assessment data directly in SPRS. Per DFARS 252.204-7020, the following information must be included:

  • The version of NIST SP 800-171 and/or CMMC Level against which the assessment was conducted
  • All CAGE codes associated with the assessed information systems
  • A brief description of the System Security Plan architecture, if multiple plans exist
  • The summary-level score
  • The date the assessment was conducted
  • The expected date all requirements will be fully implemented (i.e., when a score of 110 will be achieved if submitting a NIST 800-171 Assessment score)

Common Self-Assessment Challenges

Misinterpreting NIST 800-171 & CMMC Controls

NIST SP 800-171 & CMMC controls are written with precision, and small differences in language carry significant meaning. Organizations frequently misread the technical depth a control requires or apply an interpretation that is broader or narrower than the standard intends.

For example, "limiting system access to authorized users" involves much more than having login credentials. It encompasses role-based access control, least-privilege principles, and formal access provisioning and deprovisioning processes.

Misinterpretation leads to controls being marked as implemented when, under proper scrutiny, they are only partially met. This inflates the SPRS score and creates compliance risk if the organization is later audited.

Overestimating Control Implementation

One of the most common pitfalls in a self-assessment is marking controls as fully implemented without sufficient evidence to support that conclusion. Organizations often rely on general awareness that a security tool or policy exists, rather than confirming it is configured correctly and actively functioning within the scope of covered systems.

A firewall that is in place but not properly configured to enforce access restrictions, for instance, does not satisfy the corresponding control. If that claim is challenged during a government review, the discrepancy between the submitted score and actual implementation can result in serious legal and contractual consequences.

Lack of Documentation

Security practices that are not documented cannot be reliably verified; in the context of a DoD assessment, they may as well not exist. Many organizations operate with informal security processes that their teams follow consistently, but that are never captured in written policies, procedures, or technical records.

This gap becomes a significant liability during audits. A strong technical security posture can be undermined entirely by the absence of supporting documentation, because assessors evaluate implementation based on evidence, not good intentions.

Difficulty Translating Technical Security into SPRS Scoring

Many defense contractors have invested in cybersecurity tools and practices, but struggle to translate those real-world implementations into the specific language and scoring framework of the DoD Assessment Methodology. Security controls are evaluated against 320 individual assessment objectives, each with specific criteria that must be met for the control to count as fully implemented.

Without direct experience with this methodology, organizations often leave valid points on the table by failing to recognize which of their existing security requirements and practices satisfy specific objectives. The inverse is also true: some organizations assume coverage where none actually exists.

How SSE Helps Organizations Navigate Self-Assessments and Submissions to SPRS

As an accredited Registered Provider Organization (RPO) through The Cyber AB, SSE brings both the technical expertise and the regulatory knowledge needed to approach an SPRS self-assessment with confidence.

CMMC Gap Assessments

Before submitting a score, organizations need a clear picture of where they actually stand. SSE conducts structured Gap Assessments that evaluate your current environment against all 110 NIST SP 800-171 & CMMC security controls. This process establishes an accurate baseline by identifying which controls are fully implemented, partially addressed, or missing entirely before a score is calculated and submitted.

Rather than discovering compliance gaps after the fact, a Gap Assessment provides your organization with the information it needs to make informed decisions about your security posture and SPRS submission.

Gap Identification and Remediation Planning

Identifying a gap is only part of the work. SSE helps organizations prioritize remediation efforts based on both the impact of unmet controls and the resources required to address them. This includes developing a Plan of Action and Milestones (POAMs), a document required of any contractor whose score falls below 110, which outlines how and when each security gap will be resolved.

With a clear remediation roadmap, organizations can improve their SPRS score over time, reduce their risk profile, and demonstrate to the DoD that gaps are being actively addressed.

Documentation and Compliance Support

SSE assists contractors in creating or organizing the documentation that a valid SPRS self-assessment requires. This includes developing or refining the System Security Plan, drafting security policies and procedures, and compiling technical evidence artifacts that support implementation claims across each control family.

With SSE's templatized policy documentation and experienced team, contractors can build a documentation foundation that holds up under government scrutiny, not just at the time of submission, but through ongoing audits and contract performance.

Confidence in Submitted SPRS Scores

The stakes of an inaccurate SPRS score are significant. An inflated score can result in False Claims Act liability; an unnecessarily low score can cost your organization contracts it was otherwise positioned to win. SSE's involvement ensures the score you submit is accurate, fully supported by documentation, and aligned with how the DoD evaluates NIST 800-171 & CMMC compliance.

When your SPRS score is defensible, backed by evidence and reviewed by experts with direct experience in DoD cybersecurity requirements, you can submit with confidence rather than uncertainty.

Get Expert Help with Your Self-Assessment and Submission to SPRS

Accurately completing a NIST 800-171 or CMMC self-assessment and submission to SPRS requires a clear understanding of the DoD Assessment Methodology, thorough documentation, and an honest evaluation of your security environment. For many defense contractors, that is a significant undertaking, particularly alongside the day-to-day demands of running a business.

SSE works with defense contractors at every stage of the self-assessment and SPRS submission process, from readiness assessments and gap identification to documentation development and score validation. Our team has years of experience supporting organizations through NIST 800-171 & CMMC compliance, and we bring that experience directly to your self-assessment process.

Contact SSE today to start a conversation about where your organization stands and how we can help you move forward with confidence.

 
