
SPRS and CMMC: How to Get a Current CMMC Status to Stay Eligible for DoD Contracts After November 2025

September 16, 2025

Author: Anna Fitzgerald, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Now that CMMC 2.0 rulemaking is officially complete, the CMMC phased rollout will begin on November 10, 2025. In this first phase, most new defense contracts will start requiring at least CMMC Level 1 and Level 2 self certification.

That means defense contractors must be able to demonstrate that they’re certified at the CMMC level required in their contracts—or risk becoming ineligible for awards. To do so, they must submit their self-assessment results, score, and executive affirmations of compliance to a system referred to as “SPRS” as soon as possible.

This guide explains exactly what the SPRS is and how it fits into the CMMC 2.0 program, what score you need for different certification levels, and how to submit your assessment information before the deadline to avoid delays in your CMMC certification. Let’s get started.

What is the Supplier Performance Risk System (SPRS)?

The Supplier Performance Risk System (SPRS) is a web-based application that the Department of Defense (DoD) uses to collect and evaluate supplier performance and risk data. It serves as a centralized database for critical information, including:

  • Supplier risk assessments and scores 
  • Supplier performance data, including on-time delivery scores
  • Cyber reports, including CMMC and NIST SP 800-171 self-assessment results 

SPRS was an existing DoD database before CMMC 2.0 was introduced, but the 32 CFR CMMC Program rule expanded the use of SPRS to include CMMC status, certification assessment scores, and affirmations. 

Let’s take a look at why SPRS is integral to CMMC 2.0 and the DoD’s expansive DIB cybersecurity improvement effort.


Why SPRS is key to CMMC 2.0

The purpose of CMMC 2.0 is to provide the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for adequately protecting sensitive unclassified information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 

The SPRS provides that assurance by offering a centralized view of contractor cybersecurity and performance data. 

This visibility benefits:

  • The DoD by enabling better decision-making and risk management in acquiring or maintaining relationships with vendors and suppliers that are capable of protecting sensitive unclassified information on their behalf. 
  • Contractors, subcontractors, and other members of the defense supply chain by ensuring their CMMC compliance is documented and visible. This helps them achieve and maintain eligibility for DoD contracts and foster trust with federal agencies, primes, and other stakeholders. 

To actually reap these benefits for the DoD and DIB, CMMC 2.0 introduced requirements for contractors and subcontractors to submit their CMMC self-assessments, scores, and/or affirmations of compliance to the SPRS. 

Let’s take a closer look at why and how these requirements were introduced under CMMC 2.0. 

If you’re new to CMMC 2.0, check out our on-demand webinar that explains what this framework requires, who it applies to, and how to get certified.

Are SPRS scores mandatory for CMMC 2.0 certification?

Short answer: yes. 

The longer answer is that organizations must have a current CMMC status (which is based on their assessment score and affirmation of compliance) in the SPRS to achieve CMMC 2.0 certification and be eligible for contract awards that contain CMMC requirements.

To understand why the SPRS is a mandated part of the CMMC 2.0 certification process, we must take a step back and understand the purpose of this program overhaul. 

CMMC 2.0 is not the first program to introduce cybersecurity requirements to the DIB. Since DFARS 252.204-7012 went into effect in 2017, contractors have been required to provide adequate security for covered defense information and to include this clause in subcontracts for which performance will involve this type of information or operationally critical support. However, because DFARS 7012 lacked a verification requirement, many defense contractors and subcontractors fell short in putting the required safeguards in place, which left the DoD exposed to cybersecurity risks and gaps that adversaries could exploit to siphon off sensitive military data.

CMMC 2.0 was designed to strengthen DFARS 7012 to address this widespread noncompliance across the DIB and improve national security. Specifically, the 48 CFR CMMC Acquisition rule introduced two new DFARS clauses to shift how the DoD would enforce CMMC 2.0 compliance:

  • DFARS 252.204-7019 requires contractors to perform a NIST SP 800-171 Basic self-assessment and submit their score to SPRS before award. It also requires SPRS scores to be updated at least every three years.
  • DFARS 252.204-7020 builds on 7019 by giving the DoD the right to validate a contractor’s self-assessment score through a Medium or High DoD-led assessment and requiring contractors to flow these requirements down to their subcontractors, which includes ensuring subcontractors have a current CMMC status in SPRS.

Together, these clauses shift CMMC 2.0 away from DFARS 7012’s “trust but verify later” approach to a “prove it before and during the contract” enforcement model—and SPRS is a key mechanism for this enforcement.


Are CMMC SPRS requirements in effect?

CMMC SPRS requirements will officially go into effect on November 10, 2025, sixty days after the 48 CFR CMMC Acquisition Rule was published in the Federal Register. Starting on this day, DoD contracting officers will be required to check SPRS and not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status posted in SPRS at the CMMC level required by the solicitation, or higher. 

Similarly, prime contractors must confirm subcontractors have a valid CMMC status in SPRS at the required level before awarding them subcontracts. However, primes don’t have to wait until November 10 to do so; they can start enforcing this at any time. Lockheed Martin, for example, started reaching out to suppliers that had not yet implemented CMMC controls back in June.

To get ahead of the CMMC deadline or requests from primes like Lockheed, members of the DIB can enter CMMC Level 1 and Level 2 self-assessment results into the SPRS now (as some have been doing since Level 1 became available in December 2024 and Level 2 in February 2025).

Submitting this information now ensures that Level 1 and non-critical Level 2 contractors and subcontractors are ready when CMMC enforcement begins. Starting in November and continuing throughout the phased rollout, DoD contracting officers will not award, extend, or renew a contract unless the contractor has both:

  • the passing results of a current self-assessment or certification assessment for the required CMMC level
  • an executive affirmation of continuous compliance with the security requirements in the SPRS

What this means for the DIB: To avoid disruption to existing contracts and remain eligible for new business, contractors, subcontractors, and other organizations in the DIB should take proactive steps now to complete their required assessments and enter results in SPRS before enforcement begins.

CMMC 2.0 Timeline with November 2025 enforcement deadline


What SPRS score is needed for CMMC 2.0 certification?

The answer to this question is likely an SPRS score of 110, which is needed for final CMMC Level 2 certification.

But the CMMC scoring methodology is more complicated than that answer makes it seem, and applies to all levels of certification. The more correct answer would be: the SPRS score or assessment result you need depends on the CMMC level and status you’re seeking. 

First, let’s make sure we understand how the CMMC scoring methodology works. As described in 32 CFR § 170.24, each security requirement evaluated during a CMMC assessment (no matter what type or level required) results in one of three possible findings:

  • MET: All applicable objectives for the security requirement are satisfied based on evidence.
  • NOT MET: One or more applicable objectives for the security requirement is not satisfied.
  • NOT APPLICABLE (N/A): A security requirement and/or objective does not apply at the time of the CMMC assessment.

Level 2 and Level 3 scoring are both based on the number of MET and NOT MET requirements, but the values assigned to each requirement and the maximum scores differ. Level 1 scoring is different altogether.

Let’s take a closer look at the CMMC scoring methodology for each level below.

You can also explore the requirements for each CMMC level and how they count toward your SPRS score in the Requirement Explorer tool on CMMC.com.

CMMC Level 1

CMMC Level 1 contractors and subcontractors must fully implement all 15 security requirements set forth in 48 CFR 52.204-21(b)(1)(i) through (xv). None of these 15 requirements can be unmet and included on a Plan of Action and Milestones (POA&M) to be remediated after the initial assessment. 

Because all 15 requirements must be implemented in full, Level 1 self-assessment results are scored as MET or NOT MET in their entirety, not with a numerical value. That’s why there is no score column for Level 1 in the Requirement Explorer tool.

Think of Level 1 as a pass/fail system whereas Levels 2 and 3 are more like scored systems.

CMMC Level 2

Unlike Level 1, CMMC Level 2 contractors and subcontractors receive a numerical score and can have some NOT MET requirements on a POA&M. 

Here’s how the scoring methodology for this level works: CMMC Level 2 scoring ranges from -203 to 110. Why the negative number instead of zero? Because each MET requirement does not equal one point; instead, each of the 110 NIST 800-171 requirements is assigned a value of one (1), three (3), or five (5) points. 

These assigned values reflect the potential adverse effect of NOT meeting the requirement:

  • 5 points if it could lead to significant exploitation of the network or exfiltration of CUI
  • 3 points if it would have a specific and confined effect on the security of the network and its data,
  • 1 point if it would have a limited or indirect effect on the security of the network and its data.

Here’s a look at how some Level 2 requirements in the same control family (AC) are scored differently:

Image source: CMMC.com Requirement Explorer

So, before their Level 2 assessment details are entered (into SPRS by the organization itself, or into eMASS by its C3PAO), organizations start with the lowest score possible, -203. For every requirement that achieves a finding of MET, they earn one, three, or five points, up to a maximum score of 110. For every requirement that is NOT MET, one, three, or five points stay subtracted from their total score, which may ultimately result in a negative score.

The maximum score, 110, indicates full compliance with NIST SP 800-171 requirements, meaning each requirement was assessed as MET or NOT APPLICABLE. It is the only score that will result in a Final Level 2 (Self) or Final Level 2 (C3PAO) CMMC status.

If an organization falls short of the maximum score, it can still achieve a conditional CMMC status if it:

  • achieves a score no lower than 88 (or 0.8)
  • documents any unmet requirements in a POA&M
  • does not include any of the requirements listed in 32 CFR 170.21(a)(2)(iii) in the POA&M

Any deviations identified in the POA&M must be remediated promptly no later than six months after their Conditional Level 2 (Self) or Conditional Level 2 (C3PAO) status was issued to achieve final Level 2 certification.

Bottom line: An organization with an SPRS score lower than 110 can still demonstrate a strong security posture through its System Security Plan (SSP), POA&M, and compliance documentation and be eligible for contract award. However, this score is designed to aid the DoD in gauging risk and awarding contracts. So the closer an organization is to 110, the better positioned they will be to win DoD contracts.

CMMC Level 3

Like Level 2, CMMC Level 3 contractors and subcontractors receive a numerical score and can have some NOT MET requirements on a POA&M.

But, unlike Level 2, CMMC Level 3 does not use varied scoring. Each MET requirement equals one point and each requirement assessed as NOT MET is one point subtracted from the total score. 

Image source: CMMC.com Requirement Explorer

Level 3 requirements are based on a subset of 24 NIST SP 800-172 requirements. Organizations must implement all 24 to achieve a maximum score and CMMC status of Final Level 3 (DIBCAC). 

If an organization falls short of the maximum score, it can still achieve a Conditional Level 3 (DIBCAC) status if it:

  • Implements at least 20 of the 24 requirements from NIST 800-172, achieving a score no lower than 80% (or 0.8)
  • documents any unmet requirements in a POA&M
  • does not include any of the requirements listed in 32 CFR 170.21(a)(3)(ii) in the POA&M

As with Level 2, any items in the POA&M must be remediated no later than six months after their conditional status was issued to achieve final Level 3 (DIBCAC) certification.

It’s also important to note that an organization is only eligible to initiate a Level 3 certification assessment once they have achieved a maximum score on the Level 2 certification assessment. 

Plan of Action & Milestones (POA&M) Template

The POA&M is a strategic document used to identify and track the actions required to address gaps in your organization’s controls that were identified during an internal or third-party assessment. Use this template to demonstrate ongoing efforts to achieve and maintain CMMC compliance to third-party assessors.

How to enter a CMMC self-assessment into the SPRS

If you’re ready to enter CMMC Level 1 or 2 Self-Assessment reports in the SPRS, follow the steps below to understand exactly how to do it.

To access the SPRS, you first need access to the Procurement Integrated Enterprise Environment (PIEE) portal. If you don’t, follow step 1A. If you do, skip to step 1B. 

Step 1A (If you are a new PIEE user): Register as a PIEE user & add the “SPRS Cyber Vendor User” role

  • To start, navigate to the PIEE portal and click “New User.” You’ll have to complete all the steps in the PIEE’s Vendors - Getting Started Help guide here, including:
  • Register with the System for Award Management (SAM) to get a Unique Entity ID. Here’s a checklist with more info about the process.
  • During this process, you will also be assigned a Commercial and Government Entity (CAGE) code if one doesn't already exist. 
  • Contact the PIEE Help Desk to supply your CAGE code and company name to have them set up your vendor group with your CAGE code.
  • Designate a Contractor Administrator (CAM) to act as the “gate keeper” to control user access for the company. 
  • Have the CAM Self-Register in PIEE.
  • After reviewing and completing these preliminary steps, click “Register.”
  • Read the Privacy Statement and click “Agree.”
  • Select user type “Vendor.”
  • Select an authentication method.
  • Complete “User Profile” and “Supervisor / Agency” information.
  • Select “SPRS – Supplier Performance Risk System” from the Application list.
  • Select “SPRS Cyber Vendor User” role from the User Roles list and click “Add Roles.”

Step 1B (If you are an existing PIEE user): Access the SPRS through the PIEE

  • To start, navigate to the PIEE portal and click “Log In.” 
  • Select SPRS.
  • Click on the Cyber Reports link in the SPRS navigation menu.

Step 2: Select company hierarchy

  • Use the drop-down menu to select your company’s hierarchy. The CAGE codes associated with your profile will appear.
  • Select the appropriate CAGE and hierarchy combination and click “Run Cyber Reports.”

Step 3: Add a New CMMC Level 1 or 2 Self-Assessment

  • Navigate to the CMMC Assessments tab.
  • Click the “Add New CMMC Level 1 Self-Assessment” or “Add New CMMC Level 2 Self-Assessment” button. Note: Only users with the privileged role of SPRS Cyber Vendor User will be able to see this button.

Step 4: Enter CMMC Assessment Details

For Level 1 self-assessments:

  • Enter the Assessment Date in the MM/DD/YYYY format.
  • Select the Assessing Scope: “Enterprise” or “Enclave.” Enterprise refers to an organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. Enclave refers to a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter (NIST).
  • Provide the total number of employees applicable to this assessment.
  • Select “Yes” to confirm compliance with security requirements for FAR clause 52.204-21.
  • Use the Open CAGE Hierarchy button to add relevant CAGE codes. You can also paste a comma-delimited list of codes.
  • Click the “Continue to Affirmation” button.

For Level 2 self-assessments:

  • Check off Met, Not Met, or N/A for all NIST 800-171 Revision 2 requirements. These are organized by control family, so you’ll start with Access Control (AC). Once you’ve selected the applicable compliance status for all requirements in the AC family, select Save and Continue and repeat for all families.
  • All requirements must be answered before continuing to the next section, where you’ll add the Assessing Scope, Employee Count, and CAGE codes as you would for a Level 1 self-assessment.
  • Click the “Save and Continue” button.
  • Your final score and CMMC status will appear. If you see a CMMC L2 Conditional (score = 88 to 109) or Final Self-Assessment (score = 110), click the “Continue to Affirmation” button.
  • If your score is below 88 or a requirement you checked off as “Not Met” is not able to be subject to a POA&M, then you won’t be able to continue to the next screen.

Step 5: Confirm or transfer to Affirming Official (AO)

  • If you are the AO, select “Continue to Affirmation” to proceed.
  • If you’re not the AO, enter the AO’s email address and select “Transfer to AO.”

Step 6: Affirm the Assessment

  • Review the assessment details, confirm that you have reviewed the affirmation statement, and select “Affirm.” This will generate a report with a CMMC Status Type. If the AO selected “Yes” for compliance with the requirements specified in Step 4, then they will see a CMMC Status Type of "Final Level 1 Self-Assessment" or "CMMC L2 Final Self-Assessment."
  • Edit or delete the assessment (or previous ones) as needed.

Below are all the potential CMMC Status Types you may see for Level 1:

  • Final Level 1 Self-Assessment: Indicates compliance.
  • Pending Affirmation: Awaiting AO approval.
  • Incomplete: Assessment information only partially completed.
  • No CMMC Status: Your “Final Level 1 Self-Assessment” is expired.

Below are all the potential CMMC Status Types you may see for Level 2:

  • CMMC L2 Final Self-Assessment: Your score was 110, meaning you met all CMMC Level 2 self-assessment requirements. This status, with annual affirmations verifying compliance, is valid for 3 years.
  • CMMC L2 Conditional Self-Assessment: Your score fell between 88 and 109, meaning you met most but not all CMMC Level 2 self-assessment requirements. This status is valid for 180 days.
  • Pending Affirmation: Awaiting AO approval.
  • Incomplete: Assessment information only partially completed.
  • No CMMC Status: Your “CMMC L2 Final Self-Assessment” is expired or there is a requirement marked “Not Met” that is not able to be subject to a POA&M.

Who can see your SPRS score and CMMC status?

Only you and the DoD can see your CMMC certificate or CMMC self-assessment information (including your assessment score) in SPRS.

In that case, how are prime contractors expected to monitor and verify CMMC adherence among their subcontractors? This was the focus of several comments raised in the 48 CFR rulemaking process. In the final rule published in the Federal Register on September 10, 2025, the DoD responded that:

“Contractors will only be able to access their own CMMC certificate or CMMC self-assessment information. DoD does not have a tool that would allow sharing of subcontractor information with prime contractors electronically. Prime contractors are expected to work with their suppliers to conduct verifications as they would for any other clause requirement that flows down to subcontractors.”

The response did note that SPRS will allow subcontractors to print or take a screenshot of their own CMMC status and affirmation information in SPRS and share with their primes if they choose. Subcontractors will also be able to voluntarily provide copies of their CMMC certification for Level 2 (C3PAO) and CMMC Level 3 (DIBCAC). 

Whether they do so is up to the subcontractor and prime—the DoD is not dictating that they must share screenshots or certificates or any specific method for sharing this subcontractor information. 

How Secureframe can help you get a valid CMMC Level 1 and 2 status in the SPRS

An October 2024 study conducted by Merrill Research and commissioned by CyberSheath revealed that defense contractors still had a long way to go in their compliance readiness process. The average Supplier Performance Risk System (SPRS) score among respondents stood at a concerning -12, far below the required score of 110 to meet CMMC standards. Even more alarming, just 4% of defense contractors said they were fully prepared for certification.

While CMMC readiness has improved in the 12 months since, with 270 organizations already having received final Level 2 certification in August 2025, readiness gaps persist in 2025. 

With CMMC enforcement starting in November, a compliance automation tool like Secureframe can help close those gaps. 
Whether you need to complete a Level 1 or Level 2 self-assessment—or work with a C3PAO for Level 2 certification—Secureframe helps you get there faster and stay compliant with:

  • Live SPRS score tracking: See how your implementation status translates into a live SPRS score—mapped directly to the 110 NIST 800-171 requirements. Quickly spot what’s missing and close gaps before they cost you a contract.
  • Control-by-control implementation tracking: View the status of all 110 Level 2 controls and 320 assessment objectives, with a detailed breakdown of evidence, attachments, comments, and POA&Ms for each objective.
  • SSP and POA&M automation: Automatically generate parts of your System Security Plan with control, policy, and vendor data from your Secureframe instance and link POA&M items to any unmet requirements in your SSP. Assign remediation owners, track due dates, and prove progress across your entire environment—all in one place.
  • Automated evidence collection from federal systems: Connect to AWS GovCloud, Azure Government, Microsoft GCC High, and over 300 tools to automatically collect and validate evidence. Stay audit-ready with real-time monitoring.
  • Expert guidance: Federal compliance experts that have former CMMC audit experience and first-hand experience preparing for and undergoing a CMMC 2.0 Level 2 assessment can help you navigate CMMC 2.0 requirements—before, during, and after assessments.

With Secureframe, you’ll save time, reduce costs, and maintain continuous CMMC compliance. Schedule a demo today to see how we can help your organization succeed.

This post was originally published in January 2025 and has been updated for accuracy and comprehensiveness based on updates across the CMMC ecosystem, like the CyberAB's August Town Hall and publication of final 48 CFR rule.


FAQs

Why is SPRS relevant for CMMC?

SPRS is the designated system for reporting CMMC assessment results and executive affirmations of compliance, a requirement for CMMC certification.

What is the CMMC score for the SPRS?

The CMMC score in SPRS reflects your compliance with FAR 52.204-21 requirements for Level 1, NIST SP 800-171 requirements for Level 2, and NIST SP 800-172 for Level 3. 

  • The score for Level 1 is not numerical—it’s either MET if all 15 requirements are fully implemented or NOT MET if any aren’t fully implemented.
  • The maximum score for Level 2 is 110, indicating full compliance with the 110 NIST SP 800-171 requirements. A minimum score of 88 (up to 109) is required for conditional Level 2 status.
  • The maximum SPRS score for Level 3 is 24, indicating full compliance with the NIST 800-172 requirements. 0.8 or 80% (i.e., meeting at least 20 of 24 requirements) is the minimum SPRS score for conditional Level 3 status. Note that organizations must achieve an SPRS score of 110 and final Level 2 status to be eligible for Level 3.

How do you calculate your SPRS score?

You can calculate your SPRS score for CMMC Level 2 based on your implementation of the 110 NIST SP 800-171 security requirements. Each requirement is assigned a weighted value of 1, 3, or 5 points, depending on the severity of the risk if the control is not implemented. You start with a baseline score of -203, and gain points for each requirement that is marked MET. Your final SPRS score can range from -203 to 110, with 110 indicating full compliance.

What is a good SPRS score?

While 110 is the maximum SPRS score for Level 2 and 24 is the maximum for Level 3, a score below this can be acceptable if each unmet requirement has a corresponding POA&M and remediation plans are in place. POA&Ms must be remediated within six months from the date of issue.

What CMMC Status Type could you see after submitting your CMMC self-assessment in the SPRS?

Below are all the potential CMMC Status Types your CMMC self-assessment may receive:

  • CMMC L2 Final Self-Assessment: Indicates compliance with all 110 CMMC Level 2 self-assessment requirements.
  • CMMC L2 Conditional Self-Assessment: Indicates a score of 88 to 109, meaning most but not all CMMC Level 2 self-assessment requirements were met.
  • Final Level 1 Self-Assessment: Indicates compliance with Level 1 self-assessment requirements.
  • Pending Affirmation: Awaiting AO approval.
  • Incomplete: Assessment information only partially completed.
  • No CMMC Status: Your previous self-assessment report is expired.