For organizations pursuing CMMC Level 1 and non-critical Level 2 compliance, understanding Supplier Performance Risk System (SPRS) reporting requirements is crucial to meeting Department of Defense (DoD) requirements.

Whether you're new to CMMC or an expert seeking a simple tutorial to enter your assessment into the SPRS, this guide has you covered.

Below, we’ll walk you through what SPRS is, how it relates to CMMC, and provide a step-by-step guide for entering your assessments.

What is the Supplier Performance Risk System (SPRS)?

The Supplier Performance Risk System (SPRS) is a web-based app used by the DoD to submit for and evaluate supplier performance and risk. It serves as a centralized database for critical information, including:

• Supplier risk assessments and scores
• Supplier performance data, including on-time delivery scores
• Cyber reports, including CMMC and NIST SP 800-171 self-assessment results

SPRS is integral to the DoD’s efforts to ensure that contractors and subcontractors meet stringent cybersecurity requirements protecting sensitive unclassified information.

It not only benefits the Department of Defense by providing a centralized view of contractor cybersecurity and performance data, enabling better decision-making and risk management in acquiring or maintaining relationships with vendors and suppliers, but SPRS also benefits contractors and subcontractors by ensuring their compliance is documented and visible. This helps them achieve and maintain eligibility for DoD contracts and foster trust with federal agencies. 

CMMC requirements related to the SPRS

The purpose of CMMC 2.0 is to provide the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for adequately protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

To provide DoD with that assurance, CMMC stipulates certain requirements for reporting:

• Level 1 and some Level 2 contractors that manage CUI that is not critical to national security must submit their self-assessments and affirmations of compliance by a senior official (also known as the Affirming Official) in the SPSR themselves.
• Level 2 contractors that manage CUI that is critical to national security are required to undergo an assessment conducted by a certified Third-Party Assessment Organization (C3PAO) triennially. The C3PAO will enter the assessment information electronically into the CMMC Enterprise Mission Assurance Support Service (eMASS), which will electronically transmit the assessment results into the SPRS. The Affirming Official (AO) must affirm continuing compliance with the specified security requirements after every assessment and annually thereafter. These affirmations must be entered electronically in SPRS. 
• The same process above applies to Level 3 contractors, except they must undergo government-led assessments so the DoD assessor will enter their assessment information into eMASS.

Additionally, according to DFARS clause 252.204-7020, contractors are required to confirm their subcontractors have SPRS scores on file prior to awarding them contracts.

Are CMMC SPRS requirements in effect?

While the 48 CFR CMMC Acquisition Rule is still under final review following its submission to the Office of Management and Budget (OMB) on July 22, 2025, CMMC certification will likely be required for most new contracts starting at the end of 2025.

In preparation, members of the Defense Industrial Base (DIB) can already enter CMMC Level 1 and Level 2 self-assessment results into the SPRS.

Submitting this information now ensures that Level 1 and non-critical Level 2 contractors are ready when CMMC enforcement begins. Once the 48 CFR rule is finalized, DoD contracting officers will not award, extend, or renew a contract unless the contractor has both:

• the passing results of a current certification assessment or self-assessment for the required CMMC level
• an affirmation of continuous compliance with the security requirements in the SPRS

To avoid disruption to existing contracts and remain eligible for new business, contractors should take proactive steps now to complete their required assessments and enter results in SPRS before enforcement begins.

How to enter a CMMC self-assessment into the SPRS

If you’re ready to enter CMMC Level 1 or 2 Self-Assessment reports in the SPRS, follow the steps below to understand exactly how to do it.

To access the SPRS, you first need access to the Procurement Integrated Enterprise Environment (PIEE) portal. If you don’t, follow step 1A. If you do, skip to step 1B. 

Step 1A (If you are a new PIEE user): Register as PIEE user & add “SPRS Cyber Vendor User” role

• To start, navigate to the PIEE portal and click “New User.” You’ll have to complete all the steps in the PIEE’s Vendors - Getting Started Help guide here, including:
• Register with the System for Award Management (SAM) to get a Unique Entity ID. Here’s a checklist with more info about the process.
• During this process, you will also be assigned a Commercial and Government Entity (CAGE) code if one doesn't already exist. 
• Contact the PIEE Help Desk to supply your CAGE code and company name to have them set up your vendor group with your CAGE code.
• Designate a Contractor Administrator (CAM) to act as the “gate keeper” to control user access for the company. 
• Have the CAM Self-Register in PIEE.
• After reviewing and completing these preliminary steps, click “Register.”
• Read the Privacy Statement and click “Agree.”
• Select user type “Vendor.”
• Select authentication method
• Complete “User Profile” and “Supervisor / Agency” information.
• Select “SPRS – Supplier Performance Risk System” from Application list
• Select “SPRS Cyber Vendor User” role from the User Roles list and click “Add Roles.”

Step 1B (If you are an existing PIEE user): Access the SPRS though the PIEE

• To start, navigate to the PIEE portal and click “Log In.” 
• Select SPRS.
• Click on the Cyber Reports link in the SPRS navigation menu.

Step 2: Select company hierarchy

• Use the drop-down menu to select your company’s hierarchy. The CAGE codes associated with your profile will appear.
• Select the appropriate CAGE and hierarchy combination and click “Run Cyber Reports.”

Step 3: Add a New CMMC Level 1 or 2 Self-Assessment

• Navigate to the CMMC Assessments tab.
• Click the “Add New CMMC Level 1 Self-Assessment” or “Add New CMMC Level 2 Self-Assessment” button. Note: Only users with the privileged role of SPRS Cyber Vendor User will be able to see this button.

Step 4: Enter CMMC Assessment Details

• Enter the Assessment Date in the MM/DD/YYYY format.
• Select the Scope: “Enterprise” or “Enclave.” : Enterprise refers to an organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. Enclave refers to a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter (NIST).
• Provide the total number of employees applicable to this assessment.
• Confirm compliance with FAR clause 52.204-21 or NIST 800-171 Revision 2 requirements and mandatory CMMC requirements for Level 1 or Level 2, respectively.
• Use the Open CAGE Hierarchy button to add relevant CAGE codes. You can also paste a comma-delimited list of codes.
• Click the “Continue to Affirmation” button.

Step 5: Confirm or transfer to Affirming Official (AO)

• If you are the AO, select “Continue to Affirmation” to proceed.
• If you’re not the AO, enter the AO’s email address and select “Transfer to AO.”

Step 6: Affirm the Assessment

• Review the assessment details, confirm that you have reviewed the affirmation statement, and select “Affirm.” This will generate a report with a CMMC Status Type. If the AO selected “Yes” for compliance with the requirements specified in Step 4, then they will see a CMMC Status Type of "Final Level 1 Self-Assessment" or "CMMC L2 Final Self-Assessment."
• Edit or delete the assessment (or previous ones) as needed.

Below are all the potential CMMC Status Types you may see for Level 1:

• Final Level 1 Self-Assessment: Indicates compliance.
• Pending Affirmation: Awaiting AO approval.
• Incomplete: Assessment information only partially completed.
• No CMMC Status: Your “Final Level 1 Self-Assessment” is expired.

Below are all the potential CMMC Status Types you may see for Level 2:

• CMMC L2 Final Self-Assessment: Your score was 110, meaning you met all CMMC Level 2 self-assessment requirements. This status, with annual affirmations verifying compliance, is valid for 3 years.
• CMMC L2 Conditional Self-Assessment: Your score fell between 88 to 109, meaning you met most but not all CMMC Level 2 self-assessment requirements. This status is valid for 180 days.
• Pending Affirmation: Awaiting AO approval.
• Incomplete: Assessment information only partially completed.
• No CMMC Status: Your “CMMC L2 Final Self-Assessment” is expired.