Now that CMMC 2.0 rulemaking is officially complete, the CMMC phased rollout will begin on November 10, 2025. In this first phase, most new defense contracts will start requiring at least CMMC Level 1 and Level 2 self certification.

That means defense contractors must be able to demonstrate that they’re certified at the CMMC level required in their contracts—or risk becoming ineligible for awards. To do so, they must submit their self-assessment results, score, and executive affirmations of compliance to a system referred to as “SPRS” as soon as possible.

This guide explains exactly what the SPRS is and how it fits into the CMMC 2.0 program, what score you need for different certification levels, and how to submit your assessment information before the deadline to avoid delays in your CMMC certification. Let’s get started.

What is the Supplier Performance Risk System (SPRS)?

The Supplier Performance Risk System (SPRS) is a web-based app used by the Department of Defense (DoD) to submit for and evaluate supplier performance and risk. It serves as a centralized database for critical information, including:

• Supplier risk assessments and scores 
• Supplier performance data, including on-time delivery scores
• Cyber reports, including CMMC and NIST SP 800-171 self-assessment results 

SPRS was an existing DoD database before CMMC 2.0 was introduced, but the 32 CFR CMMC Program rule expanded the use of SPRS to include CMMC status, certification assessment scores, and affirmations. 

Let’s take a look at why SPRS is integral to CMMC 2.0 and the DoD’s expansive DIB cybersecurity improvement effort.

Why SPRS is key to CMMC 2.0

The purpose of CMMC 2.0 is to provide the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for adequately protecting sensitive unclassified information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). 

The SPRS provides that assurance by offering a centralized view of contractor cybersecurity and performance data. 

This visibility benefits:

• The DoD by enabling better decision-making and risk management in acquiring or maintaining relationships with vendors and suppliers that are capable of protecting sensitive unclassified information on their behalf. 
• Contractors, subcontractors, and other members of the defense supply chain by ensuring their CMMC compliance is documented and visible. This helps them achieve and maintain eligibility for DoD contracts and foster trust with federal agencies, primes, and other stakeholders. 

To actually reap these benefits for the DoD and DIB, CMMC 2.0 introduced requirements for contractors and subcontractors to submit their CMMC self-assessments, scores, and/or affirmations of compliance to the SPRS. 

Let’s take a closer look at why and how these requirements were introduced under CMMC 2.0. 

If you’re new to CMMC 2.0, check out our on-demand webinar that explains what this framework requires, who it applies to, and how to get certified.

Are SPRS scores mandatory for CMMC 2.0 certification?

Short answer: yes. 

The longer answer is that organizations must have a current CMMC status—which is based on its assessment score and affirmation of compliance—in the SPRS to achieve CMMC 2.0 certification and be eligible for contract awards that contain CMMC requirements.

To understand why the SPRS is a mandated part of the CMMC 2.0 certification process, we must take a step back and understand the purpose of this program overhaul. 

CMMC 2.0 is not the first program to introduce cybersecurity requirements to the DIB. Since DFARS 252.204-7012 went into effect in 2017, contractors have been required to provide adequate security for covered defense information and to include this clause in subcontracts for which performance will involve this type of information or operationally critical support. However, because DFARS 7012 lacked a verification requirement, many defense contractors and subcontractors fell short in putting the required safeguards in place, which left the DoD exposed to cybersecurity risks and gaps that adversaries could exploit to siphon off sensitive military data.

CMMC 2.0 was designed to strengthen DFARS 7012 to address this widespread noncompliance across the DIB and improve national security. Specifically, the 48 CFR CMMC Acquisition rule introduced two new DFARS clauses to shift how the DoD would enforce CMMC 2.0 compliance:

• DFARS 252.204-7019 requires contractors to perform a NIST SP 800-171 Basic self-assessment and submit their score to SPRS before award. It also requires SPRS scores to be updated at least every three years.
• DFARS 252.204-7020 builds on 7019 by giving the DoD the right to validate a contractor’s self-assessment score through a Medium or High DoD-led assessment and requiring contractors to flow these requirements down to their subcontractors, which includes ensuring subcontractors have a current CMMC status in SPRS.

Together, these clauses shift CMMC 2.0 away from DFARS 7012’s “trust but verify later” approach to a “prove it before and during the contract” enforcement model—and SPRS is a key mechanism for this enforcement.

SPRS requirements for each CMMC 2.0 level

CMMC 2.0 stipulates different requirements for SPRS reporting for different levels and assessment types:

CMMC Level 1 (Self)

All Level 1 contractors and subcontractors that manage FCI are required to complete a self-assessment annually.

They must submit these self-assessment results and affirmations of compliance by a senior official (also known as the Affirming Official) in the SPRS themselves. They must do so annually to maintain their CMMC status in the SPRS.

When submitting the Level 1 self-assessment results in the SPRS, they must include, at minimum:

• CMMC Level.
• CMMC Status Date.
• CMMC Assessment Scope.
• All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.
• Compliance result.

CMMC Level 2 (Self)

Some Level 2 contractors and subcontractors that manage CUI that is not critical to national security will be required to complete a self-assessment annually, rather than a triennial third-party assessment.

Like Level 1, they must submit their self-assessment results and affirmations of compliance by an Affirming Official (AO) in the SPRS themselves and they must do so annually to maintain their CMMC status in the SPRS.

When submitting the Level 2 self-assessment results in the SPRS, they must include all the same information as Level 1 at a minimum—with two exceptions. Rather than “Compliance Result,” they must include:

• Overall Level 2 self-assessment score (out of 110).
• POA&M usage and compliance status, if applicable (e.g., if score between 88-109).

We’ll discuss scoring in more detail later.

CMMC Level 2 (C3PAO)

Level 2 contractors and subcontractors that manage CUI that is critical to national security are required to undergo an assessment conducted by a certified Third-Party Assessment Organization (C3PAO) triennially. 

The C3PAO will enter the assessment information electronically into the CMMC Enterprise Mission Assurance Support Service (eMASS), which will electronically transmit the assessment results into the SPRS. The minimum inputs into eMass are specified in 32 CFR here, but we won’t go into detail here since contractors don’t have to input this information themselves.

The Affirming Official (AO) must affirm continuing compliance with the specified security requirements after every assessment and annually thereafter. These affirmations must be entered electronically in SPRS. 

CMMC Level 3 (DIBCAC)

The same process for Level 2 (C3PAO) applies to Level 3 contractors, except they must undergo government-led (DIBCAC) assessments so the DoD assessor will enter their assessment information into eMASS, which will then be electronically transmitted into the SPRS. The minimum inputs into eMass are specified in 32 CFR here, but we won’t go into detail here since contractors don’t have to input this information themselves.

An AO must also submit an annual affirmation of compliance in SPRS for Level 3. 

Note that this level is unlikely to apply to subcontractors, although primes do have the discretion to flow down Level 3 requirements if the information they flow down requires that level of protection.

Are CMMC SPRS requirements in effect?

CMMC SPRS requirements will officially go into effect on November 10, 2025, sixty days after the 48 CFR CMMC Acquisition Rule was published in the Federal Register. Starting on this day, DoD contracting officers will be required to check SPRS and not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status posted in SPRS at the CMMC level required by the solicitation, or higher. 

Similarly, prime contractors must confirm subcontractors have a valid CMMC status in SPRS at the required level before awarding them subcontracts. However, primes don’t have to wait until November 10 to do so—they can start enforcing this at any time. Lockheed Martin, for example, started reaching out to suppliers that had not yet implemented CMMC controls back in June. 

To get ahead of the CMMC deadline or requests from primes like Lockheed, members of the DIB can enter CMMC Level 1 and Level 2 self-assessment results into the SPRS now (as some have been doing so since Level 1 became available in December 2024 and Level 2 in February 2025).

Submitting this information now ensures that Level 1 and non-critical Level 2 contractors and subcontractors are ready when CMMC enforcement begins. Starting in November and continuing throughout the phased rollout, DoD contracting officers will not award, extend, or renew a contract unless the contractor has both:

• the passing results of a current self-assessment or certification assessment for the required CMMC level
• an executive affirmation of continuous compliance with the security requirements in the SPRS

What this means for the DIB: To avoid disruption to existing contracts and remain eligible for new business, contractors, subcontractors, and other organizations in the DIB should take proactive steps now to complete their required assessments and enter results in SPRS before enforcement begins.

What SPRS score is needed for CMMC 2.0 certification?

The answer to this question is likely an SPRS score of 110, which is needed for final CMMC Level 2 certification.

But the CMMC scoring methodology is more complicated than that answer makes it seem, and applies to all levels of certification. The more correct answer would be: the SPRS score or assessment result you need depends on the CMMC level and status you’re seeking. 

First, let’s make sure we understand how the CMMC scoring methodology works. As described in 32 CFR § 170.24, each security requirement evaluated during a CMMC assessment (no matter what type or level required) results in one of three possible findings:

• MET: All applicable objectives for the security requirement are satisfied based on evidence.
• NOT MET: One or more applicable objectives for the security requirement is not satisfied.
• NOT APPLICABLE (N/A): A security requirement and/or objective does not apply at the time of the CMMC assessment.

Level 2 and 3 scoring are both based on the number of MET and UNMET requirements, but the assigned values to each requirement and maximum scores differ. Level 1 scoring is different altogether. 

Let’s take a closer look at the CMMC scoring methodology for each level below.

You can also discover the requirements for each CMMC level and how they’re calculated in your SPRS score in the Requirement Explorer tool on CMMC.com. 

CMMC Level 1

CMMC Level 1 contractors and subcontractors must fully implement all 15 security requirements set forth in 48 CFR 52.204-21(b)(1)(i) through (xv). None of these 15 requirements can be unmet and included on a Plan of Action and Milestones (POA&M) to be remediated after the initial assessment. 

Because all 15 requirements must be implemented in full, Level 1 self-assessment results are scored as MET or NOT MET in their entirety—not with a numerical value. That’s why there is not a score column for Level 1 in the Requirement Explorer tool. 

Think of Level 1 as a pass/fail system whereas Levels 2 and 3 are more like scored systems.

CMMC Level 2

Unlike Level 1, CMMC Level 2 contractors and subcontractors receive a numerical score and can have some NOT MET requirements on a POA&M. 

Here’s how the scoring methodology for this level works: CMMC Level 2 scoring ranges from -203 to 110. Why the negative number instead of zero? Because each MET requirement does not equal one point; instead, each of the 110 NIST 800-171 requirements is assigned a value of one (1), three (3), or five (5) points. 

These assigned values reflect the potential adverse effect of NOT meeting the requirement:

• 5 points if it could lead to significant exploitation of the network or exfiltration of CUI
• 3 points if it would have a specific and confined effect on the security of the network and its data,
• 1 point if it would have a limited or indirect effect on the security of the network and its data.

Here’s a look at how some Level 2 requirements in the same control family (AC) are scored differently:

Image source: CMMC.com Requirement Explorer

So, before their Level 2 assessment details are entered into SPRS (by themselves or into eMASS by their C3PAO), organizations start with the lowest score possible, -203. For every requirement that achieves a finding of MET, they earn one, three, or five points for a maximum score of 110. For every requirement that is NOT MET, either one, three, or five points stays subtracted from their total score, which may ultimately result in a negative score.

The maximum score, 110, indicates full compliance with NIST SP 800-171 requirements, meaning each requirement was assessed as MET or NOT APPLICABLE. It is the only score that will result in a Final Level 2 (Self) or or Final Level 2 (C3PAO) CMMC status.

If an organization falls short of the maximum score, it can still achieve a conditional CMMC status if it:

• achieves a score no lower than 88 (or 0.8)
• documents any unmet requirements in a POA&M
• does not include any of the requirements listed in 32 CFR 170.21(a)(2)(iii) in the POA&M

Any deviations identified in the POA&M must be remediated promptly no later than six months after their Conditional Level 2 (Self) or Conditional Level 2 (C3PAO) status was issued to achieve final Level 2 certification.

Bottom line: An organization with an SPRS score lower than 110 can still demonstrate a strong security posture through its System Security Plan (SSP), POA&M, and compliance documentation and be eligible for contract award. However, this score is designed to aid the DoD in gauging risk and awarding contracts. So the closer an organization is to 110, the better positioned they will be to win DoD contracts.

CMMC Level 3

Like Level 2, CMMC Level 3 contractors and subcontractors receive a numerical score and can have some NOT MET requirements on a POA&M.

But, unlike Level 2, CMMC Level 3 does not use varied scoring. Each MET requirement equals one point and each requirement assessed as NOT MET is one point subtracted from the total score. 

Image source: CMMC.com Requirement Explorer

Level 3 requirements are based on a subset of 24 NIST SP 800-172 requirements. Organizations must implement all 24 to achieve a maximum score and CMMC status of Final Level 3 (DIBCAC). 

If an organization falls short of the maximum score, it can still achieve a Conditional Level 3 (DIBCAC) status if it:

• Implements at least 20 of the 24 requirements from NIST 800-172, achieving a score no lower than 80% (or 0.8)
• documents any unmet requirements in a POA&M
• does not include any of the requirements listed in 32 CFR 170.21(a)(a)(3)(ii) in the POA&M

As with Level 2, any items in the POA&M must be remediated no later than six months after their conditional status was issued to achieve final Level 3 (DIBCAC) certification.

It’s also important to note that an organization is only eligible to initiate a Level 3 certification assessment once they have achieved a maximum score on the Level 2 certification assessment. 

How to enter a CMMC self-assessment into the SPRS

If you’re ready to enter CMMC Level 1 or 2 Self-Assessment reports in the SPRS, follow the steps below to understand exactly how to do it.

To access the SPRS, you first need access to the Procurement Integrated Enterprise Environment (PIEE) portal. If you don’t, follow step 1A. If you do, skip to step 1B. 

Step 1A (If you are a new PIEE user): Register as PIEE user & add “SPRS Cyber Vendor User” role

• To start, navigate to the PIEE portal and click “New User.” You’ll have to complete all the steps in the PIEE’s Vendors - Getting Started Help guide here, including:
• Register with the System for Award Management (SAM) to get a Unique Entity ID. Here’s a checklist with more info about the process.
• During this process, you will also be assigned a Commercial and Government Entity (CAGE) code if one doesn't already exist. 
• Contact the PIEE Help Desk to supply your CAGE code and company name to have them set up your vendor group with your CAGE code.
• Designate a Contractor Administrator (CAM) to act as the “gate keeper” to control user access for the company. 
• Have the CAM Self-Register in PIEE.
• After reviewing and completing these preliminary steps, click “Register.”
• Read the Privacy Statement and click “Agree.”
• Select user type “Vendor.”
• Select authentication method
• Complete “User Profile” and “Supervisor / Agency” information.
• Select “SPRS – Supplier Performance Risk System” from Application list
• Select “SPRS Cyber Vendor User” role from the User Roles list and click “Add Roles.”

Step 1B (If you are an existing PIEE user): Access the SPRS though the PIEE

• To start, navigate to the PIEE portal and click “Log In.” 
• Select SPRS.
• Click on the Cyber Reports link in the SPRS navigation menu.

Step 2: Select company hierarchy

• Use the drop-down menu to select your company’s hierarchy. The CAGE codes associated with your profile will appear.
• Select the appropriate CAGE and hierarchy combination and click “Run Cyber Reports.”

Step 3: Add a New CMMC Level 1 or 2 Self-Assessment

• Navigate to the CMMC Assessments tab.
• Click the “Add New CMMC Level 1 Self-Assessment” or “Add New CMMC Level 2 Self-Assessment” button. Note: Only users with the privileged role of SPRS Cyber Vendor User will be able to see this button.

Step 4: Enter CMMC Assessment Details

For Level 1 self-assessments:

• Enter the Assessment Date in the MM/DD/YYYY format.
• Select the Assessing Scope: “Enterprise” or “Enclave.” : Enterprise refers to an organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. Enclave refers to a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter (NIST).
• Provide the total number of employees applicable to this assessment.
• Select “Yes” to confirm compliance with security requirements for FAR clause 52.204-21.
• Use the Open CAGE Hierarchy button to add relevant CAGE codes. You can also paste a comma-delimited list of codes.
• Click the “Continue to Affirmation” button.

For Level 2 self-assessments:

• Check off Met, Not Met, or N/A for all NIST 800-171 Revision 2 requirements. These are organized by control family, so you’ll start with Access Control (AC). Once you’ve select the applicable compliance status for all requirements in the AC family, then you select Save and Continue and repeat for all families.
• All requirements must be answered before continuing to next section, where you’ll add the Assessing Scope, Employe Count, and CAGE codes like you would for Level 1 self.
• Click the “Save and Continue” button.
• Your final score and CMMC status will appear. If you see a CMMC L2 Conditional (score = 88 to 109) or Final Self-Assessment (score = 110), click the “Continue to Affirmation” button.
• If your score is below 88 or a requirement you checked off as “Not Met” is not able to be subject to a POA&M, then you won’t be able to continue to the next screen.

Step 5: Confirm or transfer to Affirming Official (AO)

• If you are the AO, select “Continue to Affirmation” to proceed.
• If you’re not the AO, enter the AO’s email address and select “Transfer to AO.”

Step 6: Affirm the Assessment

• Review the assessment details, confirm that you have reviewed the affirmation statement, and select “Affirm.” This will generate a report with a CMMC Status Type. If the AO selected “Yes” for compliance with the requirements specified in Step 4, then they will see a CMMC Status Type of "Final Level 1 Self-Assessment" or "CMMC L2 Final Self-Assessment."
• Edit or delete the assessment (or previous ones) as needed.

Below are all the potential CMMC Status Types you may see for Level 1:

• Final Level 1 Self-Assessment: Indicates compliance.
• Pending Affirmation: Awaiting AO approval.
• Incomplete: Assessment information only partially completed.
• No CMMC Status: Your “Final Level 1 Self-Assessment” is expired.

Below are all the potential CMMC Status Types you may see for Level 2:

• CMMC L2 Final Self-Assessment: Your score was 110, meaning you met all CMMC Level 2 self-assessment requirements. This status, with annual affirmations verifying compliance, is valid for 3 years.
• CMMC L2 Conditional Self-Assessment: Your score fell between 88 to 109, meaning you met most but not all CMMC Level 2 self-assessment requirements. This status is valid for 180 days.
• Pending Affirmation: Awaiting AO approval.
• Incomplete: Assessment information only partially completed.
• No CMMC Status: Your “CMMC L2 Final Self-Assessment” is expired or there is a requirement marked “Not Met” that is not able to be subject to a POA&M.