Supplier Performance Risk System (SPRS): How to Affirm CMMC Self-Assessments
For organizations pursuing CMMC Level 1 and non-critical Level 2 compliance, understanding Supplier Performance Risk System (SPRS) reporting requirements is crucial to meeting Department of Defense (DoD) requirements.
Whether you're new to CMMC or an expert seeking a simple tutorial to enter your assessment into the SPRS, this guide has you covered.
Below, we’ll walk you through what SPRS is, how it relates to CMMC, and provide a step-by-step guide for entering your assessments.
What is the Supplier Performance Risk System (SPRS)?
The Supplier Performance Risk System (SPRS) is a web-based app used by the DoD to submit for and evaluate supplier performance and risk. It serves as a centralized database for critical information, including:
- Supplier risk assessments and scores
- Supplier performance data, including on-time delivery scores
- Cyber reports, including CMMC and NIST SP 800-171 self-assessment results
SPRS is integral to the DoD’s efforts to ensure that contractors and subcontractors meet stringent cybersecurity requirements protecting sensitive unclassified information.
It not only benefits the Department of Defense by providing a centralized view of contractor cybersecurity and performance data, enabling better decision-making and risk management in acquiring or maintaining relationships with vendors and suppliers, but SPRS also benefits contractors and subcontractors by ensuring their compliance is documented and visible. This helps them achieve and maintain eligibility for DoD contracts and foster trust with federal agencies.
Recommended reading
What CMMC Documentation Is Required for Compliance?
CMMC requirements related to the SPRS
The purpose of CMMC 2.0 is to provide the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for adequately protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
To provide DoD with that assurance, CMMC stipulates certain requirements for reporting:
- Level 1 and some Level 2 contractors that manage CUI that is not critical to national security must submit their self-assessments and affirmations of compliance by a senior official (also known as the Affirming Official) in the SPSR themselves.
- Level 2 contractors that manage CUI that is critical to national security are required to undergo an assessment conducted by a certified Third-Party Assessment Organization (C3PAO) triennially. The C3PAO will enter the assessment information electronically into the CMMC Enterprise Mission Assurance Support Service (eMASS), which will electronically transmit the assessment results into the SPRS. The Affirming Official (AO) must affirm continuing compliance with the specified security requirements after every assessment and annually thereafter. These affirmations must be entered electronically in SPRS.
- The same process above applies to Level 3 contractors, except they must undergo government-led assessments so the DoD assessor will enter their assessment information into eMASS.
Additionally, according to DFARS clause 252.204-7020, contractors are required to confirm their subcontractors have SPRS scores on file prior to awarding them contracts.
Recommended reading
What Type of CMMC Assessment Do you Need?
Are CMMC SPRS requirements in effect?
The Title 48 CFR CMMC acquisition rule is expected to be finalized in Q2 2025, at which point CMMC assessment requirements will be implemented in DoD contracts using a phased approach.
However, members of the Defense Industrial Base (DIB) can now enter CMMC Level 1 and 2 Self-Assessment reports in the SPRS.
By doing so now, Level 1 and non-critical Level 2 contractors will be prepared when the CMMC Acquisition Rule becomes finalized. Once this rule is finalized, DoD contracting officers will not make an award, exercise an option, or extend the period of performance on a contract, if the contractor does not have both:
- the passing results of a current certification assessment or self-assessment for the required CMMC level
- an affirmation of continuous compliance with the security requirements in the SPRS
To avoid losing DoD contracts, the time to start getting ready for CMMC compliance is now.
Recommended reading
The CMMC Proposed Final Rule: What It Is and When It Goes Into Effect
How to enter a CMMC self-assessment into the SPRS
If you’re ready to enter CMMC Level 1 or 2 Self-Assessment reports in the SPRS, follow the steps below to understand exactly how to do it.
To access the SPRS, you first need access to the Procurement Integrated Enterprise Environment (PIEE) portal. If you don’t, follow step 1A. If you do, skip to step 1B.
Step 1A (If you are a new PIEE user): Register as PIEE user & add “SPRS Cyber Vendor User” role
- To start, navigate to the PIEE portal and click “New User.” You’ll have to complete all the steps in the PIEE’s Vendors - Getting Started Help guide here, including:
- Register with the System for Award Management (SAM) to get a Unique Entity ID. Here’s a checklist with more info about the process.
- During this process, you will also be assigned a Commercial and Government Entity (CAGE) code if one doesn't already exist.
- Contact the PIEE Help Desk to supply your CAGE code and company name to have them set up your vendor group with your CAGE code.
- Designate a Contractor Administrator (CAM) to act as the “gate keeper” to control user access for the company.
- Have the CAM Self-Register in PIEE.
- After reviewing and completing these preliminary steps, click “Register.”
- Read the Privacy Statement and click “Agree.”
- Select user type “Vendor.”
- Select authentication method
- Complete “User Profile” and “Supervisor / Agency” information.
- Select “SPRS – Supplier Performance Risk System” from Application list
- Select “SPRS Cyber Vendor User” role from the User Roles list and click “Add Roles.”
Step 1B (If you are an existing PIEE user): Access the SPRS though the PIEE
- To start, navigate to the PIEE portal and click “Log In.”
- Select SPRS.
- Click on the Cyber Reports link in the SPRS navigation menu.
Step 2: Select company hierarchy
- Use the drop-down menu to select your company’s hierarchy. The CAGE codes associated with your profile will appear.
- Select the appropriate CAGE and hierarchy combination and click “Run Cyber Reports.”
Step 3: Add a New CMMC Level 1 or 2 Self-Assessment
- Navigate to the CMMC Assessments tab.
- Click the “Add New CMMC Level 1 Self-Assessment” or “Add New CMMC Level 2 Self-Assessment” button. Note: Only users with the privileged role of SPRS Cyber Vendor User will be able to see this button.
Step 4: Enter CMMC Assessment Details
- Enter the Assessment Date in the MM/DD/YYYY format.
- Select the Scope: “Enterprise” or “Enclave.” : Enterprise refers to an organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. Enclave refers to a set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter (NIST).
- Provide the total number of employees applicable to this assessment.
- Confirm compliance with FAR clause 52.204-21 or NIST 800-171 Revision 2 requirements and mandatory CMMC requirements for Level 1 or Level 2, respectively.
- Use the Open CAGE Hierarchy button to add relevant CAGE codes. You can also paste a comma-delimited list of codes.
- Click the “Continue to Affirmation” button.
Step 5: Confirm or transfer to Affirming Official (AO)
- If you are the AO, select “Continue to Affirmation” to proceed.
- If you’re not the AO, enter the AO’s email address and select “Transfer to AO.”
Step 6: Affirm the Assessment
- Review the assessment details, confirm that you have reviewed the affirmation statement, and select “Affirm.” This will generate a report with a CMMC Status Type. If the AO selected “Yes” for compliance with the requirements specified in Step 4, then they will see a CMMC Status Type of "Final Level 1 Self-Assessment" or "CMMC L2 Final Self-Assessment."
- Edit or delete the assessment (or previous ones) as needed.
Below are all the potential CMMC Status Types you may see for Level 1:
- Final Level 1 Self-Assessment: Indicates compliance.
- Pending Affirmation: Awaiting AO approval.
- Incomplete: Assessment information only partially completed.
- No CMMC Status: Your “Final Level 1 Self-Assessment” is expired.
Below are all the potential CMMC Status Types you may see for Level 2:
- CMMC L2 Final Self-Assessment: Your score was 110, meaning you met all CMMC Level 2 self-assessment requirements. This status, with annual affirmations verifying compliance, is valid for 3 years.
- CMMC L2 Conditional Self-Assessment: Your score fell between 88 to 109, meaning you met most but not all CMMC Level 2 self-assessment requirements. This status is valid for 180 days.
- Pending Affirmation: Awaiting AO approval.
- Incomplete: Assessment information only partially completed.
- No CMMC Status: Your “CMMC L2 Final Self-Assessment” is expired.
What SPRS score is needed for CMMC compliance?
Submitting a CMMC Level 1 self-assessment and executive affirmation in the SPRS will generate a score ranging from -203 to 110 based on assessment results. This score aids the DoD in gauging risk and awarding contracts.
Organizations pursuing CMMC Level 1 compliance start with a minimum score of -203 and can receive a maximum score of 110, which indicates full compliance with NIST SP 800-171 requirements. Each of the 110 NIST SP 800-171 requirements must be met or not applicable in order to demonstrate Level 1 compliance.
If an organization falls short of the maximum score, it should identify the specific gaps, document a detailed Plan of Action and Milestones (POA&M), and prioritize remediation efforts to align with the requirements. Any deviations must be documented and remediated promptly and no later than six months of issue.
The closer an organization is to 110, the better positioned they will be to win DoD contracts. However, an organization without a perfect score can still demonstrate a strong security posture through its System Security Plan (SSP), POA&M, and compliance documentation in addition to its score.
Plan of Action & Milestones (POA&M) Template
The POA&M is a strategic document used to identify and track the actions required to address gaps in your organization’s controls that were identified during an internal or third-party assessment. Use this template to demonstrate ongoing efforts to achieve and maintain CMMC compliance to third-party assessors.
How Secureframe can help you get CMMC Level 1 and 2 compliant
A recent study conducted by Merrill Research and commissioned by CyberSheath reveals that defense contractors still have a long way to go in their compliance readiness process. The average Supplier Performance Risk System (SPRS) score among respondents stands at a concerning -12, far below the required score of 110 to meet CMMC standards. Even more alarming, just 4% of defense contractors say they are fully prepared for certification.
A compliance automation tool like Secureframe can help simplify all these steps required to prepare for a CMMC Level 1 and/or Level 2 assessment. Let’s look at how below.
Secureframe streamlines the path to CMMC Level 1 and 2 compliance by offering:
- Expert guidance: Federal compliance experts, including former CMMC, FISMA, and FedRAMP auditors, provide support before, during, and after assessments.
- Automated evidence collection: Integrations with tools like AWS GovCloud automate evidence collection and continuous monitoring of your CMMC Level 1 and 2 controls.
- AI-powered remediation: Comply AI generates fixes as infrastructure-as-code, simplifying remediation and enhancing your overall security posture.
- Effortless policy management: Customizable templates and AI tools make managing documents and policies, including SSP templates, impact assessments, and readiness reports, seamless.
- Comprehensive training: Role-based and insider threat training meets CMMC requirements.
- Multi-framework compliance: Cross-mapping accelerates compliance with additional standards like NIST 800-53 and FedRAMP.
With Secureframe, you’ll save time, reduce costs, and maintain continuous CMMC compliance. Schedule a demo today to see how we can help your organization succeed.
Use trust to accelerate growth
FAQs
Why is SPRS relevant for CMMC?
SPRS is the designated system for reporting CMMC assessment results and executive affirmations of compliance, a requirement for CMMC certification.
What is the CMMC score for the SPRS?
The SPRS score reflects your compliance with NIST SP 800-171 requirements. A perfect score is 110, indicating full compliance.
How do you calculate your SPRS score?
SPRS scores are calculated based on the 110 NIST SP 800-171 requirements. Any unmet requirements deduct points from the maximum score of 110.
What is a good SPRS score?
While 110 is the maximum SPRS score, a score below this can be acceptable if any issues have an according POAM and remediation plans are in place. POAMs must be remediated within six months from the date of issue.
What CMMC Status Type could you see after submitting your CMMC self-assessment in the SPRS?
Below are all the potential CMMC Status Types your CMMC self-assessment may receive:
- CMMC L2 Final Self-Assessment: Indicates compliance with all 110 CMMC Level 2 self-assessment requirements.
- CMMC L2 Conditional Self-Assessment: Indicates compliance with 88 to 109 CMMC Level 2 self-assessment requirements.
- Final Level 1 Self-Assessment: Indicates compliance with Level 1 self-assessment requirements.
- Pending Affirmation: Awaiting AO approval.
- Incomplete: Assessment information only partially completed.
- No CMMC Status: Your previous self-assessment report is expired.