Every organization subject to CMMC must have an active, accurate score in the Supplier Performance Risk System (SPRS) before a contracting officer can award an applicable Department of Defense (DoD; redesignated the Department of War by executive order, September 2025) contract. That statement has been true since November 2020 under DFARS 252.204-7012, and it remains true under CMMC.
If you have never submitted to SPRS, or if your submission is stale, you are not compliant regardless of your actual security posture. Contracting officers and prime contractors check SPRS. A missing or outdated submission is visible and has real consequences.
This article explains what SPRS is, how the scoring methodology works, and exactly how to submit an accurate self-assessment.
SPRS is a DoD web application that stores contractor performance data, including CMMC self-assessment scores and affirmations. It is accessible at sprs.army.mil.
In the context of CMMC, SPRS serves three functions:
SPRS is not an assessment tool. It does not tell you what your score should be. It records what you have assessed and affirmed.
The CMMC scoring methodology is defined in 32 CFR § 170.24. Understanding it is essential to submitting an accurate score and to knowing which gaps hurt you most.
Level 1 scoring is binary. Each of the 15 practices is either Met (1 point) or Not Met (0 points). Maximum score: 15 points. There are no partial credit rules at Level 1.
Level 2 scoring is weighted. Each of the 110 NIST SP 800-171 Rev 2 requirements carries one of three point values:
5-point requirements (high impact): These represent critical security controls where a gap poses the greatest risk. If a 5-point requirement is Not Met, your score drops by 5 points. Examples of 5-point requirements include:
3-point requirements (medium impact): These are significant controls that carry 3-point penalties for gaps.
1-point requirements (standard): These are standard controls with a 1-point impact for each gap.
The maximum possible score is 110 points. The minimum score to qualify for Conditional certification status (and remain eligible for most contracts) is 88 points (80% of the maximum).
SC.L2-3.13.11 (FIPS-validated cryptography) is the one requirement with partial credit rules:
This means if you are using TLS but it is not FIPS-validated, you still receive a penalty, but the penalty for non-FIPS encryption is actually worse than no encryption on this specific control. Verify your specific scoring before finalizing your submission.
Before finalizing any SPRS submission for Level 2, there is one requirement you must verify is Met: CA.L2-3.12.4, the System Security Plan (SSP) requirement.
If the SSP requirement is marked Not Met, SPRS returns "No Score." The assessment cannot be completed, and you cannot receive a CMMC status of any kind. The SSP must exist and must be assessed as Met before any Level 2 SPRS submission is meaningful.
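The Level 2 arithmetic described above, as an added example (not code from this article or from SPRS): it starts at 110, subtracts the weight of each Not Met requirement, applies the CA.L2-3.12.4 gate and the 88-point minimum, and ranks gaps by cost. The `Gap` type, the function name and the `EXAMPLE-REQ-*` entries are constructed; real weights come from 32 CFR § 170.24, and the partial-credit rule for SC.L2-3.13.11 is not modelled.

```python
from dataclasses import dataclass

MAX_SCORE = 110               # Level 2 maximum stated in the article
CONDITIONAL_MINIMUM = 88      # minimum score for Conditional status
SSP_REQUIREMENT = "CA.L2-3.12.4"
VALID_WEIGHTS = (5, 3, 1)


@dataclass(frozen=True)
class Gap:
    """One Not Met requirement from the working document (hypothetical type)."""
    requirement: str
    weight: int  # 5, 3 or 1, looked up in the 32 CFR 170.24 methodology


def score_level2(gaps):
    """Score a list of Not Met requirements; Met requirements are simply omitted."""
    seen = set()
    for gap in gaps:
        if gap.requirement in seen:
            raise ValueError(f"{gap.requirement} listed twice")
        seen.add(gap.requirement)
        if gap.weight not in VALID_WEIGHTS:
            raise ValueError(f"{gap.requirement}: weight must be 5, 3 or 1")

    # Costliest gaps first, so remediation goes where it moves the score most.
    ranked = sorted(gaps, key=lambda g: (-g.weight, g.requirement))

    if SSP_REQUIREMENT in seen:
        # The SSP gate applies before any arithmetic: there is no score to report.
        return {"score": None, "result": "No Score", "ranked": ranked,
                "meets_conditional_minimum": False, "points_to_minimum": None}

    score = MAX_SCORE - sum(g.weight for g in gaps)
    return {"score": score, "result": "Scored", "ranked": ranked,
            "meets_conditional_minimum": score >= CONDITIONAL_MINIMUM,
            "points_to_minimum": max(0, CONDITIONAL_MINIMUM - score)}


# Constructed working-document entries; IDs and weights are placeholders.
SAMPLE_GAPS = [
    Gap("EXAMPLE-REQ-A", 1), Gap("EXAMPLE-REQ-B", 5), Gap("EXAMPLE-REQ-C", 3),
    Gap("EXAMPLE-REQ-D", 5), Gap("EXAMPLE-REQ-E", 1),
]

if __name__ == "__main__":
    print(score_level2(SAMPLE_GAPS))
    # Weight given for the SSP entry is a placeholder; the gate ignores it.
    print(score_level2(SAMPLE_GAPS + [Gap(SSP_REQUIREMENT, 1)]))
```

For SC.L2-3.13.11, enter the deduction you determined by hand from its partial-credit rule.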
Two conditions cause SPRS to return "No Status" rather than a CMMC status:
These two conditions are why honest scoring matters. An inflated SPRS score that shows compliance you have not achieved creates False Claims Act exposure. A score that accurately reflects a "No Status" condition is a problem that needs to be fixed, not hidden.
Two terms frequently appear in CMMC compliance discussions and they are often confused:
Understanding this distinction matters when reviewing your gap assessment results and deciding what goes into your SPRS submission.
Access SPRS at sprs.army.mil. You will need a DoD-approved identity credential (CAC or DS Login) to access the system. If your organization's representative does not have an active DS Login or CAC, establishing access can take several business days. Do not wait until you are ready to submit to start the access process.
Your organization must have a registered CAGE code that is active in SAM.gov. The CAGE code links your SPRS submission to your organization's identity in the DoD contracting system. If you have multiple CAGE codes (for different locations or business units), all CAGE codes within your CMMC Assessment Boundary must be listed in the submission, plus your Highest-Level Owner (HLO) CAGE code.
Work through each applicable requirement (15 for Level 1, 110 for Level 2) and make an honest implementation determination for each one:
Record your findings in a working document. For Level 2, calculate your weighted score as you go. Flag any requirements that are Not Met and determine which ones belong on your POA&M versus which ones you will remediate before submission.
For each Not Met requirement that qualifies for the POA&M (above the 88-point threshold, none of the prohibited controls), document:
Your POA&M must be realistic. Assessment teams evaluate POA&M items for feasibility during C3PAO assessments. A POA&M with unrealistic timelines or missing cost estimates will generate findings.
Log into SPRS, navigate to the self-assessment entry for your organization, and enter:
For Level 2, SPRS will calculate your CMMC status (Conditional, Final, or No Status) based on the score and POA&M content you enter.
After entering the score, a senior official of your organization (typically the CEO, President, or equivalent authorized official) must affirm the accuracy of the submission. This affirmation is a legal attestation. The official is personally affirming that the self-assessment was conducted in accordance with the CMMC assessment methodology and that the score reflects the organization's actual compliance posture.
The affirmation must be renewed:
For the complete CMMC framework overview, see the CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.