Skip to content

CMMC and SPRS Scores

 

Learn about SPRS Scores, the range, what is a good SPRS score, how to submit, update and affirm an SPRS score, and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

What is the Supplier Performance Risk System (SPRS)? 

 

The Supplier Performance Risk System (SPRS), accessible at sprs.csd.disa.mil, is the DoD’s authoritative web-enabled enterprise application used to collect, process, and display supplier performance and cybersecurity compliance data, and serves as the official system in which defense contractors submit CMMC self-assessment results, compliance scores, and senior official affirmations. 

For CMMC purposes, SPRS is where contractors submit their CMMC Level 1 self-assessment results annually, CMMC Level 2 self-assessment results annually or triennially for C3PAO-assessed contractors, SPRS scores calculated under the NIST SP 800-171 DoD Assessment Methodology, and senior official affirmations of compliance. C3PAO-issued CMMC Level 2 certification results are submitted to SPRS by the DoD through the eMASS system following the C3PAO’s submission of findings. 

SPRS data is visible to contracting officers and prime contractors evaluating DoD contract awards. Prime contractors with DFARS clause 252.204-7021 in their contracts are required to verify that subcontractors have current SPRS entries at the required CMMC level before awarding subcontracts involving CUI. SPRS became a key contracting tool in November 2025 when CMMC enforcement began. 

 

How is an SPRS score calculated for NIST SP 800-171 and CMMC? 

 

Summary: An SPRS score is calculated using the DoD’s NIST SP 800-171 Assessment Methodology, which starts from a perfect score of 110 points, representing full implementation of all 110 controls, and subtracts points for each control that is NOT implemented, weighted by the control’s assigned point value of 1, 3, or 5 points. 

Each of the 110 NIST SP 800-171 Rev 2 controls is assigned a weight based on its security significance: 1-point controls address requirements with minimal individual security impact; 3-point controls address requirements with specific but contained security effects; 5-point controls address requirements whose absence could directly enable major network exploitation or CUI exfiltration. 

A contractor who has not implemented any controls starts at a score of -203. A contractor who has fully implemented all 110 controls achieves a score of +110. Partial implementation does not receive partial credit, a control is either fully implemented (no deduction) or not (full deduction applied). The SPRS score must reflect reality, intentional inflation triggers False Claims Act liability. 

 

What is the SPRS scoring range and what constitutes a good score? 

 

The SPRS scoring range runs from -203 (minimum possible score, representing zero controls implemented) to +110 (maximum score, representing full implementation of all 110 NIST SP 800-171 Rev 2 controls), with an SPRS score of 88 or above constituting the minimum threshold for Conditional CMMC Level 2 certification eligibility. 

A score of 110 represents perfect compliance and is required for Final CMMC Level 2 certification without any POA&Ms. A score of 88 to 109 represents substantial but incomplete compliance, sufficient for Conditional certification with POA&M closure required within 180 days. Any score below 88 disqualifies the organization from any CMMC Level 2 certification status. 

Industry surveys and DIBCAC assessment data consistently show that SPRS scores submitted by contractors through the previous self-attestation process were significantly inflated compared to actual compliance posture. A score consistently below 88 indicates the presence of high-weight control gaps that must be remediated before a C3PAO assessment is scheduled.

 

How do I submit my CMMC compliance results to SPRS? 

 

Summary: Submitting CMMC compliance results to SPRS requires the contractor to have an active CAGE code registered in SAM.gov, access to the SPRS portal (sprs.csd.disa.mil) authenticated with a DoD-compatible PKI certificate, and a completed assessment ready to record. 

For CMMC Level 1, the contractor logs into SPRS, navigates to the CMMC section, selects “Add New Level 1 CMMC Self-Assessment,” enters the required information including CAGE code(s), assessment date, scope (Enclave or Enterprise), number of employees in scope, and compliance result, and submits for Affirming Official approval. For CMMC Level 2 self-assessment, the process is similar but requires entry of the SPRS score calculated under the DoD assessment methodology, POA&M usage and status if applicable, and additional scope details. 

The Affirming Official, a senior company executive, must review and approve the submission before it becomes official. C3PAO-assessed Level 2 results are submitted to SPRS by the DoD through eMASS based on the C3PAO’s findings; contractors do not self-submit C3PAO certification results. All submissions must be accurate, submitting results that do not reflect actual compliance creates False Claims Act exposure. 

 

How often must SPRS scores be updated and affirmed? 

 

CMMC Level 1 self-assessments and SPRS affirmations must be completed annually, once per calendar year. CMMC Level 2 self-assessments must also be conducted annually with results posted in SPRS and affirmed by a senior official. For CMMC Level 2 C3PAO-certified organizations, the triennial certification cycle requires annual affirmations of continued compliance in SPRS in the two years between formal C3PAO assessments. 

The practical compliance calendar is: Level 1 organizations conduct a self-assessment, submit to SPRS, and have their Affirming Official affirm the results every 12 months. Level 2 self-assessment organizations follow the same annual cycle but submit a numerical SPRS score. Level 2 C3PAO-certified organizations submit an annual affirmation in SPRS in Year 1 and Year 2 following certification, and undergo a new C3PAO assessment in Year 3 before the certification expires. 

A SPRS entry older than three years is considered expired and will cause the contractor to show no valid CMMC status to contracting officers evaluating eligibility. SPRS entries must also be updated if significant changes occur to the assessed environment. 

 

Can prime contractors see a subcontractor’s SPRS score? 

 

Prime contractors can verify that a subcontractor has a valid CMMC status entry in SPRS at the required level, but they cannot see the actual SPRS score or assessment details, only the DoD can access individual contractor SPRS scores and certification details, as confirmed in the final 48 CFR DFARS rule published September 10, 2025. 

This means primes can confirm that a subcontractor has an active, non-expired CMMC entry at the required level, but cannot evaluate the specific score, the details of any POA&M, or the assessment findings. The DoD’s rationale is to protect contractor cybersecurity information from broad disclosure while still enabling prime contractors to fulfill their flow-down verification obligations. 

In practice, prime contractors frequently require subcontractors to self-certify their CMMC compliance status as part of their qualification process, supplementing the SPRS verification. Some primes require subcontractors to provide C3PAO certification certificates or assessment summary letters as additional verification.

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties