What SPRS Is
The Supplier Performance Risk System (SPRS) is a DoD web application, reachable at sprs.csd.disa.mil, that records contractor performance and risk data across multiple dimensions. For CMMC purposes, the relevant component is the NIST SP 800-171 DoD Assessment score: the numerical result of a contractor's self-assessment against the 110 requirements of NIST SP 800-171 Revision 2, scored under the DoD Assessment Methodology.
The scoring range runs from −203 to +110 per the DoD Assessment Methodology v1.2.1. You start with 110 points and subtract a weighted amount for each requirement that is not fully implemented; each requirement is weighted 1, 3, or 5 points, and exactly two requirements (3.5.3, multi-factor authentication, and 3.13.11, FIPS-validated cryptography) allow a reduced 3-point deduction for partial implementation instead of the full 5. A requirement you have not assessed or cannot document counts as not implemented. A score of 110 means all requirements are fully implemented. A score at or below 0 means the deductions total at least 110 points, which in practice means many of the 5-point requirements are unmet.
SPRS is not only for self-assessments. When a C3PAO completes a formal CMMC assessment, the results are also recorded in SPRS — and the DoD treats a C3PAO-verified score as far more reliable than a self-reported one. But for contractors eligible to submit a self-assessment score, SPRS is the mechanism.
Why It Matters for Contract Award
DFARS clause 252.204-7019 has required a current NIST SP 800-171 DoD Assessment score in SPRS before award since the clause took effect in November 2020; the CMMC rule did not create that requirement. What Phase 1 of the CMMC rollout (effective November 10, 2025) adds is that contracting officers now also check SPRS for the CMMC self-assessment result and affirmation required by DFARS 252.204-7021 where that clause is included. Under 7019, the score on file must be no more than three years old at the time of award.
If your organization has no score in SPRS — or if your score was submitted more than three years ago and has not been refreshed — you may be ineligible for award on contracts containing this clause. There is no grace period for missing submissions. A contracting officer who cannot find your current SPRS entry will typically not wait for you to submit one before awarding to another contractor.
Self-assessment vs. C3PAO certification: A self-assessment posted in SPRS satisfies Phase 1 for Level 1 programs and for Level 2 programs designated as self-assessment eligible. For Level 2 programs requiring C3PAO certification (Phase 2, beginning November 2026), a self-reported SPRS score alone will not be sufficient: a completed C3PAO assessment recorded in SPRS will be required. Know which requirement applies to your specific contracts before submitting.
Prerequisites Before You Submit
You cannot access or submit to SPRS without completing several registrations first. These are not optional, and some take weeks to process — do not wait until you have a pending contract to start.
Active SAM.gov Registration
Your organization must have an active registration in the System for Award Management (SAM.gov). SAM.gov registration must be renewed annually. If your registration is expired, you cannot receive federal contracts or access SPRS. Verify your registration status and renewal date before proceeding.
CAGE Code
A Commercial and Government Entity (CAGE) code is a five-character identifier assigned to your organization by the Defense Logistics Agency (DLA) and linked to your SAM.gov registration. Your CAGE code is how SPRS identifies your organization's submission. If you don't have one, the SAM.gov registration process will request one for you. If you have multiple locations or divisions with separate contracts, each may need its own CAGE code and separate SPRS submission.
PIEE Account (Procurement Integrated Enterprise Environment)
SPRS is accessed through PIEE (piee.eb.mil). You'll need a registered PIEE account with the SPRS application and the "SPRS Cyber Vendor User" role, which is the role that can enter NIST SP 800-171 assessment results. To register:
- Go to piee.eb.mil and click "Register"
- Select "Vendor/Supplier" as your role
- Complete identity proofing — typically through ID.me or Login.gov
- Request the SPRS Cyber Vendor User role specifically; it is not granted by default, and your company's PIEE Contractor Administrator (CAM) must approve it
- Wait for account approval, which can take 3–5 business days
Completed Assessment
Before submission, you need a completed self-assessment: a documented evaluation of your implementation status for all 110 NIST SP 800-171 Rev 2 requirements, with a calculated score. Your assessment must be documented — in your SSP, a spreadsheet, or a formal assessment report — because the senior official who attests to the score must be able to substantiate it. You cannot submit a score you haven't actually calculated.
The Senior Official Attestation
When you submit your score to SPRS, you are not just entering a number. You are making a legal attestation. The SPRS submission process requires a senior company official — an executive with authority to bind the organization — to affirm that the submitted score is accurate and that the organization has, or is actively working to achieve, the implementation level reflected in the score.
The attestation language in SPRS reads, in relevant part:
"I am authorized to attest to the accuracy of the information contained herein... I understand that providing false or misleading information in this assessment may subject the organization and me personally to legal and regulatory sanctions."
The "senior official" requirement is intentional. The DoD wants an executive — a CEO, President, COO, or equivalent — to personally affirm the score. Not the IT manager. Not a consultant. An officer of the company with legal accountability. This person must understand what they are attesting to and must have reviewed the underlying assessment before signing.
Two clocks apply here. Under DFARS 252.204-7019, the NIST SP 800-171 DoD Assessment score itself remains current for three years. Under the CMMC rule, a Level 1 or Level 2 self-assessment additionally requires an annual affirmation in SPRS by the affirming official that the organization continues to meet the requirements, so each year that official must re-affirm or, where implementation status has changed, post an updated assessment.
False Claims Act Exposure
Legal warning — read carefully. Submitting a materially false or inflated SPRS score to obtain a federal contract exposes your organization — and the individual who signed the attestation — to liability under the False Claims Act (31 U.S.C. §§ 3729–3733). The False Claims Act allows the U.S. government, and in some cases private whistleblowers, to bring civil claims against contractors who make false statements to obtain government contracts or payments.
The FCA implications for SPRS are not theoretical. The Department of Justice has already pursued cybersecurity-related FCA cases against contractors who misrepresented their security posture in order to win federal contracts. In United States ex rel. Markus v. Aerojet Rocketdyne Holdings, Inc., the DOJ pursued claims against a defense contractor for misrepresenting cybersecurity compliance. The case settled mid-trial in 2022 — meaning it did not produce a binding court judgment — but its policy significance is substantial as the first major FCA cybersecurity-misrepresentation case to reach trial. The settlement, combined with the trend of subsequent DOJ enforcement actions and the establishment of the DOJ Civil Cyber-Fraud Initiative, signals that the government treats cybersecurity attestations as material representations subject to FCA liability.
Penalties under the FCA include:
- Civil penalties of approximately $14,308 to $28,619 per false claim (2025 inflation-adjusted amounts; the DOJ adjusts these annually — verify current amounts at the DOJ Civil Division False Claims Act page)
- Treble damages — three times the value of any government funds obtained through the false claim
- Potential debarment from future government contracts
- Criminal referral in cases of willful fraud
The practical implication: do not submit a score you cannot substantiate. If your honest assessment produces a score of −30, submit −30. A negative score does not automatically disqualify you from all contracts — contracting officers have discretion, and a low score with a credible POA&M is far better than a false high score. What you cannot do is round up your implementation status to produce a better-looking score. "We plan to implement MFA next quarter" does not make an IA requirement "met" for scoring purposes.
Step-by-Step SPRS Submission
Once your prerequisites are in place and your assessment is complete, the submission process follows these steps:
- Log into PIEE. Navigate to piee.eb.mil and authenticate using your registered credentials (CAC, Login.gov, or ID.me depending on your setup). Select the SPRS Supplier module from your module list.
- Navigate to the NIST SP 800-171 DoD Assessment section. From the SPRS Supplier dashboard, select "NIST SP 800-171 DoD Assessment" — this is the specific section for submitting self-assessment scores, separate from other SPRS performance data.
- Create a new assessment entry. Click "Add Assessment" or equivalent. You will be prompted to confirm your CAGE code — verify it matches the entity you are submitting for. If your organization operates under multiple CAGE codes, create a separate entry for each.
- Enter your assessment details. Complete all required fields:
- Assessment date — the date your assessment was completed
- Score — your calculated NIST SP 800-171 Rev 2 score (−203 to +110)
- Confidence level — "Basic", which is the contractor self-assessment level under the methodology (Medium and High assessments are conducted and entered by DoD assessors, not by you)
- SSP assessed — the name, version/revision, and date of the System Security Plan covering the assessed system, plus the assessment scope (Enterprise, Enclave, or Contract) as described in that SSP
- Plan of Action date — the date by which you plan to close all open POA&M items (if applicable)
- Complete the senior official attestation. This step requires the name, title, and (in some configurations) the digital signature or login credentials of the senior official making the attestation. The individual completing this step must be the actual attesting official — it cannot be delegated to an IT staff member or consultant for the signature step.
- Submit and retain confirmation. After submission, SPRS will display the saved record with its assessment date and identifier. Screenshot or print this confirmation and retain it in your compliance documentation. Once saved, the entry is visible to government SPRS users, so confirm it is correct before you leave the page.
- Verify your entry is visible. After submission, use the SPRS read-only view (or ask a government contracting officer to confirm) that your score is visible and correctly reflects what you entered. Entry errors do occur — verify before relying on the submission for contract purposes.
If Your Score Is Negative or Very Low
A negative SPRS score is not automatically disqualifying. What matters is that your score is honest, that you have a credible POA&M documenting your remediation plan, and that you are actively working to close gaps. Here is how to handle a low score without jeopardizing your contract opportunities.
Submit an Interim Score with a POA&M
DFARS 252.204-7020 requires that assessments follow the DoD Assessment Methodology, and that methodology scores current implementation status: a negative score is a legitimate submission as long as it is accurate and backed by a documented POA&M with realistic remediation milestones. When submitting a low score, enter your Plan of Action completion date in the submission. This signals to contracting officers that you are aware of your gaps and are addressing them.
Your POA&M must include, for each open requirement:
- The specific requirement identifier (e.g., 3.1.1, written AC.L2-3.1.1 in CMMC 2.0 notation) and a description of the gap
- What compensating controls, if any, are currently in place
- The name and title of the person responsible for remediation
- Target completion date (must be realistic — avoid aspirational dates that slip repeatedly)
- Resources required: budget, personnel, tooling
- Milestone dates tracking progress between now and completion
Prioritize Remediation by SPRS Impact
Not all open requirements have equal impact on your score. Prioritize remediation efforts in this order to recover SPRS points as efficiently as possible:
- 5-point requirements first. Requirements weighted at 5 points are the highest-value targets. Closing a single 5-point gap recovers more SPRS score than closing five 1-point gaps. Review the DoD Assessment Methodology v1.2.1 for the specific point weights by requirement.
- Multi-family quick wins. Some technical controls satisfy requirements across multiple families simultaneously. Deploying a centralized SIEM, for example, can partially address AU (audit logging), IR (incident detection), and SI (security monitoring) requirements at once.
- MFA and access control gaps. IA requirements — particularly multi-factor authentication for privileged access and remote access — carry high weights and are among the most commonly deficient. Closing these is both high-impact and typically achievable within a single quarter using existing cloud platform capabilities (Azure MFA, Duo, Okta).
- Logging infrastructure. AU (Audit and Accountability) requirements are consistently among the most deficient across DIB assessments and carry significant cumulative weight. Deploying centralized log management — even a basic SIEM or log aggregation solution — can close multiple requirements simultaneously.
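As an added example (an editor's illustration, not an official DoD, SPRS, or any project's tool), the script below implements the scoring rules from the "What SPRS Is" section and the point-recovery ordering from the list above: it computes 110 minus the weighted deductions, applies the reduced deduction that only 3.5.3 and 3.13.11 allow, refuses to produce a score when no SSP exists or when partial credit is claimed on a requirement that has none, and orders open gaps by points recoverable. The WEIGHTS table is a constructed subset whose entries are reproduced from memory; verify each against Annex A of the DoD Assessment Methodology v1.2.1 and extend it to all 110 requirements before relying on it. SAMPLE_STATUSES is constructed input.

```python
"""SPRS score calculator and POA&M prioritizer (illustrative, added example).

Not an official DoD/SPRS tool. WEIGHTS is a constructed subset reproduced
from memory; verify against Annex A of DoD Assessment Methodology v1.2.1
and extend to all 110 requirements before real use.
"""
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 110
MIN_SCORE = -203

IMPLEMENTED = "implemented"
PARTIAL = "partial"            # only valid where a reduced deduction exists
NOT_IMPLEMENTED = "not_implemented"

SSP_REQUIREMENT = "3.12.4"     # without an SSP the assessment cannot be completed

# requirement id -> (full deduction, reduced deduction for partial implementation or None)
# CONSTRUCTED SUBSET: verify every entry against Annex A before use.
WEIGHTS: Dict[str, Tuple[int, Optional[int]]] = {
    "3.1.1": (5, None),    # limit system access to authorized users
    "3.1.2": (5, None),    # limit access to permitted transactions/functions
    "3.1.3": (1, None),    # control the flow of CUI
    "3.1.20": (1, None),   # control connections to external systems
    "3.3.1": (5, None),    # create and retain audit logs
    "3.3.2": (3, None),    # trace actions to individual users
    "3.5.3": (5, 3),       # MFA; 3 if only privileged/remote access is covered
    "3.5.7": (1, None),    # password complexity
    "3.12.2": (3, None),   # maintain a POA&M
    SSP_REQUIREMENT: (0, None),  # SSP: not scored, but required to assess at all
    "3.13.11": (5, 3),     # FIPS-validated crypto; 3 if encrypted but not FIPS-validated
    "3.14.1": (5, None),   # flaw remediation
    "3.14.2": (5, None),   # malicious code protection
}

# Constructed sample assessment (not real data).
SAMPLE_STATUSES: Dict[str, str] = {
    "3.1.1": IMPLEMENTED, "3.1.2": IMPLEMENTED, "3.1.3": NOT_IMPLEMENTED,
    "3.1.20": IMPLEMENTED, "3.3.1": NOT_IMPLEMENTED, "3.3.2": NOT_IMPLEMENTED,
    "3.5.3": PARTIAL, "3.5.7": IMPLEMENTED, "3.12.2": IMPLEMENTED,
    SSP_REQUIREMENT: IMPLEMENTED, "3.13.11": PARTIAL, "3.14.1": IMPLEMENTED,
    "3.14.2": NOT_IMPLEMENTED,
}


def deduction(req_id: str, status: str, weights=WEIGHTS) -> int:
    """Points deducted for one requirement under the 1/3/5 weighting."""
    full, reduced = weights[req_id]
    if status == IMPLEMENTED:
        return 0
    if status == NOT_IMPLEMENTED:
        return full
    if status == PARTIAL:
        if reduced is None:
            # "We plan to do it next quarter" is not partial credit.
            raise ValueError(f"{req_id} has no partial-credit rule; score it as not implemented")
        return reduced
    raise ValueError(f"unknown status {status!r} for {req_id}")


def check_assessment(statuses: Dict[str, str], weights=WEIGHTS) -> List[str]:
    """Return problems that make the score unsubmittable; an empty list means OK."""
    problems: List[str] = []
    for req_id in weights:
        if req_id not in statuses:
            problems.append(f"{req_id}: no status recorded (unassessed is not 'implemented')")
    if statuses.get(SSP_REQUIREMENT) != IMPLEMENTED:
        problems.append(f"{SSP_REQUIREMENT}: no SSP, so the assessment cannot be completed")
    for req_id, status in statuses.items():
        if req_id not in weights:
            problems.append(f"{req_id}: not in the weights table")
            continue
        try:
            deduction(req_id, status, weights)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def sprs_score(statuses: Dict[str, str], weights=WEIGHTS) -> int:
    """110 minus weighted deductions; raises if the assessment is not scorable."""
    problems = check_assessment(statuses, weights)
    if problems:
        raise ValueError("; ".join(problems))
    score = MAX_SCORE - sum(deduction(r, s, weights) for r, s in statuses.items())
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def prioritized_poam(statuses: Dict[str, str], weights=WEIGHTS) -> List[Tuple[str, int]]:
    """Open gaps ordered by points recoverable (highest first), then by requirement number."""
    gaps = [(r, deduction(r, s, weights)) for r, s in statuses.items()]
    gaps = [g for g in gaps if g[1] > 0]
    return sorted(gaps, key=lambda g: (-g[1], tuple(int(p) for p in g[0].split("."))))


if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_STATUSES))
    for req_id, pts in prioritized_poam(SAMPLE_STATUSES):
        print(f"  close {req_id} to recover {pts} point(s)")
```

Run it with python to print the sample score (90) and the ordered gap list; in practice, replace SAMPLE_STATUSES with the status column exported from your assessment spreadsheet and keep check_assessment() in the path so an undocumented or mis-scored requirement blocks the number before it reaches the attesting official.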
Update Your SPRS Score as You Remediate
SPRS is not a one-time submission. As you close POA&M items and improve your implementation, submit updated scores that reflect your improved posture. Each update requires a new senior official attestation. Contracting officers can see your submission history — a trajectory of improving scores demonstrates that your remediation program is real and progressing.
How low is too low? There is no statutory minimum SPRS score for contract award — contracting officers have discretion, and agency policies vary. In practice, a score below 0 will receive scrutiny and may result in a contracting officer requesting additional information about your remediation plan. A score of −20 to −50 with a detailed, credible POA&M is generally workable. A score of −80 or below with no POA&M signals a systemic compliance failure that will likely affect your competitive position.
Note for contracts with DFARS 252.204-7021: Once a contract incorporates 7021 specifying a CMMC certification level, holding that certification (and the associated SPRS posting) becomes a precondition to award regardless of the score itself. The "no statutory minimum" rule applies to the SPRS score; CMMC certification is a separate eligibility gate.
After Submission: Maintaining Compliance
A submitted SPRS score is not a set-and-forget compliance activity. DFARS 252.204-7019 and 252.204-7020 require that the score on file be current, meaning you have an ongoing obligation to refresh it as your implementation posture changes. The scored baseline remains NIST SP 800-171 Revision 2 under a DoD class deviation even though Revision 3 has been published; expect DoD to announce when the assessed revision changes.
Specifically, you must:
- Submit an updated SPRS score promptly after any significant change to your assessed system that changes your score (the clauses set no shorter fixed deadline than the three-year limit, but a score that no longer reflects the system is exactly the kind of inaccuracy the attestation covers)
- Conduct a new assessment and submit a refreshed score at least every three years (the assessment validity period mirrors the C3PAO certification cycle)
- Maintain your underlying assessment documentation — SSP, POA&M, and evidence artifacts — in a state that could be produced for government review on request
- Ensure your SAM.gov registration remains active — an expired SAM.gov registration can make your SPRS submission inaccessible to contracting officers
Contracting officers can, and sometimes do, request your assessment documentation during source selection or contract performance. Treat your SSP and assessment records as documents you may need to produce within 24–48 hours on request.
Ready to build your SSP? Your SPRS score is only as credible as the documentation behind it. See our SSP Section-by-Section Guide for a complete walkthrough of writing and maintaining the System Security Plan that substantiates your score.