CMMC & SPRS FAQ
Common questions about SPRS, NIST SP 800-171 scoring, CMMC levels, POA&Ms, and affirmation. Regulatory answers cite their governing source.
About SPRS & PIEE
What is SPRS?
The Supplier Performance Risk System (SPRS) is the DoD system that stores supplier risk information, including NIST SP 800-171 assessment scores and CMMC statuses. Contractors enter their summary score and assessment details there; it is the government's system of record for those results.
Source: SPRS / DISA
What is PIEE and how does it relate to SPRS?
The Procurement Integrated Enterprise Environment (PIEE) at piee.eb.mil is the single sign-on gateway. You authenticate in PIEE and access the SPRS Cyber Reports module from there. Roles and access are requested in PIEE and activated by your company's account administrator.
Source: SPRS Access / Cyber Reports guide
Does this tool submit my assessment to SPRS?
No. This is a preparation tool only. It helps you scope, score, track POA&Ms, and produce clean summaries to enter into SPRS yourself. It does not connect to SPRS or PIEE and confers no SPRS access or compliance certification.
Where do my CAGE codes and company hierarchy come from?
SPRS imports the CAGE hierarchy from SAM (sam.gov); changes typically propagate within about 48 hours. Hierarchy corrections are made through your Electronic Business Point of Contact in SAM, not in SPRS.
Source: SPRS / SAM
Scoring
How is the NIST SP 800-171 score calculated?
You start at a baseline of 110 (all 110 requirements implemented). For each requirement not implemented, you subtract its weighted value (5, 3, or 1 points). The score can go negative — as low as −203 if nothing is implemented.
Source: DoD Assessment Methodology v1.2.1
Why are some requirements worth 5 points and others 1?
The DoD Assessment Methodology weights requirements by impact: high-impact requirements are 5 points, confined-effect requirements are 3 points, and the remaining derived requirements are 1 point. Two requirements (3.5.3 MFA and 3.13.11 FIPS crypto) have built-in partial credit.
Source: DoD Assessment Methodology v1.2.1, Annex A
How does partial credit work for MFA (3.5.3) and encryption (3.13.11)?
3.5.3: −5 if multifactor authentication is not implemented at all, −3 if implemented only for remote and privileged users, 0 if fully implemented. 3.13.11: −5 if no cryptography is used, −3 if encryption is used but not FIPS-validated, 0 if FIPS-validated.
Source: DoD Assessment Methodology v1.2.1
Why can't I score without a System Security Plan?
Requirement 3.12.4 (the SSP) is not point-scored, but its absence means the assessment cannot be completed — it's treated as incomplete information and noncompliance with DFARS 252.204-7012. Treat the SSP as a prerequisite, not a deduction.
Source: DoD Assessment Methodology v1.2.1
Can my score really be negative?
Yes. Because each unimplemented requirement subtracts its weight from 110, the score can fall below zero (minimum −203). A negative score simply reflects many unimplemented high-weight requirements.
Source: DoD Assessment Methodology v1.2.1
CMMC levels & status
What are the CMMC levels?
Level 1 (Foundational) protects FCI with 15 basic safeguarding practices (FAR 52.204-21). Level 2 (Advanced) protects CUI against the 110 NIST SP 800-171 Rev 2 requirements. Level 3 (Expert) adds 24 NIST SP 800-172 enhanced requirements and is government-led (DIBCAC).
Source: 32 CFR 170
Do I need a self-assessment or a third-party (C3PAO) certification?
If your CUI is in the NARA CUI Registry but not in the DoD Organizational Index Grouping (OIG), Level 2 (Self) is the minimum. If it is in the DoD OIG, Level 2 (Certification / C3PAO) is the minimum. CUI meeting multiple criteria aligns to the highest applicable level.
Source: CMMC Level Determination Brief; 32 CFR 170
What score do I need for a Final vs Conditional Level 2 status?
A score of 110 is a Final self-assessment. A score of 88–109 is Conditional (you have a POA&M to close the gap). Below 88 you are not eligible to affirm as Conditional or Final.
Source: CMMC L2 Self Quick-Entry Guide; 32 CFR 170.21
What happens if my SPRS score is below 88?
Below 88 (a ratio under 0.8), you cannot affirm a Conditional or Final Level 2 status. You'd need to implement more requirements to reach at least 88 before a Conditional status with a POA&M is possible.
Source: 32 CFR 170.21
POA&M & validity
Which gaps can go on a POA&M?
A Conditional status requires score ÷ 110 ≥ 0.8, no POA&M item worth more than 1 point (except SC.L2-3.13.11 in its 3-point encryption-not-FIPS case), and none of six specific requirements (AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, PE.L2-3.10.5) on the POA&M.
Source: 32 CFR 170.21
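The scoring and POA&M rules above, combined into one status check. This is an added example, not this tool's own code; requirement ids use plain NIST numbering, and `REQ-A`-style ids and their 1-point weights are constructed placeholders.

```python
BASELINE = 110           # all 110 requirements implemented
CONDITIONAL_MIN = 88     # 88 / 110 = 0.8, the ratio floor for Conditional
SSP = "3.12.4"           # not point-scored; a missing SSP blocks scoring
# The six requirements the FAQ says can never sit on a POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.12.4", "3.10.3", "3.10.4", "3.10.5"}


def poam_blockers(gaps):
    """Return the reasons these open gaps cannot be carried on a POA&M."""
    blockers = []
    for req, points in sorted(gaps.items()):
        if req in NEVER_ON_POAM:
            blockers.append(f"{req}: not allowed on a POA&M")
        # Only 3.13.11 in its 3-point (encryption, not FIPS) case may exceed 1 point.
        elif points > 1 and not (req == "3.13.11" and points == 3):
            blockers.append(f"{req}: {points}-point item not allowed on a POA&M")
    return blockers


def level2_status(gaps):
    """gaps maps requirement id -> points deducted (5, 3 or 1; 0 for the SSP)."""
    if SSP in gaps:
        return ("Incomplete", None, [f"{SSP}: no System Security Plan"])
    score = BASELINE - sum(gaps.values())
    if score == BASELINE:
        return ("Final", score, [])
    blockers = poam_blockers(gaps)
    if score < CONDITIONAL_MIN:
        blockers.insert(0, f"score {score} is below {CONDITIONAL_MIN}")
    return ("Not eligible" if blockers else "Conditional", score, blockers)


if __name__ == "__main__":
    # Constructed sample assessments (placeholder ids and weights).
    samples = {
        "encryption not FIPS + two 1-pointers": {"3.13.11": 3, "REQ-A": 1, "REQ-B": 1},
        "MFA only for remote/privileged": {"3.5.3": 3},
        "excluded requirement open": {"3.1.20": 1},
    }
    for label, gaps in samples.items():
        print(label, "->", level2_status(gaps))
```

The second sample scores 107 yet is not eligible: partial MFA is a 3-point gap, and only 3.13.11 has the 3-point exception.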
How long do I have to close a POA&M?
A Conditional Level 2 self-assessment is valid for 180 days. You must close the POA&M via a closeout assessment within that window, or the status expires.
Source: 32 CFR 170.21; CMMC L2 Self Quick-Entry Guide
How long is each assessment valid?
Final Level 1 self-assessment: 1 year. Conditional Level 2: 180 days. Final Level 2 self-assessment: 3 years with annual affirmations. Level 2 (C3PAO) and Level 3 (DIBCAC): 3 years with annual affirmations (the Affirm button appears 60 days before each annual expiration).
Source: CMMC SPRS guides
Who affirms the assessment?
An Affirming Official — a senior representative responsible for the organization's continuing compliance — affirms each assessment. The AO needs a PIEE account with the SPRS Cyber Vendor User role; AO identity comes from the PIEE profile and can't be edited in SPRS.
Source: 32 CFR 170.4 / 170.22
Using this tool
Is it free?
Yes — you can run a full 110-requirement Level 2 self-assessment and see your score, status, and gaps for free, and all the public tools (Control Mapper, DFARS Reference, Incident Timer, Timeline Calculator, CUI Checklist) require no account. Paid tiers add unlimited assessments, exports, evidence, and collaboration.
Do I need an account to calculate my score?
No. The guest calculator runs the full assessment in your browser and shows your score and gaps without an account. To save your work, track POA&Ms, capture evidence, and generate SPRS-ready documents, you sign in for a free account.
Is this scored against NIST SP 800-171 Rev 2 or Rev 3?
CMMC Level 2 is scored against Rev 2 today — DFARS requires Rev 2, and a class deviation keeps assessments on Rev 2 until Rev 3 is adopted by future rulemaking. We include a separate, non-scoring Rev 3 readiness track for forward-looking preparation.
Source: CMMC Alignment to NIST Standards (Feb 2025)
Does this store CUI?
No. By design this tool never stores CUI. It holds your self-assessment preparation notes — findings, scores, POA&M text, CAGE/scope — which are your own prep data, not the federal CUI you're protecting. Evidence uploads are gated by a permanent no-CUI attestation.