What’s The Difference Between An SPRS Score & A CMMC Score?
If you’re a contractor or subcontractor working with the Department of Defense, then you’re already familiar with the reporting requirements for the government’s Supplier Performance Risk System (SPRS).
But if you’re one of the organizations within the Defense Industrial Base (DIB) that depends on maintaining your relationship with the Department of Defense (DoD) to keep or secure new contracts, it’s important to understand the critical role SPRS now plays in achieving CMMC 2.0 compliance.
The regulation, which went into effect on December 14, 2024, requires businesses to develop robust security defenses to protect the sensitive federal information they handle and undergo a CMMC assessment in order to get certified.
In this article, we’ll explore the differences between ongoing SPRS score reporting and CMMC score reporting in SPRS, and why both are necessary to continue doing business with the DoD.
With this information, you’ll be armed with the information you need to ensure compliance and remain competitive within the DIB.
What Are Supplier Performance Risk System (SPRS) Scores?
A supplier performance risk system (SPRS) score is something DIB businesses should already know about since it is a long-standing requirement to obtain federal contracts.
The Defense Federal Acquisition Regulation Supplement (DFARS) 7019 clause requires contractors to maintain a record of their NIST 800-171 compliance within the SPRS database (which is why it’s sometimes informally referred to as the DFARS score).
Specifically, it requires them to report their SPRS self-assessment scores before bidding on a new contract, when modifying an existing one, or when the prime is onboarding a new subcontractor.
An SPRS score is essentially a DoD contractor or subcontractor’s report card.
It gives the government a snapshot of its cybersecurity risk in doing business with you by evaluating how well you’ve met the 110 security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171.
The score itself is based on a self-assessment performed by the DIB contractor or subcontractor itself, using the DoD’s NIST SP 800-171 Assessment methodology.
Related Article: Step 1 For CMMC Certification: Understanding Your CUI & CMMC Level
While there isn’t a straight pass/fail, the score reveals your company’s reliability, quality of service, delivery performance, costs, and other variables.
Keep in mind that your SPRS score also factors in your performance across past DoD contracts.
These metrics allow the government to quickly and easily compare contractors when looking to renew a contract or award new ones and flag those deemed high risk.
Under the DFARS mandate, contractors can have up to a three-year window in between self-assessments. Language for how often SPRS scores must be reported, however, is found within each contract.
What Should You Know About SPRS Score Reporting?
After performing your self-assessment, you must then enter your SPRS score through an online portal called the Procurement Integrated Enterprise Environment (PIEE).
PIEE is a cloud-based platform that acts as the DoD’s one-stop-shop where it manages all of its procurement contracts and payments.
So, existing DoD suppliers and those interested in securing new contracts can head to the site for the latest updates on new solicitations and other contracting events.
Besides entering bids, suppliers can use the platform to manage their contracts, track payments, submit invoices, update company information, and streamline automated tasks.
It’s also important to know that you can submit your SPRS self-assessment score at the beginning of your CMMC compliance process. You can then use this score as a baseline for your current compliance, helping you identify security gaps and develop an effective plan to fix them.
Related Article: CMMC Step 3: How Defect Implementation Support Can Fix Security Gaps
Key SPRS assessment and score reporting factors:
- When a company submits its SPRS score before CMMC certification, it does so once every 3 years. However, once a company gets its CMMC certification, it must then submit the score every year (except for the year a C3PAO performs the assessment).
- Contractors and subcontractors perform their own assessments and submit the SPRS scores themselves, using the NIST SP 800-171 DoD Assessment methodology.
- Allows for defects (not meeting all 110 NIST security controls).
- Defects can be included in a plan of action & milestones (POAM), with no set deadline to fix them.
- No specific pass/fail designation, but scores can range from -203 to a maximum score of 110 (indicating you’ve satisfied all 110 NIST controls).
It should be noted that SPRS reports, including SPRS scores, are not made public. They are treated by the government as CUI, so only the DoD, your own company, and a select pool of individuals who are part of the DoD’s procurement acquisition team can see the data.
Also, there is no cost to submit an SPRS score.
That said, the cost of becoming NIST compliant can vary widely depending on factors like your current security posture and the size and complexity of your infrastructure.
What Should You Know About CMMC Assessment Score Reporting?
The Cybersecurity Maturity Model Certification Final Rule (CMMC 2.0) went into effect last December. This means language for the revamped regulatory requirements has already started showing up in contracts.
CMMC 2.0 is not an entirely new set of security standards.
Rather, it relies heavily on existing security frameworks and guidelines like NIST and DFARS, requiring businesses to implement rigorous security measures to safeguard the sensitive federal data that they store, process, or share.
The main new provision in the regulation is that it now requires DoD primes and their subcontractors to prove that they’ve met the security requirements through an assessment.
As with your SPRS score, your CMMC assessment score also provides the government with a window into your organization’s security posture.
CMMC 2.0, however, introduces a three-tiered compliance and assessment system.
Level 1 businesses that only handle federal contract information (FCI) must perform an annual self-assessment and attest to ongoing compliance each year.
Level 2 businesses, which handle both FCI and controlled unclassified information (CUI), are required to get audited by a certified third-party assessor organization (C3PAO) triennially, and re-attest annually.
Businesses at Level 3 handling highly sensitive CUI must get assessed by federal auditors through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to ensure robust protections against advanced persistent threats (APTs). They must also affirm continuing compliance annually.
CMMC assessment and score reporting factors:
- SPRS scores must be submitted annually to be considered valid under CMMC 2.0.
- Assessments are conducted by an independent C3PAO once every 3 years for Level 2 (costs vary).
Related Article: How To Find An Approved C3PAO For Your CMMC Level 2 Assessment
- Certain limited security defects are allowable.
- Not all cybersecurity defects can go on a POAM for remediation; automatic assessment failure can result if certain mandatory requirements are not met.
- If you score at least 88 out of 110 controls on your CMMC assessment, or 80 percent, you’ll be granted conditional certification, allowing you to develop a POAM to close the remaining security gaps within 180 days of score submission.
- C3PAO auditors submit CMMC assessment results and scores into the Enterprise Mission Assurance Support Service (eMASS), which then automatically sends them to SPRS.
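As an added example (not the article's own material and not a DoD tool), the following Python walk-through shows how the weighted scoring behind both lists works: the score starts at 110 and loses each unmet requirement's point value under the NIST SP 800-171 DoD Assessment methodology, which is why the floor is -203, and the CMMC rules above (the 88-point conditional threshold and mandatory requirements that cannot go on a POAM) are applied on top. The requirement ids, weights and mandatory set in the sample findings are assumed for illustration only.

```python
"""Constructed SPRS / CMMC scoring walk-through (illustrative, not official)."""
from dataclasses import dataclass

MAX_SCORE = 110                        # every requirement MET
MIN_SCORE = -203                       # floor quoted in the article
TOTAL_WEIGHT = MAX_SCORE - MIN_SCORE   # 313: the sum of all requirement weights
CONDITIONAL_THRESHOLD = 88             # 80% threshold quoted in the article
ALLOWED_WEIGHTS = (1, 3, 5)            # point values the DoD methodology assigns


@dataclass(frozen=True)
class Finding:
    requirement: str   # NIST SP 800-171 requirement id, e.g. "3.1.1"
    weight: int        # 1, 3 or 5 points
    met: bool


def sprs_score(findings):
    """110 minus the weight of every requirement marked NOT MET."""
    if any(f.weight not in ALLOWED_WEIGHTS for f in findings):
        raise ValueError("requirement weights must be 1, 3 or 5")
    return MAX_SCORE - sum(f.weight for f in findings if not f.met)


def cmmc_outcome(findings, not_poam_eligible):
    """Apply the article's CMMC rules: an unmet mandatory requirement fails
    outright; otherwise 110 is full certification and >= 88 earns conditional
    status with a 180-day POAM for the remaining gaps."""
    unmet = {f.requirement for f in findings if not f.met}
    if unmet & set(not_poam_eligible):
        return "fail: mandatory requirement not met"
    score = sprs_score(findings)
    if score == MAX_SCORE:
        return "certified"
    if score >= CONDITIONAL_THRESHOLD:
        return "conditional: POAM due within 180 days"
    return "fail: below 88"


# Constructed findings with assumed weights. Met requirements subtract nothing,
# so only the unmet ones affect the score: 110 - (5 + 5 + 1 + 3) = 96.
SAMPLE = [
    Finding("3.1.1", 5, True),
    Finding("3.4.8", 5, False),   # one 5-point gap costs as much as five 1-point gaps
    Finding("3.5.3", 5, False),
    Finding("3.8.9", 1, False),
    Finding("3.12.1", 3, False),
]
MANDATORY = frozenset({"3.1.1"})  # assumed non-POAM-eligible set for this demo
```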
Other Considerations To Know About CMMC Assessments And Scoring
It’s important to note that while the C3PAO assessment report and score are sent to SPRS through eMASS, the CMMC Accreditation Body, The Cyber-AB, will review the results and make the final certification decision.
Businesses can check their certification status and final results in SPRS.
You should also be aware that with a limited number of approved C3PAOs throughout the country, DIB companies are booking ahead to schedule their future audits.
Related Article: How to Cut CMMC Compliance & C3PAO Audit Costs: Grants, MSPs & More
This means if you’re under a time-crunch to become compliant and get certified to meet contract requirements, you should start researching potential assessors now to schedule your assessment or risk missing your deadline.
The Bottom Line: SPRS, CMMC Scores Keep You Compliant
Now that you’ve read this article, you understand the importance of reporting both your SPRS and CMMC scores into the DoD’s supplier portal to continue doing business with the government and be eligible for new contracts.
While the assessment and reporting requirements differ, the overall goal is the same: ensuring the integrity and security of sensitive federal information within the DIB supplier network.
The required security controls and assessments are designed to lessen the chances of a phishing attack or social engineering scheme that can lead to a ransomware attack, data breach, or other cyber incident.
Do you know where you stand with meeting CMMC compliance? Do you have a team in place with the specialized skills and knowledge to guide your compliance process?
Keep in mind that using an underqualified person to perform your self-assessment can lead to missed security vulnerabilities, resulting in lower scores and increased costs to fix the issues that weren’t identified or properly remediated.
What’s more, if you do suffer a data breach or other cyberattack because of noncompliance, you could suffer crippling financial harm, including substantial federal fines and penalties, reputational harm, legal fallout, and the possible loss of your DoD contracts.
With CMMC 2.0 security requirements already making their way into contracts, there’s no time to waste.
Remember, having a well-thought-out plan to establish your compliance strategy and budget is critical to a successful outcome.
If you don’t already have the staff in place to lead your compliance process, a CMMC compliance readiness partner might be the best solution for your business. With a capable readiness partner, you’ll get strategic guidance and support customized to your business.
If you’d like to learn more about what a readiness partner can provide, read this article.