Four wooden blocks rest on a computer keyboard, forming a shield logo with a check mark for strong cybersecurity.

What Is SPRS, and Does It Apply to My Business?

If you’re applying to the Cybersecurity Maturity Model Certification (CMMC), part of that process will require evaluating and submitting a SPRS score. What is SPRS, and what does it involve? Here’s a quick breakdown.

What Is SPRS?

The Supplier Performance Risk System (SPRS) is a web-enabled repository under the Department of Defense (DoD) that is used for government contractors to submit scores they receive from CMMC self-assessments. These assessments are meant to confirm that contractors have satisfied 110 practices under NIST SP 800-171. Low scores are not necessarily disqualifying, as long as those contractors have established Plans of Action and Milestones (POA&Ms) that explain which areas they may lack, and how they intend to remedy them within 180 days.

SPRS scores are then available to government agencies for their review when considering contractors for bids. They also provide risk data and assessments for price, item, and supplier, as well as any exclusion status like debarments and suspensions that a company may have. Further information is detailed on the SPRS website.

This self-assessment only applies to companies that are protecting information systems that house Federal Contract Information (FCI), as well as a subset of companies that must also secure any Controlled Unclassified Information (CUI). You can learn more about the differences between these two types of information here, and why they’re important to distinguish in regard to CMMC.

What Is Required With SPRS?

Along with your self-assessment score, you’ll need to maintain two pieces of evidence for each of the 110 practices your business claims to meet. The DoD has intensified its enforcement of the rules under CMMC, which puts added pressure on contractors to be as accurate as possible. Those that are found to be incorrect in their scores face the possibility of lost contracts — both future and current.

What If You Aren’t a Government Contractor?

Meeting the practices under NIST SP 800-171 isn’t a requirement for non-government contractors and businesses, but it is highly encouraged. The CMMC framework is ideal for any organization that wants to improve its data protection.

The DoD is currently in the process of finalizing CMMC 2.0, which is the enforcement arm of NIST SP 800-171.

What’s Involved With an Assessment?

You’ll need to complete your self-assessment using the CMMC Assessment Guide. You can access a digital copy here.

CMMC has been simplified in many ways in its transition to version 2.0, but it still has several requirements that may be confusing for contractors and businesses. While it’s certainly worthwhile to have internal team members who are knowledgeable about the CMMC framework and can help you with your self-assessments, you may find it easier to outsource this work to an experienced CMMC consultant.

Let’s Plan for Your Assessment!

Whether you’re a government contractor that’s required to meet CMMC compliance, or you simply recognize that it’s a good idea for your nongovernment business, I want to help you! 

When you’re ready, let’s talk about:

  • Your system security plan.
  • Performing and understanding your NIST SP 800-171 assessment results.
  • Establishing a timeframe for any changes you need to make. 
  • Starting your SPRS application and submitting your score.


Click here to schedule some time to discuss.

Check out our eBooks!

Get my weekly blog and other emails from me delivered straight to your inbox.

Join the Cyber CMMC Women's Group

8601 Robert Fulton Drive, Suite 130 | Columbia, Maryland 21046

Copyright © 2024 Healthcare Resolution Services, Inc.
All rights reserved. | Privacy Policy