The post-November 2025 picture, in one screen.
The Cybersecurity Maturity Model Certification (CMMC) program is something DoD primes had been preparing for since the mid-2010s. The 48 CFR DFARS rule that turns the program into a contract obligation took effect November 10, 2025. From that date forward, contracting officers can include the new DFARS clause family in solicitations, with the requirement to flow down to subcontractors that handle Controlled Unclassified Information (CUI).
The center of this universe is SPRS, the Supplier Performance Risk System at sprs.csd.disa.mil. SPRS is where contractors post their NIST SP 800-171 Basic Assessment self-scores under DFARS 252.204-7020, where DCMA posts Medium and High Assessment results, and where DoD contracting officers read the data on the buying side. Primes don't get to read SPRS for their subs.
- SPRS
- Supplier Performance Risk System. DoD application at sprs.csd.disa.mil. System of record for DFARS Basic / Medium / High Assessments, supplier performance metrics, and risk assessments DoD uses on the buying side.
- Basic Assessment
- Contractor self-assessment against NIST SP 800-171, posted by the contractor to SPRS under DFARS 252.204-7019 / 7020. Maximum score 110; deductions per unimplemented control.
- Medium / High Assessment
- DCMA-conducted assessments. Medium is documentation-based and remote; High is on-site with evidence verification. Posted by the DCMA assessor.
- C3PAO
- CMMC Third-Party Assessor Organization. Authorized by the Cyber AB (CMMC Accreditation Body) to conduct Level 2 third-party assessments. Issues CMMC Level 2 certificates that subcontractors share with primes.
What SPRS actually is.
SPRS is older than CMMC. It started as DoD's supplier-performance database (on-time delivery, quality, price reasonableness) and the cyber-assessment overlay was added when DFARS 252.204-7019 was published. As of the 48 CFR rule, SPRS hosts four data classes that matter to procurement diligence.
- Supplier risk score
- A composite supplier risk score DoD calculates from delivery, quality, price, and other performance signals. Color-coded; not publicly readable. CO-side tool.
- NIST SP 800-171 Basic Assessment
- Contractor self-score, 0 to 110. Posted to SPRS by the contractor under DFARS 252.204-7020 within 30 days of contract award (and refreshed every three years). The contractor is on the hook to keep this current.
- DCMA Medium / High Assessment
- DCMA-conducted scores. The contractor cannot self-post these; DCMA does. Available to government users only.
- CMMC certificate references
- When a contractor holds a Level 2 third-party certificate from a C3PAO, the certificate reference may be reflected in SPRS but the canonical record lives with the C3PAO.
Basic, Medium, and High in detail.
DFARS 252.204-7019 says the contractor must have a current NIST SP 800-171 self-assessment in SPRS. DFARS 252.204-7020 says the contractor agrees to provide DoD access to SPRS data and to refresh the assessment every three years. The two clauses together set the assessment cadence for everyone except the highest-sensitivity work.
- Basic Assessment
- Self-assessment. The contractor scores its own NIST SP 800-171 implementation, deducts points for each unimplemented or partially-implemented control, and posts the result. Maximum 110. The score is not a pass / fail; the data is what DoD evaluates. A Plan of Action and Milestones (POA&M) accompanies any score below 110.
- Medium Assessment
- DCMA-conducted, documentation-based, remote. The contractor submits its System Security Plan and supporting documentation; DCMA assessors review and score. Used for higher-sensitivity contracts.
- High Assessment
- DCMA-conducted, on-site, with evidence verification. The most rigorous level. Reserved for the highest-sensitivity CUI work.
- CMMC Level mapping
- CMMC Level 1 maps to FAR 52.204-21 (basic safeguarding of FCI) and is contractor self-assessment. CMMC Level 2 covers CUI; can be self or C3PAO depending on the data. CMMC Level 3 is DCMA-conducted and rare.
The Basic Assessment self-score is the workhorse number primes will be looking at because it is the most common (almost every defense supplier has one) and it is the one a sub can actually export and share. Medium and High Assessment results live in SPRS but the DCMA-posted score format and the access tier mean a sub typically gives the prime a contractual representation rather than raw SPRS evidence.
The November 10, 2025 DFARS final rule.
The CMMC program took two regulatory steps. The 32 CFR Part 170 program rule (the program structure: levels, assessment types, C3PAO accreditation) was finalized by DoD on October 15, 2024 and took effect December 16, 2024. The 48 CFR DFARS rule (the contract clause that flows the requirement to contractors) was finalized September 10, 2025 and took effect November 10, 2025. Without the 48 CFR rule, the program existed but contracting officers couldn't put it in solicitations. With it, the program is in flight.
The 48 CFR rule introduces a new clause family in DFARS 252.204-7021 that flows the CMMC level requirement to subcontractors. The rule preamble acknowledges that primes have no DoD-provided way to verify a subcontractor's SPRS score directly, and explicitly leaves the verification mechanism to contract drafting and supplier-supplied evidence.
- Phase 1 (Nov 10, 2025 to Nov 9, 2026)
- Self-assessment phase. Contracting officers may include CMMC Level 1 self-assessment requirements in solicitations. Most existing DFARS 252.204-7019 / 7020 obligations continue.
- Phase 2 (Nov 10, 2026 onward)
- Third-party assessment phase. Contracting officers may include CMMC Level 2 C3PAO assessment requirements in solicitations. This is the cliff most defense supply-chain compliance work is racing toward.
- Phase 3 (Nov 10, 2027)
- Higher-tier assessment phase. CMMC Level 3 DCMA assessment requirements may be added. Affects the highest-sensitivity CUI contracts.
- Phase 4 (Nov 10, 2028)
- Full implementation. CMMC requirements fully embedded across the entire DoD acquisition system.
Why primes can’t look up a sub’s CMMC status directly.
SPRS is gated to two user classes: the contractor (for its own records) and government users. A prime contractor is not in either class for its subcontractors. A prime can read its own SPRS data; it cannot read its subs'. DoD acknowledged this in the 48 CFR rule preamble and did not provide a verification API.
The result is a verification mechanism every defense prime now has to build into its supply-chain process: contractual attestation in the subcontract that the sub holds the required CMMC level; a contract right to demand SPRS evidence on request; and direct C3PAO certificate verification when the sub claims a Level 2 third-party assessment. The contract is the only enforcement layer; primes are responsible for ensuring their subcontracts contain the right clause flows.
Defensible verification workflow without direct SPRS access.
The verification workflow is a four-piece composite. None of the pieces alone is sufficient; together they give the prime a defensible record if DoD or a higher-tier prime ever asks for proof of due diligence.
- 1. Subcontract clause flow-down
- Flow DFARS 252.204-7021 (the new CMMC clause) and the 7019 / 7020 self-assessment clauses to every sub that handles FCI or CUI. Require the sub to represent the CMMC level it holds, the date of certification or self-assessment, the C3PAO if Level 2 third-party, and the SPRS score for self-assessed levels. Make false attestation a material breach with cure rights and termination.
- 2. SPRS export evidence
- Require the sub to export and share its own SPRS supplier-performance score for the relevant CAGE. The sub generates this from its own SPRS access; the prime files the export in the award folder. Verify the score is not aged out under DFARS 252.204-7020 (three-year freshness).
- 3. C3PAO certificate verification
- For any sub claiming Level 2 third-party or Level 3, request the C3PAO assessment certificate and confirm the certificate ID against the issuing C3PAO directly. The Cyber AB authorized-C3PAO list publishes contact information for each assessor; a direct email is the verification mechanism.
- 4. Document everything in the prime’s award file
- Save the SPRS export, the C3PAO certificate, and the sub’s contractual attestation in the award file. If DCMA later asks the prime to demonstrate due diligence on flow-down, the documentation is the only defense. Re-verify before each significant subcontract modification.
For the broader prime-verifies-sub workflow including the levels mapping and the contractual language, see CMMC verification for primes. That page is the operational sibling of this one.
Common mistakes and what they cost.
- Treating the sub's contractual attestation as the only proof. The attestation is a starting point, not the finding. Primes that take the attestation and skip the SPRS export are exposed if the attestation later turns out to be wrong.
- Accepting an aged-out SPRS Basic Assessment. DFARS 252.204-7020 says the assessment is valid for three years from the score-post date. A four-year-old score is not a valid response to a flow-down requirement, even if it's still in SPRS.
- Conflating CMMC Level 2 self-assessment with C3PAO third-party. Level 2 has two paths: self-assessment (allowed for some CUI) and C3PAO third-party (required for higher-sensitivity CUI). The contracting officer's solicitation specifies which is acceptable. A prime that treats them as interchangeable mis-flows the requirement.
- Skipping the C3PAO certificate verification step. A sub can produce a fake-looking C3PAO certificate. The only defense is contacting the issuing C3PAO directly. The Cyber AB publishes contact information; use it.
- Forgetting to re-verify on contract modification. A subcontract mod that changes the CUI handled, the duration, or the scope can change the required CMMC level. Re-verify on every significant mod; document.
- Treating CMMC as separate from FAR 9.104 responsibility. The CMMC level is part of standard (f) (otherwise qualified and eligible). A sub without the required CMMC level is not eligible for that subcontract under federal law. The eligibility cut feeds the prime's own responsibility finding to its CO. See FAR 9.104 responsibility determination.
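The four-piece verification workflow and the common-mistakes list above describe a decision a prime makes on every subcontract: are all four pieces present, is the SPRS score inside its three-year window, and does the claimed Level 2 path match what the solicitation demands? The following Python is an added example of that decision encoded as a checker over an evidence package; it is not code from the original page or from DiligenceDesk. The field names, the solicitation-requirement labels ("L1", "L2-self", "L2-c3pao", "L3"), the 3 × 365-day approximation of the three-year window, and the sample packages are all assumptions constructed for this example, and nothing in it reads SPRS, the Cyber AB list, or any other DoD system.

```python
"""Added example: a checker for the evidence package a prime assembles on a
subcontractor. It encodes the four-piece verification workflow and the
aged-out-score and self-vs-C3PAO mistakes; field names, the required-level
labels and the sample packages are assumptions for this example, and nothing
here reads SPRS, the Cyber AB list, or any other DoD system."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# DFARS 252.204-7020: a Basic Assessment self-score must be refreshed every
# three years from the post date. Modelled as 3 * 365 days (an approximation
# chosen for this example, not the regulation's own day count).
SPRS_VALIDITY_DAYS = 3 * 365

# Hypothetical labels for what the solicitation demands: (level, Level-2 path).
REQUIREMENTS = {
    "L1": (1, None),
    "L2-self": (2, "self"),
    "L2-c3pao": (2, "c3pao"),
    "L3": (3, None),
}


@dataclass
class EvidencePackage:
    cage: str
    claimed_level: int                 # 1, 2 or 3 as represented by the sub
    level2_path: Optional[str]         # "self" or "c3pao" when claimed_level == 2
    attestation_on_file: bool          # contractual representation in the subcontract
    sprs_score: Optional[int]          # Basic Assessment self-score from the sub's own export
    sprs_post_date: Optional[date]     # date the sub posted that score
    c3pao_cert_id: Optional[str]       # certificate ID the sub supplied, if any
    c3pao_confirmed_directly: bool     # prime confirmed the ID with the issuing C3PAO
    filed_in_award_file: bool          # export, certificate and attestation saved


def sprs_is_current(post_date: date, today: date) -> bool:
    """Three-year freshness check on a Basic Assessment post date."""
    return (today - post_date).days <= SPRS_VALIDITY_DAYS


def verify_package(pkg: EvidencePackage, required: str, today: date) -> list[str]:
    """Return findings that would leave the prime's record indefensible.
    An empty list means all four pieces are present and consistent."""
    findings: list[str] = []
    req_level, req_path = REQUIREMENTS[required]

    # 1. Clause flow-down: the sub's attestation must exist, and it is only a start.
    if not pkg.attestation_on_file:
        findings.append("no contractual attestation of CMMC level in the subcontract")
    if pkg.claimed_level < req_level:
        findings.append(f"sub represents Level {pkg.claimed_level}, solicitation requires {required}")
    elif req_level == 2 and req_path == "c3pao" and pkg.level2_path != "c3pao":
        findings.append("Level 2 self-assessment offered where the solicitation requires C3PAO third-party")

    # 2. SPRS export: present, in the 0-110 range, and not aged out under 252.204-7020.
    if pkg.sprs_score is None or pkg.sprs_post_date is None:
        findings.append("no SPRS Basic Assessment export on file")
    else:
        if not 0 <= pkg.sprs_score <= 110:
            findings.append(f"SPRS score {pkg.sprs_score} is outside the 0-110 range")
        if not sprs_is_current(pkg.sprs_post_date, today):
            findings.append(f"SPRS score posted {pkg.sprs_post_date} is older than three years")

    # 3. C3PAO certificate: needed when the sub claims Level 2 third-party or Level 3,
    #    and the paper proves nothing until the issuing C3PAO confirms it directly.
    claims_third_party = (pkg.claimed_level == 2 and pkg.level2_path == "c3pao") or pkg.claimed_level == 3
    if claims_third_party:
        if not pkg.c3pao_cert_id:
            findings.append("third-party level claimed but no C3PAO certificate supplied")
        elif not pkg.c3pao_confirmed_directly:
            findings.append(f"certificate {pkg.c3pao_cert_id} not yet confirmed with the issuing C3PAO")

    # 4. Award file: the documentation is the prime's only defense later.
    if not pkg.filed_in_award_file:
        findings.append("evidence not saved to the award file")
    return findings


# Constructed sample packages (CAGE codes and certificate IDs are placeholders).
TODAY = date(2026, 1, 15)
CLEAN = EvidencePackage("XXXX1", 2, "c3pao", True, 110, date(2024, 6, 1),
                        "C3PAO-CERT-PLACEHOLDER", True, True)
AGED = EvidencePackage("XXXX2", 1, None, True, 95, date(2022, 11, 1), None, False, True)
WRONG_PATH = EvidencePackage("XXXX3", 2, "self", True, 104, date(2025, 3, 3), None, False, False)

if __name__ == "__main__":
    for name, pkg, req in (("clean", CLEAN, "L2-c3pao"), ("aged", AGED, "L1"),
                           ("wrong_path", WRONG_PATH, "L2-c3pao")):
        print(name, verify_package(pkg, req, TODAY) or ["defensible"])
```

Run as-is it reports the clean package as defensible, flags the Level 1 package only for its aged-out score, and flags the third package twice: a self-assessment offered against a C3PAO requirement, and evidence never filed. The point of keeping the checks as four separate blocks is that a finding in any one of them is enough to make the record indefensible, which is the "none of the pieces alone is sufficient" rule from the workflow above.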
Where DiligenceDesk fits: the orchestrator handles the SAM, FAPIIS, exclusion, and Section 889 checks that sit alongside CMMC verification in pre-award diligence. CMMC itself requires contractor-supplied SPRS evidence and C3PAO certificate verification, which lives outside the public-data orchestration pattern. The two workflows complement each other; neither replaces the other.
Run the SAM, FAPIIS, exclusions, and Section 889 checks alongside SPRS verification.
Free. No account. DiligenceDesk handles the public-data side of the FAR 9.104 evidence pool. SPRS and C3PAO verification stay with you and your subs.