Skip to the main content.

1 min read

Day 32: SPRS Scores—Your First Gate to CMMC

With just 32 days left until the CMMC deadline, it’s time to talk about the Supplier Performance Risk System (SPRS)—the first gate you must pass before certification.

SPRS is the DoD’s centralized system for tracking contractor performance, including cybersecurity readiness. Before you can even schedule a CMMC assessment, you must submit your NIST SP 800-171 self-assessment score to SPRS.

Why SPRS Submission Matters

  • Required for all DoD contractors handling Controlled Unclassified Information (CUI)
  • Validates your SSP and POA&M
  • Determines contract eligibility

If your SPRS score is missing, outdated, or unsupported by documentation, you risk losing contracts—even if your technical environment is secure.

What Goes Into Your SPRS Score?

Your score is based on how many of the 110 NIST SP 800-171 controls you’ve implemented. Each missing control deducts points. You must also document:

  • A current System Security Plan (SSP)
  • A detailed Plan of Action and Milestones (POA&M) for any gaps

Common Mistakes We See

  • Submitting scores without a valid SSP
  • Failing to update scores annually
  • Miscalculating control implementation

How Valeo Networks Helps

We guide you through:

  • Accurate score calculation
  • SSP and POA&M alignment
  • SPRS submission and renewal timelines

Your SPRS score is your ticket to CMMC—don’t let it expire.

📧 Contact: Jim Gast – jim@valeonetworks.com 

How to Determine Your Data Loss Risk Score & Protect Your Company From a Total Loss

How to Determine Your Data Loss Risk Score & Protect Your Company From a Total Loss

If you’ve read any of our recent blogs, you know how vulnerable your data is to hackers and that by not having a protection plan in place, you are at...

Read More
Day 51: What Is a POA&M—and Why It’s Not a Free Pass

Day 51: What Is a POA&M—and Why It’s Not a Free Pass

POA&Ms are useful—but they’re not a loophole.With 51 days left, many contractors are relying on Plans of Action and Milestones (POA&Ms) to address...

Read More
Day 59: CMMC Isn’t Optional—It’s Operational

Day 59: CMMC Isn’t Optional—It’s Operational

The DFARS final rule is now in effect, and CMMC compliance is no longer a future requirement—it’s operational today. With just 59 days left until the...

Read More