Day 32: SPRS Scores—Your First Gate to CMMC

With just 32 days left until the CMMC deadline, it’s time to talk about the Supplier Performance Risk System (SPRS)—the first gate you must pass before certification.

SPRS is the DoD’s centralized system for tracking contractor performance, including cybersecurity readiness. Before you can even schedule a CMMC assessment, you must submit your NIST SP 800-171 self-assessment score to SPRS.

Why SPRS Submission Matters

• Required for all DoD contractors handling Controlled Unclassified Information (CUI)
• Validates your SSP and POA&M
• Determines contract eligibility

If your SPRS score is missing, outdated, or unsupported by documentation, you risk losing contracts—even if your technical environment is secure.

What Goes Into Your SPRS Score?

Your score is based on how many of the 110 NIST SP 800-171 controls you’ve implemented. Each missing control deducts points. You must also document:

• A current System Security Plan (SSP)
• A detailed Plan of Action and Milestones (POA&M) for any gaps

Common Mistakes We See

• Submitting scores without a valid SSP
• Failing to update scores annually
• Miscalculating control implementation

How Valeo Networks Helps

We guide you through:

• Accurate score calculation
• SSP and POA&M alignment
• SPRS submission and renewal timelines

Your SPRS score is your ticket to CMMC—don’t let it expire.

📧 Contact: Jim Gast – jim@valeonetworks.com