What is SPRS?
SPRS stands for Supplier Performance Risk System. SPRS is the DoD system where contractors post their NIST 800-171 self-assessment score and, under CMMC, their certification status and affirmations.
The Supplier Performance Risk System (SPRS) is the government database contracting officers check to confirm a contractor's cybersecurity posture. A NIST 800-171 self-assessment score has been required in SPRS since DFARS 252.204-7019/7020 took effect in November 2020.
Under CMMC, SPRS also holds your certification status and the annual senior-official affirmation. On November 10, 2026, a current Level 2 certification and affirmation in SPRS becomes a condition of award for new CUI solicitations.
A SPRS score is a signed federal representation. The 2026 LOGZONE False Claims Act settlement — a self-reported 110 against a DIBCAC-assessed −170 — established that an inflated SPRS score can be treated as fraud, even without a breach.
- NIST SP 800-171: NIST SP 800-171 is the federal standard of 110 security controls for protecting CUI in non-federal systems — the technical basis of CMMC Level 2.
- POA&M: A POA&M is a tracked plan for remediating security controls that are not yet fully implemented, with owners and target dates.
- DFARS 252.204-7012: DFARS 7012 is the long-standing clause requiring contractors to safeguard covered defense information per NIST 800-171 and report cyber incidents within 72 hours.
