SPRS and Meeting CMMC Requirements with Self-Assessment

Michael Peters

3 hours ago

With the activation of CMMC Phase 1 on November 10, 2025, contractors meeting Level 1 Maturity (and, in some cases, Level 2) can provide self-assessment documentation in lieu of undergoing an audit with a C3PAO. This means that every cybersecurity claim a defense contractor makes now carries the same legal weight as a cost or performance claim.

But what does this mean for contractors in the DIB? In many cases, while it opens up plenty of opportunities to streamline compliance through self-reporting, it also opens up legal liability if that reporting isn’t accurate.

Understanding SPRS

The Supplier Performance Risk System (SPRS) is the DoD database where contractors submit their NIST SP 800-171 self-assessment scores.

Every assessment starts with a perfect score of 110, with 1 point for each of the 110 controls in NIST 800-171. From that ceiling, contractors subtract points for any control that’s not fully implemented. On top of that, some controls are weighted at 1 point, others at 3 points, and the most critical at 5 points. With that math, it’s possible for an organization to score a perfect 110 or a negative 203.

Before any of that scoring matters, however, an organization must have a working SSP. The SSP is the foundational blueprint that describes how each control is implemented across the contractor’s environment. Without an operational SSP that maps controls to systems, users, and processes, no valid SPRS score can be calculated.

Contracting officers now actively review SPRS entries before award, and a missing or expired score effectively removes a contractor from consideration before the technical evaluation even begins.

The Integrity Gap: Why Internal Scores Are Frequently Wrong

Unfortunately, internal scores submitted to SPRS are often dramatically higher than those produced by an independent assessment. Several factors drive this consistent over-scoring:

Lack of Familiarity with NIST SP 800-171: Most internal teams conducting these assessments are IT administrators or business owners, not assessors. The 110 controls map to 320 assessment objectives in NIST 800-171, and each objective has its own evidence expectations.
The Pressure to Win Contracts: When a high SPRS score directly affects contract eligibility, there is enormous internal pressure to interpret ambiguous controls in the most favorable light possible.
Confusion Between Policy and Implementation: The DoD assessment methodology requires evidence that the policy is being followed, with supporting artifacts.
Leaving Controls for Post-Audit Correction: POA&Ms can document gaps and remediation timelines, but they do not earn points under the scoring methodology. Many contractors mentally credit themselves for controls they intend to implement, rather than for those already in place.

What Is Wrong with this Approach?

Beyond bias and inexperience, several specific methodology failures are showing up in assessment after assessment.

Improper Scoping. The compliance boundary defines which systems, networks, and users handle FCI or CUI, and therefore which assets are subject to NIST 800-171. When that boundary is poorly defined, organizations either pull too much into scope, creating unnecessary remediation costs, or leave critical systems out, creating coverage gaps that an assessor will immediately flag.
Partial Credit. Internal scorers frequently assume that a control implemented for some users, or in some environments, deserves at least some of the available points. The DoD methodology does not work this way. With a small number of explicit exceptions for items such as multi-factor authentication and FIPS-validated encryption, controls are scored as either fully implemented or not implemented.
Policy vs. Implementation. A meaningful number of NIST 800-171 controls require both written documentation and operational evidence. You need to have both in place to prove that the control is active and functioning correctly.

The False Claims Act and Penalties

The False Claims Act allows the federal government to recover up to three times the amount of any fraudulently obtained payment, plus per-claim penalties.

In October 2021, the Department of Justice launched the Civil Cyber-Fraud Initiative, explicitly stating that the FCA would be used to pursue contractors who knowingly misrepresent their cybersecurity practices, fail to comply with cybersecurity requirements, or fail to report incidents. Two liability theories drive most cybersecurity FCA cases:

Promissory Fraud applies when a contractor wins an award by misrepresenting its cybersecurity posture during the bidding process. If a contractor had not received the contract, had the truth been known, the entire contract value could have been subject to FCA recovery.
False certification is when a security contractor invoices you for services that do not meet the requirements as agreed upon in your contract.

The “second dataset” risk now hanging over every contractor is that the government will increasingly compare self-reported SPRS scores against independent C3PAO assessment results as third-party assessments become standard in Phase 2. Significant discrepancies between what a contractor told SPRS and what an assessor finds will become measurable triggers for a DOJ investigation.

Building Provable Self-Attestation for CMMC

Across all of these shifting rules and expectations, the ultimate goal is to produce evidence that would convince an independent assessor and, if necessary, a federal investigator.

A defensible compliance posture now rests on four practices:

Build an Evidence Trail: Organizations need dated evidence that demonstrates controls are operating in “the real world,” rather than just a mention in documentation. Artifacts such as scan reports with timestamps, training completion records, log samples from ongoing monitoring, configuration baselines, change records, and access reviews all meet this criterion.
Get an Unbiased Review: Third-party gap analyses provide an external perspective that internal teams simply cannot. The point is not to obtain a higher score but to obtain an honest one. Engaging a Registered Practitioner Organization or qualified independent consultant before submitting to SPRS surfaces problems while there is still time to address them, rather than after the score is on file and the contracts have been signed.
Reduce the Assessment Boundary with Enclaves: Enclaves simplify scope and reduce the surface area subject to assessment, which makes it much easier and safer to conduct self-attestations. Approaches such as end-to-end encrypted file sharing, segmented CUI environments, and cloud services with FedRAMP Moderate equivalency allow organizations to constrain CUI handling within a smaller, more controllable perimeter.
Apply the Examine, Interview, Test method: This is the methodology assessors actually use, and internal teams should adopt it. Examine means reviewing documents, policies, and configurations to confirm their existence and alignment with the control. An interview means talking to the people responsible for executing the control to confirm they understand it and follow it consistently. Test means observing the control in action, whether by running a configuration check, reviewing a log, or watching a process executed end-to-end.

Ensure Accurate Assessments with Lazarus Alliance

Accurate scoring is the most reliable defense an organization has, both against adversaries who exploit the gaps that inflated scores leave behind and against legal consequences that follow when those gaps are finally exposed.

To learn more about how Lazarus Alliance can help, contact us.

[wpforms id=”137574″]