Published 15 Nov 2024

Prime Demanded an SPRS Score. What Do I Do?


First, don't panic. This is becoming more common now that the CMMC Program rule (32 CFR Part 170) has been finalized, with assessments expected to become available in about a month (December 2024). Assessments are voluntary right now, but they are expected to start appearing as a requirement in new DoD contracts in mid-2025, phased in over several years. Once the contract clause applies, a prime whose contract requires an assessment must also ensure that every subcontractor that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) under that contract has the assessment its level requires.

The SPRS score is your organization's self-assessment of how well it has implemented the 110 security requirements of NIST SP 800-171, scored under the DoD Assessment Methodology and posted to the Supplier Performance Risk System (SPRS). DFARS 252.204-7019 and 252.204-7020 already require it, and it measures the same requirements a CMMC Level 2 assessment will check. Your prime sent this request to determine whether your company is actively working toward meeting those requirements and how far along you are. The prime needs this information to decide whether it can depend on you to remain eligible for future subcontracts once the prime itself must be assessed. Since it typically takes 12 to 18 months for an organization to get ready to pass an assessment, the prime needs to know your status now; otherwise it may need to find alternative subcontractors.

Here’s how suppliers can navigate this:

1. SPRS Score Reporting: You are being asked to evaluate your compliance with each of the 110 security requirements in NIST SP 800-171 (Rev. 2, the revision DoD currently scores against). Under the DoD Assessment Methodology you start at 110 and subtract 1, 3, or 5 points for each requirement that is not fully implemented, so the score ranges from 110 down to -203. The resulting score, together with the assessment date, the scope of the system assessed, and the date by which you expect to reach 110, must be posted to SPRS. Your score may be good. But if you haven't been working toward CMMC compliance, it may not be so good, or it may be really bad. Regardless, you must post a truthful score. Knowingly reporting a false score exposes the company to liability under the False Claims Act and, potentially, criminal prosecution for false statements to the government. And transparency with your prime is essential to maintaining its trust and confidence.

2. Minimum Scores and Clear Improvement Plans (POA&M): A common question is, "What is the minimum score?" For the SPRS self-assessment itself there is none; DFARS 252.204-7019 only requires that a current score be posted. But if a subcontractor's score is lower than the prime is comfortable with, the prime may start looking for another company to do the job. So, when informing the prime of your SPRS score, it is advisable to also detail what your company is doing to improve. Remember that a CMMC Level 2 assessment requires every one of the 110 requirements to be met; the rule permits only a limited POA&M, for a subset of lower-weighted requirements, and only if you score at least 88 at the time of assessment, with the open items closed within 180 days. Creating a Plan of Action and Milestones (POA&M) document now is crucial to assuring the prime that your implementation effort is underway and well organized, and it is the same document you will need in order to post your expected completion date in SPRS.

3. Leverage Third-Party Resources: Engaging trusted third-party vendors for compliance support can be a game-changer. By tapping into outside expertise, you can accelerate your path to compliance, benefitting both your business and the broader defense ecosystem.

Finally, don't forget your own vendors. If your organization passes Controlled Unclassified Information (CUI) to a vendor, 32 CFR Part 170 flows the CMMC requirement down to that vendor. That includes software and service providers and any vendor who receives technical data, like engineering drawings, from you. A cloud provider that stores or processes your CUI is handled differently: under DFARS 252.204-7012 it must meet the FedRAMP Moderate baseline (or a DoD-recognized equivalent), and under 32 CFR Part 170 that is what your own assessment will check, rather than a CMMC certification of the provider. It is your responsibility to make sure your vendors comply, and that their vendors do too. Supply chain readiness is a critical aspect of a CMMC compliance program. So, it's time to send a similar letter to them asking for their SPRS score too.


Brenda Harper
Content Writer