SPRS, explained.
The system a contracting officer actually reads — and how your record gets there.
Assessments happen in conference rooms and server rooms; eligibility happens in a database. The Supplier Performance Risk System is where every CMMC status, score, and affirmation officially lives. This page covers who posts what through which path, the workflow from account to affirmation, what a contracting officer sees, and the snags that catch people.
01What SPRS is
The Supplier Performance Risk System is DoD’s system of record for supplier risk information — and for CMMC, the operative fact is narrower and more useful: it is the record a contracting officer checks. Statuses, assessment results, and affirmations count when they exist in SPRS, not when they exist in a binder or even in eMASS — eMASS is where C3PAO and DIBCAC results get filed, and it transmits to SPRS automatically (Glossary covers how the two relate). Access runs through DoD’s Procurement Integrated Enterprise Environment (PIEE) at piee.eb.mil — the address the CMMC solicitation provision itself points offerors to. 32 CFR 170.4; DFARS 252.204-7025(b)(2)(i)
02Who posts what, by path
| Path | Who enters it | What lands in SPRS | Rhythm |
|---|---|---|---|
| Level 1 (Self) | The OSA, directly | CMMC Level, Status Date, Assessment Scope, all associated CAGE codes, compliance result — plus the affirmation. | Annual. 32 CFR 170.15(a)(1)(i) |
| Level 2 (Self) | The OSA, directly | Self-assessment results and score, plus affirmations. | Every three years, affirmed annually. 32 CFR 170.16 |
| Level 2 (C3PAO) | The C3PAO files in eMASS; eMASS transmits to SPRS | The certification assessment result and status; the OSC’s Affirming Official still enters affirmations directly. | Every three years, affirmed annually. 32 CFR 170.17 |
| Level 3 (DIBCAC) | DCMA DIBCAC, via eMASS | The Level 3 assessment result and status, on top of the Final Level 2 (C3PAO) record; affirmations again enter directly. | Every three years, affirmed annually. 32 CFR 170.18 |
| Legacy 800-171 DoD Assessment | The contractor (Basic) or the government (Medium/High) | The pre-CMMC assessment score — a separate record from a CMMC Status, and not interchangeable with one. | Being superseded as CMMC phases in; government assessments continue under 252.240-7997. The contract clauses |
03The workflow, in order
Access first. SPRS entry runs through a PIEE account with the appropriate SPRS role — worth setting up well before anything is due, because account provisioning is its own small project and the person entering results is often not the person who signed up.
Then the assessment record. For a self-assessment, the OSA enters its own results (the Level 1 input list above is the model: level, status date, scope, CAGE codes, result). For a certification path, the C3PAO or DIBCAC files through eMASS and the record arrives in SPRS without the OSC entering it.
SPRS issues the CMMC UID. Each assessed information system gets a CMMC unique identifier, generated by SPRS once self-assessment results are entered. Solicitations carrying 252.204-7025 ask offerors to provide the UIDs for every system that will touch FCI or CUI in performance — and to keep the list updated as new UIDs are generated. A UID is scope-shaped: it identifies a system’s record, not a company-wide blessing. DFARS 252.204-7025(d)
The affirmation, every time. The Affirming Official enters an affirmation of continuing compliance in SPRS at each trigger: when the status is first achieved, annually after that, and at POA&M closeout. The desk covers what signing one means — see Evidence, SSP & POA&M. 32 CFR 170.22
04What a contracting officer sees
The rule says
“Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 1 (Self), OSAs must both achieve a CMMC Status of Level 1 (Self) and have submitted an affirmation of compliance into SPRS for all information systems within the CMMC Assessment Scope.”
32 CFR 170.15(b); the same two-part structure runs through §§170.16–170.18In practice
“Current” is a two-clock test, checked in SPRS at award: an assessment inside its window (annual at Level 1, three-year at Levels 2 and 3) and an affirmation inside its one-year window — for every system in scope. Either clock lapsing ends eligibility, and the week a proposal goes out is a bad time to discover it. The Assessment covers both clocks.
05Common snags
The affirmation lapses while the score stays clean. Nothing about the security posture changed; the calendar did. An affirmation is the shorter of the two clocks and the easier to miss — it deserves a standing owner and a standing date, somewhere that survives staff turnover.
A legacy score gets mistaken for a CMMC Status. The old NIST SP 800-171 DoD Assessment score (the 7019-era record) and a CMMC Status are different records in the same system. A solicitation that requires a CMMC Status is not satisfied by the legacy score sitting next to it.
A self-assessed 110 gets read as “certified.” SPRS faithfully records what was entered, including who entered it. A Level 2 (Self) record does not convert into the Level 2 (C3PAO) status a solicitation may require — the paths differ, and the record shows which one you took (The Levels).
UIDs go stale as scope changes. New system, new enclave, new assessment — new UID. Proposals carry the UID list, so scope changes ripple into proposal hygiene, not just security documentation.
06Sources
| Document | What it’s for |
|---|---|
| 32 CFR 170.15 – 170.18 | What each assessment path files, where it lands, and the eligibility structure at each level. |
| 32 CFR 170.22 | Affirmation triggers, timing, and the Affirming Official. |
| DFARS 252.204-7025 | The award-eligibility check against SPRS, and the CMMC UID mechanics. |
| SPRS · PIEE (piee.eb.mil) | The system itself, and the access environment in front of it. |