Elevate

SPRS Scoring & POA&M: CMMC Level 2 Assessment Guide for DIB Contractors

A shocking statistic reveals that only 4% of defense contractors are ready for CMMC certification. The CMMC Level 2 assessment guide helps organizations in the Defense Industrial Base (DIB) boost their cybersecurity standards.

Defense contractors need a perfect SPRS score of 110 to meet CMMC standards. Yet the average Supplier Performance Risk System score sits at -12. This gap shows why contractors must understand the CMMC assessment process. Your SPRS score measures how well you comply with NIST 800-171. The Department of Defense uses this score to check whether contractors can protect sensitive information properly. A poor score could block your organization from contracts or make prime contractors see you as high-risk.

This piece gives you a complete breakdown of SPRS scoring, POA&Ms, and CMMC compliance requirements. Whether you are starting your CMMC readiness journey or working to improve an existing program, you will find what you need here to work through the CMMC Level 2 requirements.

Understanding SPRS Scoring in the Context of CMMC 2.0

[Image: comparison chart outlining key differences between SPRS self-assessment scores and CMMC assessment scores in defense contracts. Image source: Kelser Corporation]

The Supplier Performance Risk System (SPRS) lies at the heart of the Department of Defense’s cybersecurity compliance framework. Let’s take a closer look at how this system works within the CMMC 2.0 program to help you learn about its role in securing the Defense Industrial Base.

SPRS as a DoD Risk Evaluation Tool

SPRS operates as a web-enabled enterprise application that helps the Department of Defense collect, process, and display its suppliers’ performance data. The system started as a procurement risk analysis tool for price, item, and supplier risks, but has now become a crucial cybersecurity assessment platform.

The system serves as “the authoritative source to retrieve supplier and product performance information for the DoD acquisition community”. Contracting officers employ SPRS to:

  • Assess item risk for products
  • Analyze price risk for both products and services
  • Review overall supplier risk based on documented performance
  • Check cybersecurity compliance status

SPRS alerts users about possible risks related to diminishing manufacturing sources, material shortages, and counterfeiting history. The system also helps contracting officers determine fair and reasonable prices, making it a key tool in the DoD’s risk management strategy.

Connection Between SPRS and NIST SP 800-171

SPRS scoring methodology links directly to NIST SP 800-171 compliance requirements. The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 required contractors to implement NIST 800-171 fully by December 31, 2017. These requirements are the foundations of the SPRS scoring system.

Your SPRS score ranges from 110 (perfect compliance) to -203 (worst possible score). This range shows how well your organization has implemented the 110 security controls in the NIST SP 800-171 framework. These controls cover 14 different cybersecurity domains including access control, configuration management, and incident response.

The scoring system weighs each requirement based on its importance:

  • 5 points for requirements that could lead to major network exploitation or CUI theft if missing
  • 3 points for requirements with specific but limited security effects
  • 1 point for requirements with minimal security impact

Seen from the bottom up, an assessment with nothing implemented sits at -203. Each requirement you meet adds back its corresponding points (1, 3, or 5), so a fully implemented set of requirements reaches the perfect score of 110.

Why SPRS Scores Matter for CMMC Level 2

SPRS scores play a vital role for organizations seeking CMMC Level 2 certification. Level 1 uses a simple pass/fail approach without numbers, but Level 2 needs a thorough assessment against all 110 NIST SP 800-171 controls.

Organizations should aim for an SPRS score of at least 88 after internal preparation and self-assessment before pursuing CMMC Level 2 certification. This score is the minimum needed for “Conditional” certification status, assuming the other criteria are met.

The DoD added this verification requirement because Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) research found many self-reported perfect scores of 110 were inaccurate. This led to the shift toward third-party assessments in CMMC 2.0.

Organizations must keep their CMMC status current in SPRS to qualify for contracts with CMMC requirements. Your SPRS score directly affects your eligibility for DoD contracts, making it crucial for business success.

Note that organizations must fully implement all 1-point controls without using a Plan of Actions & Milestones (POA&M). This highlights the need to prioritize certain controls while working toward compliance.

How the SPRS Scoring Methodology Works

[Image: infographic detailing NIST SP 800-171 and CMMC Level 2 assessment scoping across various asset categories and requirements. Image source: Peak InfoSec]

The SPRS scoring system works differently from what you might expect, yet it’s simple to grasp. Organizations don’t earn points – they lose them. This calculation method is essential to know if your organization aims for CMMC Level 2 certification.

Starting Score of 110 and Deduction Tiers

The SPRS calculation takes a different approach from regular scoring systems. You start with a perfect score of 110 points. This score shows you’ve implemented all 110 security controls required by NIST Special Publication (SP) 800-171. Your score drops for each security control you haven’t fully implemented.

Note that you can’t get partial credit – you either implement a control fully or face deductions. Many organizations going through their first CMMC assessment process see lower scores at first, but these improve as they implement more controls.

The system weighs each control based on its security importance. The point deductions fall into three categories:

  Deduction   Risk Level   Description
  5 points    High         Critical controls that address major security risks
  3 points    Medium       Controls with specific but limited security effects
  1 point     Low          Controls with minimal or indirect security impact

Your baseline score of 110 drops by these points for each missing security requirement. Your score can drop quickly if you haven’t implemented several controls.

Weighted Controls: 1, 3, and 5 Point Deductions

The DoD prioritizes some security controls over others in CMMC scoring. Controls worth 5 points protect against critical vulnerabilities that could lead to major security breaches. These include basic security measures like:

  • Multi-factor authentication implementation
  • Proper access control measures
  • Audit logging capabilities

Controls worth 3 points deal with specific security needs that have moderate effects. The 1-point controls still matter but don’t affect your security as much.

This weighting helps organizations plan their security improvements. You’ll see the biggest score improvements by implementing the 5-point controls first.

Negative Scores and Their Implications

Many organizations are surprised to learn that CMMC assessment scores can drop below zero. Scores range from 110 down to -203. A negative score usually means you’re missing basic controls in several areas.

A negative score doesn’t mean you’ve failed completely, but it shows you have big gaps to fix right away. Many contractors score below zero in their first assessments.

Here’s what the different score bands mean for CMMC compliance:

  • 110: You meet all NIST SP 800-171 controls
  • 88-109: You’re getting there but need POA&Ms
  • Below 88: You have big gaps that might stop you from working with CUI
  • Below 0: You’re missing critical security controls and need to fix them now

DoD procurement officials and prime contractors use these scores to check cybersecurity risk. A low score might label your organization as high-risk. This could limit your contract opportunities, no matter how good you are at everything else.

Role of POA&M in CMMC Readiness

The Plan of Action and Milestones (POA&M) plays a vital role in the CMMC certification process. Organizations can achieve conditional certification while they work toward full compliance. POA&Ms provide structure to address security gaps within specific timeframes during the CMMC assessment process.

What is a POA&M and When is it Used?

A POA&M acts as a corrective action plan that documents security deficiencies and outlines steps to fix them. The document lists tasks, resources, milestones, and completion dates.

POA&Ms are used in these cases:

  • Security gaps show up during CMMC assessments
  • Organizations need to show a clear path to full compliance
  • They seek conditional certification during remediation

POA&Ms show your commitment to fixing cybersecurity weaknesses step by step. A POA&M goes beyond a simple checklist for CMMC readiness. It serves as a formal accountability tool that proves to assessors you understand your security gaps and know how to fix them.

POA&M Eligibility Criteria for Conditional Certification

The Department of Defense has set clear rules about POA&M usage. Not every security requirement qualifies, and POA&Ms aren’t allowed at all CMMC levels:

  • CMMC Level 1: POA&Ms aren’t allowed at all
  • CMMC Level 2: POA&Ms work only under specific conditions
  • CMMC Level 3: Extra restrictions apply for advanced requirements

Organizations can use POA&Ms for CMMC Level 2 requirements if they meet these conditions:

  1. The assessment score divided by total security requirements equals or exceeds 0.8 (minimum score of 88)
  2. Security requirements in the POA&M have a point value of 1 or less (one exception exists: SC.L2-3.13.11 for CUI encryption can be included if encryption is used but not FIPS-validated)
  3. Critical controls must be fully implemented and can’t go into POA&Ms

These restrictions make sure only organizations with solid security foundations can get conditional certification. POA&Ms can’t become a shortcut around basic protections.

Remediation Timeline: 180-Day Window

CMMC compliance requirements set a firm timeline for POA&M items. You must fix all “NOT MET” requirements within 180 days of getting Conditional CMMC Status. This six-month deadline stands firm.

A “POA&M closeout assessment” must verify the proper implementation of all requirements. Different levels need different follow-ups:

  • Level 2 self-assessment: The Organization Seeking Assessment (OSA) does this like the original assessment
  • Level 2 certification assessment: The same C3PAO that did the original assessment must handle it
  • Level 3 certification assessment: DCMA DIBCAC takes charge

Organizations achieve “Final” CMMC Status after verifying all POA&M items. The Conditional Status expires if requirements remain unfixed after 180 days, and standard contract penalties kick in.

This strict timeline shows that POA&Ms aren’t get-out-of-jail-free cards or “pass now, fix later” schemes. They represent a time-sensitive promise to fix security gaps quickly, with real penalties for missing deadlines.
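The scoring arithmetic, the POA&M eligibility rules, and the 180-day closeout window described above can be checked mechanically against an assessment record. The following calculator is an added example written for this guide; it is not code from the article or from DoD, SPRS, or PIEE. It assumes a list of findings with the 1/3/5-point weights from the DoD Assessment Methodology, and the control catalogue it builds for the demonstration is a constructed, abbreviated subset (a real run feeds all 110 requirements with their published weights). The one non-1-point requirement it lets into a POA&M is SC.L2-3.13.11 under the “encryption used but not FIPS-validated” exception, which the DoD methodology scores as a 3-point rather than 5-point deduction.

```python
"""SPRS score and CMMC Level 2 status calculator (added example, not DoD code)."""
from dataclasses import dataclass
from datetime import date, timedelta

BASELINE = 110           # perfect score: all 110 NIST SP 800-171 requirements MET
CONDITIONAL_MIN = 88     # score / 110 >= 0.8, i.e. the floor for Conditional status
REMEDIATION_DAYS = 180   # POA&M closeout window counted from the Conditional status date
FIPS_CONTROL = "SC.L2-3.13.11"   # the only non-1-point requirement a POA&M may carry


@dataclass(frozen=True)
class Finding:
    control: str                        # requirement id, e.g. "AC.L2-3.1.1"
    weight: int                         # 5, 3 or 1 points deducted when NOT MET
    met: bool                           # MET / NOT MET; there is no partial credit
    non_fips_encryption: bool = False   # only meaningful for SC.L2-3.13.11

    def deduction(self) -> int:
        """Points lost for this finding. All-or-nothing, except that 3.13.11 costs
        3 instead of 5 when CUI is encrypted with non-FIPS-validated cryptography."""
        if self.met:
            return 0
        if self.control == FIPS_CONTROL and self.non_fips_encryption:
            return 3
        return self.weight

    def poam_allowed(self) -> bool:
        """An open item may sit in a POA&M only if it is a 1-point requirement
        or 3.13.11 under the non-FIPS-encryption exception."""
        if self.met or self.weight == 1:
            return True
        return self.control == FIPS_CONTROL and self.non_fips_encryption


def sprs_score(findings) -> int:
    """110 minus the deduction for every NOT MET requirement."""
    for f in findings:
        if f.weight not in (1, 3, 5):
            raise ValueError(f"{f.control}: weight must be 1, 3 or 5")
    return BASELINE - sum(f.deduction() for f in findings)


def level2_status(findings, status_date: str) -> dict:
    """Derive Final / Conditional / No CMMC Status and the POA&M closeout deadline."""
    score = sprs_score(findings)
    open_items = [f.control for f in findings if not f.met]
    blockers = [f.control for f in findings if not f.poam_allowed()]
    if score == BASELINE:
        status = "Final Level 2"
    elif score >= CONDITIONAL_MIN and not blockers:
        status = "Conditional Level 2"
    else:
        status = "No CMMC Status"
    deadline = None
    if status == "Conditional Level 2":
        deadline = (date.fromisoformat(status_date) + timedelta(days=REMEDIATION_DAYS)).isoformat()
    return {"score": score, "status": status, "poam_items": open_items,
            "poam_blockers": blockers, "closeout_deadline": deadline}


def sample_findings(open_controls, non_fips: bool = False):
    """Constructed, abbreviated catalogue for the demonstration only. Weights here
    are illustrative; take them from the DoD Assessment Methodology for a real run."""
    catalogue = [
        ("AC.L2-3.1.1", 5), ("AC.L2-3.1.2", 5), ("AU.L2-3.3.1", 5),
        ("IA.L2-3.5.3", 5), ("SC.L2-3.13.11", 5),
        ("AT.L2-3.2.3", 1), ("MP.L2-3.8.4", 1), ("SC.L2-3.13.16", 1),
    ]
    return [Finding(c, w, met=c not in open_controls,
                    non_fips_encryption=(c == FIPS_CONTROL and non_fips))
            for c, w in catalogue]


if __name__ == "__main__":
    # Three 1-point gaps plus non-FIPS encryption: 110 - 3 - 3 = 104, POA&M-eligible.
    gaps = {"AT.L2-3.2.3", "MP.L2-3.8.4", "SC.L2-3.13.16", "SC.L2-3.13.11"}
    print(level2_status(sample_findings(gaps, non_fips=True), "2025-01-15"))
    # An open 5-point MFA control keeps the score above 88 but blocks the POA&M.
    print(level2_status(sample_findings({"IA.L2-3.5.3", "AT.L2-3.2.3"}), "2025-01-15"))
```

The second scenario in the usage block is the one practitioners most often get wrong: a score of 104 looks comfortably above 88, but because the open item is a 5-point requirement it cannot go into a POA&M, so the outcome is “No CMMC Status”, not Conditional.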

SPRS Score Requirements for Each CMMC Level

[Image: DoD CIO webpage section providing information about the Cybersecurity Maturity Model Certification (CMMC). Image source: DoD CIO – War.gov]

Your organization’s preparation for assessment depends on specific SPRS scoring requirements set by each CMMC level. You’ll need to understand these requirements to plan your cybersecurity investments and timeline effectively.

CMMC Level 1: Pass/Fail Without Numerical Score

CMMC Level 1 works on a simple pass/fail basis and doesn’t use the numerical scoring system that higher levels require. This simple level only looks at the 17 basic safeguarding requirements found in FAR 52.204-21.

CMMC Level 1 assessments have these rules:

  • You either get “MET” or “NOT MET” with no partial credit
  • Plans of Action and Milestones (POA&Ms) aren’t allowed
  • You need to do self-assessment yearly with executive confirmation
  • Results must go into SPRS after completion

You must implement all security requirements fully to get a “MET” finding in a Level 1 assessment. The whole assessment fails if you get “NOT MET” on any single requirement. This makes Level 1 compliance straightforward but leaves no room for flexibility.

CMMC Level 2: Minimum Score of 88 for Conditional Status

CMMC Level 2 uses numbers to score the 110 security controls in NIST SP 800-171. Your score can range from -203 (worst case) to 110 (perfect compliance).

You need these scores for Level 2 certification:

  • 110 points to get “Final” certification status
  • At least 88 points for “Conditional” certification status

Scores from 88 to 109 qualify you for Conditional status, but you’ll need a POA&M to fix remaining gaps. You have 180 days to fix these gaps to keep your certification.

When you submit Level 2 self-assessment results to SPRS, include:

  • Your overall Level 2 self-assessment score (out of 110)
  • POA&M status and compliance (if score is 88-109)
  • CMMC Level and Status Date
  • CMMC Assessment Scope
  • Every industry CAGE code linked to your assessed information system

You’ll get “No CMMC Status” if your self-assessment score doesn’t meet the minimum threshold.

CMMC Level 3: 24-Point Scale Based on NIST 800-172

CMMC Level 3 sits at the top of the CMMC framework with extra requirements beyond Levels 1 and 2. The scoring is simpler here – each requirement counts as one point.

A Level 3 assessment looks at:

  • Everything from CMMC Levels 1 and 2
  • 24 improved security controls from NIST SP 800-172

To get CMMC Level 3 certification:

  • You need all 24 improved requirements for “Final Level 3” status
  • You can get “Conditional Level 3” status by implementing at least 20 of the 24 requirements (80% minimum)

With Conditional Level 3 certification, you must document any unmet requirements in a POA&M. Some requirements listed in 32 CFR 170.21(a)(3)(ii) can’t be part of the POA&M.

Only government personnel through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) can do Level 3 assessments – third-party assessors aren’t allowed.

How to Calculate and Submit Your SPRS Score

[Image: chart showing the DoD assessment methodology for NIST 800-171 compliance with color-coded requirement categories and priority levels. Image source: Totem Technologies]

Calculating and submitting your SPRS score is a vital step toward CMMC Level 2 certification. Your organization’s future contract eligibility depends on this score, and submitting it is itself a compliance requirement.

Performing a NIST 800-171 Gap Assessment

You need to start with a thorough gap analysis. This analysis compares your current security controls with the NIST 800-171 requirements. The process involves:

  1. Review all 110 NIST 800-171 security controls
  2. Document implementation status of each control
  3. Apply the DoD Assessment Methodology scoring system

The scoring methodology doesn’t allow partial credit. You must fully implement each control to avoid point deductions. Your score drops by 1, 3, or 5 points for each unimplemented control, based on its security impact. Your baseline starts at 110 points, which represents perfect compliance, and decreases with each gap.

Need expert guidance with your gap assessment? Book a Readiness Call to help your organization get the best possible SPRS score.

Completing the System Security Plan (SSP)

The System Security Plan is a complete document that outlines your cybersecurity approach to protect Controlled Unclassified Information. DoD guidance states that your SSP must:

  • Address each NIST SP 800-171 security requirement
  • Explain implementation methods (policy, technology, or both)
  • Include version number and date

Make sure your SSP documents your security controls well before starting the SPRS submission. You can’t conduct any assessment without a complete SSP. The NIST SSP template from the CSRC website offers a great starting point for contractors.

Submitting via PIEE and SPRS Portal

The submission process needs specific access credentials and follows these steps:

  1. Register in the Procurement Integrated Enterprise Environment (PIEE)
  2. Request the “SPRS Cyber Vendor User” role for your account
  3. Log into SPRS through the PIEE portal
  4. Select your company hierarchy and CAGE code
  5. Enter assessment details including score, SSP information, and POA&M completion date

DoD allows encrypted email submission to [email protected] if you can’t access the portal. This works best for first-time submissions.

DoD procurement officials can see your assessment information after submission. You can update your self-assessment information when your score improves.

Avoiding Common SPRS and POA&M Mistakes

Mistakes in your SPRS submissions and POA&M management can be costly. They could lead to False Claims Act penalties and debarment from DoD contracts. A clear understanding of these common pitfalls helps protect your organization throughout the CMMC assessment process.

Overstating Compliance in Self-Assessments

Legal and financial consequences follow when you falsely inflate your SPRS score. The Department of Justice actively pursues contractors who misrepresent their cybersecurity posture. Companies have paid millions in settlements. Self-assessment needs an all-or-nothing approach. Controls must have all assessment objectives fully implemented to receive credit. MORSE Corporation learned this the hard way. They claimed a near-perfect score of 104, but a third-party assessment later showed their actual score was -142.

Misaligned SSP and Actual Implementation

Your System Security Plan must reflect reality, not aspirational goals. The Defense Contract Management Agency (DCMA) runs random spot-checks to verify SSP accuracy against actual implementations. Your SSP should hit these key points:

  • Clear description of system boundaries and data flows
  • Evaluated status for all 110 controls
  • Implementation details for all 320 assessment objectives

Red flags appear during assessments when organizations create documentation that doesn’t match their operational environment.

Failure to Track POA&M Remediation Progress

Current regulations require POA&Ms to be closed within 180 days, unlike their previous treatment as indefinite exemptions. POA&Ms work best when you:

  1. Break remediation into 30-45 day checkpoints instead of single deadlines
  2. Define clear budget estimates rather than “TBD” placeholders
  3. Assign single ownership for each task to avoid shared responsibility
  4. Collect ongoing evidence to show steady progress

POA&M management becomes complex without specialized expertise. Book a Readiness Call with cybersecurity specialists who can guide you past these common pitfalls and boost your CMMC readiness.

Conclusion

The CMMC certification journey presents major challenges for Defense Industrial Base organizations. This piece explores how SPRS scoring builds the foundation for demonstrating your cybersecurity posture to the Department of Defense. A score of 110 represents the gold standard. Many contractors start with negative scores that improve steadily through dedicated implementation work.

Your SPRS score affects contract eligibility directly. Prime contractors look at these scores to evaluate subcontractor risk. A tiered scoring system assigns 1, 3, or 5-point values to each control. This creates a clear roadmap to prioritize your security implementations. You should start with critical 5-point controls that give the biggest score improvements.

POA&Ms help achieve conditional certification but come with strict rules and deadlines. Note that you must fix all POA&M items within 180 days. Not all controls qualify for inclusion. Different CMMC levels need different approaches. Level 1 uses a straightforward pass/fail system while Level 3 has boosted requirements from NIST 800-172.

Misrepresenting your cybersecurity compliance status can lead to severe penalties. These include False Claims Act violations and possible debarment from future DoD contracts. Honest self-assessment and accurate documentation are vital throughout the certification process.

Expert guidance can help navigate these complexities. Book a Readiness Call with cybersecurity specialists who know CMMC requirements’ nuances and can develop a compliance roadmap for your environment.

CMMC requirements keep changing. Keeping up with compliance trends becomes more significant to maintain your competitive edge in defense contracting. Cybersecurity compliance goes beyond meeting regulatory requirements. It’s a fundamental business necessity that protects your organization and national security information in your care.

Key Takeaways

Understanding SPRS scoring and POA&M requirements is essential for Defense Industrial Base contractors pursuing CMMC certification and maintaining contract eligibility.

  • SPRS scoring starts at 110 points and deducts 1, 3, or 5 points for each unimplemented NIST 800-171 control based on security impact
  • CMMC Level 2 requires a minimum score of 88 for conditional certification, with POA&Ms allowed only for 1-point controls
  • POA&M remediation must be completed within 180 days or conditional certification expires with contractual consequences
  • Misrepresenting compliance status can result in False Claims Act penalties and debarment from DoD contracts
  • Level 1 uses pass/fail without numerical scoring, while Level 3 adds 24 enhanced requirements from NIST 800-172

The average contractor SPRS score of -12 highlights the significant gap between current cybersecurity implementations and DoD requirements. Organizations must prioritize high-value controls first and maintain accurate documentation that reflects actual implementation rather than aspirational goals. Success requires honest self-assessment, systematic remediation planning, and understanding that cybersecurity compliance directly impacts contract eligibility and business competitiveness in the defense sector.

FAQs

Q1. What is the SPRS scoring system and why is it important for CMMC certification? The Supplier Performance Risk System (SPRS) scoring system measures a contractor’s compliance with NIST SP 800-171 cybersecurity controls. It’s crucial for CMMC certification as it directly impacts eligibility for DoD contracts and determines readiness for CMMC Level 2 assessment. A minimum score of 88 out of 110 is required for conditional certification.

Q2. How does the SPRS scoring methodology work? The SPRS scoring starts at 110 points (perfect compliance) and deducts points for each unimplemented NIST 800-171 control. Deductions are 1, 3, or 5 points per control based on their security impact. There’s no partial credit – controls must be fully implemented to avoid deductions. Scores can range from 110 to -203.

Q3. What role do Plans of Action and Milestones (POA&Ms) play in CMMC readiness? POA&Ms allow organizations to achieve conditional certification while working towards full compliance. For CMMC Level 2, POA&Ms can only be used for 1-point controls if the overall score is at least 88. All POA&M items must be remediated within 180 days to maintain certification status.

Q4. How do I calculate and submit my SPRS score? To calculate your SPRS score, perform a gap assessment against NIST 800-171 requirements, document implementation status, and apply the DoD Assessment Methodology. Submit your score through the SPRS portal via the Procurement Integrated Enterprise Environment (PIEE) after completing a comprehensive System Security Plan (SSP).

Q5. What are common mistakes to avoid when dealing with SPRS scores and POA&Ms? Common mistakes include overstating compliance in self-assessments, misaligning the SSP with actual implementations, and failing to track POA&M remediation progress effectively. It’s crucial to provide honest assessments, ensure documentation matches reality, and actively manage POA&Ms with clear timelines and ownership.