How to post your SPRS score , step by step.
The eight steps to take a finished CMMC Level 1 self-assessment and post the affirmation into SPRS, the DoD's Supplier Performance Risk System. Plain English, no jargon, no gates.
- 8
- Steps
- ~30 min
- If PIEE is set up
- 1×
- Annually
What posting to SPRS actually means
SPRS is where DoD contracting officers look up your cybersecurity posture before awarding contracts. Posting your CMMC Level 1 affirmation here is the official act that tells the government “we've done the self-assessment, and we meet the 15 safeguarding requirements.”
Until your posting appears in SPRS, you cannot bid on FAR-52.204-21 contracts as a prime, and primes who require an SPRS lookup will skip your bid as a sub.
You should already have:
- A completed Level 1 self-assessment (use our free checklist)
- A defined scope (use our scoping worksheet)
- Your company's CAGE code and UEI
- The name, title, email, and phone of an “affirming official” with authority to attest
- A PIEE account (or time to register one)
Confirm you have a PIEE account
- SPRS is accessed through PIEE (Procurement Integrated Enterprise Environment) at piee.eb.mil.
- You need a PIEE account with the SPRS module added. If you already invoice DoD through WAWF, you have PIEE, you just need to add SPRS.
- If you do not have PIEE, register your company first (this takes ~3 business days for the CAM, Contractor Administrator, to be approved).
Add the SPRS role in PIEE
- Log into PIEE at piee.eb.mil.
- Go to 'My Account' → 'Add Roles.'
- Select 'SPRS' as the application and 'Cyber Vendor User' as the role.
- Your company's CAM (Contractor Administrator) approves the request. If you are the CAM, you self-approve.
Open the Cyber Reports module in SPRS
- From PIEE, click the SPRS tile.
- Inside SPRS, select 'Cyber Reports' from the left menu.
- Choose your company from the CAGE / DUNS / UEI selector.
Open the 'CMMC Assessments' tab
- Inside Cyber Reports, click the CMMC Assessments tab and choose 'Add New Level 1 CMMC Self-Assessment.' This is where CMMC statuses live (32 CFR 170.15).
- Do NOT file this in the legacy 'NIST SP 800-171 Assessments' table. That table is the separate DFARS 252.204-7019 Basic Assessment posting for the 110-requirement NIST scoring; an entry there does not create a CMMC Level 1 (Self) status, and a contracting officer checking your CMMC status would find nothing.
Enter the required fields
- Assessment date: the date you completed the self-assessment.
- Assessment scope: a short description of the boundary you defined. ('Corporate IT, 3 laptops, M365 tenant, Cisco firewall.')
- CAGE code(s): every CAGE covered by this assessment scope.
- Compliance result: for Level 1 this is binary, your system meets all 15 requirements (MET) or you cannot file. There is no POA&M and no partial credit at Level 1 (32 CFR 170.24).
- Affirming official: name, title, email, phone. Per 32 CFR 170.4 this is the senior official responsible for ensuring your CMMC compliance, with authority to affirm on behalf of the company.
Submit the affirmation
- Review the screen for typos. The affirming official's name, title, and email are visible to DoD contracting officers, accuracy matters.
- If you are the Affirming Official, click 'Affirm.' Otherwise transfer the record to the AO, SPRS emails them to come in and affirm.
- Once affirmed, the record posts as 'Final Level 1 Self-Assessment' with a CMMC Status Date and a 10-character CMMC UID. Screenshot the posted record and save it with your evidence.
Verify the status and copy your CMMC UID
- Return to the CMMC Assessments tab within 5 minutes. Your record should show status 'Final Level 1 Self-Assessment' with the CMMC Status Date and the CMMC UID.
- Copy the CMMC UID somewhere safe. Proposals for CMMC-gated work must include it (DFARS 252.204-7025(d)), and new UIDs during performance are reported to your contracting officer (DFARS 252.204-7021).
- If the record doesn't appear, refresh; if still missing, contact SPRS support (the link is in the SPRS footer).
Calendar the renewal
- A Final Level 1 (Self) status and its affirmation are each current for one year from the CMMC Status Date (DFARS 204.7501). Set a calendar reminder for 11 months from your status date.
- If anything in your environment changes materially (new office, new cloud app holding FCI, change in IT contact), re-assess and update the SPRS posting at that point rather than waiting for the annual.
What if you can't mark MET on all 15?
CMMC Level 1 is binary. You can't submit a partial posting and you can't list POAMs (plan of action items you'll do later). The right move:
- Identify exactly which control(s) you're short on. Our checklist makes this easy.
- Fix them. Most L1 gaps (MFA on email, antivirus turned on, visitor log started) can be closed in days.
- Re-run the self-assessment. Sign the new attestation.
- Then submit to SPRS.
Submitting MET when you don't actually meet the controls is a False Claims Act exposure. Don't.
