Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
Updated July 14, 2026: On July 13, 2026, the Department of War suspended CMMC Phase 2 third-party assessments. Your SPRS submission didn’t get optional — it became the government’s primary view into your compliance, and the affirmation attached to it now carries the enforcement weight the audit used to. The submission process below is unchanged; the stakes are not. Full context: CMMC Phase 2 Is Suspended. Your Compliance Obligations Are Not.
After completing your NIST SP 800-171 self-assessment, you must submit your score to SPRS (Supplier Performance Risk System). This guide walks you through the submission process step by step, from account setup to final entry — including the annual affirmation that, post-suspension, is where your legal exposure lives.
SPRS stands for Supplier Performance Risk System — the government database where contractors submit cybersecurity assessment results under DFARS 252.204-7019 and 252.204-7020.
Your SPRS submission makes your compliance status visible to contracting officers. Without a current SPRS entry, you cannot receive contract awards that include the DFARS 7019/7020 clauses or CMMC Level 1 (Self) / Level 2 (Self) requirements — which, during the suspension, are the only CMMC designations contracts may include.
Before You Begin: Prerequisites
Complete these prerequisites before attempting the SPRS submission:
1. Complete Your Assessment
You must have completed your self-assessment with:
- All requirements evaluated against the NIST SP 800-171A assessment objectives
- Score calculated per the DoD Assessment Methodology (our full scoring guide)
- Evidence documented, control by control
- System Security Plan current — the methodology treats a missing SSP as “assessment could not be completed,” so no SSP means no valid score
- POA&M created (if you have gaps)
POA&M stands for Plan of Action and Milestones — documenting any security gaps and your remediation plan.
2. Obtain a CAGE Code
Your company needs a Commercial and Government Entity (CAGE) code. If you do business with the government, you likely already have one.
A CAGE code is a five-character identifier assigned to companies doing business with the federal government.
To verify or obtain your CAGE code:
- Check SAM.gov for existing registration
- CAGE codes are assigned during SAM registration
- Allow time for processing if you need a new code
3. Identify Your Affirming Official
A senior company official must affirm your submission. This person should be:
- A company owner, executive, or authorized senior official
- Someone with authority to represent the company
- Fully aware of what they’re signing
That last point deserves emphasis in the post-suspension era. The affirmation is a personal attestation to the federal government, made in connection with contract awards — which places it inside the False Claims Act. With third-party audits suspended, there is no assessor between that signature and government reliance on it. The DOJ’s Civil Cyber-Fraud Initiative has already settled multimillion-dollar cases over SPRS scores that didn’t match reality. Brief your Affirming Official accordingly; “willing to sign” is not the same as “able to defend.”
4. Gather Submission Information
Collect the data you will enter:
- CAGE code(s) for your organization
- Assessment date
- Assessment score (110 down to -203 for Level 2; Level 1 attests that all 15 basic safeguarding requirements are met)
- POA&M completion date (if applicable)
- Affirming official name and title
- Assessment type and level
Setting Up PIEE Access
SPRS is accessed through the Procurement Integrated Enterprise Environment (PIEE) portal.
Step 1: Create a PIEE Account
- Go to https://piee.eb.mil
- Click “Register” or “New User Registration”
- Complete the registration form with your information
- You will need a government-issued ID for identity proofing
Step 2: Request the SPRS Cyber Vendor Role
After creating your PIEE account, request the necessary SPRS role:
- Log in to PIEE
- Navigate to “My Roles” or “Role Requests”
- Search for SPRS roles
- Request the “SPRS Cyber Vendor” role — per the DoD Assessment Methodology, this is the role required to enter Basic (self-assessment) results into SPRS
- Your request will be routed for approval
Step 3: Wait for Approval
Role requests require approval:
- Internal company approval (if your company has a PIEE administrator)
- Allow several business days for processing
Step 4: Access the SPRS Module
Once approved:
- Log in to PIEE
- Navigate to the SPRS application
- Verify you can access the NIST SP 800-171 assessment entry functions
Submitting Your Assessment Score
Step 1: Log in to PIEE and Access SPRS
- Go to https://piee.eb.mil
- Log in with your credentials
- Navigate to SPRS from your available applications
- Select the NIST SP 800-171 assessment function
Step 2: Locate Your Company Record
- Search for your company using your CAGE code
- Verify you are updating the correct entity
- If you have multiple CAGE codes, submit for each applicable code
Step 3: Enter Assessment Information
Enter the required data fields:
Assessment Date
The date your assessment was completed — the day you finished evaluating all requirements, not the submission date. Your assessment must be within the last three years to be considered current.
Assessment Score
Your calculated score:
- For Level 2: Enter your score from -203 to 110
- For Level 1: Attest that all 15 basic safeguarding requirements are met
Assessment Type
Contractors enter a Basic Assessment — the self-assessment. Medium and High assessments are conducted and entered by the government (DIBCAC), not by you. Note that “select government-led assessments” are explicitly continuing during the CMMC suspension, so a Medium or High entry can still appear on your record if the government assesses you.
CMMC Level
Select Level 1 or Level 2 as appropriate. During the suspension, these self-assessed designations are the only CMMC statuses contracts may require.
POA&M Information (if applicable)
If you have a Plan of Action and Milestones:
- Indicate a POA&M exists
- Enter the date by which you will complete all POA&M items
- For conditional Level 2 self-assessment status, POA&M items must close within 180 days — and your score must be at least 88 with the POA&M deductions counted
System Security Plan
Indicate you have a current SSP on file. You do not upload the SSP to SPRS, but you must have one — and a government-led assessment would start by asking for it.
SSP stands for System Security Plan — the document describing how you implement each security requirement.
Step 4: Enter Affirming Official Information
Provide details for the senior official affirming the assessment:
- Full name
- Title
- Affirmation date
- Contact information
Step 5: Review and Submit
Before final submission:
- Review all entered information for accuracy
- Verify dates are correct
- Confirm the score calculation — including the partial-credit rules for 3.5.3 (MFA) and 3.13.11 (FIPS cryptography), the only two controls where partial implementation scores differently
- Ensure affirming official information is complete
- Submit the assessment
Step 6: Save Confirmation
After submission:
- Save or print your confirmation
- Note any confirmation numbers
- Document the submission date for your records
Updating Your SPRS Record
You may need to update SPRS for several reasons:
Score Improvements
When you remediate gaps and improve your score:
- Conduct an updated assessment
- Calculate the new score
- Submit the updated assessment in SPRS
- Previous records remain for historical reference
Score Corrections
This one matters more than ever: if you discover your current score overstates your implementation — a control marked implemented that isn’t, a partial-credit rule misapplied, systems missing from the boundary — correct it promptly. An accurate lower score with a POA&M is a defensible position; a known-inflated score left standing is exactly the fact pattern False Claims Act cases are built on, and whistleblower-initiated cases typically come from people who know which boxes were checked on paper only.
POA&M Closure
When you complete POA&M items:
- Document completion with evidence
- Update your assessment
- Submit a new score reflecting closed items
- If all POA&M items are closed, you achieve full (non-conditional) status
Annual Affirmation
Each year your Affirming Official must affirm continued compliance:
- Review your security posture against what was previously reported
- Confirm no degradation — honestly
- Submit the annual affirmation in SPRS
- Complete within 12 months of the previous assessment/affirmation
During the suspension, this affirmation is the government’s primary enforcement surface. Treat the annual review that precedes it with the rigor an auditor would have brought — because functionally, your Affirming Official just inherited the auditor’s job with none of the auditor’s liability protection.
Significant Changes
If your environment changes significantly:
- Conduct a new assessment
- Calculate the new score
- Submit updated information
- Document what changed
Common SPRS Submission Mistakes
Mistake 1: Wrong CAGE Code
Submitting under the wrong CAGE code creates confusion. Verify you are updating the correct entity, especially if your company has multiple CAGE codes.
Mistake 2: Incorrect Assessment Date
The assessment date is when you completed your assessment, not when you submit to SPRS. Using the wrong date affects your three-year currency window.
Mistake 3: Math Errors in Score
Double-check your score calculation against the DoD Assessment Methodology — including the two partial-credit rules. Errors in your SPRS score aren’t just compliance questions anymore; an overstated score is a legal exposure, and an understated one costs you competitively for no reason.
Mistake 4: Missing POA&M Date
If you have NOT MET requirements, you must include a POA&M completion date. Missing this information may cause submission issues.
Mistake 5: An Unbriefed Affirmer
The affirming official must be a senior company official with authority to represent the organization, and they should understand that their affirmation is a personal attestation with False Claims Act consequences. An affirmation signed without reviewing the evidence behind the score protects no one.
Mistake 6: Waiting Until a Deadline
Do not wait until a contract award to submit. PIEE account setup and role approvals take days, sometimes longer. Submit well before you need the score visible — contracting officers check SPRS before award, and during the suspension, it’s the main thing they can check.
After Submission
Verification
- Verify your record appears correctly in SPRS
- Confirm that contracting officers can see your status
- Check that all information is accurate
Maintain Documentation
Keep records of:
- Your assessment report and control-by-control evidence
- SPRS submission confirmation
- System Security Plan
- POA&M (if applicable)
- Affirmation documentation
This evidence file is what makes your score defensible — to a government-led assessment, to a prime doing supplier due diligence, or to anyone else who asks. Build it as if someone will read it, because the suspension made that more likely, not less.
Calendar Future Dates
Set reminders for:
- Annual affirmation deadline (12 months)
- POA&M completion deadline (180 days if applicable)
- Assessment currency (must be within 3 years)
Frequently Asked Questions
Do I still need to submit a SPRS score after the CMMC Phase 2 suspension?
Yes. The July 13, 2026 suspension paused third-party (C3PAO) assessments — it did not touch DFARS 252.204-7019/7020 SPRS requirements, CMMC Level 1 (Self) and Level 2 (Self) contract requirements, or the annual affirmation. During the suspension, DoW is enforcing NIST SP 800-171 Rev 2 precisely through these self-assessments.
What PIEE role do I need to submit my score?
The SPRS “Cyber Vendor” role, requested through your PIEE account. This is the role the DoD Assessment Methodology specifies for entering Basic (self-assessment) results. Allow several business days for approval.
Who can be the Affirming Official?
A senior company official with authority to represent the organization — typically an owner or executive. Because the affirmation is a personal attestation to the federal government with False Claims Act implications, the Affirming Official should review the assessment evidence before signing, not just the score.
How often do I need to update SPRS?
Your assessment must be current within three years, your Affirming Official affirms annually, and you should submit an updated assessment after significant environmental changes — or immediately if you discover your posted score doesn’t reflect reality.
What happens if my SPRS score is wrong?
Correct it. An honest correction — even downward, with a POA&M for the gaps — is a defensible position. Leaving a known-inflated score in SPRS while affirming it annually is the fact pattern the DOJ’s Civil Cyber-Fraud Initiative pursues, with treble damages on the table.
Key Takeaways
Submitting your SPRS score requires a PIEE account with the SPRS Cyber Vendor role. Complete your assessment first — with an SSP in place and evidence behind every control — then enter your score, assessment details, and affirming official information through the SPRS module.
Keep your record current through annual affirmations, updates when your score changes, and prompt corrections if you find your posted score overstates reality. Post-suspension, your SPRS entry is the government’s primary window into your compliance, and the affirmation is where the legal weight sits.
Start the account setup process early — do not wait until you need the score for an active contract opportunity.
Related Articles:
- CMMC Phase 2 Is Suspended. Your Compliance Obligations Are Not.
- How to Calculate Your SPRS Score
- What is SPRS?
- How to Write a CMMC System Security Plan
- POA&M Best Practices for CMMC
Official Sources:
- SPRS — Supplier Performance Risk System
- PIEE Portal
- NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1
- SAM.gov
- DFARS clauses 252.204-7019, 252.204-7020, and 252.204-7021
The submission takes an afternoon; defending the number is the real work. If you want independent eyes on your score before your Affirming Official signs — control-by-control evidence, corrected scoring, and affirmation support — contact Greypike about SPRS Attestation Assurance, a flat-fee engagement built for the post-suspension enforcement reality.