What is SPRS (and how it differs from DCSA)
SPRS (Supplier Performance Risk System) is focused on cybersecurity compliance — specifically your score against NIST SP 800-171 controls. DCSA assessments cover your broader industrial security program (clearances, safeguarding, insider threat, etc.). Both are required for most defense contractors, but they’re separate obligations.
A valid SPRS submission requires a thorough, control-by-control evaluation of your information systems against all 110 requirements in NIST SP 800-171. For each control, you determine whether it is fully implemented, partially implemented, or not implemented — and partial implementation does not earn partial credit under the DoD Assessment Methodology. The maximum possible score is 110. Every unmet control deducts points based on its severity. Dodsecurity You’ll also need a System Security Plan (SSP) documenting your policies before you assess — the SSP is foundational for any self-assessment and for consideration for any DoD contract.
Step 2 — Submit via PIEE (the primary method)
Submission is done through the Procurement Integrated Enterprise Environment (PIEE) portal. Log in with your CAC or username/password with multifactor authentication, then select SPRS from your list of applications. You’ll need the “SPRS Cyber Vendor User” role active — if you don’t see the “Add New NIST Assessment” button, that role isn’t assigned yet. You’ll enter your CAGE code, assessment score, assessment type (Basic/Medium/High), and date of next assessment.
Step 3 — Or submit by email (backup method)
If you have difficulty accessing SPRS through PIEE, you can also submit your score via email to webptsmh@navy.mil. Per DFARS 252.204-7020, the email must include the version of NIST SP 800-171 assessed against, the organization conducting the assessment, all CAGE codes associated with the system security plan, the summary score, and the date full implementation is expected.
Step 4 — Submit an executive affirmation
Starting with the CMMC phased rollout that began November 10, 2025, DoD contracting officers will not award, extend, or renew a contract unless the contractor has both a passing result of a current self-assessment and an executive affirmation of continuous compliance submitted in SPRS. Industry FSO Two critical accuracy warnings Submitting an inaccurate or inflated score exposes organizations to significant legal and financial risk under the False Claims Act. DIBCAC is authorized under DFARS 252.204-7020 to audit and validate submitted scores.
What score do I need?
An SPRS score of 88 or higher is considered good, as that is the minimum threshold of controls that must be met during an organization’s initial C3PAO-led assessment. CMMC began going into contracts in November 2025, and defense contractors seeking CMMC Level 2 compliance will want to aim to achieve or surpass that score. If the score is below 110, a POA&M is required documenting when gaps will be remediated.