Supplier Performance Risk System (SPRS): How to Affirm CMMC Self-Assessments
For organizations pursuing CMMC Level 1 and non-critical Level 2 compliance, understanding Supplier Performance Risk System (SPRS) reporting requirements is essential for meeting Department of Defense (DoD) expectations.
At Opsfolio, we recommend starting with a CMMC Level 1 Self-Assessment. This gives you an immediate picture of your starting SPRS score and highlights gaps that need attention. From there, you can join the Opsfolio CaaS (Compliance-as-a-Service) network, where our humans, AI, and software work with you to move from a baseline score all the way to full compliance.
This guide explains SPRS, how it connects to CMMC, and how Opsfolio makes the entire journey—from first assessment to contract-winning compliance—simpler and faster.
What is the Supplier Performance Risk System (SPRS)?
The Supplier Performance Risk System (SPRS) is a DoD web application for collecting and evaluating supplier performance and cybersecurity risk. It serves as the single repository for:
- Supplier risk assessments and scores
- Supplier performance metrics (e.g., delivery timeliness)
- Cybersecurity reports, including CMMC and NIST SP 800-171 self-assessment results
SPRS ensures that the DoD can make informed contracting decisions. For contractors, it provides proof of compliance and keeps them eligible for new business.
CMMC requirements related to SPRS
Under CMMC 2.0, contractors must demonstrate that they protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). SPRS reporting is how the DoD gains assurance of this compliance.
- Level 1 and some Level 2 contractors submit self-assessments plus an Affirmation of Compliance signed by a senior official directly in SPRS.
- Level 2 contractors with critical CUI require third-party certification by a CMMC Third-Party Assessment Organization (C3PAO). Results flow from eMASS into SPRS, but the Affirming Official (AO) still affirms annually.
- Level 3 contractors undergo DoD-led assessments, with results also recorded in SPRS.
- Subcontractors must also have SPRS scores available before primes can award contracts.
Why act now?
Even though the 48 CFR CMMC Acquisition Rule is still under review, enforcement will begin with new contracts starting October 1, 2025.
Contractors can already submit self-assessment results in SPRS. Doing so now ensures:
- No delays in future contract eligibility.
- A clear understanding of your baseline SPRS score.
- Time to remediate gaps before the deadline.
How Opsfolio simplifies SPRS self-assessments
With the Opsfolio CMMC Self-Assessment tool, contractors can:
- Run a CMMC Level 1 self-assessment to calculate their starting SPRS score.
- Identify gaps through automated evidence mapping to NIST SP 800-171 and CMMC requirements.
- Export results in the format required for SPRS entry.
From there, Opsfolio CaaS takes over—helping you manage remediation, documentation, and affirmations with:
- Human expertise from compliance professionals experienced with DoD contracting.
- AI-driven workflows to guide remediation, evidence collection, and affirmation prep.
- Opsfolio software automation that ensures your SSPs, POA&Ms, and affirmations are always audit-ready.
In short: you run your assessment, see your score, and then let Opsfolio CaaS carry you through every step until you’re fully compliant and contract-ready.
Entering your self-assessment into SPRS
The process in SPRS follows these steps:
- Access SPRS via PIEE – new users must register and request the “SPRS Cyber Vendor User” role.
- Select your company hierarchy – choose the correct CAGE codes.
- Add your new self-assessment – Level 1 or Level 2.
- Enter details – date, scope, employee count, compliance claims, and CAGE codes.
- Affirmation – the Affirming Official (AO) signs off in SPRS.
- Finalize – SPRS assigns an official status type (e.g., Final Self-Assessment, Conditional, Pending Affirmation).
Opsfolio’s guided workflows ensure you never miss a step and generate all supporting evidence automatically.
Understanding SPRS scores
- Maximum score: 110 (full compliance).
- Range: -203 to 110, depending on requirements met.
- A POA&M is required if the score is below 110, and the gaps it tracks must be remediated within 6 months.
Even if your first score isn’t perfect, Opsfolio CaaS helps you close gaps, document plans, and keep progress visible in SPRS.
Opsfolio CaaS: Compliance without the overwhelm
Defense contractors often underestimate the complexity of SPRS submissions. Industry studies show the average SPRS score is around -12, with only a small fraction of contractors fully prepared.
With Opsfolio CaaS, you don’t have to go it alone. We combine:
- Human experts who know DoD contracting.
- AI guidance to streamline evidence, remediation, and policy creation.
- Automation software to keep your compliance continuous.
Whether you’re starting at Level 1 or preparing for a higher-level CMMC assessment, Opsfolio ensures your SPRS submissions are complete, accurate, and audit-ready.
Use trust to accelerate growth
Compliance is no longer optional for DoD contractors—it’s the price of admission. By starting your journey with a CMMC Level 1 Self-Assessment in Opsfolio, then joining Opsfolio CaaS for expert-driven remediation, you’ll be prepared for October 2025 and beyond.
FAQs
- Why is SPRS relevant for CMMC? Because it is the official system for reporting CMMC assessments and affirmations.
- What’s the maximum SPRS score? 110, indicating full compliance.
- Do I need a perfect score? No, but gaps must be tracked in a POA&M and remediated within 6 months.
- What happens after I self-assess? You’ll enter your results in SPRS, and your AO will affirm. Opsfolio CaaS can help with everything from POA&Ms to documentation and affirmation workflows.