Cybersecurity Maturity Model Certification (CMMC)
SPRS is the location for vendors to certify CMMC Level 1 and Level 2 compliance and for the defense acquisition community to review.
“The CMMC Program is designed to enforce the protection of sensitive unclassified information shared by the Department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information.” https://dodcio.defense.gov/cmmc/About/
CMMC Supplemental Guidance:
View our CMMC Level 1 and Level 2 Quick Entry Guides below.
32 CFR Part 170, CMMC rule: https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
Basic Safeguarding of Covered Contractor Information Systems: FAR clause 52.204-21
Supplemental guidance, including the CMMC Level 1 Scoping Guide, CMMC Level 1 Self-Assessment Guide, CMMC Level 2 Scoping Guide, and the CMMC Level 2 Assessment Guide can be found at: https://dodcio.defense.gov/CMMC/Documentation/
Questions related to technical interpretation of these CMMC documents may be directed to osd.pentagon.dod-cio.mbx.cmmc-inquiries@mail.mil. Do not submit questions requesting interpretation or modification of NIST source documents, which are outside the CMMC Program's purview.
NIST SP 800-171 Information
SPRS provides storage and access to the NIST SP 800-171 assessment scoring information. The NIST SP 800-171 Assessments module contains assessment date, score, scope, plan of action completion date, Included Commercial and Government Entity (CAGE) code(s), System Security Plan (SSP) name, SSP version, SSP date, and confidence level.
To access the NIST SP 800-171 Assessments module, users must be registered in the Procurement Integrated Enterprise Environment (PIEE) and be approved for access to SPRS. A “SPRS Cyber Vendor User” role is required for companies to enter/edit basic self-assessment information.
Assessments may be added for CAGEs that fall within the company hierarchy.
The NIST SP 800-171 Basic Assessment cannot be performed in SPRS; SPRS only stores the results of NIST SP 800-171 Assessments. For preparation information, including the assessment methodology, refer to the Defense Pricing and Contracting (DPC) Cyber page at Policy – Safeguarding Covered Defense Information and Cyber Incident Reporting. Questions regarding conducting your NIST SP 800-171 assessment should be directed to your Program Office or Contracts representative or the Defense Contract Management Agency (DCMA) general mailbox listed here: DCMA_7012_Assessment_Inquiry@mail.mil.
Reference Materials
For commonly asked questions, view the Cyber Reports FAQ page.
SPRS Cyber Reports (CMMC & NIST) Instructor-Led Training
This training will provide step-by-step instructions for the SPRS Cyber Reports (CMMC & NIST). This training is intended for vendors and will cover entering, editing, affirming, and deleting records. Interpreting requirements and conducting the assessments will not be covered.
Watch CMMC Level 2 Self-Assessment Tutorial
This tutorial goes over entering, editing, and affirming the Cybersecurity Maturity Model Certification (CMMC) Level 2 Self-Assessment within SPRS.
Watch CMMC Level 1 Entry Tutorial
This tutorial goes over entering, editing, and affirming the Cybersecurity Maturity Model Certification (CMMC) Assessment within SPRS.
Watch Affirming Official for CMMC Level 1 Self-Assessment Tutorial
This tutorial is a step-by-step guide for Affirming Officials (AO) to affirm Cybersecurity Maturity Model Certification (CMMC) Level 2 Self-Assessment.
Watch NIST SP 800-171 Entry Tutorial
This tutorial goes over entering and editing the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Assessment records within SPRS.