Free Primer · 5 Min Read · For DoD Subcontractors

Your SPRS Score, Explained.

What SPRS actually is, why your prime contractor is legally required to check yours before awarding you work, and what happens if you submit a score without the practices in place. The basics every Pacific defense sub should understand — before deciding what to do next.

Section 1

What is SPRS?

SPRS stands for Supplier Performance Risk System. It's an online database run by the U.S. Department of Defense, and it holds the cybersecurity compliance scores of every company doing business in the defense supply chain.

Every DoD subcontractor — from a 200-person engineering firm to a three-person electrical sub on a NAVFAC base — must submit a CMMC self-assessment score into SPRS. That score has to reflect reality. It's not a guess, an estimate, or an aspiration. And once submitted, a senior official in your company has formally affirmed it.

Your prime contractor is legally required to check your SPRS score before awarding you a subcontract. If you don't have a valid score on file, your prime cannot award you the work.

This is the part most subs don't realize until they lose a bid. Primes aren't being cautious — they're complying with federal contract regulations that require them to verify your score. A prime that awards a sub work without a valid SPRS score on file is taking on substantial legal exposure of their own. Increasingly, they're not willing to do that.

Section 2

The CMMC Level 1 Score, in Plain English

Most Pacific defense subs — electricians, plumbers, HVAC, welders, fencing, roofing, general trades — fall under CMMC Level 1. That's the level for companies that handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). If your work touches DoD contracts but doesn't involve sensitive technical specs, controlled drawings, or weapons-related data, you're almost certainly Level 1.

15 Practices: Specific cybersecurity controls your company must have in place across 6 domains

110 Required Score: The score you need to be CMMC Level 1 compliant

12mo Score Lifespan: Self-assessment must be repeated every year — old scores expire

Unlike higher CMMC levels, Level 1 doesn't allow partial credit. It's not "do most of it and you'll be fine." Either every practice is met, or you are not compliant.

All 15 Practices Met: Score: 110. Status: Compliant. Your prime can award you the subcontract. You meet the legal requirement.

Any Practice Not Met: Score: below 110. Status: Not compliant. One failure affects the entire score. There are no partial passes at Level 1.

The 15 practices cover the basics: who can log in to your systems, what each person is allowed to do, who controls your network connection, how you handle visitors, what runs on your devices, how you destroy old equipment. If your shop already runs on commodity tools — Microsoft 365 or Google Workspace, a consumer router, no shared accounts — you may be closer than you think. Or you may have gaps you don't realize exist.

Section 3

What Happens When You Don't Have a Score

The cost of not being in SPRS isn't theoretical. It shows up in three specific ways:

🚫 You cannot be awarded the subcontract
Primes are required to verify your SPRS score before awarding you a sub. No valid score means no award — regardless of your qualifications, your relationship with the prime, your bid price, or how long you've worked together. Local relationships and a good reputation are not a substitute for a score on file.

⚠️ Your prime takes on legal exposure if they award you work anyway
If a prime awards you a subcontract without verifying your score — or after seeing that you don't have one — they face False Claims Act exposure. Penalties run into tens of thousands of dollars per violation, plus triple damages. Increasingly, primes are simply refusing to take that risk. The era of "we'll figure out the paperwork later" is over.

📅 Your score expires every 12 months
A CMMC Level 1 self-assessment must be repeated every year. Your SPRS score is only valid for 12 months from the date of submission. If it lapses, you are in the same position as having no score at all — and your prime is notified that your score has expired.

Section 4

The Legal Warning Most Subs Don't Hear About

⚠️ A Score is a Formal Legal Affirmation
When a senior official at your company submits your SPRS score, they are making a formal legal affirmation that the score is accurate. It carries the same weight as any other federal certification. Submitting a score of 110 when your company has not actually met all 15 practices is a potential False Claims Act violation — even if the inaccuracy was unintentional. Don't guess. Don't estimate. Don't submit a score because someone told you "everyone just submits 110." Complete the self-assessment honestly, fix every gap, and only submit when all 15 practices are genuinely met.

This is the single most important thing to understand about SPRS, and the single most under-discussed: a wrong score is worse than no score. No score gets you out of bidding. A wrong score, audited later, can get you debarred from federal work entirely and create personal legal exposure for whoever submitted it.

The right path is the one that ends with a score that matches reality — not the one that gets you to "submitted" the fastest.

Section 5

So What Do You Actually Do?

The path to a valid SPRS score has four parts, in order:

One. Honestly assess where you stand against the 15 Level 1 practices. Most subs who do this for the first time discover three or four gaps they didn't know existed — usually in account management, device disposal, or the handling of shared logins.

Two. Fix the gaps. This is where most subs get stuck. The practices themselves are often straightforward, but figuring out how to translate them to your specific shop — the tools you actually use, the way your team actually works — takes someone who has done it before.

Three. Document what you've done. SPRS submission is not just a number — it's an attestation backed by a System Security Plan that shows how each practice is implemented at your company. If you ever face a verification audit, this documentation is your defense.

Four. Submit through the proper federal systems. This requires active SAM.gov registration, the right login credentials, and someone with senior authority to make the affirmation.

Each part has details that aren't worth covering in a free primer — partly because the details change, partly because doing this correctly is what separates a defensible compliance posture from a hopeful one.

Ready to actually get your score?

PCC handles every step — so your score reflects reality and your prime can award you work.

We assess your shop against all 15 practices, identify the gaps, fix them with your team, generate the documentation, and walk you through SPRS submission. Built for Pacific defense subs — Hawaii, Guam, CNMI — by people who actually live here and understand how trade businesses actually run. Flat-fee pricing. No mainland enterprise consulting bills.