CMMC Compliance in 2025: Key Updates, Reminders & What You Should Be Doing Now


GladiusIT

Let’s face it—CMMC compliance (Cybersecurity Maturity Model Certification) has been a journey. With regulations evolving and new guidance constantly surfacing, staying on top of it all can feel like a full-time job. But as we move through 2025, there’s some good news: we’re seeing clearer direction, centralized reporting, and more opportunities to demonstrate compliance progress.

Here’s a breakdown of the latest updates—and what they mean for your organization.

SPRS Just Got Smarter

The Supplier Performance Risk System (SPRS) now allows for reporting on NIST 800-171 assessments, CMMC Level 1 self-assessments, and CMMC Level 2 self-assessments. This enables the Department of Defense (DoD) to assess and manage the cybersecurity risks associated with its suppliers. 

Here’s a breakdown:

  • NIST 800-171 Assessments: SPRS allows contractors to submit their NIST SP 800-171 self-assessment scores, which are crucial for demonstrating compliance with cybersecurity requirements for protecting Controlled Unclassified Information (CUI). 
  • CMMC Level 1 Self-Assessments: SPRS is also the platform for contractors to certify their compliance with CMMC Level 1, which focuses on basic cybersecurity hygiene. 
  • CMMC Level 2 Self-Assessments: The system also supports CMMC Level 2 self-assessments, which are more rigorous than Level 1 and involve a more in-depth evaluation of cybersecurity practices. 

These functionalities within SPRS are designed to streamline the process of assessing and managing cybersecurity risks within the Defense Industrial Base (DIB). 

This is a huge step forward. We now have one centralized place to report progress for both NIST and CMMC—making it easier to track your status and stay compliant. More transparency. More accountability. More clarity.

What You Need to Know

Let’s break down the key elements:

NIST 800-171

  • Business as usual here. 
  • Keep submitting and updating your scores regularly in SPRS. 

CMMC Level 1 Self-Assessment

  • Once marked as met, this will reflect on your CAGE Code. 
  • If you’re there, great—make sure it’s updated. Mark this as an easy win. 

CMMC Level 2 Self-Assessment

Here’s where things get a little more complex. Before you can attest to Level 2 compliance, three criteria must be met:

  1. System Security Plan (SSP) must be fully implemented. 
  2. Your NIST score must be 88 or higher (80% minimum). 
  3. Your POA&M can only include eligible items—typically one-point controls. Very few exceptions apply. 
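To make the three Level 2 criteria above concrete, here is an added worked example (not code from the original post or from GladiusIT) that scores a NIST SP 800-171 self-assessment and runs the attestation checks. Scoring follows the published DoD Assessment Methodology: start at 110 and subtract each unmet requirement's weight of 1, 3 or 5 points, with partial credit (3 points off instead of 5) for 3.5.3 and 3.13.11. The requirement sample, its weights and statuses are constructed for illustration, the `Requirement` class and function names are this example's own, and the POA&M check applies the general one-point rule without the few exceptions the post mentions.

```python
from dataclasses import dataclass

MAX_SCORE = 110                # all 110 NIST SP 800-171 requirements met
LEVEL2_MIN_SCORE = 88          # the 80% floor the post cites for self-attestation
# Under the DoD Assessment Methodology these two requirements earn partial credit
# (3 points deducted instead of 5) when only partially implemented.
PARTIAL_CREDIT_REQUIREMENTS = {"3.5.3", "3.13.11"}


@dataclass
class Requirement:
    req_id: str
    weight: int            # 1, 3 or 5 points (real values: methodology Annex A)
    status: str            # "met", "partial" or "not_met"
    in_poam: bool = False  # tracked on the Plan of Action & Milestones?


def deduction(req: Requirement) -> int:
    """Points subtracted from 110 for one requirement."""
    if req.status == "met":
        return 0
    if req.status == "partial" and req.req_id in PARTIAL_CREDIT_REQUIREMENTS:
        return 3
    return req.weight


def assessment_score(reqs) -> int:
    """SPRS-style score: 110 minus the deductions for open requirements."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def level2_attestation_check(reqs, ssp_fully_implemented: bool):
    """Apply the post's three Level 2 criteria.

    Returns (score, blockers); an empty blocker list means you may attest.
    """
    blockers = []
    if not ssp_fully_implemented:
        blockers.append("SSP is not fully implemented")
    score = assessment_score(reqs)
    if score < LEVEL2_MIN_SCORE:
        blockers.append(f"score {score} is below the minimum of {LEVEL2_MIN_SCORE}")
    for r in reqs:
        if r.status == "met":
            continue
        # Anything still open must sit on the POA&M, and (general rule, exceptions
        # omitted in this example) only 1-point requirements are POA&M-eligible.
        if not r.in_poam:
            blockers.append(f"{r.req_id} is open but not on the POA&M")
        elif r.weight != 1:
            blockers.append(f"{r.req_id} is a {r.weight}-point requirement, not POA&M-eligible")
    return score, blockers


# Constructed sample: a handful of requirements, not a full 110-item assessment.
READY = [
    Requirement("3.1.1", 5, "met"),
    Requirement("3.1.2", 5, "met"),
    Requirement("3.1.20", 1, "not_met", in_poam=True),
    Requirement("3.1.22", 1, "not_met", in_poam=True),
    Requirement("3.5.3", 5, "met"),
    Requirement("3.13.11", 5, "met"),
]

NOT_READY = [
    Requirement("3.1.1", 5, "met"),
    Requirement("3.1.2", 5, "not_met"),                 # open and not on the POA&M
    Requirement("3.1.20", 1, "not_met", in_poam=True),  # eligible 1-point item
    Requirement("3.1.22", 1, "met"),
    Requirement("3.5.3", 5, "partial", in_poam=True),   # 3 points off, but not 1-point
    Requirement("3.13.11", 5, "met"),
]

if __name__ == "__main__":
    for label, sample in (("ready", READY), ("not ready", NOT_READY)):
        score, blockers = level2_attestation_check(sample, ssp_fully_implemented=True)
        print(f"{label}: score {score}, blockers: {blockers or 'none'}")
```

Note that the second sample scores 101, comfortably above 88, yet still cannot attest: the score threshold is only one of the three gates, and a single open 5-point requirement blocks Level 2 self-attestation regardless of the total.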

Our Recommendation

Whether you’re ready to attest or not:

  • Enter your CMMC Level 2 progress in SPRS. 
  • Keep your NIST 800-171 scores current. 
  • Show intent. Show progress. It matters. 

Even if you’re still working toward full compliance, documenting your efforts demonstrates maturity and accountability—two things that can go a long way in audits and assessments.

Looking Ahead

As you prepare for your annual self-assessments, keep these changes in mind. Proactive work now means fewer headaches later.

Remember: CMMC is a marathon, not a sprint. Pace yourself, stay informed, and lean on experienced partners when you need support.

If you’re feeling stuck or unsure about your next steps, we’re here to help you navigate the path to compliance.

Need help preparing or updating your CMMC strategy?


Reach out today for expert guidance on assessments, SSP development, score improvement plans, and everything in between.