CustodiaCustodia.
Custodia · Free walkthrough · 2026 edition

How to post your SPRS score — step by step.

The eight steps to take a finished CMMC Level 1 self-assessment and post the affirmation into SPRS, the DoD's Supplier Performance Risk System. Plain English, no jargon, no gates.

8
Steps
~30 min
If PIEE is set up
Annually

What posting to SPRS actually means

SPRS is where DoD contracting officers look up your cybersecurity posture before awarding contracts. Posting your CMMC Level 1 affirmation here is the official act that tells the government “we've done the self-assessment, and we meet the 15 safeguarding requirements.”

Until your posting appears in SPRS, you cannot bid on FAR-52.204-21 contracts as a prime, and primes who require an SPRS lookup will skip your bid as a sub.

Before you start

You should already have:

  • A completed Level 1 self-assessment (use our free checklist)
  • A defined scope (use our scoping worksheet)
  • Your company's CAGE code and UEI
  • The name, title, email, and phone of an “affirming official” with authority to attest
  • A PIEE account (or time to register one)
01

Confirm you have a PIEE account

  1. SPRS is accessed through PIEE (Procurement Integrated Enterprise Environment) at piee.eb.mil.
  2. You need a PIEE account with the SPRS module added. If you already invoice DoD through WAWF, you have PIEE — you just need to add SPRS.
  3. If you do not have PIEE, register your company first (this takes ~3 business days for the CAM, Contractor Administrator, to be approved).
Gotcha: If you've never logged into PIEE, plan for a 3–5 business day delay. Start here before doing anything else.
02

Add the SPRS role in PIEE

  1. Log into PIEE at piee.eb.mil.
  2. Go to 'My Account' → 'Add Roles.'
  3. Select 'SPRS' as the application and 'Cyber Vendor User' as the role.
  4. Your company's CAM (Contractor Administrator) approves the request. If you are the CAM, you self-approve.
Gotcha: Pick 'Cyber Vendor User,' not 'Contractor / Vendor (Read Only).' The read-only role cannot post scores.
03

Open the Cyber Reports module in SPRS

  1. From PIEE, click the SPRS tile.
  2. Inside SPRS, select 'Cyber Reports' from the left menu.
  3. Choose your company from the CAGE / DUNS / UEI selector.
04

Click 'NIST SP 800-171 Assessments'

  1. For CMMC Level 1, you'll use the same NIST SP 800-171 assessment table — but you'll select 'Basic' as the assessment type and tick the box indicating Level 1 / FCI scope.
  2. (As of mid-2025, DoD added a dedicated 'CMMC Level 1 Self-Assessment Affirmation' workflow inside SPRS. If your view shows it, use that instead — the fields are nearly identical.)
05

Enter the required fields

  1. Assessment date: the date you ran the self-assessment.
  2. Assessment scope: a short description of the boundary you defined. ('Corporate IT, 3 laptops, M365 tenant, Cisco firewall.')
  3. Score: for Level 1, this is binary — your system meets all 15 controls (MET) or it does not (NOT MET).
  4. Plan of action completion date: leave blank for Level 1 (no POAMs allowed at L1).
  5. Affirming official: name, title, email, phone. This must be a senior official with authority to attest on behalf of the company.
Gotcha: There is no partial credit at Level 1. If you cannot truthfully mark MET on all 15, fix the gap before submitting.
06

Submit the affirmation

  1. Review the screen for typos. The affirming official's name, title, and email are public to DoD contracting officers — accuracy matters.
  2. Click 'Submit.'
  3. SPRS records the submission with a date-stamped record. Take a screenshot of the confirmation screen and save it with your evidence.
07

Verify your score appears

  1. Return to the assessment table within 5 minutes. Your most recent submission should appear at the top, with the affirmation date and the affirming official.
  2. If it doesn't appear, refresh; if still missing, contact SPRS support (the link is in the SPRS footer).
08

Calendar the renewal

  1. Level 1 requires an annual affirmation. Set a calendar reminder for 11 months from today.
  2. If anything in your environment changes materially (new office, new cloud app holding FCI, change in IT contact), update the SPRS posting at that point rather than waiting for the annual.
Gotcha: Missing the annual renewal is the #1 way Level 1 contractors lose 'bid-ready' status. Calendar it twice.
Special case

What if you can't mark MET on all 15?

CMMC Level 1 is binary. You can't submit a partial posting and you can't list POAMs (plan of action items you'll do later). The right move:

  1. Identify exactly which control(s) you're short on. Our checklist makes this easy.
  2. Fix them. Most L1 gaps (MFA on email, antivirus turned on, visitor log started) can be closed in days.
  3. Re-run the self-assessment. Sign the new attestation.
  4. Then submit to SPRS.

Submitting MET when you don't actually meet the controls is a False Claims Act exposure. Don't.

Custodia · bidfedcmmc.com · SPRS portal: piee.eb.mil· Not legal advice
Next
Annual affirmation guide →
The part everyone forgets and then loses bid-ready status.
The whole DIY handbook →
All seven steps in one place.
Built by Custodia

We give this away because we sell the easy version for $249/mo.

This sprs walkthroughis genuinely complete and yours to keep. If you'd rather have the platform fill it in, collect the evidence, send the renewal reminders, and post your SPRS score for you — that's what we built.

Start the 7-day free trial →Keep going DIY →