How to Submit Your SPRS Score: The PIEE Walkthrough Nobody Gives You
You’ve calculated your score. Now it has to get into the Supplier Performance Risk System (SPRS): because a score that exists only in a spreadsheet doesn’t exist at all as far as DoD contracting officers are concerned.
Here’s the whole path, including the two places where most people get stuck.
What you need before you start
- An active SAM registration and your company’s CAGE code(s). Your SPRS record hangs off the CAGE hierarchy, so if your SAM data is stale, fix that first.
- A completed Basic self-assessment using the DoD Assessment Methodology: date, score, and the name of the System Security Plan it covers. No SSP means you have nothing valid to submit; see writing your first SSP.
- A PIEE account with the right role: this is stuck-place number one.
Step 1: Get the SPRS “Cyber Vendor User” role in PIEE
- Go to the PIEE landing page (wawf.eb.mil) and register (or log in).
- Request the role: SPRS to Cyber Vendor User for your CAGE code(s). Plain “SPRS user” roles let you view your record; only Cyber Vendor User lets you enter assessment results.
- Your company’s PIEE Contracting Administrator (CAM) approves the role. If you don’t know who your CAM is, that’s stuck-place number two: small companies often discover their CAM left years ago. PIEE support can help you re-establish one, but budget days, not minutes, for this.
Step 2: Enter the assessment
Once inside SPRS, choose NIST SP 800-171 Assessments and add a new one. The fields, decoded:
| Field | What it actually means |
|---|---|
| Assessment date | The date you completed the self-assessment: not today’s date by default. Your affirmation clock and the 3-year currency window run from this. |
| Score | The number from the methodology, -203 to 110. Enter it honestly: misstated scores are False Claims Act territory, and DOJ has already settled cases over this. |
| Scope | “Enterprise” if the SSP covers the whole company network; “Enclave” if you’ve segmented CUI into a smaller boundary (often the smart move for small shops). |
| System Security Plan name | The document name/version of the SSP the score describes. One score per SSP. |
| Plan of Action completion date | The date you project reaching 110: pulled from your POA&M. Leave yourself realistic room. |
| Included CAGE codes | Every CAGE covered by this SSP. Miss one and that entity has no score on record. |
Step 3: Verify it shows
After saving, pull up your Summary Report in SPRS and confirm the score is visible against the right CAGE(s). Primes will check this: increasingly as a gate before they’ll even send you a subcontract package. A screenshot for your records doesn’t hurt.
Step 4: Calendar two dates
- Affirmation. Under the CMMC rule, self-assessments come with an annual affirmation of continuing compliance by your Affirming Official in SPRS.
- Re-assessment. Basic self-assessment scores are only current for three years, but your actual posture changes constantly. Re-run the assessment after any significant IT change, and update SPRS if the score moves.
The mistakes that actually hurt people
- Submitting a score with no SSP behind it. The methodology is explicit: no SSP, no completable assessment. In a dispute, a score with no SSP is indefensible: it’s evidence against you.
- One score, multiple disconnected networks. If your machine shop LAN and your cloud tenant have different postures, they’re arguably different systems. Either unify the boundary in one SSP or submit per-SSP scores.
- Scoring aspirationally. “We’re about to roll out MFA” is a 3.5.3 deduction today. Score what is, put the rest on the POA&M: that’s exactly what the POA&M date field is for.
- Letting the score go stale before an option year. Contracting officers can check currency at award and at option exercise.
After submission
The score is the beginning, not the end. Your gap list is the actual work: knock out 5-point items first (our calculator exports the list pre-sorted), keep evidence as you go, and track everything in one place so next year’s affirmation is an afternoon, not an archaeology dig.
Not legal advice. PIEE screens change; the roles and fields above are current as of mid-2026.
Get the next guide before you need it
One practical email when rules or deadlines change for small defense contractors. Written by a practitioner, not a marketing team.
Email signup launches soon. Check back shortly.
No spam, unsubscribe anytime. We never see your assessment answers.