Question 1

What is a SPRS score and why does it matter?

Accepted Answer

The Supplier Performance Risk System (SPRS) score is your self-assessed NIST 800-171 score submitted to the DoD. Scores range from -203 (all requirements failed) to +110 (all requirements met). Each requirement has a point value; unimplemented requirements subtract from your score. Contracting officers can view your score and use it in source selection decisions. A low or negative SPRS score is increasingly a disqualifying factor for DoD contracts.

Question 2

What is Controlled Unclassified Information (CUI)?

Accepted Answer

CUI is government-created or -owned information that requires protection but doesn't meet the threshold for classified designation. The CUI Registry (managed by NARA) defines over 100 CUI categories across 20+ groups - including technical data, export-controlled information (ITAR/EAR), law enforcement sensitive, privacy data, and procurement-sensitive information. If your contract flows CUI, you must identify it, protect it per 800-171, and report breaches.

Question 3

How is NIST 800-171 different from CMMC?

Accepted Answer

NIST 800-171 defines the security requirements. CMMC (Cybersecurity Maturity Model Certification) is the assessment program that verifies compliance with those requirements. CMMC Level 2 maps directly to 800-171's 110 practices. The key difference: 800-171 was self-attested (you submitted your SPRS score), while CMMC Level 2 requires a third-party assessment by a C3PAO. Self-attestation remains for a small subset of less sensitive contracts.

Question 4

Do we need a third-party assessment or can we self-attest?

Accepted Answer

It depends on the contract. CMMC rules classify programs as Level 1 (self-attestation for 15 basic safeguarding requirements), Level 2 self-attestation (some less-critical CUI programs), or Level 2 C3PAO (DoD-certified third-party assessor organization) for programs with CUI critical to national security. Level 3 requires a DCSA-led government assessment. Most defense industrial base (DIB) contractors pursuing prime or subcontracts with CUI require C3PAO assessment.

Question 5

What happens if we have open POA&M items during a CMMC assessment?

Accepted Answer

Open POA&M items are not automatically disqualifying for CMMC Level 2, but assessors evaluate whether the plan is credible and the risk is managed. Requirements with no implementation and no credible remediation plan will result in a 'NOT MET' finding. Requirements with partial implementation and an active, funded remediation plan may be scored as 'MET with Conditions' at assessor discretion. We advise closing as many POA&M items as possible before assessment.

Question 6

How do cloud services affect our 800-171 scope?

Accepted Answer

If CUI is processed, stored, or transmitted through cloud services, those services must also comply with 800-171 (or FedRAMP Moderate/High, which satisfies 800-171 requirements). This means your AWS, Azure, or GCP configuration, plus any SaaS tools handling CUI, must be assessed and included in your SSP. Using FedRAMP-authorized services simplifies this - their inherited controls reduce your implementation burden significantly.

NIST 800-171 Compliance for DoD Contractors

Why NIST 800-171 Is Critical for Government Contractors

Our Approach

CUI Scoping & SPRS Assessment

SSP & POA&M Development

Gap Remediation

CMMC Readiness

What You Get

Get NIST 800-171 Ready

Related Frameworks

Frequently Asked Questions