Confused about how to access SPRS and post your NIST SP 800-171 assessment score? The multi-step process is essential for CMMC compliance, but can be a challenge for organizations that haven’t set it up before! Follow our step-by-step guide for accessing SPRS.
As part of CMMC and DFARS compliance, all organizations working either directly or indirectly on U.S. Department of Defense contracts with access to CUI must register and provide a Cyber Risk assessment score in the Defense Information Systems Agency (DISA) Supplier Performance Risk System (SPRS, pronounced “spurs”).
Depending on where you are in your CMMC readiness journey, you may have already completed some of these steps. For comprehensiveness, we’ve provided this guide assuming you’re starting from square one, but you can use the links below to jump straight to the step most relevant to your organization. We’ve also provided some callouts for common questions and issues during the process.
Register in SAM and Get a CAGE Code
The first step towards accessing SPRS is registering in the U.S. General Services Administration System for Award Management (SAM) available via https://www.sam.gov/. If you do not already have one, registering in SAM will also generate a Commercial and Government Entity (CAGE) code used to uniquely identify your organization.
There are two options available for organizations registering in SAM:
Unique Entity Identifier - A unique entity identifier (UEI) is required for organizations working as subcontractors (sub-awardees) on federal government contracts who do not accept contracts directly from the government. Requesting a UEI requires basic information about your organization including legal business name, physical address, U.S. state of incorporation, start year, and (optionally) any doing business as (DBA) names. A list of acceptable validation documents can be found on the Federal Service Desk (FSD) Knowledge Base.
Full Registration – This is required if your organization will bid on contracts directly from the federal government. Full registration requires substantially more information than simply requesting a UEI. A full list of required documents is available in the Entity Registration Checklist.
Note: SAM requires a physical address for both organization registrations and UEIs. Virtual office addresses are not allowed unless a private office space is leased at a coworking facility.
Begin the process via the SAM Entity Registration page (which provides options for both full registration and UEI only).
Register in PIEE
Once you’ve registered in SAM (either full registration or UEI-only) and have a CAGE code, you can register your organization in the Defense Logistics Agency’s Procurement Integrated Enterprise Environment (PIEE). This service provides multiple features to support organizations doing business with the DoD, and it functions as a single sign-on (SSO) platform for accessing SPRS.
To register your organization in PIEE, visit https://piee.eb.mil/ and select the “New User” button from the top-right corner of the screen. The New User Setup page includes links to numerous resources, including a New Vendor Organization – Getting Started guide.
Before you can set up an account, you will need to contact the PIEE Help Desk to have your CAGE code added to a new group in the PIEE Vendor Group Structure. The easiest way to do this is through the Vendor Customer Support portal. Select “Activation” as the Topic, then enter your information along with a note indicating you would like to register as a new vendor in PIEE and assign yourself as the Contractor Administrator (CAM).
Note: The contact email for your CAM must match the organization’s Electronic Business (EB) POC in SAM. If it is not, you will need to request a CAM Appointment Letter from the EB POC and have them send it to the PIEE Help Desk after submitting your registration.
Once the PIEE Help Desk has created a group for your organization, you can proceed with account setup via the PIEE registration portal. Select “Vendor” when prompted for user type. Set a user ID and password, select your security questions, then populate your organization’s profile.
On the Roles page, select PIEE from the Application dropdown and Contractor Administrator from the Role selector. Click the “Add Roles” button to add this role to your request (see screenshot below).
On the Justification page, indicate you are registering for your organization in order to access SPRS as a DoD supplier per DFARS and CMMC requirements. An attachment is not required, but you may wish to submit supplemental documentation (e.g., a PDF showing your company information in SAM). Submit your registration request and the account should be activated by the PIEE Help Desk within several business days.
Configure Access to SPRS
If you are the only CAM for your organization in PIEE, you must contact the PIEE Help Desk to request the “SPRS Cyber Vendor User” role in order to register for SPRS.
Contact PIEE via email at disa.global.servicedesk.mbx.eb-ticket-requests@mail.mil or the SPRS program office at usn.pnsy.navsealogcen.mbx.ptsmh@us.navy.mil to request activation.
Note: If you are the only CAM for your organization in PIEE, you cannot add the required SPRS role yourself. You must contact the PIEE Help Desk.
If there is already a CAM for your organization, you can request the “SPRS Cyber Vendor User” role by logging in to your PIEE account, selecting “My Account” from the menu at the top of the PIEE user homepage, and selecting “Add Additional Roles.”
Enter the requested info on the Profile page (you will need to re-enter your CAGE code). Once you reach the Roles page, select “SPRS - Supplier Risk Performance System” from the from the Application dropdown and “SPRS Cyber Vendor User” from the Role selector. Click the “Add Roles” button to add this role to your request and enter the CAGE code for your organization (see screenshot below).
On the next page, add any relevant Justification info (i.e., indicating you require access to SPRS to submit a NIST Cyber Report assessment score per DFARS and CMMC requirements) and then submit your request.
Once the role request has been approved (either by the PIEE Help Desk or another CAM), you will receive a notification email. You will then be able to access the SPRS portal via the corresponding tile on the PIEE user homepage.
Submit Your Assessment Score
Once you have logged into the SPRS web portal, select “Cyber Reports (NIST)” from the left-hand menu and choose the CAGE code corresponding to your organization from the CAGE Hierarchy selector. On the Cyber Reports page, select the “NIST SP 800-171 Assessments” tab and click the “Add New NIST Assessment” button.
Here, you will be able to populate the information corresponding to your self-assessment and your assessment score, which ranges from -203 to 110. Your assessment score will be based on the 320 assessment objectives corresponding to the 110 practices identified in the NIST SP 800-171 DoD Assessment Methodology.
Note: Even if your organization is only required to achieve CMMC Level 1 certification, you must complete a full assessment against all criteria in NIST SP 800-171 and submit your score in SPRS.
Performing the assessment, itself, is outside the scope of this guide. However, numerous resources exist which provide guidance for organizations performing self-assessments:
NIST SP 800-171A (rev. 2): Assessing Security Requirements for Controlled Unclassified Information
We’ve also built a dynamic SPRS assessment score calculator in Smartsheet. Contact us to request a copy!
Note: Intentionally posting an inaccurate score in SPRS could be considered a violation of the False Claims Act. Only submit a verified score based on accurate self-assessment data.
How Triumvirate Cybersecurity Can Help
As a CyberAB Registered Practitioner Organization (RPO) with hands-on experience implementing CMMC requirements—including our founder’s knowledge as the former IT security and compliance lead for one of the first 50 organizations to pass a CMMC JSV assessment—we’re confident in our ability to guide customers on the path to CMMC.
From gap analysis and practice assessment services to comprehensive project management, Triumvirate Cybersecurity is here to provide trusted insights to members of the DIB as they prepare for, achieve, and maintain CMMC compliance. View our services to see how we can help you go from CMMC-curious to CMMC certified!