A reported SPRS score can feel like confirmation that your organization is ready for CMMC. But in many cases, self-reported results reflect intent and interpretation rather than the documented, operationally evidenced compliance that assessors, prime contractors, and contracting officers expect to see.
Recent changes driven by the Revolutionary FAR Overhaul (RFO) have significantly altered how SPRS is used and what a reported score represents. The legacy DFARS-based “Basic” NIST self-assessment requirements have been eliminated, and SPRS no longer functions as a standalone repository for informal self-attestations. Instead, SPRS now serves as the system of record for CMMC assessments, affirmations, scores, and status determinations.
With the CMMC Program Final Rule (32 CFR Part 170) finalized and CMMC requirements being phased into DoD contracts, organizations are increasingly required to demonstrate compliance at the appropriate CMMC level – not just report a number. Whether through a Level 1 or Level 2 self-assessment or a third-party assessment by a C3PAO, the expectation has shifted toward evidence-based validation.
This blog examines why self-attestation gaps are so common, what reviewers actually scrutinize during CMMC assessments and prime contractor evaluations, and how to identify where a reported SPRS result may not hold up before someone else tests it for you.
Why a Strong SPRS Score Doesn’t Always Mean You’re Ready
Under the current CMMC framework, results reported in the Supplier Performance Risk System (SPRS) are based on assessments against the 110 security requirements in NIST SP 800-171 Rev. 2 using the DoD-approved assessment methodology. For CMMC Level 2 self-assessments, organizations calculate a score starting from 110, with weighted point deductions for each requirement that is not fully implemented.
Recent changes driven by the Revolutionary FAR Overhaul (RFO) have reshaped how these results are used and interpreted. The legacy DFARS “Basic” self-assessment construct has been eliminated, and SPRS no longer serves as a standalone destination for informal NIST self-attestations. Instead, SPRS now functions as the system of record for CMMC assessments, affirmations, scores, and status outcomes.
Organizations may be permitted to use Plans of Action and Milestones (POA&Ms) for a limited subset of controls when performing a CMMC Level 2 self-assessment. When POA&Ms are used, the organization receives a Conditional Level 2 status and must remediate outstanding gaps within the required timeframe. Unresolved deficiencies continue to reduce the overall score and can affect eligibility as CMMC requirements are phased into contracts.
In theory, a higher reported score suggests stronger alignment with NIST SP 800-171. In practice, the result is only as reliable as the assessment behind it. Self-assessments rely on organizational interpretation and executive affirmation, which can mask gaps between stated compliance and what assessors or prime contractors expect to see as objective evidence.
Not all CMMC compliance requires third-party assessment. Depending on the contract, organizations may satisfy requirements through annual self-assessment (Level 1 or select Level 2 contracts) or may be required to undergo an independent review by a Certified Third-Party Assessment Organization (C3PAO). In both cases, what is reported in SPRS must reflect controls that are fully implemented, documented, and operating as intended — not just planned or partially in place.
Where SPRS results tend to break down is in areas such as:
- Controls marked “met” based on partial or inconsistent implementation
- Policies that exist on paper but are not enforced operationally
- Security tools deployed without being configured to meet the specific intent of the control
- POA&Ms that lack realistic timelines, ownership, or supporting remediation plans
None of this implies bad faith. It reflects a structural reality: self-assessment without independent validation frequently overestimates readiness in a CMMC-driven environment.
Common Self-Attestation Gaps That Fail Third-Party Scrutiny
Certain areas come up repeatedly when self-assessed environments face external review. These aren’t edge cases. They’re patterns that affect organizations across the defense supply chain:
- Documentation doesn’t match implementation. Controls may be in place technically, but the supporting documentation is either outdated or doesn’t describe what’s actually happening. Assessors check not only whether a control works, but whether you can prove, with written evidence, that it works consistently.
- CUI scoping is too broad. Many organizations struggle to clearly define where Controlled Unclassified Information lives, how it flows, and who has access. Without a well-defined CUI boundary, it’s difficult to apply controls accurately.
- Access controls lack granularity. Self-assessments often confirm that access controls exist without verifying whether they meet the principle of least privilege. Shared accounts and inconsistent offboarding processes are among the most frequently flagged findings.
- Incident response plans haven’t been tested. Assessors look for evidence that the plan has been tested and updated, and that staff understand their roles within it. A plan that sits in a folder untouched doesn’t satisfy the control.
- POA&Ms aren’t credible. Plans of Action and Milestones are meant to show a realistic path to closing gaps. Under CMMC Level 2 certification, limited POA&Ms may be permitted for select non-priority requirements, provided they are remediated within 180 days. Certain security requirements must be fully implemented at the time of assessment and cannot be deferred through a POA&M.
What Assessors and Prime Contractors Actually Expect to See
With the CMMC Program Final Rule (32 CFR Part 170) finalized and DFARS rulemaking phasing requirements into DoD contracts, organizations are increasingly being required to demonstrate the appropriate CMMC level as a condition of award. This reinforces that self-attestation alone is not a reliable predictor of assessment outcomes.
Third-party assessors evaluate whether your controls function as intended, whether your documentation supports your claims, and whether your organization can demonstrate compliance on demand, consistent with NIST SP 800-171A assessment procedures.
What assessors and primes typically expect includes:
- Clearly defined CUI boundaries and data flow documentation
- Policies and procedures that are current, specific, and actively enforced
- Evidence that controls are operational – not just planned or partially deployed
- Credible POA&Ms with defined ownership, timelines, and resource allocation
- Proof that security awareness training and incident response exercises are conducted regularly
Why This Matters Now
As CMMC requirements are phased into DoD contracts through DFARS rulemaking, organizations that cannot demonstrate compliance risk losing eligibility for federal work. For many companies in the defense industrial base, that represents significant revenue exposure.
The organizations in the strongest position right now are the ones identifying and addressing gaps before external scrutiny forces the issue.
How Infinity Technologies Helps Validate Your SPRS Position
At Infinity Technologies, our approach is designed to give leadership and compliance stakeholders an objective, assessment-informed understanding of where things stand before a prime contractor, assessor, or contracting activity makes that determination.
Our support includes:
- CMMC-aligned security gap analysis that benchmarks your current environment against applicable requirements and highlights where self-assessed results may not withstand external review
- SPRS readiness and score alignment reviews to confirm that reported results are supported by documented, objective evidence under the CMMC framework
- CUI scoping support to accurately define system boundaries, data flows, and control applicability
- Risk-based remediation planning that prioritizes gaps by business impact and assessment exposure
- Ongoing IT and compliance guidance to help maintain readiness as requirements and environments evolve
Our team works alongside internal IT and compliance teams to reduce risk and build a compliance posture that holds up under scrutiny – before contract eligibility or assessment outcomes are on the line.
FAQs
- Why do self-assessed SPRS scores often fail under third-party review?
Self-assessments rely on internal interpretation of the 110 security requirements in NIST SP 800-171 Rev. 2, which can lead to overestimation. Common issues include partial implementation being treated as complete, documentation that doesn’t fully support implementation, and controls that exist in policy but are not consistently enforced operationally.
- What is the difference between SPRS self-attestation and a CMMC assessment?
CMMC self-assessment is conducted internally by the organization and reported in the Supplier Performance Risk System (SPRS) as required for Level 1 and select Level 2 contracts. A CMMC certification assessment is performed by an accredited and authorized Certified Third-Party Assessment Organization (C3PAO), overseen by the Cyber AB, which independently verifies that controls are implemented, documented, and operating as required using NIST SP 800-171A assessment procedures.
- How can a security gap analysis help with CMMC readiness?
A security gap analysis provides an objective evaluation of your current environment against CMMC requirements. It identifies where controls are missing, where documentation doesn’t align with implementation, and where remediation should be prioritized before formal assessment.
Get Your Security Gap Analysis Today
Get a Security Gap Analysis to validate your CMMC readiness before external review. Contact us to understand where your compliance stands – and what to prioritize next.