The obligation that already exists, before CMMC arrives
Most conversations about defense-contractor security jump straight to CMMC, and we have written about what that acronym actually requires. But there is an obligation sitting underneath CMMC that many small subcontractors already carry today and simply do not realize — the requirement, flowed down through the DFARS clauses in their contracts, to safeguard Controlled Unclassified Information according to NIST Special Publication 800-171 and to post a current self-assessment score to a government system called SPRS. CMMC is, in large part, the government's move to verify the same 800-171 controls through assessment rather than trust them through self-attestation. The controls are not new; what is changing is who checks your work.
This article is general education on the self-assessment path — what it is, what it asks, and how the score is computed — so a small sub can understand an obligation that is easy to miss. It is emphatically not legal advice, and it is not a claim that any tool makes you compliant or computes an official score you can rely on. Whether and how these clauses apply to your specific contracts is a question for your contracting officer and qualified counsel; the score you submit is your representation to the government and must be honest. What a platform like ours can do is help you organize the 110 requirements as tracked controls, surface the unmet ones as findings feeding a plan, and keep your evidence current — the assessment, the scoring judgment, and the SPRS submission remain yours.
The three DFARS clauses, in plain language
The obligation lives in a small family of clauses that flow down from primes to subs. You do not need to memorize the numbers, but recognizing them in a contract is what keeps you from being blindsided:
- DFARS 252.204-7012 is the long-standing one: if you handle CUI on your systems, you must provide "adequate security" — defined as implementing NIST 800-171 — and you must report a cyber incident to the DoD within 72 hours of discovery. That 72-hour clock is why a rehearsed incident-response plan and clear breach-notification discipline are not optional niceties here — they are contractual.
- DFARS 252.204-7019 requires that you have a current 800-171 self-assessment on file, with the resulting score posted in the Supplier Performance Risk System (SPRS). "Current" generally means conducted within the last three years. No score in SPRS can mean you are not eligible for award — the missing submission itself becomes the problem.
- DFARS 252.204-7020 obligates you to keep that assessment current and to give the government access to conduct its own higher-level assessments if it chooses, and to flow the requirement down to your own subcontractors who will handle CUI.
The through-line is that self-assessment and honest self-reporting are already the rule for CUI handlers. CMMC formalizes and, for many contracts, externally verifies it — but the day-one duty to implement 800-171 and post a score predates it.
The 110 requirements are control families you already recognize
NIST 800-171 organizes its security requirements into fourteen families, and the striking thing for anyone who has been maturing a security program is how familiar they are. Access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity — these are not exotic government inventions, they are the same disciplines a serious posture already exercises.
Concretely, the requirements ask you to do things this site has covered at length: enforce least privilege and access reviews, require multi-factor authentication for network and privileged access, encrypt CUI at rest and in transit (with FIPS-validated cryptography, a detail that matters for scoring), maintain audit logs and monitor them, run configuration management against a hardened baseline, manage vulnerabilities, and keep an asset inventory and data classification that let you know where CUI actually lives. If you have built even a modest program, you are further along than the 110-item list first suggests — the work is largely mapping and proving what you already do, then closing the genuine gaps.
How the SPRS score is actually calculated
The part that surprises people is that the SPRS score is not a simple percentage. Under the DoD Assessment Methodology, you start at a perfect 110 — one point for each requirement — and subtract points for every requirement you do not fully meet, weighted by how much risk the gap creates:
- Most unmet requirements cost 1 point.
- Higher-impact gaps cost 3 points.
- The most consequential gaps — notably the absence of multi-factor authentication or of FIPS-validated encryption for CUI — cost 5 points each.
Because the deductions are weighted and unbounded on the downside, a company that has neglected the heavy-hitting controls can post a score well below zero. That sounds alarming, but the methodology is doing something reasonable: it is telling the government (and you) that not all gaps are equal, and that skipping MFA is far more dangerous than missing a minor documentation requirement. The practical lesson mirrors ordinary worst-first posture scoring — fix the 5-point gaps before the 1-point ones, because that is where both your risk and your score move the most.
A crucial point of honesty: the score is a self-representation to the government, and inflating it is exactly the kind of "aspirational attestation" that motivated CMMC in the first place. A truthful score of, say, 88 with a credible plan to reach 110 is a defensible position; a fabricated 110 is a serious problem. Which brings us to the two documents that make an honest score legitimate.
The SSP and POA&M make a partial score defensible
You do not have to be at 110 to be in a workable position — but you do have to be honest and organized about the gap, and that is what two artifacts capture (the same pair the CMMC path leans on):
- The System Security Plan (SSP) describes your environment and, requirement by requirement, how you meet it and where the proof lives. It is fundamentally a policy-and-evidence exercise, and a vague SSP fails the same way a vague policy fails an auditor — the gap between the page and the practice is what gets flagged.
- The Plan of Action and Milestones (POA&M) is the honest register of what you have not finished, with an owner and a committed date for each item. This is precisely the remediation-tracking discipline pointed at a government reader: an open requirement with a named owner and a fix-by date is a managed risk; the same gap undocumented is just a finding waiting to be discovered. Note that a POA&M is meant to close real gaps on a real timeline, not to park requirements indefinitely — some contracts limit which items may sit on a POA&M and for how long.
If you already run a genuine findings workflow and collect evidence continuously, both documents are reorganizations of work you are doing rather than net-new bureaucracy — which is exactly where organizing and proving your posture pays for itself.
How the self-assessment relates to CMMC
It helps to see the two as layers rather than alternatives. The 800-171 self-assessment and SPRS score are what a CUI-handling sub owes today under the DFARS clauses. CMMC's Level 2, for most contracts, is built on the same 110 requirements — the difference is who does the assessing: for many contracts CMMC replaces "trust me, my score is 88" with an independent assessment that verifies it, while some lower-risk cases remain a self-assessment even under CMMC. Practically, that means the work you do now to raise your SPRS score honestly is not throwaway effort you will redo for CMMC — it is the CMMC Level 2 preparation, done early and without a deadline breathing down your neck. Getting your SSP written, your POA&M live, and your evidence current for the self-assessment is the least painful on-ramp to the assessed bar arriving behind it.
Where a platform genuinely helps — and where it cannot
To keep the scope honest: our platform can hold the 110 requirements as tracked controls, map them to the monitoring you actually run, surface unmet ones as findings with owners and due dates that feed your POA&M, and keep the evidence an assessor will ask for current and exportable. What it does not and cannot do is compute or submit your official SPRS score, perform the assessment, decide whether a given requirement is fully met, or determine which clauses legally apply to your contract. Those are judgment calls and legal determinations that belong to you, your assessor, your contracting officer, and your counsel. The tool organizes and proves the work; it does not certify it, and no honest vendor would claim otherwise.
Before CMMC ever arrives, a DFARS clause likely already requires CUI-handling subs to implement NIST 800-171 and post a current self-assessment score in SPRS — and to report incidents within 72 hours. The 110 requirements are the control families you already recognize; the score starts at 110 and drops by weighted points for each gap, so fix the 5-point holes like missing MFA first. Keep an honest SSP and a living POA&M, and the same work becomes your on-ramp to CMMC. Submit a true score with a credible plan — never an inflated one — and remember that the assessment and submission are yours, not a vendor's to confer.