Risks and Remedies in CMMC Self-Attestation: Managing SPRS Scoring and Legal Exposure
In September 2025, the Department of Defense finalized updates to the Defense Federal Acquisition Regulation Supplement (DFARS) implementing the Cybersecurity Maturity Model Certification (CMMC) program. Effective November 10, 2025, the rule makes both self- and third-party cybersecurity assessments contractually enforceable for defense contractors (Federal Register, 2025).
Under the final rule, contractors handling only Federal Contract Information (FCI) may continue to self-assess annually at CMMC Level 1, while those that handle Controlled Unclassified Information (CUI) will fall under Level 2 requirements. For Level 2, the Department of Defense differentiates between contracts that permit self-assessment versus those that require third-party certification by a CMMC Third-Party Assessment Organization (C3PAO). The DoD’s phased rollout anticipates that a substantial proportion of Level 2 contractors will require independent C3PAO validation prior to contract award (DoD).
This paper examines the operational and legal challenges posed by self-attestation and Supplier Performance Risk System (SPRS) scoring under CMMC. Public reporting through 2024 and 2025 shows persistent readiness shortfalls across the Defense Industrial Base (DIB), with low average SPRS readiness metrics and relatively few final or conditional CMMC Level 2 certifications compared to the estimated population of covered entities (Cyber AB, 2025; businesswire; National Defense, 2024). These gaps highlight the difficulty many contractors face in attaining the 110-point SPRS threshold required for final Level 2 certification and underscore the need for rigorous self-assessment practices and stronger verification mechanisms.
The following sections analyze these challenges and present evidence-informed mitigations, including structured gap analysis, cross-functional governance, automated evidence collection, and disciplined POA&M management, to help organizations attain accurate SPRS scores and preserve DoD contract eligibility. This shift from voluntary attestation to enforceable validation reshapes contractor readiness planning across the DIB.
When Self-Assessment Is Allowed, and When Third-Party Assessment Is Required
The 2025 DFARS final rule formalizes the CMMC assessment model across three levels:
• Level 1 – Self-Assessment Only: Annual self-assessment and executive affirmation in SPRS
• Level 2 – Mixed Model: Contractors handling CUI may perform self-assessments for lower-risk programs, but contracts deemed critical to national security require third-party assessment by a C3PAO.
• Level 3 – Government Assessment: Contractors supporting the most sensitive missions undergo government-led assessments against NIST SP 800-172 controls.
This tiered structure allows DoD to scale assurance based on risk while reducing unnecessary burden on small and medium contractors that handle less sensitive information (DoD; Federal Register).
Understanding SPRS and the Assessment Process
The Supplier Performance Risk System (SPRS) is the DoD’s authoritative database for supplier performance and cybersecurity assessment information. Under DFARS 252.204-7019, contractors must submit their NIST SP 800-171 assessment scores to SPRS, which DoD acquisition officials reference during source-selection and award decisions (Acquisition.GOV, 2025; SPRS).
SPRS scoring measures implementation of the 110 NIST SP 800-171 requirements. A fully implemented environment earns the maximum score of 110, while deductions for each unmet requirement can reduce the score to as low as –203 under the DoD assessment methodology. Under current guidance, organizations scoring between approximately 88 and 109 may provisionally qualify for conditional CMMC Level 2 status if every deficiency is documented in an approved POA&M. Final certification requires a score of 110, with all deficiencies addressed and POA&Ms closed within 180 days (CMMC Level 2 Assessment Guide v2; NIST).
In addition to scores, SPRS captures metadata, such as assessment dates and POA&M completion, which acquisition officials consider alongside numerical scores when evaluating supplier cybersecurity posture.
While SPRS provides a structured framework for tracking performance and cybersecurity compliance, accurately reporting and maintaining these records presents ongoing operational challenges for contractors.
Operational Challenges in Accurate SPRS Scoring
Defense contractors face persistent operational barriers when reporting cybersecurity posture through SPRS mechanisms. Despite expanded DoD guidance and automation efforts, accurately capturing and maintaining scores remains challenging.
While self-assessments may identify many deficiencies internally, third-party C3PAO evaluations often uncover documentation or technical gaps that internal reviews overlook, requiring objective verification and remediation. For contractors pursuing third-party certification, additional challenges include coordinating evidence reviews, maintaining consistent control implementation across business units, and responding to assessor findings during the remediation window. These implementation difficulties can lead to compliance deficiencies, contract disqualification, or potential legal liability.
Below are notable pain points:
1. Incomplete or outdated System Security Plans (SSP)
SSPs serve as foundational evidence. Common deficiencies include outdated or incomplete control descriptions, missing system boundaries, or absent evidence of implementation. Because DoD assessors validate SSP-described controls against actual practice, SSP shortcomings surface during assessments (CMMC Assessment Guide Level 2 v2.13).
2. Limited internal expertise for accurate scoring
Small and medium contractors often lack dedicated cybersecurity and DoD-assessment expertise, making accurate interpretation of NIST SP 800-171 and SPRS scoring difficult. Industry guidance and DoD small-business outreach resources confirm that limited internal capability is a major readiness barrier (DoD; Defense.GOV).
3. Failure to track POA&M remediation timelines
DoD guidance ties conditional status to documented POA&Ms and expects timely remediation of deficiencies. Contractors that fail to maintain POA&M discipline risk losing certification or contract eligibility.
Together, these operational challenges can result in inaccurate self-attestations, exposing the organization to serious legal and contractual consequences.
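The scoring rules described under "Understanding SPRS" (full credit of 110, a deduction for each unmet requirement down to –203, conditional status between about 88 and 109 only when every deficiency sits on an approved POA&M, and a 180-day closure window) together with the POA&M timeline discipline in point 3 above, worked through as an added example that is not part of the original article. The requirement identifiers, per-item weights and dates are constructed for illustration; the DoD assessment methodology does weight each requirement at 1, 3 or 5 points, but the table below is not the official one.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

FULL_SCORE = 110        # every NIST SP 800-171 requirement implemented
CONDITIONAL_MIN = 88    # approximate floor for conditional Level 2 status
POAM_CLOSE_DAYS = 180   # closure window before conditional status lapses

@dataclass
class Requirement:
    req_id: str                        # hypothetical identifier, e.g. "3.5.3"
    weight: int                        # points deducted while unmet (1, 3 or 5)
    implemented: bool
    poam_opened: Optional[date] = None  # approval date of the POA&M entry, if any

def sprs_score(reqs):
    """Start from +110 and deduct each unmet requirement's weight.
    Requirements not listed are treated as implemented."""
    return FULL_SCORE - sum(r.weight for r in reqs if not r.implemented)

def overdue_poams(reqs, today):
    """Open POA&M items older than the 180-day closure window."""
    return [r.req_id for r in reqs
            if not r.implemented and r.poam_opened is not None
            and (today - r.poam_opened).days > POAM_CLOSE_DAYS]

def level2_status(reqs, today):
    """Map score and POA&M state onto the page's Level 2 outcomes."""
    open_items = [r for r in reqs if not r.implemented]
    if not open_items:
        return "final"                       # perfect 110, nothing open
    if sprs_score(reqs) < CONDITIONAL_MIN:
        return "ineligible"
    if any(r.poam_opened is None for r in open_items):
        return "ineligible"                  # undocumented deficiency blocks conditional status
    if overdue_poams(reqs, today):
        return "conditional lapsed"          # POA&M not closed within 180 days
    return "conditional"

# Constructed sample: weights and dates are illustrative, not the official DoD table.
TODAY = date(2025, 11, 10)
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.5.3", 5, False, date(2025, 9, 15)),   # 56 days open
    Requirement("3.3.1", 3, False, date(2025, 4, 1)),    # 223 days open: overdue
    Requirement("3.1.20", 1, False, date(2025, 10, 1)),  # 40 days open
]

if __name__ == "__main__":
    print(sprs_score(SAMPLE), level2_status(SAMPLE, TODAY), overdue_poams(SAMPLE, TODAY))
```

Running the sample yields a score of 101 that would otherwise qualify as conditional, but the single POA&M item open for more than 180 days is what flips the status to lapsed.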
Legal and Operational Risks of Inaccurate SPRS Reporting
Inaccurate or exaggerated SPRS self-assessments expose organizations to both legal and operational risks, including False Claims Act (FCA) liability, contract ineligibility, and potential suspension or debarment.
Both self-assessment and third-party verification data must now be entered into SPRS. Under DFARS 252.204-7020 and the 2025 final rule, each contractor’s assessment, whether internally completed or validated by a C3PAO, receives a unique identifier (UID) used by contracting officers to verify compliance before award. Misstatements tied to these UIDs may be considered material to DoD’s payment decisions.
Legal Accountability and Executive Attestation Under the False Claims Act
The Department of Justice’s Civil Cyber-Fraud Initiative has pursued multiple enforcement actions against defense contractors that misrepresented compliance or inflated SPRS scores. Under the False Claims Act (31 U.S.C. §3729 et seq.), violators may face treble damages and statutory penalties. For example:
- Raytheon Technologies (RTX) paid $8.3 million following a whistleblower complaint about cybersecurity misrepresentations (OPA, 2025).
- MORSE Corporation paid $4.6 million to resolve allegations of false SPRS scoring (OPA, 2025).
- Higher-education contractors and others have likewise reached settlements resolving FCA allegations tied to cybersecurity non-compliance. For instance, The Pennsylvania State University agreed to pay $1.25 million in 2024 to resolve related allegations (OPA, 2024).
Each contractor must also ensure that the Affirming Official (AO), typically a senior company executive, signs off that the SPRS assessment is accurate and complete. False affirmations may trigger FCA liability (SPRS; SMITHERS).
Impact of Expired or Missing SPRS Entries on Contract Eligibility
Beyond legal exposure, inaccurate or expired SPRS entries can directly affect contract eligibility and award timelines. Beginning November 10, 2025, contracting officers will be required to verify contractors’ SPRS assessment scores before award or renewal, in accordance with DFARS 252.204-7019 and associated rules. Organizations without a current and validated SPRS entry may be deemed ineligible for new contracts, and existing awards may be delayed or suspended pending compliance verification (Federal Register, 2024; Acquisition.GOV).
Best Practices to Improve CMMC Self-Assessment Accuracy
Given the heightened legal and contractual risks associated with inaccurate self-attestation, precision in CMMC self-assessments is essential. Contractors must adopt structured, repeatable processes to address the vulnerabilities identified across the Defense Industrial Base (DIB).
1. Conduct structured gap analyses to validate CMMC readiness and engage cross-functional teams
Begin with a structured gap analysis across all 110 controls and 320 assessment objectives (NIST SP 800-171A Rev. 3). Involve leadership, compliance, IT, and business units to ensure complete visibility and accountability.
2. Leverage automation for continuous evidence validation
Automated evidence collection tools help maintain compliance accuracy by continuously validating control implementation across cloud and on-premises systems. Integration with environments such as AWS GovCloud, Azure Government, and Microsoft GCC High supports generation of traceable documentation consistent with CMMC and NIST evidence requirements.
3. Maintain annual SPRS updates and executive affirmations
Contractors must conduct and affirm at least one self-assessment annually in SPRS. The Affirming Official should certify that the assessment accurately reflects the organization’s compliance status. The CMMC Level 1 Assessment Guide recommends routine internal reviews to ensure continuous readiness and prevent score degradation that can jeopardize contract eligibility (Acquisition.GOV, SPRS, CMMC Level 1 Assessment Guide).
4. Prepare for third-party assessment proactively
Contractors anticipating third-party assessments should adopt pre-assessment readiness reviews to identify documentation gaps and technical deficiencies before engaging a C3PAO. Early preparation reduces costs, minimizes findings during formal assessment, and improves the likelihood of achieving a passing score within the remediation window.
Implementing these measures is especially critical as CMMC 2.0 enters Phase 1 of its enforcement rollout in November 2025, when contracting officers may begin including CMMC requirements in solicitations and contracts, particularly for Level 1 and Level 2 self-assessments.
Conclusion
CMMC 2.0 compliance marks a pivotal shift for defense contractors operating in an increasingly regulated cybersecurity environment. Many contractors continue to report scores below full implementation, and because the Department of Justice’s Civil Cyber-Fraud Initiative actively pursues false or misleading SPRS attestations, accurate self-assessment has become both a compliance obligation and a legal imperative.
Under the False Claims Act, organizations and their Affirming Officials may face treble damages and civil penalties for knowingly submitting inaccurate information. Addressing the core challenges (misinterpretation of NIST requirements, incomplete SSPs, inflated self-assessments, limited internal expertise, and lax POA&M discipline) is essential as CMMC 2.0 requirements phase into DoD solicitations and contracts starting November 2025.
To mitigate risks and ensure readiness, organizations should institutionalize disciplined, evidence-based assessment processes, maintain verifiable SPRS records, and prepare for third-party validation. Those that adopt these practices will be in the strongest position for contract eligibility, legal defensibility, and competitive stability as CMMC enforcement unfolds throughout FY 2026.
At Atlantic Digital, we help contractors bridge the gap between self-assessment readiness and successful third-party certification. Our team provides tailored readiness assessments to identify compliance gaps; implement required security controls aligned with NIST SP 800-171; assist with policy development, System Security Plan (SSP) and POA&M creation; and conduct pre-assessment or mock-audit exercises to reduce surprises during formal C3PAO engagements. For contractors already approaching their SPRS scoring thresholds, we ensure that both self-attestations and third-party assessments are conducted with confidence, supported by verifiable evidence sufficient to meet DoD contracting and CMMC 2.0 requirements.
Contact us today for a complimentary consultation.