CMMC & SPRS Changes Explained

Recent DoD clause updates have changed how contractors demonstrate cybersecurity compliance.
Here is what matters:

- DFARS 252.204-7019 (the NIST SP 800-171 SPRS scoring requirement) has been retired
- Numerical NIST SP 800-171 scoring is no longer required
- CMMC Level 2 self-assessments now replace legacy SPRS scoring
- SPRS remains the reporting system
- Self-assessments function as formal contractual attestations

This shift reduces scoring ambiguity but increases accountability.
SPRS Scoring vs. CMMC Self-Assessment: What Changed

Figure 1: Transition from NIST SP 800-171 Scoring to CMMC Self-Assessment Framework
The retirement of DFARS 252.204-7019 eliminates the numerical scoring model many contractors relied on for several years. However, this is not a relaxation of enforcement.
It is a consolidation under the formal CMMC framework.
Contractors should not interpret the removal of scoring as reduced oversight. Instead, the DoD has shifted from score reporting to structured attestation.
Clause-Level Breakdown: What Actually Changed
DFARS 252.204-7019 required contractors to:

- Conduct a NIST SP 800-171 self-assessment
- Post a numerical score in SPRS
- Update the score every three years

That clause has now been retired.

In its place, compliance is demonstrated through:

- CMMC Level determination (Level 1 or Level 2)
- Completion of a formal self-assessment (or third-party assessment where required)
- Recording results in SPRS

The mechanism has changed. The obligation to protect CUI has not.
This consolidation removes the confusion surrounding negative scoring and partial implementation while increasing the enforceability of attestations.

Figure 2: Current CMMC Compliance Demonstration Process
What Has Not Changed
Despite structural updates, the technical obligations remain intact.
Organizations handling CUI must still:

- Implement NIST SP 800-171 Rev. 2 controls (110 security requirements)
- Use FedRAMP Moderate (or equivalent) cloud environments
- Report cyber incidents within 72 hours
- Flow requirements down to subcontractors

CMMC does not reduce technical burden.
It formalizes validation of existing obligations.
Some organizations assumed CMMC would simplify compliance requirements. It does not. It enforces them more clearly.
Understanding CMMC Levels
| Requirement | Level 1 | Level 2 |
|---|---|---|
| Data Type | FCI | CUI |
| Practices Required | 17 | 110 |
| Assessment Type | Self | Self or Third-Party |
| SPRS Entry Required | Yes | Yes |
| Validation Risk | Lower | Higher |

Contractors should operate with the expectation that validation authority remains active, particularly at Level 2.
What This Means for Contractors and Subcontractors
Prime contractors are accelerating compliance expectations to reduce their own contractual exposure.
Increasingly, primes may:

- Require CMMC alignment before federal enforcement timelines
- Remove subcontractors that cannot demonstrate readiness
- Require proof of assessment prior to award

Self-assessments now function as formal contractual attestations.
Given False Claims Act exposure, inaccurate or unsupported attestations create measurable legal risk.
Organizations should ensure their documented posture matches operational reality.
What Organizations Should Do Now
To reduce exposure and avoid contract disruption:

- Validate scope and segmentation
- Complete the appropriate CMMC self-assessment
- Ensure SPRS entries align with actual implementation
- Reconcile SSP documentation with current control maturity
- Prepare for potential validation

Organizations that adapt early reduce both operational and legal risk.
CMMC is no longer theoretical. It is embedded in contract language and procurement decision-making.
The retirement of SPRS scoring does not simplify compliance. It clarifies responsibility.
Organizations that proactively align their documentation and implementation reduce both operational disruption and legal exposure.
Clarifying Your CMMC Position Before It Becomes a Contract Issue
Sherpa supports defense contractors in scoping, documenting, and preparing defensible CMMC assessments.
If your organization is evaluating its current compliance posture, our team can help clarify next steps and reduce uncertainty.
Contact Sherpa to discuss your CMMC readiness.
Further Reading
This blog provides a structured breakdown of the recent clause updates.
For additional perspective on what these shifts signal about DoD enforcement trends and prime contractor expectations, read my LinkedIn article: CMMC Update: Big Changes to Defense Contract Cybersecurity Rules (What You Need to Know)