CMMC CHANGED THE FSO ROLE.
Understand where industrial security ends, cybersecurity begins, and how FSOs fit into CMMC readiness.
Executive Brief
A Supplier Performance Risk System (SPRS) score of 88 can sound reassuring. But it is not a universal pass.
In a Cybersecurity Maturity Model Certification (CMMC) Level 2 context, an 88 only works when controls that cannot be deferred to a Plan of Action and Milestones (POA&M) are already complete and defensible.
That nuance is often missed, and across the Defense Industrial Base (DIB), it is quietly costing government contractors real revenue.
Prime contractors are no longer treating SPRS as a pass-fail metric. They are using it as a risk signal. And in competitive bids, an 88 increasingly reads as “not ready.”
As CMMC enforcement expands, SPRS scores are becoming an early filter. Contractors with marginal scores are being asked harder questions, pushed to the side, or excluded entirely.
Dig deeper below to understand why meeting the minimum SPRS threshold is no longer enough to stay competitive in today’s defense supply chain.
Why an 88 Signals Conditional Risk
On paper, an 88 suggests progress.
In practice, it often signals Conditional Level 2 status under CMMC, and that comes with strict regulatory limits.
Under 32 Code of Federal Regulations (CFR) § 170.21, an Organization Seeking Assessment (OSA) may only achieve Conditional CMMC Level 2 if:
- The assessment score divided by total Level 2 requirements is at least0.8
- No requirements worth more than one point are included on a Plan of Action and Milestones (POA&M)
- Certain prohibited controls are not placed on a POA&M
Those prohibited controls include:
- The System Security Plan (SSP) requirement
- External connections handling Controlled Unclassified Information (CUI)
- Public information controls tied to CUI
- Multiple physical security controls protecting CUI environments
There is one narrow exception. Encryption of CUI that is not validated under Federal Information Processing Standards (FIPS) may appear on a POA&M, even though it carries three points.
That means an 88 only works if the remaining gaps are limited, low-weighted, and not tied to any prohibited requirements.
And even then, the clock starts.
Conditional status requires all POA&Ms to be closed within 180days of the Conditional CMMC Status date.
Closure is not informal. It requires a POA&M closeout assessment:
- For Level 2 self-assessment, the OSA must perform a formal close out self-assessment
- For Level 2 certification, a Certified Third-Party Assessment Organization (C3PAO) must validate closure
- For Level 3 certification, the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) performs the closeout
If remediation is not completed and confirmed within 180 days, the Conditional status expires.
As Darryl Jones, Information Technology (IT) Compliance Manager at ISI, explains:
“Although a CMMC Conditional Certification enables contractors to be awarded DoD contracts with CMMC Level 2 (C3PAO) requirements, it is critical to maintain focus on remediation. As with most businesses, 180 days, when competing with changing priorities, can approach quicker than expected.”
For prime contractors, that matters.
An 88 can represent:
- Open security gaps
- Regulatory limitations on what may remain unresolved
- A defined remediation deadline
- The risk of certification expiring mid-performance
For multi-year programs, that is not a minor variable. It is measurable risk.
SPRS as a Competitive Differentiator
SPRS was designed as a Department of Defense (DoD) (also known as the Department of War) risk indicator. The supply chain has taken that idea further.
Today, primes use SPRS scores to:
- Gauge supply chain readiness for CMMC
- Determine if individual contractors can remain on their supply chains
- Find opportunities to replace risky suppliers with compliant alternatives
An 88 might keep you eligible. It does not keep you competitive.
We are seeing real scenarios where:
- Contractors lose awards despite meeting minimum requirements for conditional Level 2 certification
- Teams are asked for additional evidence before being approved
- Lower-scoring vendors are sidelined late in the process
Some of this scrutiny now appears directly in solicitations and sources sought, while the rest happens during evaluation, vetting, and prime-led risk reviews.
How CMMC Raises the Bar
CMMC has changed expectations.
Under CMMC Level 2, the end state is full implementation of all 110 NIST SP 800-171 controls. SPRS scores are now being viewed through that lens.
An 88 suggests:
- Remediation is still underway
- Documentation may not fully align with implementation
- Assessment readiness is uncertain
- Final Level 2 certification is not achievable yet
For primes planning multi-year programs, that gap matters.
They are not just buying a product or service. They are inheriting risk.
What Contractors Should Do Now
This is not about chasing a higher number. It is about addressing the specific control gaps that signal risk to prime contractors and undermine CMMC Level 2 readiness.
Strong next steps include:
- Re-evaluating high-value controls tied to access, audit, and authentication
- Validating that your System Security Plan (SSP) reflects actual implementation
- Reducing reliance on open POA&Ms where possible
- Treating SPRS improvement as part of CMMC readiness, not a separate task
In today’s market, credibility is proven through implementation, evidence, and readiness, not by meeting the minimum.
FAQs
Is an SPRS score of 88 still acceptable today?
An SPRS score of 88 may meet the minimum DoD requirement in some cases, but acceptability is no longer the same as competitiveness. Prime contractors increasingly expect higher scores that demonstrate stronger implementation and lower risk. An 88 often triggers follow-up questions, additional scrutiny, or quiet exclusion in competitive bids.
Why do primes care so much about SPRS scores?
Prime contractors are accountable for the security of their supply chain. SPRS scores provide a fast way to assess subcontractor risk against NIST SP 800-171 requirements. A lower score suggests potential delays, audit issues, or remediation timelines that could impact contract performance and compliance obligations.
Should contractors wait to improve their score until CMMC is enforced?
Waiting creates risk. SPRS scores are already influencing award decisions, even before full CMMC enforcement. Improving your score now strengthens trust with primes, reduces future remediation pressure, and positions your organization for smoother CMMC assessments.
