Who needs one
If your contracts include DFARS clause 252.204-7012 (and its companions 7019/7020), you’re required to implement NIST SP 800-171 and to have a current self-assessment score on file in SPRS — the Supplier Performance Risk System. That covers a long tail of subcontractors: machine shops, engineering firms, and services companies in the supply chains of primes and the national labs, many of whom first hear about it from a prime’s flow-down questionnaire.
The scoring, honestly
You start at 110 points — one per requirement — and deduct weighted penalties (1, 3, or 5 points) for each requirement not fully implemented. Scores range down to -203. Two things matter more than the number itself:
- The score must be true. It’s submitted to the government; knowingly inflated scores have become False Claims Act cases. An honest 45 with a remediation plan is defensible. A fictional 110 is a liability.
- The trajectory matters. Primes increasingly ask not just for your score but for your plan to raise it.
The two documents behind the score
- SSP (System Security Plan): describes your environment and how each of the 110 requirements is met — or isn’t yet.
- POA&M (Plan of Action & Milestones): the dated, owned to-do list for every gap.
No SSP means no legitimate self-assessment; assessors and primes both start there.
Where CMMC fits
CMMC is the DoD’s program for verifying 800-171 implementation. Its phased rollout is underway, and from November 10, 2026 (Phase 2), CMMC Level 2 certification requirements — third-party assessment by a C3PAO — begin appearing in applicable new solicitations rather than self-attestation alone. The practical takeaway for subcontractors: the self-assessment work is the foundation either way. A firm with a truthful SSP, a worked POA&M, and a rising SPRS score is most of the way to whatever level its contracts end up requiring.
Getting started
- Determine whether you actually hold CUI, and where it lives.
- Write the SSP against your real environment — commercial Microsoft 365 can satisfy many requirements when configured properly.
- Score honestly, submit to SPRS, and put the POA&M on a calendar.
- Re-score as gaps close; keep the SSP current.
How Z1 helps
We provide NIST 800-171 self-assessment support for Tri-Valley subcontractors — many in the Livermore labs’ orbit: building the SSP and POA&M, implementing controls on commercial Microsoft 365, and raising your SPRS score with documentation to match. Our scope is deliberate: full CMMC Level 2 certification audit preparation and GCC High migrations are referred to specialist partners rather than learned on your dime.