Who needs one

If your contracts include DFARS clause 252.204-7012 (and its companions 7019/7020), you’re required to implement NIST SP 800-171 and to have a current self-assessment score on file in SPRS — the Supplier Performance Risk System. That covers a long tail of subcontractors: machine shops, engineering firms, and services companies in the supply chains of primes and the national labs, many of whom first hear about it from a prime’s flow-down questionnaire.

The scoring, honestly

You start at 110 points — one per requirement — and deduct weighted penalties (1, 3, or 5 points) for each requirement not fully implemented. Scores range down to -203. Two things matter more than the number itself:

  1. The score must be true. It’s submitted to the government; knowingly inflated scores have become False Claims Act cases. An honest 45 with a remediation plan is defensible. A fictional 110 is a liability.
  2. The trajectory matters. Primes increasingly ask not just for your score but for your plan to raise it.

The two documents behind the score

  • SSP (System Security Plan): describes your environment and how each of the 110 requirements is met — or isn’t yet.
  • POA&M (Plan of Action & Milestones): the dated, owned to-do list for every gap.

No SSP means no legitimate self-assessment; assessors and primes both start there.

Where CMMC fits

CMMC is the DoD’s program for verifying 800-171 implementation. Its phased rollout is underway, and from November 10, 2026 (Phase 2), CMMC Level 2 certification requirements — third-party assessment by a C3PAO — begin appearing in applicable new solicitations rather than self-attestation alone. The practical takeaway for subcontractors: the self-assessment work is the foundation either way. A firm with a truthful SSP, a worked POA&M, and a rising SPRS score is most of the way to whatever level its contracts end up requiring.

Getting started

  1. Determine whether you actually hold CUI, and where it lives.
  2. Write the SSP against your real environment — commercial Microsoft 365 can satisfy many requirements when configured properly.
  3. Score honestly, submit to SPRS, and put the POA&M on a calendar.
  4. Re-score as gaps close; keep the SSP current.

How Z1 helps

We provide NIST 800-171 self-assessment support for Tri-Valley subcontractors — many in the Livermore labs’ orbit: building the SSP and POA&M, implementing controls on commercial Microsoft 365, and raising your SPRS score with documentation to match. Our scope is deliberate: full CMMC Level 2 certification audit preparation and GCC High migrations are referred to specialist partners rather than learned on your dime.