Department of War Contractor Compliance

Get Registered on SPRS

A clear, step-by-step guide to accessing the Supplier Performance Risk System — from PIEE account setup through NIST SP 800-171 and CMMC self-assessment submission.

Start the Guide Go to PIEE
5Phases
4Official Docs
1Help Desk Line
Department of War Official Seal — Eagle Emblem

Your Compliance Journey

Understand SPRS
Gather Company Info
PIEE Account
NIST 800-171
CMMC Assessment
Overview

What is SPRS?

The foundational system every DOW (Department of War) contractor must understand before starting compliance.

Supplier Performance Risk System

SPRS is the authoritative Department of War (DOW) system for collecting, processing, and displaying vendor performance information. It is the single authorized source for contractor cybersecurity assessments required by DFARS 252.204-7012.

All DOW contractors who handle Controlled Unclassified Information (CUI) or Federal Contract Information are required to have a score on record in SPRS.

Accessed Via PIEE

SPRS is accessed through the Procurement Integrated Enterprise Environment (PIEE), which provides single sign-on for a variety of acquisition-related DOW applications.

piee.eb.mil

Required Role

To view, enter, edit, or delete Cyber Assessments, your PIEE account must be assigned the "SPRS Cyber Vendor User" role, approved by your Contractor Account Administrator (CAM).

What Gets Submitted

Your SPRS score reflects your implementation of the 110 NIST SP 800-171 security controls. Scores range from -203 to +110. Contracting officers review this score when awarding DOW contracts.

Phase 1

Gather Your Company Information

Before you can register, have these identifiers ready. These are the credentials associated with Lionfish Cyber Holdings LLC.

EIN
83-1805542
Employer Identification Number
DUNS® Number
117179318
Dun & Bradstreet Identifier
CAGE Code
96LH8
Commercial and Government Entity Code
Unique Entity ID
GGV3KKTQFTS3
SAM.gov Unique Entity Identifier
Legal Business Name
Lionfish Cyber Holdings LLC-S
Lionfish Cyber Security Series #1
Registered legal entity name
Pro Tip: Keep these identifiers on hand throughout the entire registration process. You will be asked to reference your CAGE Code and Unique Entity ID at multiple steps.
Phase 2 & 3

PIEE Account Setup & CAGE Code Registration

Follow these steps in order. You must complete PIEE setup before you can access SPRS.

01

Call the PIEE Help Desk First

Before registering online, a company representative must contact the PIEE Help Desk to have your CAGE Code (96LH8) added to a Vendor Group in the system. This must happen before any employees can register for PIEE applications.

Phone 866-618-5988
Help Desk Hours Monday – Friday, 06:30 – 24:00 EST
Call Now
02

Register on PIEE

Once your CAGE Code has been added to a Vendor Group, navigate to the PIEE portal and create your account.

  1. Go to https://piee.eb.mil/
  2. Click "Register" on the PIEE landing page
  3. Select "Vendor/Contractor" as your user type
  4. Complete all required personal and company information
  5. Select your CAGE Code (96LH8) to associate with your account
  6. Submit your registration for approval
Vendor Getting Started Guide
03

Request the "SPRS Cyber Vendor User" Role

After your PIEE account is created, you must request the specific role needed to access SPRS Cyber Reports. This role is required to submit any cybersecurity assessments.

  1. Log in to PIEE at piee.eb.mil
  2. Navigate to My Account → Manage Roles
  3. Search for and select the application "SPRS"
  4. Request the role: SPRS Cyber Vendor User
  5. Your request will be reviewed and approved by the Contractor Account Administrator (CAM) associated with your CAGE Code
Once the CAM approves your role request, you will receive an email notification and can log back in to access SPRS Cyber Reports.
04

Access SPRS Within PIEE

Once your role is approved, here is how to navigate to the SPRS Cyber Reports module.

Go to piee.eb.mil/piee-landing/
Click "LOG IN" with your credentials
From the application dashboard, select "SPRS"
Select "Cyber Reports" or "Cyber Reports (CMMC & NIST)"
Select your desired Hierarchy from the dropdown (identified by HLO), then click "Run Cyber Reports"
Phase 4

Submit Your NIST SP 800-171 Assessment

The NIST SP 800-171 Basic Self-Assessment is required for all DOW (Department of War) contractors handling CUI. Your score is calculated from 110 security controls.

What is NIST SP 800-171?

Published by the National Institute of Standards and Technology (NIST), SP 800-171 defines 110 security requirements to protect Controlled Unclassified Information (CUI) in nonfederal systems. DOW (Department of War) requires contractors to assess themselves against these controls and submit the score to SPRS.

How Scoring Works

-203 (All controls missing) +110 (All controls met)
  • Start at 110 points
  • Points are deducted for each unimplemented control (weighted by severity)
  • Minimum possible score is -203
  • A score of 110 means full compliance

Step-by-Step Submission

1
Log in to PIEE and navigate to SPRS → Cyber Reports (CMMC & NIST)
2
Select the desired Hierarchy (identified by HLO) from the dropdown, then click "Run Cyber Reports"
3
Click "Create New Assessment" or select "NIST SP 800-171" from the assessment type menu
4
Enter your Assessment Date — the date you completed the self-assessment
5
Enter your calculated Total Score (ranging from -203 to +110)
6
Enter the Plan of Action & Milestones (POA&M) date if any controls are not yet implemented
7
Provide a brief description of the system or enclave being assessed
8
Review all entries and click "Submit" to record your score in SPRS
SPRS Access Instructions
Phase 5

CMMC Self-Assessment Submission

The Cybersecurity Maturity Model Certification (CMMC) is the DOW's (Department of War) framework for verifying contractor cybersecurity practices. Learn the difference between Level 1 and Level 2 assessments.

CMMC 2.0 Model Overview

Three tiered levels of cybersecurity maturity — each with increasing requirements and assessment rigor.

Model
Requirements
Assessment
LEVEL 3
Advanced
134 requirements
(110 from NIST SP 800-171 R2
+ 24 from NIST SP 800-172)
DIBCAC Certification Assessment every 3 years
Annual Affirmation
LEVEL 2
Advanced
110 requirements
aligned with NIST SP 800-171 R2
C3PAO Certification every 3 years, or
Self-Assessment every 3 years (select programs)
Annual Affirmation
LEVEL 1
Foundational
15 requirements
aligned with FAR 52.204-21
Annual Self-Assessment
Annual Affirmation
Source: DOW CIO — dodcio.defense.gov/CMMC/About/
Level 1

CMMC Level 1 — Self-Assessment

Applies to contractors handling Federal Contract Information (FCI). Covers 15 practices aligned with FAR 52.204-21. Annual self-assessment is required.

Submission Steps

1
Log in to PIEE and navigate to SPRS → Cyber Reports
2
Select your Hierarchy from the dropdown and click "Run Cyber Reports"
3
Click "Create New CMMC Assessment" and select Level 1
4
Review each of the 15 practices and mark as Met or Not Met
5
Enter the Assessment Date and affirmation by a senior company official
6
Click "Submit" to finalize and record your Level 1 assessment

Key Facts

  • 15 practices to assess
  • Annual self-assessment required
  • Senior official must affirm results
  • Applies to FCI (Federal Contract Information)
  • No third-party assessment needed
  • Results recorded directly in SPRS
Level 2

CMMC Level 2 — Self-Assessment

Applies to contractors handling Controlled Unclassified Information (CUI). Aligns with all 110 NIST SP 800-171 practices. Self-assessments are allowed for some programs; others require a C3PAO assessment.

Submission Steps

1
Log in to PIEE and navigate to SPRS → Cyber Reports (CMMC & NIST)
2
Select your Hierarchy from the dropdown and click "Run Cyber Reports"
3
Click "Create New CMMC Assessment" and select Level 2
4
Review all 110 practices across 14 domains and mark each as Met, Not Met, or Not Applicable
5
For any "Not Met" practices, enter your POA&M with planned remediation dates
6
Enter the Assessment Date and review your overall score summary
7
A senior official must affirm the accuracy of the assessment results
8
Click "Submit" to finalize — your CMMC Level 2 assessment is now on record in SPRS

Key Facts

  • 110 practices across 14 domains
  • Applies to CUI (Controlled Unclassified Info)
  • POA&M required for gaps
  • Senior official affirmation mandatory
  • Some programs require C3PAO assessment
  • Triennial C3PAO assessment or annual self-assessment
Resources

Official Links & Documents

All the official DOW (Department of War) and DISA resources you need throughout the registration process.

PIEE Portal

Main login portal for all PIEE applications including SPRS

piee.eb.mil

Vendor Getting Started Guide

Official step-by-step PIEE vendor onboarding instructions

piee.eb.mil/vendor-guide

SPRS Access Instructions

Step-by-step guide for gaining PIEE/SPRS access as a vendor

sprs.csd.disa.mil/access.htm

PIEE Landing Page

Direct link to the PIEE application login and launch page

piee.eb.mil/piee-landing/

PIEE Help Desk

Mon–Fri, 06:30 – 24:00 EST

866-618-5988

PIEE Help Desk Email

For ticket requests and CAGE code additions

disa.global.servicedesk.mbx.eb-ticket-requests@mail.mil
Quick Reference

At-a-Glance Checklist

Use this interactive checklist to track your progress through the SPRS registration process.

Before You Start

PIEE Setup

NIST SP 800-171

CMMC Assessment

Overall Progress: 0%