CMMC & SPRS: What DoD Contractors Need to Do Before October 31, 2026
If you're bidding on any Department of Defense construction contract, you must have a SPRS score on file. Here's exactly what that means, why it matters, and the steps to get it done.
Hard Deadline: October 31, 2026
Under DFARS 252.204-7021, all DoD contractors must have a current SPRS score on file by this date. After October 31, 2026, bids without a valid SPRS score will be disqualified before a contracting officer even reads them. There is no grace period.
What Is This, in Plain English?
The Department of Defense is requiring every contractor, including construction companies, to prove they take basic cybersecurity seriously before they can bid on DoD work. This is called CMMC (Cybersecurity Maturity Model Certification).
The way you prove it is by filing a score with a government database called SPRS (Supplier Performance Risk System). You score yourself against 110 security controls, then submit that number to the government.
Think of it like a health inspection score for your company's data security, except instead of a restaurant inspector showing up, you do the inspection and report your own score. The score ranges from -203 to 110. Every control you're missing deducts points.
If your score isn't filed by October 31, 2026, your bids on DoD contracts are automatically thrown out.
Does This Apply to My Construction Company?
Yes, if you:
- Bid on any Army, Navy, Air Force, Marine Corps, or DoD contract
- Are listed as a subcontractor on a DoD prime contract
- Handle any drawings, specs, or project files related to a DoD facility
- Have ever won a DoD contract and want to bid on the recompete
You may be exempt if you only do:
- Purely commercial work with no DoD contracts at all
- Work where you handle zero technical or controlled data (very rare in practice)
When in doubt, file the score anyway. It costs nothing and protects your eligibility.
What You Need to Do: Step by Step
1. Register on SAM.gov (if you haven't already)
Go to sam.gov and create or verify your entity registration. You need an active SAM.gov registration to bid on any federal contract. This is separate from the SPRS score but required first.
2. Download the NIST SP 800-171 Self-Assessment Guide
This is the official checklist of 110 security controls you'll assess yourself against. Get it free from NIST at csrc.nist.gov. DoD also provides a free scoring worksheet.
3. Score yourself against the 110 controls
Work through each control and mark it as "Met" or "Not Met." Each unmet control deducts a set number of points from the maximum score of 110. Common controls for construction companies:
- Access control: Do you control who can log into your company systems?
- Multi-factor authentication (MFA): Do your employees use a second step to log in, like a code texted to their phone?
- Laptop encryption: Are company laptops encrypted so data can't be read if stolen?
- System access policy: Do you have a written policy about who is allowed to use your systems and how?
- Incident response plan: Do you have a written plan for what to do if someone hacks your systems?
- Regular backups: Are your project files and company data backed up regularly to a separate location?
You don't need to be perfect. You need to be honest, have a plan to fix gaps, and file the score.
4. Write your System Security Plan (SSP)
This is a document that describes how your company protects information. It doesn't need to be long; it needs to describe what you have, what you don't have, and what you're doing about it. You are required to keep it on file (you won't submit it, but you must have it ready if the government audits you).
5. Write a Plan of Action & Milestones (POA&M)
For every control you're not yet meeting, write down what you plan to do about it and by when. This shows the government you're aware of your gaps and working to fix them. Having a POA&M is required; it protects you even if your score isn't 110.
6. Submit your score to SPRS
Go to sprs.csd.disa.mil. Log in with your CAC or PIV card, or create an account. Enter your score, the assessment date, and your plan scope. This is the official government record of your cybersecurity compliance.
What Happens If You Don't File?
| Situation | Impact |
|---|---|
| No SPRS score filed | Bid automatically disqualified before review |
| Score filed but very low (negative) | Contracting officers can see your score and may skip you |
| You win a contract, then get audited with no SSP | Contract termination, possible debarment from future work |
| Your subcontractors don't have SPRS scores | You're responsible; the requirement flows down to every sub |
| Score filed, POA&M in place, actively improving | You're eligible to bid; this is all the government currently requires |
Common Questions
Do I need a perfect score of 110?
No. You need to file an honest score with a POA&M that shows you know your gaps and have a plan to fix them. A score of even 0 or negative is compliant for Level 1 contracts as long as you have it on file and are actively improving.
My company is a small GC. Do we really have to do this?
Yes. Size doesn't matter. If you're bidding on DoD construction contracts, you must comply. The controls for Level 1 (which applies to most construction) are actually straightforward: 17 basic controls focused on who can access your systems and data.
What's the difference between CMMC Level 1 and Level 2?
- Level 1 (17 controls): Self-assessed. Applies to most construction contracts. Basic cyber hygiene: control who can access your files, use antivirus, back up your data.
- Level 2 (110 controls): Applies when you handle CUI (Controlled Unclassified Information) like sensitive defense facility blueprints or classified specs.
Most standard construction work is Level 1.
Do my subcontractors need SPRS scores too?
Yes. The requirement flows down. If you're the prime contractor, your subs who touch any project information need their own SPRS scores. You need to confirm this before you name them in your bid.
How long does the SPRS filing process take?
Getting access to the SPRS portal can take a few days if you need to set up a CAC/PIV login. The self-assessment itself takes 4–8 hours for someone who knows their company's systems. Give yourself 2–3 weeks to do it properly. Don't start the day before a bid deadline.
Should I hire a consultant?
For Level 1, most small construction companies can handle the self-assessment on their own using the free DoD resources. For Level 2 (CUI-handling contracts), hiring a CMMC consultant or Registered Practitioner Organization (RPO) is strongly recommended. Errors at that level can cost you the contract. MS Tech Alpine offers CMMC readiness services specifically for Defense Industrial Base contractors, including the SPRS self-assessment, SSP documentation, and POA&M.
Free Official Resources
DoD CMMC Official Site
acq.osd.mil/cmmc: official requirements, FAQs, and guidance documents
SPRS Portal (submit your score here)
sprs.csd.disa.mil: the official portal where you file your assessment
NIST SP 800-171 Rev 2 (the 110 controls)
csrc.nist.gov: free download of the complete control list and assessment guide
Find Your Local PTAC (free consulting)
ptac.org: Procurement Technical Assistance Centers offer free, one-on-one help with CMMC compliance for small contractors
MS Tech Alpine — CMMC Readiness for DIB Contractors
mstechalpine.com: SPRS self-assessment, SSP documentation, POA&M, and CMMC Level 2 prep for construction firms bidding on DoD work
Track Your DoD Opportunities in One Place
RenovationRoute surfaces active DoD construction contracts from SAM.gov, analyzes what it takes to win, and flags compliance requirements so you know exactly what you're walking into before you spend time bidding.