
By: Jason Smith on April 3rd, 2025


Transitioning from SPRS to CMMC Level 1: What Government Contractors Need to Know About the New Compliance Path


In 2025, the landscape of cybersecurity compliance for government contractors is evolving rapidly, and the shift from the System for Award Management (SAM) Supplier Performance Risk System (SPRS) to the Cybersecurity Maturity Model Certification (CMMC) Level 1 is one of the most notable changes. This transition marks a significant milestone in strengthening the security posture of the U.S. Department of Defense (DoD) supply chain, and it comes with new requirements that contractors must understand to stay compliant and continue doing business with the federal government. We’re going to dive into the key elements of this shift and what contractors need to know to successfully navigate the transition. 

Understanding SPRS vs. CMMC 

First, let’s clarify the two systems and the differences between them. 

  • SPRS: This was a self-attestation system in which contractors reported their own cybersecurity practices in order to be eligible for DoD contracts. Contractors scored themselves against NIST SP 800-171, the cybersecurity framework focused on protecting Controlled Unclassified Information (CUI). However, the system lacked independent verification and did not require a third-party audit or certification.
  • CMMC Level 1: The CMMC program is designed to assess and certify contractors' cybersecurity practices and maturity levels to ensure that they are capable of protecting Federal Contract Information (FCI) and other sensitive information in the supply chain. Level 1 of CMMC focuses on basic cybersecurity hygiene, with 17 practices that are aligned with the Federal Acquisition Regulation (FAR) and are designed to provide a foundational level of security. 

The shift from SPRS to CMMC is not just a change in how contractors report their security practices, but a fundamental change in how those practices are verified. Under CMMC, a third-party assessment is now required, which brings added credibility and rigor to the compliance process. 


Key Changes in the Transition 

  1. Third-Party Audits: Unlike SPRS, where contractors could self-attest to their cybersecurity posture, CMMC Level 1 requires contractors to undergo an independent assessment by a certified third-party assessor. This ensures that cybersecurity practices are actually implemented, rather than just reported. Contractors will need to find a CMMC Third-Party Assessment Organization (C3PAO) to evaluate their compliance and issue a certification. 
  2. Basic Cyber Hygiene: CMMC Level 1 focuses on 17 practices derived from NIST SP 800-171, specifically aimed at protecting Federal Contract Information (FCI), rather than Controlled Unclassified Information (CUI). These practices include basic cybersecurity measures like multi-factor authentication, proper access control, regular system monitoring, and basic security training for employees. While not as comprehensive as higher CMMC levels, Level 1 is still a significant step forward in safeguarding sensitive government data. 
  3. No Self-Attestation: Previously, contractors would self-attest their compliance with SPRS, but the transition to CMMC eliminates this option. A verified assessment by an accredited third-party assessor is now mandatory for contractors looking to bid on or continue participating in DoD contracts. 
  4. DoD Contracting Requirements: Starting in 2025, most DoD contracts will include CMMC requirements. Contractors must have the appropriate CMMC certification at the required level in order to compete for or win new contracts. For many, CMMC Level 1 will be the baseline, but higher levels may be required for contractors handling more sensitive information or providing critical infrastructure support. 

What Contractors Need to Do 

For contractors looking to transition smoothly from SPRS to CMMC Level 1, here are the essential steps to take: 

  1. Assess Current Security Practices: Contractors should start by evaluating their current cybersecurity practices and comparing them to the CMMC Level 1 requirements. This includes reviewing their compliance with NIST SP 800-171 and ensuring that all 17 practices required for CMMC Level 1 are in place. 
  2. Prepare for Third-Party Assessment: Since CMMC requires an independent assessment, contractors should begin by identifying an accredited C3PAO. These assessors will conduct a formal audit of the company’s cybersecurity practices. Contractors should prepare for the assessment by ensuring that they have the necessary documentation, procedures, and controls in place. 
  3. Implement Basic Cyber Hygiene Practices: Even though CMMC Level 1 is focused on basic cybersecurity hygiene, contractors must ensure that these practices are fully implemented. This includes secure access controls, ensuring systems are up to date with the latest patches, enforcing multi-factor authentication, and providing basic cybersecurity training to employees. 
  4. Plan for Ongoing Compliance: Compliance is not a one-time event. Contractors need to develop a process for continuous monitoring and improvement to ensure that their cybersecurity practices remain in line with CMMC Level 1 requirements and are ready for future assessments. Regular internal audits and reviews will help ensure ongoing compliance. 
  5. Consider the Future: While CMMC Level 1 is a starting point, contractors should keep an eye on higher levels of certification, particularly if they plan to work with the DoD on contracts involving CUI or other sensitive data. Moving beyond Level 1 will require additional controls and security measures, so planning for future certifications is important. 

Challenges and Opportunities 

The transition to CMMC Level 1 is not without its challenges. Contractors will need to invest time and resources in developing compliant cybersecurity practices and in paying for third-party assessments. Smaller contractors may face financial or staffing constraints as they work to meet these new requirements.

However, this transition also presents opportunities. By adopting CMMC and improving cybersecurity practices, contractors can build trust with the DoD and improve their overall security posture. These improvements help prevent costly data breaches and protect critical infrastructure from cyber threats. 

IE Can Help Guide You Through the SPRS to CMMC Level 1 Transition

The move from SPRS to CMMC Level 1 marks a significant shift in how the DoD manages cybersecurity within its supply chain. Contractors must understand these new requirements and take proactive steps to become CMMC-certified to remain eligible for DoD contracts. With basic cybersecurity hygiene at the core of CMMC Level 1, this is an opportunity for contractors to enhance their security posture. Internetwork Engineering, a Presidio Company, can help guide you through the complexities of these evolving requirements with our expert IT consulting services. Our team ensures that your organization is well-prepared for compliance, strengthening your security measures while securing continued access to government opportunities. Partner with us to stay ahead of the curve and achieve success in 2025 and beyond. 


About Jason Smith

Jason Smith is the Security Consultant for Internetwork Engineering (IE), with over 15 years' experience in IT and IT security across the finance, retail, and aerospace and defense sectors. Connect with Jason on LinkedIn.