DoD subcontractors handling Federal Contract Information (FCI) must have a valid SPRS score on file. Thousands of small manufacturers don't. Most think they need a $30,000 cybersecurity audit. They don't.
If you have a DoD contract and handle any Federal Contract Information, you're already legally required to implement these controls. The deadline just made enforcement real.
FAR 52.204-21 has been in your contracts for years. CMMC Level 1 codifies it with mandatory self-assessment and SPRS score reporting starting 2026.
Prime contractors will require proof of SPRS score before awarding subcontracts. No score on file = no contract. The cutoff is mid-2026.
Cybersecurity firms charge $300/hr for enterprise compliance. CMMC Level 1 for a small shop is 15 controls. Most take one afternoon to implement and document.
If you check any of these boxes, you need a SPRS score:
Total Level 1 Controls
To complete the free assessment
Typical time to become compliant
Full assessment and SPRS filing package
We've simplified a process that typically costs $10,000-$50,000 with a cybersecurity firm down to a straightforward, affordable package for small DoD subcontractors.
Answer yes/no for each of the 15 CMMC Level 1 controls. Plain English - no cybersecurity degree required. Takes about 5 minutes. Your gaps are identified immediately.
We send a detailed report showing exactly which controls you're missing and what that means. Most small manufacturers have 3-7 gaps. Each one has a clear, specific fix.
A compliance advisor walks through every control with you. We tell you exactly what to implement, what documentation to create, and how to score yourself honestly. No guessing.
We calculate your score using the official NIST SP 800-171 methodology and submit it to the Supplier Performance Risk System (SPRS) on your behalf. You get confirmation and a copy for your records.
The assessment is completely free. No credit card required.
No hourly rates. No surprise add-ons. One flat fee to get fully compliant and documented.
Flat fee. No surprises.
Compare to typical cybersecurity firm rates: $300-500/hour for the same service. Our flat $3,500 package covers everything a small DoD subcontractor needs.
"I thought CMMC would cost us $20,000 and three months. We were done in one afternoon. The whole thing was way simpler than the cybersecurity companies made it sound."Mike T. - CNC Machine Shop Owner, Ohio
"Our prime contractor gave us 60 days to get a SPRS score or we'd lose the subcontract. These guys saved our contract. Worth every penny of the $3,500."Karen L. - Defense Parts Distributor, Texas
"Took the quiz and found out we had 5 gaps I didn't even know about. The walkthrough showed us exactly what to fix. We were fully submitted within a week."Robert M. - Sheet Metal Fabricator, Pennsylvania
CMMC stands for Cybersecurity Maturity Model Certification. Level 1 is the basic tier - 15 fundamental security practices that every DoD contractor should already be doing. If your company has any federal contract that involves "Federal Contract Information" (any info provided by or generated for the government under a contract), you're required to implement these 15 controls under FAR clause 52.204-21.
The new requirement (effective 2025-2026) is that you must self-assess against these controls and submit your score to the SPRS database. The controls themselves aren't new - the mandatory reporting is.
SPRS stands for Supplier Performance Risk System - it's a DoD database that contracting officers check before awarding contracts. Your CMMC self-assessment score is submitted here. A score of -203 means zero controls in place; 110 means perfect.
Prime contractors are increasingly requiring subcontractors to have a SPRS score on file before the prime can award work. Without a score, you may be disqualified from bidding or lose existing contract renewals.
Yes - you can technically self-assess and submit to SPRS without hiring anyone. The SPRS portal is free. The NIST SP 800-171A assessment guide is publicly available.
The challenge is: (1) understanding what each control actually requires in plain English, (2) knowing what counts as acceptable evidence/documentation, (3) calculating the score correctly using the official weighting methodology, and (4) navigating the SPRS portal submission. Most business owners spend 20-40 hours trying to figure this out on their own - or give up and pay a cybersecurity firm $15,000+. Our $3,500 package is the middle path.
Yes - and this surprises most shop owners. The controls don't require enterprise IT infrastructure. Many of them are basic common sense:
If you're doing all 15, you just need to document it and submit your score. If you're missing some, they're usually quick to fix.
The DoD's phased rollout has been accelerating. Current guidance requires Level 1 self-assessments to be submitted and current in SPRS. Practically speaking, prime contractors are already requiring this from subcontractors - many have already included SPRS score requirements in new subcontract awards.
If you miss the deadline: you may be unable to bid on new contracts, existing contracts may not be renewed, and you're exposed to False Claims Act liability if you've been certifying compliance without actually doing the assessment. The downside risk is significant.
Take the free 5-minute assessment. Get your gap report. Know exactly where you stand before the deadline hits.
The assessment is free. A compliance advisor is available same-day.
⏰ June 2026 deadline approaching. Get your SPRS score on file before you lose your contracts.
Start Free Assessment