Recent DoD clause updates have changed how contractors demonstrate cybersecurity compliance.
Here is what matters:
- DFARS 252.204-7019 (NIST SP 800-171 SPRS scoring requirement) has been retired
- Numerical NIST 800-171 scoring is no longer required
- CMMC Level 2 self-assessments now replace legacy SPRS scoring
- SPRS remains the reporting system
- Self-assessments function as formal contractual attestations
This shift reduces scoring ambiguity but increases accountability.
SPRS Scoring vs. CMMC Self-Assessment: What Changed

The retirement of DFARS 252.204-7019 eliminates the numerical scoring model that many contractors relied on for several years. This is not a relaxation of enforcement, however; it is a consolidation under the formal CMMC framework.
Contractors should not interpret the removal of scoring as reduced oversight. Instead, the DoD has shifted from score reporting to structured attestation.
Clause-Level Breakdown: What Actually Changed
DFARS 252.204-7019 required contractors to:
- Conduct a NIST SP 800-171 self-assessment
- Post a numerical score in SPRS
- Update the score every three years
That clause has now been retired.
In its place, compliance is demonstrated through:
- CMMC Level determination (Level 1 or Level 2)
- Completion of a formal self-assessment (or third-party assessment where required)
- Recording results in SPRS
The mechanism has changed. The obligation to protect CUI has not.
This consolidation removes the confusion surrounding negative scoring and partial implementation while increasing the enforceability of attestations.

What Has Not Changed
Despite structural updates, the technical obligations remain intact.
Organizations handling CUI must still:
- Implement NIST SP 800-171 Rev. 2 controls (110 security requirements)
- Use FedRAMP Moderate (or equivalent) cloud environments
- Report cyber incidents within 72 hours
- Flow requirements down to subcontractors
CMMC does not reduce the technical burden. It formalizes validation of existing obligations.
Some organizations assumed CMMC would simplify compliance requirements. It does not. It enforces them more clearly.
Understanding CMMC Levels
| Requirement | Level 1 | Level 2 |
|---|---|---|
| Data Type | FCI | CUI |
| Practices Required | 17 | 110 |
| Assessment Type | Self | Self or Third-Party |
| SPRS Entry Required | Yes | Yes |
| Validation Risk | Lower | Higher |
Contractors should operate with the expectation that validation authority remains active, particularly at Level 2.
What This Means for Contractors and Subcontractors
Prime contractors are accelerating compliance expectations to reduce their own contractual exposure.
Increasingly, primes may:
- Require CMMC alignment before federal enforcement timelines
- Remove subcontractors that cannot demonstrate readiness
- Require proof of assessment prior to award
Self-assessments now function as formal contractual attestations.
Given False Claims Act exposure, inaccurate or unsupported attestations create measurable legal risk.
Organizations should ensure their documented posture matches operational reality.
What Organizations Should Do Now
To reduce exposure and avoid contract disruption:
- Confirm whether CUI exists in your environment
- Validate scope and segmentation
- Complete the appropriate CMMC self-assessment
- Ensure SPRS entries align with actual implementation
- Reconcile SSP documentation with current control maturity
- Prepare for potential validation
Organizations that adapt early reduce both operational and legal risk.
CMMC is no longer theoretical. It is embedded in contract language and procurement decision-making.
The retirement of SPRS scoring does not simplify compliance. It clarifies responsibility.
Organizations that proactively align their documentation and implementation reduce both operational disruption and legal exposure.
Clarifying Your CMMC Position Before It Becomes a Contract Issue
Sherpa supports defense contractors in scoping, documenting, and preparing defensible CMMC assessments.
If your organization is evaluating its current compliance posture, our team can help clarify next steps and reduce uncertainty.
Contact Sherpa to discuss your CMMC readiness.
Further Reading
This blog provides a structured breakdown of the recent clause updates.
For additional perspective on what these shifts signal about DoD enforcement trends and prime contractor expectations, read my LinkedIn article: CMMC Update: Big Changes to Defense Contract Cybersecurity Rules (What You Need to Know)