The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Find your CMMC path →
Check my verification pathCheck my path →

How to Verify a Company’s CMMC Status in SPRS

By The Defense Compliance Report Editorial Team · Last verified: June 15, 2026 · How we verify CMMC sources · Corrections policy

A clause appears in a solicitation. A prime asks for proof. A supplier says, “Don’t worry — we’re CMMC certified.” Now you have to actually verify that, and the first surprise is how little of it you can look up yourself.

Bottom line, up front: To verify a company’s CMMC status in SPRS, start with the CMMC Unique Identifier (CMMC UID) the company will use for the contract — and if you’re an authorized SPRS user, open the CMMC Assessments module and search by that UID first. SPRS is the Supplier Performance Risk System, the Department of Defense database that holds CMMC results, reached through the Procurement Integrated Enterprise Environment (PIEE) at piee.eb.mil.

The catch that trips up almost everyone: CMMC status is not a public directory, and a prime contractor usually cannot just look up a subcontractor’s record in SPRS. Access is locked to the company that owns the record and to the government. So how you verify depends entirely on who you are.

We built this from the rule text and the official system documentation — not vendor marketing. Our editorial team read 32 CFR Part 170, DFARS 252.204-7021 and 252.204-7025, the SPRS CMMC Assessment Viewing Guide (Release V4.12, Nov 2025), and the DoD CIO’s official CMMC FAQ. Everything sourced, everything dated.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with, endorsed by, or acting on behalf of the Department of Defense, the Cyber AB, CAICO, DCMA DIBCAC, SPRS, or any U.S. government agency. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This page is informational and is not legal, contracting, or compliance advice.

Can you verify the status directly? Start here.

Before anything else, find yourself in this table. It tells you whether you can open SPRS and check the record yourself, or whether you have to get the proof another way.

You are…Can you verify directly in SPRS?Use this firstThe bottom line
DoD contracting / acquisition staffYes — with authorized SPRS government accessThe CMMC UID(s) listed in the proposalCheck SPRS before award, option exercise, or extension when the CMMC clause applies.
A company checking its own statusYes — with a PIEE/SPRS company roleYour CAGE/HLO, then the CMMC Assessments moduleUse the Cyber Vendor User or view-only role; confirm your affirmation is current.
A prime checking a subcontractorNo — there is no automated prime-to-sub lookupSupplier-provided proof packetRequest the SPRS record or certificate, UID, scope, and dates. Don't share FCI/CUI until it checks out.
A subcontractor proving status to a primeYes — for your own recordYour SPRS print/screenshot or certificateShare controlled proof voluntarily; primes can't pull it for you.
A member of the public or a competitorNo — there is no public directoryCompany-provided proof onlyYou cannot browse a list of companies that self-assessed or earned certificates.

Two quick jumps if you already know what you need: go to the verification worksheet or go to the supplier proof packet. If your row above says “No,” the proof packet is your section. If it says “Yes,” the step-by-step is next.

The DCR SPRS CMMC Status Verification Matrix

Last verified: June 15, 2026

We combined the official SPRS workflow, the DFARS award and subcontract rules, the CMMC UID mechanics, and the access limitations into a single decision matrix. Each row is a real verification scenario, the best key to verify it, what has to match, what does not prove enough on its own, and your next move.

ScenarioDirect SPRS check?Best verification keyWhat must matchWhat does NOT prove enoughNext action
CO verifying an offeror before awardAuthorized government SPRS usersCMMC UID(s) from the proposalCurrent status at the required level/type for every system that will touch FCI/CUI; current affirmationCompany name alone; an old screenshot; a generic 'CMMC compliant' claimCheck SPRS by UID; record UID, level/type, status, scope, affirmation date, and your verification date.
Prime verifying a subcontractor before subcontract awardNo automated prime-to-sub lookupSubcontractor-provided SPRS print/screenshot, certificate, UID, CAGE/HLORequired subcontract level/type, current status/certificate, scope that covers the flowed FCI/CUIA logo, a website badge, an old certification announcementRequest the proof packet; do not flow FCI/CUI until the evidence supports the required level.
Company checking its own statusYes, via PIEE/SPRS rolesCAGE/HLO → Cyber Reports → CMMC Assessments → UIDYour own status, status type, assessment date, status expiration, affirmation expiration, included CAGEsAssuming a CO or prime will fix your missing dataUse the Cyber Vendor User or view-only role; reaffirm if the affirmation lapsed.
Supplier proving status to a primeCan view and voluntarily share its own recordSPRS print/screenshot, UID, certificate for L2 (C3PAO) or L3 where requiredCurrent status/certificate and current annual affirmationA verbal claim or a PDF without UID, scope, and datesShare a controlled, current proof packet.
Public outsider / competitorNo public directoryCompany-provided proof onlyUID, legal entity, scope, dates, certificate/statusA public announcement or press releaseAsk the company directly; there is no public list to browse.
Verifying a Level 2 (C3PAO) statusGovernment via SPRS; supplier via own evidence; prime via shared proofUID, certificate, C3PAO name, status date, scopeLevel 2 (C3PAO) Final/Conditional, current affirmation, assessed scopeA Level 2 (Self) status when the contract requires Level 2 (C3PAO)Reconcile against the solicitation/flow-down; C3PAO results route through CMMC eMASS to SPRS.
No records found in SPRSAuthorized SPRS userUID, CAGE, company name, dateCould mean wrong search criteria — or no assessment entered/affirmed for that CAGETreating absence as proof of noncompliance before re-checking identifiersRe-check the UID/CAGE/HLO; ask the company for current proof.
Red / Not Current recordAuthorized SPRS user, or a supplier screenshotCurrent Status field, red highlight, expiration datesExpired, awaiting re-affirmation, retracted, or deletedAssuming a prior 'Final' label still countsTreat it as not current until it's resolved.

Sources: 32 CFR 170.16, 170.17, and 170.22; DFARS 252.204-7025; SPRS CMMC Assessment Viewing Guide V4.12.

How to verify a company’s CMMC status in SPRS (step by step)

If you’re authorized to use SPRS, open the CMMC Assessments module, search by the CMMC UID first when you have it, then use CAGE, company name, or assessment date as backups. Open the Details view and confirm the status type, Current Status, scope, and the status and affirmation dates — for the specific system that will process, store, or transmit FCI or CUI.
1

Confirm your role and access

SPRS lives inside PIEE at piee.eb.mil. Authorized government acquisition users — the role SPRS designates as "Acquisition Professional" — view assessment information through the CMMC Assessments module. A company's own staff use the SPRS Cyber Vendor User role, a privileged role that can view, enter, edit, and affirm CMMC and NIST SP 800-171 records for any CAGE in the company's hierarchy, or the view-only Contractor/Vendor (Support Role). If you don't have direct access, skip to the supplier proof packet below.

2

Collect the right identifiers before you search

You want the CMMC UID, the legal company name, the CAGE code(s), the Highest Level Owner (HLO) if relevant, the level and assessment type the solicitation or flow-down requires, and a clear picture of which system or environment will handle FCI or CUI.

3

Search by CMMC UID first

Under DFARS 252.204-7025, offerors must list a CMMC UID for each system that will touch FCI or CUI, and the contracting officer verifies status against those UIDs. CAGE codes and the HLO mainly serve access control, affirmations, and metrics — so if you have the UID, lead with it.

4

Open Details and read the actual fields

A green "Final" label at a glance isn't verification. Capture every field below before you close the record.

5

Save the evidence

Authorized users should drop a short note in the procurement file: verification date, who checked it, the search method, the UID, the status, the scope, the dates, and the conclusion. The SPRS detail view is print-friendly and can be saved as a PDF for your own records. That note is what protects you if anyone ever asks, "How did we confirm this supplier was eligible?"

Fields to capture in the SPRS Details view

FieldWhy it matters
CMMC UIDTies the status to a specific assessed system.
Company / legal entityConfirms the record belongs to the company you're evaluating.
Reported HLO / CAGEConfirms hierarchy and entity association.
CMMC Status TypeShows Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC), and Conditional vs. Final.
Current StatusThe direct green/red decision point.
Assessment dateStarts the validity clock.
CMMC Status Expiration DateShows the validity window.
Affirmation Expiration DateShows whether the annual affirmation is still current.
Assessment scopeConfirms the assessed environment matches the contract use case.

Your free verification worksheet

Copy this into your proposal or supplier file and fill it in. It’s the same structure our matrix is built on — a verifier can’t fake their way past it, and an AI summary can’t fill it in for your specific deal.

CMMC STATUS VERIFICATION WORKSHEET — [Company / Opportunity]
Date: ______  Reviewer: ______

1.  My role: CO / prime / subcontractor / supplier / consultant
2.  Required CMMC level & type (from solicitation or flow-down): ______
3.  Information being flowed: FCI / CUI / both
4.  Do I have direct SPRS access for this record? Yes / No → request proof packet
5.  CMMC UID(s): ______
6.  Legal entity name: ______     CAGE(s) / HLO: ______
7.  CMMC Status Type shown: ______
8.  Search result: Record found / No records found
9.  Current Status: Current / Not Current / No CMMC / Pending Affirmation / other: ______
10. Assessment date: ______  Status expiration: ______  Affirmation expiration: ______
11. Assessment scope: Enterprise / Enclave / Contract / unknown
12. Does the assessed scope cover the system that will handle our FCI/CUI? Yes / No / unclear
13. Level/type matches the requirement? Yes / No (mismatch)
14. Verdict: Appears sufficient / Missing evidence / Not current / Scope mismatch / Level mismatch / Needs review
15. Evidence saved to file? Yes / No

This worksheet helps you reach a documented verification decision; it is not a legal or compliance determination, and the final call rests with your contracting and compliance leadership.

If you’re staring at a record and you’re not sure the evidence is enough to rely on: tell us your role, the required level, the UID or CAGE information you have, and your deadline, and we’ll help you pin down the right next step.

Check my verification path →

Who can see a company’s CMMC status in SPRS?

Answer:CMMC status is not a public, searchable certificate directory. Authorized government procurement staff can view assessment information in SPRS; a company can view its own status; and primes generally have to rely on supplier-shared proof, because there is no automated process for a prime contractor to view a subcontractor’s CMMC status in SPRS. The DoD CIO’s official CMMC FAQ (item C-A4) states plainly that the public will not have access to a list of companies that completed CMMC self-assessments or received certificates, and that a company can view its own scores and status in SPRS.

You usually cannot just log into SPRS and pull another company’s record. There’s no public search box, and there’s no button that lets a prime browse a subcontractor’s CMMC status. When DoD finalized the DFARS rule, industry asked for exactly that capability. DoD’s published response in the Federal Register final rule was direct: there is no automated process for primes to view subcontractor CMMC status, and subcontractors can print or screenshot their own status and affirmation information to share as they see fit.

That sounds like a gap. Operationally, it is friction. But it exists by design — to protect each company’s data — and it actually works in your favor once you know how to handle it. A controlled proof packet with a UID, a scope, and current dates, backed by a right-to-request clause in the subcontract, gives you a cleaner, more defensible paper trail than a screenshot you can’t control ever would.

Government acquisition staff

Authorized contracting users — SPRS Acquisition Professional users — access SPRS to view the assessment information they need to make award decisions.

A company, for itself

With the right PIEE/SPRS role, a company sees its own CMMC and NIST records across its CAGE hierarchy. The privileged Cyber Vendor User role can also enter and affirm; the view-only role just reads.

A subcontractor sharing with a prime

The sub can view its own record and voluntarily hand over proof. That's the intended channel.

The public and competitors

No access. There's no list to browse, by design.

What does “Current” mean for a CMMC status in SPRS?

Answer:“Current” is not a vibe — it depends on the status type, the assessment date, the expiration date, and the annual affirmation. Per the SPRS CMMC Assessment Viewing Guide, a Final Level 1 (Self) is current for one year from the assessment date; a Level 2 Conditional self-assessment is current for 180 days; and a Level 2 Final assessment is current for three years but requires annual reaffirmation — and in every case the affirmation must be current. Records with expired affirmations show up red and Not Current.
Status / displayWhat it means in practiceWhat to verify
Final Level 1 (Self)Current for one year from the assessment date, once affirmedFinal L1, current affirmation, FCI-only fit
CMMC Level 2 Conditional (Self)Current for 180 days while a POA&M is closed outStatus date, the 180-day window, the affirmation
CMMC Level 2 Final (Self)Current for three years, but requires annual reaffirmationThe 3-year clock and the annual affirmation
Conditional / Final Level 2 (C3PAO)Visible once affirmed; C3PAO results route through eMASS to SPRSC3PAO status, UID, certificate, affirmation
Conditional / Final Level 3 (DIBCAC)Visible once affirmed; the DIBCAC path with a Level 2 (C3PAO) prerequisiteL3 status plus the underlying Final Level 2 (C3PAO)
Pending AffirmationA completed record awaiting the Affirming Official's affirmation (for a previously affirmed Conditional L2 record being updated — the only Pending case a government viewer sees)Determine which case it is; confirm Current Status, status date, and affirmation date
No CMMC StatusNot current — typically an expired Final assessment, or a 'Not Met' requirement that can't be placed on a POA&M; appears redThe reason, and whether an affirmation is missing
IncompleteA saved record with only partial assessment informationThat a complete, affirmed record exists before relying on it
No records foundWrong search criteria — or nothing entered/affirmed for that CAGERe-check the UID, CAGE/HLO, name, and dates

Source: SPRS CMMC Assessment Viewing Guide and 32 CFR 170.22. POA&M = Plan of Action and Milestones; a Conditional status means a company passed with open items on a POA&M and has 180 days to close them.

The annual-affirmation trap: a company can hold a perfectly valid three-year Level 2 assessment and still be Not Current because nobody reaffirmed at the one-year mark. DFARS 252.204-7021 requires an annual affirmation of continuous compliance in SPRS for each assessment tied to the contract. A passing score with a lapsed affirmation is a red record. Check the affirmation date every time.

What if SPRS shows “No records found,” red, “Pending,” or “No CMMC”?

Answer:Treat any unclear or negative result as a verification item to resolve — not as something to explain away, and not as automatic proof of noncompliance. “No records found” can simply mean your search criteria didn’t match, or that no assessment has been entered and affirmed for that CAGE. A red record means Not Current. “Pending Affirmation” means a completed record awaiting affirmation.

The mistake we see most often: reading “No records found” as “this company failed.” It might mean you searched the wrong CAGE, or used a company name when you should have used the UID. Re-check the identifiers before you draw a conclusion. Then ask the company for current proof.

ResultFirst assumptionWhat to do next
No records foundWrong UID/CAGE/name/date, or nothing entered/affirmedRe-check identifiers; request a current proof packet
No CMMC StatusExpired Final assessment, a non-POA&M 'Not Met,' or an affirmation issueAsk the company to explain and provide corrected, current evidence
Red / Not CurrentExpired, needs reaffirmation, retracted, or deletedTreat as not current until resolved
Pending AffirmationA completed record awaiting affirmation; possibly a previously affirmed Conditional being updatedDetermine which case it is; confirm the actual Current Status, status date, and affirmation date
Conditional statusValid only within a limited windowCheck the status date, the 180-day closeout timeline, and whether the solicitation allows Conditional
Level / type mismatchThe company has a different status than requiredDon't treat it as compliant for that requirement
Scope mismatchA status exists, but it doesn't cover the contract systemRequest the correct UID/scope, or treat it as insufficient

If the status is missing, red, expired, or mismatched, the next move depends entirely on why. Tell us what the record or the supplier proof shows and what level the contract requires, and we’ll help you sort whether it’s a SPRS admin issue, a readiness gap, a scope problem, or an assessment-path problem.

Sort out what this status means →

What should you ask a company for before you trust its CMMC status?

Answer: Ask for the evidence that ties the status to the actual entity, system, scope, and contract requirement: the CMMC UID, the legal entity, CAGE/HLO, the CMMC Status Type, the Current Status, the status and affirmation dates, the assessment scope, and a certificate if Level 2 (C3PAO) or Level 3 applies. Under DFARS 252.204-7025, the offeror must provide a CMMC UID for each contractor information system that will process, store, or transmit FCI or CUI during performance — so “which system, exactly?” is a fair and necessary question.

The supplier proof packet — request all of this

  • CMMC UID(s)
  • Legal entity name
  • CAGE code(s) and the Highest Level Owner (HLO), if applicable
  • The required CMMC level and assessment type
  • CMMC Status Type and Current Status
  • Assessment date
  • CMMC Status Expiration Date
  • Affirmation Expiration Date
  • Assessment scope (Enterprise / Enclave / Contract) and a short description of the assessed environment
  • A Certificate of CMMC Status for Level 2 (C3PAO) or Level 3, where applicable
  • The name of the C3PAO that performed the Level 2 certification, or confirmation of the DIBCAC path for Level 3
  • The date the proof was generated

Copy-and-paste supplier request

Subject: CMMC status verification for [contract / subcontract / opportunity]

We need to verify current CMMC status for the system(s) that will process, store, or transmit [FCI / CUI] under [reference]. Please provide: the CMMC UID(s), legal entity name, CAGE code(s), HLO if applicable, CMMC Status Type, Current Status, assessment date, CMMC Status Expiration Date, Affirmation Expiration Date, assessment scope, and a current SPRS print/screenshot or certificate where applicable. If the required status is Level 2 (C3PAO) or Level 3, please also include the certificate and the assessing organization.

To be clear, we are not requesting CUI or sensitive technical artifacts — only the status information needed for procurement due diligence.

What not to accept as final proof

"We're CMMC compliant." (No UID, no scope, no dates.)
A website badge or logo.
An old press release or certification announcement.
A screenshot with no Current Status or affirmation date.
A certificate that doesn't show the assessed scope or system.
A Level 2 (Self) status when the solicitation requires Level 2 (C3PAO).
A provider's own CMMC status, offered as proof that your environment is compliant. (It isn't — more on that below.)

How do CMMC UIDs, CAGE codes, HLO, and scope fit together?

Answer: The CMMC UID identifies the assessed system; the CAGE code and HLO tie records to corporate identity and access; and the scope tells you whether the assessed system is the one that will actually handle your FCI or CUI. The DFARS rule describes the CMMC UID as a 10-character alphanumeric code assigned to each CMMC assessment and reflected in SPRS for each contractor information system.
IdentifierWhat it identifiesWhy it mattersCommon mistake
CMMC UIDThe assessment / system recordThe primary verification anchor for contract systemsSearching by company name when you have the UID
CAGELegal / entity relationshipEntity and hierarchy associationAssuming every location needs its own CAGE
HLOThe top of the corporate CAGE hierarchyHelps organize and search the hierarchyTreating hierarchy as proof of scope
Company nameA discovery aidHelps locate records when UID/CAGE are missingRelying on a partial-name match alone
Assessment scopeThe assessed environment (Enterprise / Enclave / Contract)Shows what was assessedAccepting a status that covers a different system
SSP / system descriptionThe boundary evidenceConfirms which system handles FCI/CUIAssuming a provider's or customer's systems are covered
The scope warning: Because DFARS 252.204-7025 requires a current status for eachsystem that will touch FCI or CUI, a system that isn’t represented by a provided UID can’t be used to handle that data during performance. A real Level 2 status that covers the wrong environment is not coverage for the work in front of you.

Is a CMMC status the same as an SPRS score?

Answer: No. A NIST SP 800-171 SPRS score and a CMMC status are related but not interchangeable. They overlap (a Level 2 status rests on a NIST SP 800-171 self-assessment), but verifying one is not verifying the other. See our full SPRS score guide.
ItemWhat it isWhere it appearsWhat it provesWhat it does NOT prove
NIST SP 800-171 SPRS scoreA DoD Assessment score (-203 to 110)The SPRS NIST assessment areaA posted self-assessment scoreA current CMMC status by itself
CMMC statusA level/type status tied to a CMMC UIDSPRS CMMC Assessments (or eMASS → SPRS)A current CMMC level/path, when validScope fit, unless the UID/system matches
CMMC certificateA Certificate of Status for the C3PAO/DIBCAC pathsIssued through the assessment processFormal certificate details for the assessed systemPublic browsability, or unlimited scope
Annual affirmationA senior official's attestation of continued complianceSPRSThat the affirmation requirement is metA new assessment or remediation by itself

The takeaway: don’t say “SPRS score” when you mean “CMMC status,” and don’t say “certified” when the record is a self-assessment. The contract requirement controls which one you actually need.

How does verification change by level — Level 1, Level 2 Self, Level 2 C3PAO, Level 3?

Answer: The verification question is always the same — current status, correct level and type, correct scope, current affirmation — but where the result comes from changes by level. Level 1 and Level 2 self-assessments are entered into SPRS by the organization itself. Level 2 (C3PAO) and Level 3 (DIBCAC) results are entered into CMMC eMASS and then transmitted to SPRS automatically. Under 32 CFR 170.17, the C3PAO submits results into eMASS, “which then provides automated transmission to SPRS.”
Required pathWho assessesWhere results liveWhat to verify
Level 1 (Self)The organizationSPRSFinal Level 1 (Self), current annual cycle, affirmation, FCI-only fit
Level 2 (Self)The organizationSPRSFinal/Conditional L2 (Self), score/status, POA&M if Conditional, affirmation
Level 2 (C3PAO)An authorized/accredited C3PAOCMMC eMASS → SPRSC3PAO status, certificate, UID, scope, affirmation
Level 3 (DIBCAC)DCMA DIBCACeMASS → SPRSLevel 3 status plus a Final Level 2 (C3PAO) for the same scope
Don’t accept a self-assessment where a third-party certification is required. Level 2 (Self) and Level 2 (C3PAO) measure the same NIST SP 800-171 Revision 2 control set, but the assessment type differs and the contract requirement controls. See our CMMC self-assessment vs C3PAO guide.
Level 3 hard prerequisite: Under 32 CFR 170.18, a company must hold a Final Level 2 (C3PAO) status for the systems within the Level 3 scope before it can undergo a Level 3 (DIBCAC) assessment.
Revision note: CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. NIST marks Rev. 2 as withdrawn/superseded by Rev. 3 (May 14, 2024), but DoD has not adopted Revision 3 for CMMC — the DoD CIO FAQ states it will be incorporated through future rulemaking. Until DoD makes that change, verify against Revision 2. If a vendor tells you their “Rev. 3 readiness” satisfies CMMC today, treat that as a forward-looking claim, not the current requirement. See our CMMC levels overview.

How should a prime document subcontractor verification before award?

Answer: A prime should keep a procurement-file record showing the flowed-down requirement, the subcontractor’s proof, the fields reviewed, the date reviewed, and the conclusion. DFARS 252.204-7021 requires the contractor to ensure, before subcontract award, that a subcontractor has a current CMMC certificate or current CMMC status at the level appropriate for the information being flowed down.

Prime procurement-file checklist

  • Prime contract / solicitation reference
  • The flowed-down DFARS clause and the required CMMC level/type
  • The type of information flowed: FCI / CUI / both
  • Subcontractor legal name
  • Subcontractor CAGE(s) / HLO
  • Subcontractor CMMC UID(s)
  • Status type and Current Status
  • Assessment date; status expiration; affirmation expiration
  • Assessment scope / system description
  • Certificate evidence, where applicable
  • Whether the proof matches the work being subcontracted
  • The date the proof was generated, and the date the prime reviewed it
  • The reviewer's name and title
  • The decision: Accepted / Insufficient / Mismatch / Not current / Pending clarification

Five clear file labels for every review

Accepted:Current, matching level/type, matching scope, current affirmation.
Insufficient evidence:Missing UID, scope, or dates.
Not current:Red, expired, missing affirmation, or unresolved Conditional.
Scope mismatch:A status that doesn't cover the system used for this work.
Contract mismatch:A status that doesn't meet the required level/type.
False Claims Act enforcement context: Since October 2021, the Department of Justice’s Civil Cyber-Fraud Initiative has used the False Claims Act to pursue contractors that knowingly misrepresent their cybersecurity practices. A knowingly false affirmation in SPRS, or knowingly relying on one, is exactly the kind of misrepresentation that creates that risk. A documented verification file is your evidence of good-faith diligence.

If you’ve found a subcontractor — or your own environment — that isn’t where it needs to be: tell us your level, scope, and timeline, and we’ll help you identify the right category of help and source-checked CMMC provider options to close the gap.

Get matched with provider categories that fit →

Can you verify a provider’s own CMMC status the same way?

Answer: Yes — apply the same evidence logic. Ask for the UID, CAGE, certificate or status type, assessed scope, dates, and the assessing C3PAO where applicable. But a provider’s own CMMC status does not automatically make yourenvironment compliant. It tells you something about the provider’s assessed system or services, within their stated scope — nothing more. Your shared-responsibility boundary still has to be assessed as part of your scope.
Provider categoryWhat to verifyWhat not to assume
RPO / readiness consultantTheir role, scope, and deliverables; their Cyber AB status if they claim oneThat they can also perform your formal assessment
MSP / MSSPTheir own CMMC status if claimed; the assessed scope; the shared-responsibility splitThat their status automatically covers your environment
GRC / evidence softwareWhat the tool supports; how it maps and exports evidenceThat software equals compliance, or a status in SPRS
CUI enclave providerThe boundary, the shared responsibility, and the cloud provider's FedRAMP postureThat an enclave alone satisfies all 110 requirements
C3PAOTheir authorized/accredited status in the Cyber AB Marketplace; conflict-of-interest posture; assessment scopeThat they can both remediate your gaps and independently assess the same work
Independence note: Under 32 CFR 170.9, C3PAOs must comply with the Accreditation Body’s Conflict of Interest, Code of Professional Conduct, and Ethics policies. Those policies prohibit a C3PAO from performing your Level 2 certification assessment if it also prepared or remediated you for it — readiness help and the formal assessment have to stay separate. And the Cyber AB does not endorse or introduce specific C3PAOs; it maintains the Marketplace of authorized assessors. See our authorized C3PAO selection guide.

What to do if a status is missing, expired, or mismatched

Diagnose the failure before you buy a fix. The instinct, when a status comes back missing or red, is to call a C3PAO. But if the real problem is a missing UID, a broken CAGE hierarchy, a lapsed affirmation, fuzzy scope, or a thin evidence file, an assessment is the wrong first move. Match the fix to the actual gap.
Problem foundLikely first moveCategory of help, if you need it
Wrong / missing CAGE or HLOFix the SAM/CAGE hierarchy and SPRS role accessInternal CAM/SAM admin; CMMC admin support
No CMMC statusDetermine whether the assessment, affirmation, or score is the issueReadiness consultant, RPO, MSP/MSSP, or vCISO
Expired affirmationAn Affirming Official process gapInternal governance; compliance-operations support
Conditional status near its deadlineClose out the POA&M within the 180-day windowReadiness support
Scope mismatchRe-scope before buying tools or scheduling an auditScoping consultant, enclave architect, or readiness provider
Contract requires Level 2 (C3PAO)Confirm readiness firstAn authorized C3PAO — after a readiness review
Supplier won't provide proofA procurement-risk decisionContracts / legal / procurement escalation — not a sales pitch

A word of honesty: a supplier who won’t provide enough evidence may still be telling the truth. But your procurement file can’t run on trust. If the proof isn’t there, the eligibility risk is real, and it’s yours to manage.

See also: CMMC provider categories: who to hire first and who to hire first for CMMC.

Need scoped help from the right category, not a random CMMC vendor?Tell us the gap you found and your timeline, and we’ll match you with source-checked CMMC provider options that fit your level, scope, and stage.

Get matched with source-checked provider options →

When does a current SPRS status start affecting eligibility?

Answer: It already does. CMMC requirements began appearing in DoD solicitations on November 10, 2025 — the effective date of the DFARS final rule — and a current status in SPRS is now an award-eligibility factor when the clause applies. The program rolls out in four phases, set by 32 CFR 170.3(e).
PhaseDatesWhat it brings (per 32 CFR 170.3(e))
Phase 1Nov. 10, 2025 – Nov. 9, 2026Level 1 (Self) or Level 2 (Self) for applicable solicitations and contracts as a condition of award. DoD may, at its discretion, require Level 2 (C3PAO) in place of Level 2 (Self), and may apply self-assessment requirements as a condition to exercise an option on a pre-existing contract.
Phase 2Nov. 10, 2026 – Nov. 9, 2027Adds Level 2 (C3PAO) for applicable solicitations and contracts as a condition of award. DoD may delay Level 2 (C3PAO) to an option period, and may, at its discretion, include Level 3 (DIBCAC).
Phase 3Nov. 10, 2027 – Nov. 9, 2028Adds Level 2 (C3PAO) for all applicable solicitations and contracts as a condition of award and to exercise an option on contracts awarded after the effective date. DoD intends to include Level 3 (DIBCAC) for all applicable contracts.
Phase 4Nov. 10, 2028 onwardFull implementation: DoD includes CMMC Program requirements in all applicable solicitations and contracts, including option periods on contracts awarded before Phase 4.

Phase-to-verification impact: what changes for you, and when

PhaseWho is checking statusWhat proof typically changesWhat primes should retainWhat subcontractors should prepare
Phase 1 (now)CO at award; primes screening subs for FCI/CUILevel 1 (Self) or Level 2 (Self) status + affirmation in SPRS; UID per systemUID, status type, scope, dates, and proof source for each sub touching FCI/CUIA current self-assessment, affirmation, and a clean SPRS print/screenshot to share on request
Phase 2 (Nov 2026)CO at award; primes verifying CUI subsLevel 2 (C3PAO) certificate where the contract requires it, not just a self-assessmentThe certificate, C3PAO name, UID, and assessed scope, plus your level-match determinationA scheduled or completed C3PAO assessment; the Certificate of CMMC Status
Phase 3 (Nov 2027)CO at award and at option exerciseLevel 2 (C3PAO) for all applicable; Level 3 (DIBCAC) where requiredRe-verification at each option exercise, not just at awardMaintained Final status, current affirmations, and Level 3 readiness if applicable
Phase 4 (Nov 2028)CO across essentially all applicable contracts and optionsCMMC status required in virtually all FCI/CUI workA standing, repeatable verification file and re-verification cadenceA durable compliance program, not a one-time push

For contractors whose contracts will require a Level 2 (C3PAO) certification, the date to plan around is November 10, 2026. Readiness commonly takes 6 to 18 months, and assessor capacity is finite — the calendar is already the constraint. See CMMC deadlines 2026 and how long CMMC certification takes.

What we actually verified

Last verified: June 15, 2026. Next scheduled review: July 2026, or sooner if SPRS, DFARS, 32 CFR Part 170, or Cyber AB guidance changes.

We didn’t summarize other people’s summaries. Our editorial team read and cross-checked:

Frequently asked questions

Can anyone look up a company's CMMC status in SPRS?
No. The DoD CIO's official CMMC FAQ states the public will not have access to a list of companies that completed CMMC self-assessments or received certificates. That information is available to government procurement staff, and a company can view its own status in SPRS. There is no public directory to search.
Can a prime contractor directly see a subcontractor's CMMC status in SPRS?
Not through an automated lookup. In its final-rule response, DoD stated there is no automated process for prime contractors to view subcontractor CMMC status in SPRS, so primes work with suppliers to verify — typically via a shared SPRS print/screenshot or certificate.
What is a CMMC UID?
A CMMC Unique Identifier is a 10-character alphanumeric code SPRS assigns to each CMMC assessment, tied to a specific contractor information system. It's the primary key for verifying a status against the system a contract will actually use.
Should I search by CMMC UID or by CAGE code?
Lead with the CMMC UID when you have it. SPRS also allows searches by CAGE, company name, and assessment date, but under DFARS 252.204-7025 contracting officers verify status against the UIDs the offeror lists in its proposal.
What does "Current" mean in SPRS?
A status is current only within its validity window and with a current affirmation. Per the SPRS CMMC Assessment Viewing Guide, a Final Level 1 (Self) is current for one year, a Level 2 Conditional self-assessment for 180 days, and a Level 2 Final assessment for three years — and the annual affirmation must be in place. An expired affirmation makes the record red and Not Current.
What does "No records found" mean?
It can mean the search criteria didn't match, or that no assessment has been entered and affirmed for that CAGE. Re-check the UID, CAGE/HLO, company name, and dates, and ask the company for current proof before concluding anything.
What does "Pending Affirmation" mean?
It's a completed record waiting for the Affirming Official to affirm. A previously affirmed Conditional Level 2 record that's been updated will show Pending Affirmation until the affirmation is completed — and that's the only Pending category a government viewer sees. Confirm the actual Current Status and the affirmation date.
Is an SPRS score the same as a CMMC status?
No. The SPRS score (under DFARS 252.204-7019/-7020) is a NIST SP 800-171 DoD Assessment number. CMMC status (under DFARS 252.204-7021/-7025) is a level/type status tied to a UID and an affirmation. The contract decides which one you need.
Can a Conditional Level 2 status support an award?
Only within the limited conditions the rule allows and only inside its 180-day window. Don't assume a Conditional status is sufficient — check the status date, the closeout timeline, and what the solicitation actually permits.
What if the solicitation requires Level 2 (C3PAO) but the company has Level 2 (Self)?
That's a mismatch. Both measure the same NIST SP 800-171 Revision 2 control set, but the assessment type differs and the contract requirement controls. A self-assessment doesn't satisfy a third-party certification requirement.
Do subcontractors need a current CMMC status too?
Yes, when CMMC flows down for the FCI or CUI being shared. DFARS 252.204-7021 requires the prime to ensure, before subcontract award, that the subcontractor has a current certificate or status at the appropriate level.
Who enters Level 2 (C3PAO) results into SPRS?
The C3PAO submits results into CMMC eMASS, which then provides automated transmission to SPRS. The annual affirmation still applies.
Does NIST SP 800-171 Revision 3 apply to this verification?
Not yet. CMMC Level 2 currently uses Revision 2. NIST marks Rev. 2 as withdrawn/superseded by Rev. 3 (May 14, 2024), but DoD has not adopted Rev. 3 for CMMC and the DoD CIO FAQ says it will be incorporated through future rulemaking. Verify against Revision 2 until DoD changes the rule.
What proof should I keep in the procurement file?
The CMMC UID, CAGE/HLO, status type, Current Status, assessment date, status expiration, affirmation expiration, assessed scope, the proof source, the reviewer, the review date, and your conclusion — plus the supplier's SPRS print/screenshot or certificate for prime-to-sub verification.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. If you’d rather move at your own pace first, our CMMC Readiness Checklist — mapped to the 14 NIST SP 800-171 control families — is a no-strings place to start.

Get matched with source-checked provider options →CMMC Readiness Checklist →

Related reading

Sources and primary references

Last verified: June 15, 2026. Next scheduled review: July 2026, or sooner if SPRS, DFARS, 32 CFR Part 170, or Cyber AB guidance changes. See our methodology and corrections policy.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with, endorsed by, or acting on behalf of the Department of Defense, the Cyber AB, CAICO, DCMA DIBCAC, SPRS, or any U.S. government agency. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. Provider names appear as examples of categories; inclusion is not endorsement, and any provider claim is the provider’s own statement that buyers should verify independently. This page is informational and is not legal, contracting, or compliance advice. CMMC requirements vary by contract, scope, and information type — confirm yours with your contracting officer, your prime, qualified counsel, or a source-checked CMMC advisor before making contractual commitments.