
Prime Asking for SPRS Score / SSP From a Subcontractor? Here's Exactly What to Send First

The Defense Compliance Report Editorial Team · Independent CMMC and DIB compliance research
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.
Prime asking subcontractor for SPRS score or SSP — what to send, what to hold, and why


Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.

Not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice.

What we verified before writing this: DFARS 252.204-7021, 32 CFR § 170.23, Federal Register 90 FR 43566 (the September 10, 2025 CMMC DFARS final rule), the SPRS Awardee/Contractor User Guide, and NIST SP 800-171 Revision 2 — read at the primary source, with links inline below. Last verified .

If a prime is asking for an SPRS score or SSP from a subcontractor, here’s the bottom line: send a short verification packet — not your full System Security Plan. Lead with your CAGE code, your required CMMC level, your assessment type, your assessment scope, your status date, your affirmation date, and a CMMC certificate or SPRS screenshot where one applies. Hold back the full SSP (System Security Plan), the full POA&M (Plan of Action and Milestones), and your control-by-control evidence until the request is specific, contractually justified, and covered by a secure transfer method.

And here’s the part most subcontractors don’t know — and it changes how you should feel right now: your prime has no automated way to pull your CMMC status out of SPRS. That’s not our opinion; the Department of Defense said so in the final rule (90 FR 43566). The request lands in your inbox precisely because they can’t look it up themselves.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

Quick vocabulary, because the prime’s email probably threw five acronyms at you: SPRS is the Supplier Performance Risk System, the DoD-run database where your cybersecurity assessment results live. SSP is your System Security Plan, the internal document describing how your systems meet the security requirements. POA&M is your Plan of Action and Milestones, the running list of gaps and how you’ll close them. FCI is Federal Contract Information; CUI is Controlled Unclassified Information — the type of data you handle drives everything. CMMC is the Cybersecurity Maturity Model Certification program, established in 32 CFR Part 170. We define the rest as we go.

The 30-second version: what to send, what to hold, and why

Quick-reference for each common prime request. Sources: DFARS 252.204-7021; 32 CFR § 170.23; 90 FR 43566; NIST SP 800-171 Rev. 2 §3.12.4; SPRS Awardee/Contractor User Guide.
  • Your prime asked for “Your SPRS score”
    Send first: Score/status proof: CAGE code, scope summary, status date, level
    Hold back first: Full SSP, full POA&M, 110-control evidence
    Primary-source basis: DFARS 252.204-7021; DoD Assessment Methodology
  • Your prime asked for “A screenshot from SPRS”
    Send first: A redacted screenshot/PDF of your own status/affirmation screen
    Hold back first: SPRS credentials, unrelated CAGEs, other assessments
    Primary-source basis: 90 FR 43566 (voluntary sharing)
  • Your prime asked for “Your CMMC certificate”
    Send first: Certificate or CMMC status copy if Level 2 (C3PAO) or Level 3 applies
    Hold back first: Assessor workpapers, assessment artifacts
    Primary-source basis: 90 FR 43566
  • Your prime asked for “Your SSP”
    Send first: SSP name, date, version, scope boundary, CAGE alignment
    Hold back first: The full SSP by email
    Primary-source basis: NIST SP 800-171 Rev. 2 (§3.12.4)
  • Your prime asked for “Your POA&M”
    Send first: POA&M status: in use or not, target close date, conditional/final status
    Hold back first: The detailed gap-by-gap list
    Primary-source basis: 32 CFR § 170.21 (POA&M closeout)
  • Your prime asked for “This 110-control spreadsheet”
    Send first: Status-level proof; ask what they actually need
    Hold back first: Unreviewed line-by-line admissions
    Primary-source basis: Editorial conclusion (assessment-document sensitivity)
  • Your prime asked for “Be Level 2 certified by [date]”
    Send first: Ask: Level 2 Self or Level 2 C3PAO? Does CUI flow to us?
    Hold back first: Buying tools or booking an assessor before scope is set
    Primary-source basis: 32 CFR § 170.23
  • Your prime asked for “Give us SPRS access”
    Send first: Your own export, screenshot, UID, or certificate
    Hold back first: Login credentials — never
    Primary-source basis: SPRS Awardee/Contractor User Guide

We unpack every row below, give you word-for-word reply scripts, and tell you which CMMC level you’re actually being asked to prove. First, a deep breath.

You’re not being singled out — and you’re not cornered

A prime asking subcontractors for SPRS scores, SSPs, or CMMC proof is now routine across the Defense Industrial Base, not a sign your company did something wrong. Under DFARS 252.204-7021, the prime must flow down the correct CMMC level and confirm that subcontractors handling FCI or CUI hold the appropriate current CMMC status before awarding the subcontract; 32 CFR § 170.23 supplies the level mapping. The request is the prime doing its job — and you can satisfy it without handing over your full security plan.

If it feels like this came out of nowhere, it didn’t. Since the CMMC contract clause took effect on , the largest primes in the country have been pushing requirements down their supply chains. Industry reporting and the primes’ own supplier-facing pages show major primes — among them Lockheed Martin, RTX, and General Dynamics — publishing CMMC flow-down requirements for suppliers. The request is the prime doing its job: to document eligibility before they put work on a subcontract.

You can be completely right to protect your full SSP and POA&M — and still lose the subcontract if you hand the prime nothing usable instead. The losing move isn’t oversharing. It’s refusing everything. A prime that can’t document your eligibility will quietly route the work to a sub whose paperwork is cleaner, and you may never get the email explaining why.

Here’s the good news that makes that risk disappear: there’s a clean middle path, and it’s the entire point of this page. Give the prime exactly enough to satisfy their legitimate verification need — status, scope, CAGE alignment, affirmation, and a screenshot or certificate where one exists — and reserve the sensitive documents for a scoped, protected request. That’s not evasive. That’s professional. It keeps the award moving and keeps your security plan off a supplier portal it was never meant to sit on.

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes.


This is independent educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you make representations to a prime, contracting officer, or assessor.

Prime asking for SPRS score / SSP from subcontractor: what should you send first?

Send a limited verification packet, not your full SSP or POA&M. The prime usually needs proof that your CMMC level, assessment type, scope, CAGE code, and affirmation are current — your complete security plan and remediation details are far more sensitive and should be handled separately. Leading with status-level proof satisfies the prime’s award-risk problem without exposing your architecture or your known gaps.

Think of disclosure as a ladder. You start on the bottom rung and only climb when the request — and the protection around it — justifies it.

Rung 1 — Status proof (start here, almost always enough)

  • Company legal name and the CAGE code(s) covered by your assessment or status
  • Your required CMMC level, if you know it
  • Your assessment type: Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC)
  • A short assessment scope summary (what’s in the boundary, in plain language)
  • Your status date and your annual affirmation date
  • Your CMMC UID (the unique identifier SPRS assigns each CMMC assessment) or NIST assessment identifier, where one applies
  • A screenshot or PDF of your own SPRS status/affirmation screen, or a certificate, where appropriate
  • A one-line FCI/CUI scope statement
  • A point of contact for any secure document exchange

Rung 2 — Scope proof (if they need more context)

SSP metadata: the plan’s name, date, and version; the system boundary; how it maps to your CAGE code; a high-level architecture summary if genuinely needed. No control-level detail.

Rung 3 — Redacted documentation (only when contractually required and protected)

Specific, redacted sections of the SSP, or a POA&M status summary, shared through a secure portal under an NDA. Not emailed.

Rung 4 — Full sensitive artifacts (rare, and only when justified)

The full SSP, full POA&M, or evidence files — only when a specific clause requires it, the transfer is secure, and confidentiality terms are in place. This is not the default response to any prime request.

Which SPRS fields to show — and which to redact

A common follow-up is: “Which fields do I actually show, and which do I redact?” Here’s the quick version:

SPRS screenshot / verification packet field guide. Source: 90 FR 43566; SPRS Awardee/Contractor User Guide; editorial analysis.
Show (satisfies verification):
  • CMMC UID; CAGE code(s) covered
  • Required level and assessment type
  • Status date; whether the assessment is current
  • Assessment scope summary
  • Affirmation status and date
  • POA&M usage status (in use / not), where applicable

Redact or withhold:
  • SPRS login credentials (always)
  • CAGE codes or assessments unrelated to this work
  • Your detailed, gap-by-gap POA&M contents
  • Network diagrams, asset inventories, vulnerability data
  • Evidence artifacts (configs, logs, access lists)
  • Anything that is itself CUI — drawings, technical data, contract attachments

Word-for-word reply scripts

These scripts are written to be professional, cooperative, and protective — the tone of a company that knows the rule and is responding to it correctly. Adapt to your situation. Send by email so you have a paper trail.

Reply script: “Send your SPRS score”

Thank you for the request. Please find our CMMC status information below:

CAGE Code(s): [Your CAGE code(s) covered by this assessment]
Required CMMC Level: [Level 1 / Level 2 / Level 3]
Assessment Type: [Self / C3PAO / DIBCAC]
Assessment Scope: [One-sentence boundary description — e.g., “Covers all systems processing CUI in support of [program/contract area]”]
Status / Score Date: [Date of most recent assessment]
Annual Affirmation Date: [Date of most recent affirmation in SPRS]
CMMC UID: [Unique identifier from SPRS, if applicable]
FCI/CUI Scope: [One line: “We will process/store/transmit [FCI/CUI] in support of this subcontract”]

A redacted screenshot of our SPRS status screen is attached. Please let us know if you need additional information, and we will arrange an appropriate secure transfer method for any document-level requests.

Reply script: “Send your SSP”

Thank you for the request. Our System Security Plan is maintained as a sensitive internal document under NIST SP 800-171 Rev. 2 §3.12.4. To support your eligibility review, here is our SSP metadata:

SSP Name/Identifier: [Plan name or reference number]
Version/Date: [Current version and date]
System Boundary: [Brief, non-sensitive boundary description]
CAGE Code Alignment: [Which CAGE code(s) this plan covers]
Status: [Whether you hold a Final or Conditional CMMC status]

If a specific contract clause requires disclosure of the full SSP, please cite the clause and provision, and we will arrange a secure transfer under a written NDA. We do not transmit the full SSP by email or through unsecured supplier portals.

Reply script: “Send your POA&M”

Thank you for the request. Our Plan of Action & Milestones is maintained as a sensitive internal document. Here is the status information most relevant to your eligibility review:

POA&M in Use? [Yes — we hold a Conditional CMMC status / No — we hold a Final CMMC status]
Conditional Status Expiry (if applicable): [Date — within the 180-day window under 32 CFR § 170.21]
Closeout Target Date: [Target date for POA&M closeout]

The detailed gap list in our POA&M describes unimplemented security controls and is sensitive. If disclosure is specifically required by a contract clause, please cite the provision and we will discuss a protected transfer arrangement.

Reply script: “Give us SPRS access” / “your login”

Thank you for the request. SPRS credentials are unique to each awardee/contractor account and are not transferable under the SPRS Awardee/Contractor User Guide. Sharing login credentials would also create a security and audit risk.

Per 90 FR 43566, the intended mechanism is a voluntary, redacted screenshot or certificate. We are attaching a redacted screenshot of our status/affirmation screen. If you need additional information, please let us know what specific field or clause drives the request.

Reply script: “Fill out this 110-control spreadsheet”

Thank you for sharing this. Before we complete it, we want to confirm what you need: are you looking for our posted CMMC status/level evidence, our NIST SP 800-171 assessment score, or control-level implementation detail?

A completed 110-control spreadsheet contains unreviewed implementation admissions and functions similarly to a partial SSP or assessment artifact. We can provide status-level proof (CAGE, level, type, status date, affirmation date, UID/screenshot) that satisfies the DFARS 252.204-7021 eligibility check. If the spreadsheet is a prime-specific supplier-qualification requirement beyond the regulatory floor, please tell us which provision applies and we will respond accordingly.

When you’re ready — not before — get a second set of eyes on the category question.

You already have the reply scripts above; use them. If you’d also like to confirm which kind of help fits your level and environment, tell us your level, scope, and timeline and we’ll map your situation to the right provider category.


Can a prime contractor even see my SPRS score or CMMC status?

Generally, no — there is no automated tool for a prime to view a subcontractor’s CMMC status in SPRS. In the September 10, 2025 CMMC DFARS final rule (90 FR 43566), the Department of Defense stated it has no automated tool that gives upper-tier suppliers visibility into certification status or lets a prime access information in SPRS, and that subcontractors may voluntarily share their CMMC SPRS assessment scores or certificates to facilitate teaming. A voluntary, redacted screenshot or certificate — not a login or a full document dump — is the intended mechanism.

This is the fact that should change how you feel about the whole request. When industry asked DoD this exact question during rulemaking, DoD answered it on the record. Respondents pointed out that SPRS access is limited for primes and asked whether subcontractors would need to provide a screenshot of CMMC compliance. DoD’s response, paraphrased closely from 90 FR 43566: while DoD does not have an automated tool that gives upper-tier suppliers visibility into certification status or lets a prime access information contained in SPRS, subcontractors may voluntarily share their CMMC SPRS assessment scores or certificates to facilitate business teaming arrangements.

That’s the opposite of “your prime can audit your SPRS file.” Your prime is asking you precisely because there’s no button they can press to see it.

Three things are true at once, and holding all three is how you respond well:

  1. There’s no automated way for your prime to view your CMMC status. The request has to come to you.
  2. Your prime still has a real obligation to verify you before award (next section).
  3. The intended answer is a voluntary, limited share — a screenshot, a score, a certificate — not your full security plan and not your credentials.

That’s the whole game. You’re not stonewalling DoD’s system; you’re using it exactly as designed.

What does the prime actually have to verify — and why does that protect you?

Under DFARS 252.204-7021 and 32 CFR § 170.23, the prime must include the CMMC requirement in subcontracts that will require the subcontractor’s systems to process, store, or transmit FCI or CUI, and confirm the subcontractor holds the appropriate current CMMC status and a current annual affirmation before awarding that subcontract. The prime’s eligibility check centers on your status, certificate/status, UID, SPRS entries, and affirmation — not on collecting your internal security documentation — which is exactly why a status-level packet satisfies it.

DFARS 252.204-7021, effective , requires the contractor to have and maintain a current CMMC status, to process, store, or transmit FCI or CUI only on systems at the required status, to complete annual affirmations in SPRS through an affirming official (the senior company official who attests to continuing compliance), and to ensure its subcontractors complete those affirmations before subcontract award and annually after.

Notice what the prime’s eligibility check is built around: your status and your affirmation. A full SSP or POA&M request is a separate supplier-risk, audit, or contract-specific document request — not the default proof packet. When a prime opens with “send the full plan,” they’ve usually overshot what the eligibility check requires — sometimes because a procurement template is dated, sometimes because a cautious supply-chain manager is being thorough. Either way, you’re allowed to meet the actual requirement with status-level proof and to ask before you climb the ladder.

Quick level map — what CUI flow means for your status

  • No FCI or CUI flows to your systems: CMMC isn’t triggered by the information flow. Confirm your contract terms. (32 CFR § 170.23(a))
  • FCI only, no CUI: Level 1 (Self) — 15 FAR 52.204-21 requirements; annual affirmation; no POA&Ms allowed. (32 CFR § 170.23(a)(1))
  • CUI, prime’s contract is Level 2 (Self): Level 2 (Self) minimum — 110 NIST SP 800-171 Rev. 2 requirements. (32 CFR § 170.23(a)(2))
  • CUI, prime’s contract is Level 2 (C3PAO): Level 2 (C3PAO) — same 110 requirements, assessed by a C3PAO. (32 CFR § 170.23(a)(3))
  • CUI, prime’s contract is Level 3: Level 2 (C3PAO) minimum, not Level 3, unless DoD provides specific guidance. (32 CFR § 170.23(a)(4))

Source: 32 CFR Part 170 §170.23. See also: CMMC flow-down requirements.

Do you have to give a prime your full SSP or POA&M?

Usually not as your first response. You are required to have an SSP — it’s a NIST SP 800-171 Revision 2 requirement (§3.12.4), and you can’t produce a valid SPRS score without one — but disclosing the full SSP or POA&M to a prime is a separate security and contract decision. Start with metadata and status; reserve full documents for a scoped, protected, contractually justified request.

Here’s why the instinct to attach the whole SSP and “look cooperative” is the wrong one. Your SSP describes your actual security architecture: what systems you use, what controls you’ve implemented (and which you haven’t yet), your data flows, your access model, and your gaps. A POA&M lists every control you haven’t fully met, along with your planned remediation. Sending either document to a supplier portal or by email exposes your architecture to anyone who receives that email, stores it in a shared drive, or has access to the portal — including people with no need to know. It can also expose you to liability if your stated commitments in the POA&M aren’t met.

The rule doesn’t require it. The prime’s legitimate need is to verify your status — not to audit your implementation. Use the reply scripts above to give them what they need while protecting what they don’t need to see.

Dates that anchor this page

32 CFR Part 170 took effect ; the CMMC DFARS rule took effect . Phase 1 runs from through ; Phase 2 begins . See our CMMC phases guide.

A note on clause numbers in transition

The FAR/DFARS overhaul is moving and renumbering some clauses by class deviation — the SPRS guide and deviation materials use DFARS 252.240-7997 for the NIST SP 800-171 DoD Assessment requirements (previously 252.204-7019/7020), while Acquisition.gov’s codified DFARS still lists 252.204-7019 and 252.204-7020. Until rulemaking codifies the changes, expect to see both. Follow the clause cited in your solicitation or subcontract.

NIST SP 800-171 Rev. 2 vs Rev. 3

CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. DoD has stated that Revision 3 is not currently applicable to the CMMC rule, and substantive changes to CMMC requirements must go through rulemaking. We watch this and update if it changes.

FAQ: prime asking for SPRS score, SSP, or CMMC evidence from a subcontractor

Can a prime contractor see my SPRS score directly?

Generally, no. In the September 10, 2025 DFARS final rule (90 FR 43566), DoD stated it has no automated tool that lets primes access a subcontractor’s information in SPRS, and that subcontractors may voluntarily share their CMMC SPRS scores or certificates. The request has to come to you — which is exactly why a limited screenshot, certificate, UID, or status packet is the right first move.

Can I send a screenshot of SPRS to my prime?

Yes, if you decide it's appropriate and you redact unrelated information. DoD noted that subcontractors may voluntarily share their CMMC SPRS assessment scores or certificates to facilitate teaming. Never share login credentials or unrelated records.

Should I send my full SSP to a prime?

Not as your default first response. Start with SSP metadata — name, date, version, scope boundary, CAGE mapping. Full SSP disclosure should be scoped, protected by an NDA and secure transfer, and contractually justified, because the SSP can reveal sensitive architecture and unimplemented controls.

Should I send my POA&M?

Usually not in full as a first response. Provide POA&M status and a target close date where relevant, then require a specific basis, a secure transfer method, and a confidentiality review before sharing detailed gaps.

Does a subcontractor need CMMC Level 2 if it only handles FCI?

No. Under 32 CFR § 170.23, a subcontractor that only processes, stores, or transmits FCI (not CUI) needs a CMMC Status of Level 1 (Self). CUI work requires Level 2 (Self) at minimum. See: CMMC levels explained.

Does a Level 3 prime contract mean the subcontractor needs Level 3?

Not automatically. If you handle CUI under a Level 3 prime contract, your minimum is Level 2 (C3PAO) under 32 CFR § 170.23, unless the government provides specific guidance.

Is CMMC Level 2 based on NIST SP 800-171 Rev. 2 or Rev. 3?

For CMMC under the current rule, Level 2 is based on NIST SP 800-171 Revision 2. DoD has stated Revision 3 is not currently applicable to the CMMC rule, and substantive changes to CMMC requirements must go through rulemaking.

What if the prime's form says DFARS 7019 or 7020?

Ask whether they want NIST SP 800-171 DoD Assessment score evidence, CMMC status evidence, or both. Clause numbers are in transition: the SPRS guide and FAR-overhaul deviation materials use DFARS 252.240-7997 for the NIST assessment requirements, while Acquisition.gov's codified DFARS still lists 252.204-7019 and 252.204-7020. Follow the clause cited in your subcontract.

Who signs the CMMC affirmation?

An affirming official from your organization submits the affirmation in SPRS after the applicable assessment events and annually thereafter, attesting to continuing compliance.

What is the safest first attachment to send a prime?

A limited verification packet: your CAGE code, assessment scope, required level, status date, affirmation date, a CMMC UID/certificate/screenshot where appropriate, and a one-line FCI/CUI scope statement. See our SPRS status verification guide for what these fields look like.

Can I submit CUI into the Find My CMMC Path tool?

No. Do not submit CUI, drawings, export-controlled technical data, contract attachments, or sensitive system details into any matching form.

You’ve got the answer — here’s the one next step

You now know more than most of the supply chain about how to handle this request: send status-level proof, hold the sensitive documents, match your level to your data, and remember there’s no button your prime can press to see your record anyway. If the only thing left is figuring out who can help you close a real gap, we’ll point you to the right category — not a sales pitch, a starting point.

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
