eMASS vs SPRS for CMMC
What Gets Submitted Where — Scores, UIDs, and Assessment Packages
SPRS (Supplier Performance Risk System) is where summary-level assessment scores and affirmations are made visible to the government per DFARS 252.204-7020 — and where CMMC status reporting under DFARS 252.204-7021 ties to SPRS-issued identifiers. eMASS (Enterprise Mission Assurance Support Service) is where C3PAOs submit the standardized CMMC pre-assessment and assessment-results data using the DoD's data standard templates — referencing evidence via hashing rather than uploading proprietary artifacts.
The two systems serve different audiences and carry different data. Contractors post to SPRS. C3PAOs submit to eMASS. Confusing the two — or assuming that a C3PAO assessment means uploading your SSP and network diagrams to a government database — leads to both operational planning errors and significant compliance risk.
SPRS and eMASS Defined Side by Side
The two systems have overlapping purposes but completely different submission workflows, data types, and responsible parties. Most compliance confusion stems from conflating them.
What Goes Into SPRS: Scores, UIDs, and Required Reporting Touchpoints
Under DFARS 252.204-7020, contractors with DoD contracts are required to conduct a NIST SP 800-171 self-assessment and post the resulting score to SPRS. The score is a numeric value derived from the 110-control point-weighted methodology — a perfect score is 110 and the minimum possible score is −203 when all controls are unimplemented. That score and the date it was assessed must be current and visible in SPRS before contract award.
Under DFARS 252.204-7021, CMMC Level 2 certification status — once achieved — is tracked in SPRS via a CMMC Unique Identifier (UID) issued by the system when a C3PAO assessment is initiated. The UID ties the organization's certification record to the assessment workflow in eMASS, linking the two systems without exposing assessment artifacts in the contractor-visible SPRS portal.
| CMMC Level | Reporting Type | Cadence | Who Posts | Governing Clause |
|---|---|---|---|---|
| Level 1 | Self-assessment score + affirmation | Annually | Contractor (OSC) | DFARS 252.204-7020 |
| Level 2 — Year 1 | C3PAO assessment results + CMMC UID issued | Triennial cycle start | C3PAO → eMASS; SPRS updated via UID | DFARS 252.204-7021 |
| Level 2 — Year 2 | Self-assessment score + annual affirmation | Annual (self) | Contractor (OSC) | DFARS 252.204-7021 |
| Level 2 — Year 3 | Self-assessment score + annual affirmation | Annual (self) | Contractor (OSC) | DFARS 252.204-7021 |
| Level 2 — Year 4 | C3PAO reassessment + certification renewal | Triennial cycle renewal | C3PAO → eMASS; SPRS updated | DFARS 252.204-7021 |
What Goes Into eMASS: Data Standards, Templates, and Assessment Artifacts
eMASS is not a document storage system — it is a structured data intake system. C3PAOs submit assessment information using the CMMC Assessment Data Standard, which defines the exact schemas and templates that eMASS accepts. The system is rigid by design: if a C3PAO attempts to submit data that does not conform to the required format, eMASS rejects the upload.
The consequence of that rigidity is significant for assessment planning. C3PAOs cannot customize the assessment worksheets — columns, field types, and data structures are fixed. If an assessor interviews two control owners for a single practice, both names must fit within a single field with a character limit, separated by a defined delimiter. Knowing this constraint explains why assessor documentation requests are formatted the way they are.
The Hashing Process: Why Your SSP Never Touches eMASS
The most operationally misunderstood aspect of the CMMC reporting workflow is evidence handling. Contractors frequently assume that a C3PAO assessment means handing over their system security plans, network diagrams, and configuration documentation to a government database. This assumption is incorrect — and the mechanism that makes it incorrect is the DoD Artifact Hashing Tool.
Once the hashing tool has been run against the evidence package, the original evidence artifacts are archived by the OSC in secure, controlled storage for a minimum of three years from the assessment date. If DIBCAC conducts a spot audit, it will request the archived files, re-run the hashing tool, and compare the resulting hash to the value stored in eMASS. An exact match provides cryptographic proof that the files are unchanged. Any modification — even a metadata change — produces a different hash and flags the discrepancy.
Only the cryptographic hash string enters eMASS. No policies. No network diagrams. No system security plans. The government record contains mathematical proof that an evidence package was evaluated — and can verify its integrity on demand — without ever holding a copy of the contractor's proprietary security architecture.
Common Misconceptions That Create Compliance Risk
Absolutely no proprietary security artifacts enter eMASS. The government record contains structured assessment data — objective-level findings, scores, and a cryptographic hash that can verify evidence integrity. The underlying documents remain exclusively with the OSC. This architecture exists specifically to prevent the government from holding copies of contractors' security blueprints, which would create exposure if eMASS were ever compromised.
DFARS 252.204-7021 requires annual affirmations during Years 2 and 3 of the triennial certification cycle. These are not passive — they require a current self-assessment score to be posted to SPRS and a senior official attestation affirming ongoing compliance. An organization that assumes the C3PAO certification from Year 1 covers its SPRS obligations in Years 2 and 3 will have a stale SPRS record and will be disqualified from new contract bids during that window.
The CMMC Assessment Data Standard defines the exact schemas, column structures, and field types that eMASS accepts. C3PAOs use templates downloaded directly from eMASS and cannot modify the data structure. eMASS will immediately reject any upload that does not conform to the required format. This rigidity is by design — it ensures consistency and comparability across all Level 2 assessments regardless of C3PAO or OSC.
SPRS is one of the first checks the DoD runs during acquisition screening. An outdated score, a score that reflects a posture the contractor knows has degraded, or a missing affirmation can trigger disqualification before other evaluation criteria are applied. Beyond acquisition, an annual affirmation submitted without a current supporting self-assessment — or an affirmation attesting to compliance the contractor knows is false — carries False Claims Act exposure. SPRS is an active compliance and contracting mechanism, not a background database.
Recordkeeping: What You Must Retain Locally So Integrity Can Be Verified
Because eMASS holds hashes rather than evidence, and SPRS holds scores rather than supporting documentation, the full burden of evidentiary recordkeeping falls on the contractor. The DoD can verify that an assessment occurred and that a specific evidence corpus was evaluated — but only if the OSC has properly archived the artifacts the hash was generated from.
| Record Type | Custodian | Minimum Retention | Audit Use |
|---|---|---|---|
| Original evidence artifacts (policies, configs, screenshots, interview records) | OSC | 3 years from assessment date | DIBCAC re-hashes to verify files match the eMASS hash. Tampering is detectable. Missing files produce hash mismatch. |
| Self-assessment workpapers supporting annual SPRS submissions | OSC | 3 years from affirmation date | FCA investigation or DIBCAC review may request the supporting documentation behind each annual affirmation. A score without documentation is not defensible. |
| Assessment results package (findings, checkpoint logs, deficiency list) | C3PAO | Per C3PAO retention policy | The C3PAO maintains their own copy of the assessment documentation. eMASS holds the structured data; the C3PAO holds the full package. |
| Cryptographic hash value and hashing tool run record | OSC | 3 years from assessment date | The OSC should retain both the hash output and a record of when the hashing tool was run and against which file set. This supports any future integrity challenge. |
| Objective-level findings, final score, CMMC UID | eMASS (DoD) | Maintained in eMASS indefinitely | The government's authoritative record of assessment results and certification status. OSCs can view their own records in eMASS via the portal. |
| SPRS scores and affirmation records | SPRS (DoD) | Maintained in SPRS; OSC retains supporting workpapers separately | SPRS history shows score trends over time. Contracting officers can review score history during acquisition screening and during contract performance reviews. |
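The verification workflow described in "The Hashing Process" section and in the recordkeeping table above (archive the evidence set, keep a hashing run record, re-hash on audit, and treat a modified or missing file as a mismatch) can be illustrated with a small script. The following is an added example written for this page; it is not the DoD Artifact Hashing Tool, whose exact algorithm and output format the page does not specify. It assumes SHA-256 over file contents with a deterministic package hash over the sorted manifest, so it detects content changes and changes to the file set; the directory layout, file names and file contents are constructed sample data.

```python
"""Evidence-archive integrity check (illustrative, not the DoD Artifact Hashing Tool).

Builds a SHA-256 manifest over an archive directory, keeps it as the
'hashing tool run record', and later verifies the archive against it,
reporting modified, missing and unexpected files.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large artifacts stream


def hash_file(path: Path) -> str:
    """SHA-256 hex digest of one file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Per-file hashes keyed by POSIX-style relative path, plus a package hash.

    Files are visited in sorted order and each 'path\\0digest\\n' line is fed
    into the package hash, so the same file set always yields the same value.
    """
    files = sorted(p for p in root.rglob("*") if p.is_file())
    entries = {p.relative_to(root).as_posix(): hash_file(p) for p in files}
    pkg = hashlib.sha256()
    for rel, digest in entries.items():
        pkg.update(f"{rel}\0{digest}\n".encode())
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),  # run record
        "files": entries,
        "package_hash": pkg.hexdigest(),
    }


def verify_archive(root: Path, manifest: dict) -> dict:
    """Re-hash the archive and diff it against the retained manifest."""
    current = build_manifest(root)["files"]
    expected = manifest["files"]
    modified = sorted(r for r in expected if r in current and current[r] != expected[r])
    missing = sorted(r for r in expected if r not in current)
    unexpected = sorted(r for r in current if r not in expected)
    # Recompute the package hash from the current file set for the headline result.
    pkg = hashlib.sha256()
    for rel, digest in current.items():
        pkg.update(f"{rel}\0{digest}\n".encode())
    return {
        "match": pkg.hexdigest() == manifest["package_hash"],
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed evidence set: record, verify clean, then tamper and re-verify."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "policies").mkdir()
        (root / "policies" / "access-control-policy.txt").write_text("constructed sample policy\n")
        (root / "configs").mkdir()
        (root / "configs" / "firewall.conf").write_text("constructed sample config\n")
        (root / "interview-notes.txt").write_text("constructed interview record\n")

        # The manifest is the run record the OSC retains alongside the archive;
        # round-trip through JSON to show it survives being stored as a file.
        manifest = json.loads(json.dumps(build_manifest(root)))
        results["clean"] = verify_archive(root, manifest)

        # Simulated tampering: a content change to one artifact ...
        with (root / "configs" / "firewall.conf").open("ab") as f:
            f.write(b"# appended after assessment\n")
        results["modified"] = verify_archive(root, manifest)

        # ... and a missing artifact.
        (root / "interview-notes.txt").unlink()
        results["missing"] = verify_archive(root, manifest)
    return results


if __name__ == "__main__":
    for stage, r in demo().items():
        print(stage, "match" if r["match"] else "MISMATCH", r["modified"], r["missing"])
```

Running the script prints a clean match for the untouched archive, then a mismatch naming `configs/firewall.conf` after the edit and `interview-notes.txt` after the deletion. The manifest should be stored outside the hashed directory, since writing it inside the archive would itself change the file set.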
The Bottom Line
SPRS and eMASS are complementary but distinct systems with different users, different data types, and different compliance obligations. Contractors post scores and affirmations to SPRS on the schedules defined in DFARS 252.204-7020 and 252.204-7021. C3PAOs submit structured assessment data and hashes to eMASS using the CMMC Assessment Data Standard. Proprietary security artifacts stay with the contractor, archived for three years against the possibility of a DIBCAC audit that will verify their integrity cryptographically.
The practical consequence of misunderstanding either system — a missed annual affirmation, a stale SPRS score, an evidence archive that has been modified — ranges from contract disqualification to False Claims Act exposure. Neither system is administrative overhead. Both are active compliance mechanisms with immediate consequences for non-compliance.
The three-year archive is not something you set up after the assessment. It is something you design before it — a controlled, access-restricted location where the exact files the hashing tool ran against will remain unchanged until three years after the assessment date. The hash is only as trustworthy as the archive behind it.