The CMMC OMB Review marks the final stage before the Cybersecurity Maturity Model Certification (CMMC) rule is finalized. For small and medium DIB contractors, this is the time to complete your Level 1 SPRS self‑assessment and secure DoD contract eligibility.

Here’s why this matters: OMB review is usually the last stop before a final rule is published in the Federal Register. Once approved, contracting officers will be prohibited from awarding new contracts or exercising options unless your company is compliant.

Depending on interagency coordination, the final rule could be approved in as little as 60 days or take up to six months. Either way, small and medium Defense Industrial Base (DIB) companies need to act now to secure their eligibility for DoD contracts.

Waiting until the rule is finalized is risky. DoD has made it clear:

• If you handle Federal Contract Information (FCI), you must have a current Level 1 self‑assessment in SPRS.

• Without an active record in SPRS, contracting officers cannot award your company new work.

The key takeaway: proactive compliance protects your pipeline.

The Supplier Performance Risk System (SPRS) is the DoD’s official database for tracking contractor cybersecurity compliance. Contracting officers check it before making awards or exercising contract options.

To submit your self‑assessment, you need to:

1. Have a valid CAGE Code for your business.

2. Register in PIEE (Procurement Integrated Enterprise Environment) to access SPRS.

3. Assign the “SPRS Cybersecurity Assessment” role to the responsible employee.

4. Submit your Level 1 self‑assessment with an attestation from a senior company official.

Once submitted, your assessment in SPRS becomes your proof of eligibility for DoD contracts.

If you’re unsure where to start, the DoD has an official resource: Project Spectrum.

Project Spectrum provides:

• Interactive self‑assessment tools for both Level 1 (FCI) and Level 2 (CUI).

• Checklists, guides, and wizards to walk you through every control.

• Reports you can generate and retain for internal documentation.

Pro tip: Use Project Spectrum to perform your self‑assessment, then submit the attestation in SPRS to officially register compliance.

Level 1 focuses on protecting Federal Contract Information (FCI) with 15 basic safeguarding controls defined in FAR 52.204‑21.

Key points for Level 1:

• 15 controls must be fully implemented—no partial credit

• POA&Ms (Plans of Action & Milestones) are not allowed

• Self‑attestation is required annually and must be submitted in SPRS

Completing your self‑assessment is straightforward:

• Select your assessment date and scope

• Confirm compliance with all 15 controls

• Enter your CAGE Code(s)

• Submit the attestation in SPRS

If your company handles Controlled Unclassified Information (CUI), you’ll eventually need to meet CMMC Level 2 requirements:

• 110 cybersecurity controls from NIST SP 800‑171 Rev 2.

• C3PAO (third‑party) certification instead of self‑attestation.

• System Security Plan (SSP) and limited POA&M usage for remediation.

Level 2 compliance takes planning—gap analysis and remediation can take months. Starting early is critical if your contracts involve CUI.

• Complete Your Level 1 Self‑Assessment

  • Implement the 15 FAR-based controls.

  • Verify compliance using Project Spectrum.

• Submit Your Attestation in SPRS

  • Required to remain eligible for DoD contracts.

  • Update annually or after any major environment change.

• Plan Ahead for Level 2 if Handling CUI

  • Begin gap analysis against NIST 800‑171.

  • Schedule remediation and prepare for C3PAO assessment.

Kell Engineering specializes in helping small and medium DIB companies achieve and maintain CMMC compliance:

• Level 1 Self‑Assessment & SPRS Submission Support

• Level 2 Gap Analysis, POA&M Development, and Readiness

• Solution Architecture for DoD Cybersecurity Compliance

We make compliance clear, efficient, and contract‑ready—so you can focus on winning work.

📞 Contact Kell Engineering Today

• Phone: +1 (813) 602‑0668

• Email: contact@kellengineering.com

• Web: www.kellengineering.com

The CMMC OMB Review could move to a final rule in as little as 60 days.

• Use Project Spectrum to assess your compliance

• Submit your Level 1 attestation in SPRS

• Plan ahead for Level 2 if you handle CUI

Acting now ensures your company remains DoD contract‑eligible during and after the CMMC OMB Review.