CMMC LEVEL 2 SELF- ASSESSMENT
QUICK ENTRY GUIDE

VERSION 4.0

1. PIEE Access:

A “SPRS Cyber Vendor User” role is required to enter CMMC
Assessment information. PIEE Access Instructions:
https://www.sprs.csd.disa.mil/access.htm

2. SPRS Application and Module Access:

a. PIEE landing page: https://piee.eb.mil/piee-landing/
b. Click “LOG IN”

Screenshot of the US government website for the President's Information and Enterprise Environment (PIEE), showing menu options like About, Features, Capabilities, Help, Contact, and login buttons.

c. Select SPRS:

Supplier Performance Risk System logo with blue and white colors

d. Select Cyber Reports (CMMC & NIST):

Screenshot of an online compliance reporting dashboard showing sections for home, logout, compliance reports, and cyber reports.

3. Cyber Reports (CMMC & NIST):

Select the desired Hierarchy, identified by the HLO, from the drop down and select Run Cyber Reports button.

Dropdown menu showing options to select CAGE, with a button labeled 'Run Cyber Reports'.

NOTE: An asterisk * indicates the user has the SPRS Cyber Vendor User role (access to add/edit/delete)

3.1 Add New CMMC Level 2 Self-Assessment:

Within the CMMC Assessments and CMMC Level 2 (Self) tabs, select “Add New Level 2 CMMC Self-Assessment”.

Screenshot of a cybersecurity reports webpage showing assessment details, company hierarchy, CMMC assessments, and options to add new assessments.

3.2 Enter Assessment Details:

Enter assessment data; review Requirement Objectives to each Requirement Number by selecting the Requirement Objectives button. Select the applicable Compliance Status. Select Save and Continue to navigate through each Requirement Family.

Screenshot of a cybersecurity report form titled 'CYBER SECURITY REPORTS' for Company A, focusing on 'Access Control (AC)' requirements, showing requirement objectives, descriptions, compliance status, and options to save or continue.

3.3 Review Assessment Details:

Answers to Requirements must be complete prior to continuing.

Screenshot of a computer screen displaying a CAGE code self-assessment form with various compliance status indicators, buttons labeled 'Previous' and 'Continue,' and a table showing requirement numbers with their compliance statuses.

3.4 Additional Assessment Details:

Add Assessing Scope, Employee Count, and Included CAGE(s) as required. Select the “Open CAGE Hierarchy” button to add CAGEs or enter comma delimited CAGEs in the data field provided. Select “Save and Continue.”

Screenshot of a cybersecurity report form titled "CYBER SECURITY REPORTS" showing company details, assessment standards, and a step-by-step progress bar. The form is on the 'Enter CMMC Assessment Details' step, with fields for assessing scope, number of employees, and included CAGE codes. There are buttons for navigating back and saving progress.

NOTE: CAGE Hierarchy data is imported from the System for Award Management (SAM). Users are unable to add CAGEs that are not part of their company hierarchy.

3.5 Score:

Only CMMC L2 Conditional (score = 88 to 109) and Final Self-Assessments (score = 110) can be affirmed.

Screenshot of a cybersecurity report showing the final score of 107, assessment details, and instructions for further steps.

NOTE: If a requirement is not able to be subject to a Plan of Action and Milestones (POA&M), then the Status Type will be No CMMC Status regardless of score.

3.6 Transfer to Affirming Official (AO):

If the user entering the assessment is not the AO, the assessment can be forwarded via email, to the AO by entering their email and selecting “Transfer to AO”.

Screenshot of an online form for Affirming Official confirmation. It includes instructions to select or enter an email and buttons labeled 'Continue to Affirmation,' 'Transfer to AO,' and 'Cancel.'

3.7 Affirm the Assessment:

Review the assessment details, certify review of the affirmation statement, and select “Affirm”.

Screenshot of an online assessment submission form for a cybersecurity maturity assessment, showing details like report date, assessment standard, score, scope, and options to view results and additional information.

3.8 Assessment Edit/Cancel/Delete:

A Cyber Vendor User may Edit, Cancel, or Delete certain CMMC Status Types. Select the available icon to complete the action.

Screenshot of a report table showing CMMC compliance status details, including assessment phases, dates, scope, and company size, with a highlighted row in red indicating the final self-assessment.

NOTE: A “CMMC L2 Conditional Level 2 Self-Assessment” is valid for 180 days. A “CMMC L2 Final Level 2 Self-Assessment”, with annual affirmations verifying compliance, is valid for 3 years.”