Compliance Defense June 1, 2026 · 5 min read

Vanta Just Automated CMMC Score Tracking. Your Employees Can Still Paste CUI Into ChatGPT.

Vanta's new SPRS Score tracking closes the compliance documentation gap for CMMC Level 2 — but documentation isn't enforcement, and that distinction matters for DoD contractors.

Vanta shipped something genuinely useful for defense contractors last week. Their May 2026 update added SPRS Score tracking directly inside the platform — meaning CMMC Level 2 customers can now track their 110-point NIST SP 800-171 self-assessment score in real time, with automatic updates as controls are marked implemented. When the score hits 110, Vanta surfaces the guidance needed to complete the self-assessment and submit to the SPRS portal.

That's a real workflow improvement. SPRS submissions have historically been a manual, painful process. Automating the tracking layer saves compliance teams hours.

But there's a gap in this picture that Vanta's announcement doesn't address — and it's the gap that matters most for AI-era DoD contractors.

What SPRS Actually Measures

SPRS stands for Supplier Performance Risk System. It's a self-assessed score submitted to the Department of Defense that reflects your organization's compliance posture against all 110 security requirements in NIST SP 800-171. Higher scores mean better posture. Submitting an accurate score is a fundamental requirement for CMMC Level 2 certification.

The key word is self-assessed. Your SPRS score reflects what your security policies say your organization does. It does not reflect what your employees are actually doing at 2pm on a Tuesday when they're stuck on a deliverable and they paste a project brief into ChatGPT.

The AI Enforcement Gap CMMC Doesn't Cover

NIST SP 800-171 Requirement 3.13.1 requires organizations to protect the confidentiality of CUI at rest and in transit. CUI — Controlled Unclassified Information — is exactly the kind of sensitive defense-related data that cannot leave your organization's security boundary.

Your SPRS score might be 110 points. Your CMMC documentation might be immaculate. And your employees might still be pasting CUI into publicly accessible LLMs daily, without any system intercepting that traffic.

This isn't a hypothetical. Shadow AI use in enterprise settings is now the norm, not the exception. Defense contractors are under particular pressure to move fast on AI-enabled workflows — the same pressure that leads to CUI going places it shouldn't.

CMMC's current framework treats AI tools as a data-handling risk (which they are), but the enforcement mechanisms it specifies are policy-based: document what's allowed, train employees on acceptable use, track compliance through the self-assessment process.

None of that stops an employee from opening a browser tab.

What Runtime Enforcement Actually Looks Like

Vanta's SPRS tracking closes a documentation gap. What CMMC Level 2 contractors also need is a runtime enforcement layer — a system that sits between the employee and the LLM, checks each submission against your CUI policies in real time, and blocks or alerts before data leaves your security boundary.

That's what Containment.AI's proxy layer does. When an employee on a contractor network tries to paste a document into ChatGPT, the request routes through Containment.AI's policy gateway. If the content triggers a CMMC-aligned CUI policy — identifying controlled technical data, export-controlled information, or contractor-sensitive details — it's blocked before it reaches the LLM. The incident is logged with a full audit trail: who tried, what they pasted, what policy fired, and when.

The SPRS score tells DoD that you have a policy. The audit trail tells DoD that the policy ran — in production, in real time, against real employee actions.
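To make the enforcement model concrete, here is a small policy gateway in Python. It is an added illustration, not Containment.AI's code; the rule names, the regex patterns, and the `evaluate`/`gateway` functions are assumptions chosen to mirror the description above: inspect each submission, block on a CUI policy hit, and write an audit record of who, what, which policy, and when.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Illustrative CUI-indicator rules, evaluated in order. The banner patterns follow
# CUI marking conventions (CUI or CONTROLLED, optionally with a category designator
# such as SP-CTI or SP-EXPT); distribution statements and ITAR phrases are common
# in defense documents. These are assumed example rules, not a full CUI detector.
POLICIES = {
    "cui-banner-marking": [r"\bCUI\b(?://[A-Z-]+)?", r"\bCONTROLLED\b"],
    "controlled-technical-info": [r"\bSP-CTI\b", r"\bDISTRIBUTION STATEMENT [B-F]\b"],
    "export-controlled": [r"\bSP-EXPT\b", r"\bITAR\b"],
}

@dataclass
class Decision:
    allowed: bool
    policy: Optional[str]                      # first policy that fired, if any
    matches: List[str] = field(default_factory=list)

@dataclass
class AuditRecord:
    who: str       # who tried
    when: str      # when (UTC, ISO 8601)
    policy: str    # what policy fired
    excerpt: str   # what they pasted, truncated for the log

def evaluate(text: str) -> Decision:
    """Check one LLM submission against the CUI policies; block on the first hit."""
    for name, patterns in POLICIES.items():
        hits = [m.group(0) for p in patterns for m in re.finditer(p, text)]
        if hits:
            return Decision(allowed=False, policy=name, matches=hits)
    return Decision(allowed=True, policy=None)

def gateway(user: str, text: str, audit_log: List[AuditRecord]) -> Decision:
    """The proxy decision point: only an allowed request would be forwarded to the LLM."""
    decision = evaluate(text)
    if not decision.allowed:
        audit_log.append(AuditRecord(
            who=user,
            when=datetime.now(timezone.utc).isoformat(),
            policy=decision.policy,
            excerpt=text[:80],
        ))
    return decision
```

In a real deployment the gateway would sit in the HTTPS path to the LLM provider and the audit log would feed the SIEM; the pattern list is the part a contractor would replace with its own CUI policy.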

The Compliance Stack Defense Contractors Actually Need

CMMC compliance requires documentation and enforcement. Vanta and tools like it handle the documentation layer well. But as employees increasingly use AI tools to accelerate delivery on defense contracts, the enforcement layer matters more, not less.

Vanta automating SPRS tracking is good news for compliance teams. It doesn't change the fundamental gap between "we have a policy about LLM use" and "we enforce that policy in real time."

If you're a CMMC Level 2 contractor evaluating your AI governance stack, ask this one question: when an employee opens ChatGPT and starts typing, what intercepts that request and checks it against your CUI policies?

If the answer is "our acceptable use policy document" — that's a SPRS score waiting to take a hit.


Containment.AI enforces AI governance policies in real time — at the proxy layer, before sensitive data leaves your organization. Try it free.
