
How to Calculate Your SPRS Score for CMMC (2026)

Posted: May 21, 2026 to Compliance.

If you are a Department of Defense subcontractor or prime, your Supplier Performance Risk System (SPRS) score is the single number that decides whether contracting officers can award you a contract that touches Controlled Unclassified Information (CUI). Most subs we audit at Petronella Technology Group walk into their first SPRS conversation assuming the score works like an academic exam - start at zero, earn points for things you do well, finish somewhere between 0 and 100. That is exactly backwards. SPRS scoring under the DoD Assessment Methodology starts you at 110 points and subtracts for each of the 110 NIST 800-171r2 security controls you have not fully implemented. Partial credit exists, but it is grudging. The deduction values are weighted (5, 3, or 1 point) by how badly a missing control hurts your CUI posture. A perfect score is 110. The lowest legitimate score is -203. Most first-time DoD subs we assess score between 40 and 75 before remediation, which is enough to disqualify them from the contracts they were hoping to win.

This guide explains exactly how SPRS scoring works, walks through a worked example, and shows you how to use the free Petronella SPRS calculator to produce a defensible self-assessment in under five minutes. We have written it for a real DoD subcontractor audience - companies that have just received a DFARS 252.204-7019 or 252.204-7020 flow-down clause and are trying to figure out what their next 90 days look like. By the end, you should be able to compute your own score, file it correctly in the SPRS portal, and decide whether you need outside Cyber AB Registered Provider Organization (RPO) help to get from where you are to where the contract requires you to be.

What is the Supplier Performance Risk System (SPRS)?

SPRS is the DoD's enterprise-wide supplier risk database, operated by the Naval Sea Logistics Center. It collects three families of data about every CAGE-coded supplier in the defense industrial base. The first family is performance data - on-time delivery, quality escapes, and contract terminations. The second is supplier financial risk. The third, and the one this article is about, is cyber risk - specifically, your self-attested or third-party-assessed posture against the 110 NIST 800-171r2 controls that protect CUI.

SPRS is not a substitute for Cybersecurity Maturity Model Certification (CMMC). It is the system of record that contracting officers query before awarding a DoD contract. If you do not have a current SPRS score on file - or worse, you have a low one - your bid is administratively non-responsive on contracts that flow down DFARS 252.204-7019, 252.204-7020, or, once the CMMC final rule fully applies in 48 CFR contracts, the CMMC clause. Think of SPRS as the credit bureau of the defense supply chain. The score does not have to be perfect, but it does have to be current, honest, and accompanied by a credible plan to close any gaps. Read more about how SPRS fits into the broader compliance picture in our CMMC compliance guide.

Why every DoD contractor needs a current SPRS score

Three rules force SPRS scoring into every CUI-handling contract.

DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) requires offerors to have a current Basic Assessment posted in SPRS at the time of contract award. "Current" means within the last three years. No score on file at solicitation closing equals no award. This clause has been mandatory in DoD contracts that touch CUI since November 30, 2020.

DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements) obligates contractors and their subcontractors to provide access for Medium and High DoD Assessments by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) when required. It also requires you to flow the same clause down to every subcontractor in your chain that will handle CUI. That flow-down is one of the most overlooked compliance traps in the DIB.

The CMMC rule (48 CFR clause 252.204-7021) formalizes the certification tier that sits on top of NIST 800-171. Once CMMC is fully phased into solicitations, your SPRS score becomes the input to the C3PAO Level 2 assessment, and any gap between your self-attestation and the assessor's findings becomes a paper trail you would rather not have. Aligning the two now is cheap. Aligning them after a failed C3PAO trip is not. We cover the certification pathway separately in our CMMC Level 2 overview.

The DoD Assessment Methodology v1.2.1 in plain English

The DoD Assessment Methodology, version 1.2.1, dated June 24, 2020, is the rulebook for how SPRS scores get calculated. It is a 32-page document, but the entire scoring logic comes down to four ideas.

Idea one - 110 controls, three weights. Of the 110 NIST 800-171r2 controls, 42 are weighted at 5 points, 14 are weighted at 3 points, and the remaining 54 are weighted at 1 point. The weight reflects how much risk a missing control creates for the CUI you handle. Identification and authentication, access control, and incident response controls cluster heavily in the 5-point band. Awareness and training controls cluster in the 1-point band.

Idea two - start at 110, subtract for misses. You begin with the maximum score of 110 points - one point credit for each control. For every control you have not fully implemented, you subtract the weighted value (5, 3, or 1). The math is deduction-based, not additive.

Idea three - limited partial credit. Two of the 5-point controls (3.5.3 Multifactor Authentication and 3.13.11 FIPS-validated cryptography) allow partial credit if you have implemented the control for a defined subset of your environment (for example, MFA on privileged accounts but not on regular user accounts). Partial credit on 3.5.3 is 3 points instead of 5, and the same applies to 3.13.11. Three additional controls (3.5.3 again in a different scope, 3.13.11 again, and 3.13.8) have similar limited partials. Every other control is binary - implemented or not.

Idea four - the floor is negative. If you fail every control, your score is not zero. It is -203 (the sum of every weighted deduction). Negative scores are real and they are visible to contracting officers in SPRS. Most of the conversations we have with new DoD subs at Petronella Technology Group involve scores in the +40 to +75 range, which feels okay until you realize the contract you want requires +88 or better.

Step-by-step: how to calculate your SPRS score

Here is the procedure we walk every Petronella client through during a Basic Self-Assessment. You can do this with a spreadsheet, the official DoD Assessment Methodology PDF, and a few hours of focused work. Or you can drop your control responses into the Petronella SPRS calculator and have the math done in five minutes.

  1. Define your CUI scope. Before scoring any control, document which information systems process, store, or transmit CUI. Out-of-scope systems do not count, but you must be honest about boundaries. Most subs over-scope (counting their entire network) or under-scope (counting only a single workstation). Both are wrong and both create audit risk later.
  2. Assemble your System Security Plan (SSP). The SSP is the document that describes how each of the 110 controls is implemented. NIST 800-171r2 requires you to have one. If you do not have an SSP, you cannot honestly score - you can only guess. Our NIST 800-171 overview covers SSP scope in detail.
  3. Score each control as Met, Not Met, or Partial. For each of the 110 controls, document objective evidence (a screenshot, a policy reference, a configuration export) that supports the score. "We have a firewall" is not evidence. "Palo Alto PA-440 running PAN-OS 11.1 with rule set exported 2026-03-14 attached" is evidence.
  4. Apply the weighted deductions. Start at 110. For each Not Met, subtract the control's weight (5, 3, or 1). For each Partial on the eligible controls, apply the partial-credit value listed in DoD Assessment Methodology Annex A.
  5. Sum your score. The result is your Basic Assessment SPRS score, valid for three years from the date you sign the self-attestation.
  6. Build a POA&M for every Not Met or Partial. A Plan of Action and Milestones is not optional - it is the bridge from your current score to compliance. SPRS does not award POA&M credit, but C3PAO assessors and contracting officers will absolutely read it.
  7. Submit your score in SPRS. The supplier or an authorized representative posts the score, the SSP version date, and an attestation date through the SPRS web portal at sprs.csd.disa.mil.

Worked example: a small machine shop scoring six controls

Imagine a 20-person CNC machining sub in Greensboro, NC, that just received a flow-down on a Navy aerospace contract. They have basic IT, no MDM, and a single shared admin account on their domain controller. Here is what their first six control reviews look like.

  • 3.1.1 (Limit system access to authorized users) - 5 points. Active Directory in place, accounts provisioned per role. Met. No deduction.
  • 3.1.2 (Limit system access to authorized transactions) - 5 points. No application-layer access control beyond OS file permissions. Not Met. Subtract 5. Score now 105.
  • 3.5.3 (Use multifactor authentication for privileged and remote access) - 5 points. MFA on the VPN, but not on local admin or domain admin accounts. Partial. Subtract 2 (5 minus 3). Score now 103.
  • 3.6.1 (Establish incident-handling capability) - 5 points. No written IR plan, no tabletop exercise. Not Met. Subtract 5. Score now 98.
  • 3.8.3 (Sanitize or destroy media before disposal) - 3 points. Drives are shredded by a NAID-certified vendor with certificates of destruction. Met. No deduction.
  • 3.13.11 (Employ FIPS-validated cryptography to protect CUI) - 5 points. BitLocker on laptops in FIPS mode, but no FIPS mode on Microsoft 365 message encryption. Partial. Subtract 2. Score now 96.

Six controls reviewed, two Not Met, two Partial, two Met. Running score after just 6 of 110 controls: 96. Real-world Basic Assessments for unprepared subs end up in the +40 to +70 range because the Not Met count climbs into the 30s and 40s as you work through access control, audit/accountability, and incident response. The good news: the same controls that cost the most points to fail are also the ones that benefit most from a single tooling investment (typically an XDR platform combined with managed identity).
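To make the arithmetic above checkable, here is an added Python scorer written for this article (example code, not the Petronella SPRS calculator). It applies the rules exactly as this article states them: start at 110, subtract the full weight for each Not Met, and on the two partial-credit-eligible controls subtract 2 points (5 minus 3) for a Partial. A Partial recorded on any other control is scored as Not Met, which is how third-party review treats it. The weight table is a hand-picked subset of Annex A limited to the controls this article names, and the evidence strings for the machine-shop findings are constructed. The same block orders the open gaps by points recoverable, which is the triage-by-weight order a starter POA&M should follow.

```python
"""Basic Assessment scorer following the SPRS rules as stated in this article.

Added example, not the Petronella SPRS calculator. The weight table is a
hand-picked subset of DoD Assessment Methodology Annex A covering the controls
this article names; the full table has 110 rows.
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110

# Subset of the Annex A weights (5 / 3 / 1 points per control).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.5.3": 5, "3.6.1": 5, "3.13.8": 5, "3.13.11": 5,
    "3.5.7": 3, "3.8.3": 3,
    "3.2.1": 1, "3.12.2": 1,
}

# Partial credit as this article states it: a Partial on 3.5.3 or 3.13.11
# deducts 2 points (5 minus 3) instead of the full 5.
PARTIAL_DEDUCTION = {"3.5.3": 2, "3.13.11": 2}


class Status(Enum):
    MET = "Met"
    NOT_MET = "Not Met"
    PARTIAL = "Partial"


@dataclass(frozen=True)
class Finding:
    control: str        # NIST 800-171r2 control id, e.g. "3.5.3"
    status: Status
    evidence: str = ""  # objective evidence backing the status


def deduction(finding: Finding) -> int:
    """Points subtracted for one control under the article's rules."""
    weight = WEIGHTS[finding.control]
    if finding.status is Status.MET:
        return 0
    if finding.status is Status.NOT_MET:
        return weight
    # Partial is only meaningful on the eligible controls; anywhere else a
    # third-party reviewer scores it as Not Met, so deduct the full weight.
    return PARTIAL_DEDUCTION.get(finding.control, weight)


def basic_assessment_score(findings: list[Finding]) -> int:
    """110 minus the weighted deductions. Rejects unknown and duplicate ids."""
    seen: set[str] = set()
    for f in findings:
        if f.control not in WEIGHTS:
            raise KeyError(f"{f.control} is not in the weight table")
        if f.control in seen:
            raise ValueError(f"{f.control} scored twice")
        seen.add(f.control)
    return MAX_SCORE - sum(deduction(f) for f in findings)


def _control_key(control: str) -> tuple[int, ...]:
    # "3.13.11" must sort after "3.5.3" numerically, not lexically.
    return tuple(int(part) for part in control.split("."))


def remediation_priority(findings: list[Finding]) -> list[tuple[str, str, int]]:
    """Open gaps as (control, status, points recoverable), highest points first.

    This is the triage-by-weight order: one 5-point Not Met outranks five
    1-point Not Mets, so it belongs at the top of the POA&M.
    """
    gaps = [(f.control, f.status.value, deduction(f))
            for f in findings if deduction(f) > 0]
    return sorted(gaps, key=lambda g: (-g[2], _control_key(g[0])))


# Constructed sample: the six controls from the machine-shop example.
MACHINE_SHOP = [
    Finding("3.1.1", Status.MET, "AD in place, accounts provisioned per role"),
    Finding("3.1.2", Status.NOT_MET, "no access control beyond OS file permissions"),
    Finding("3.5.3", Status.PARTIAL, "MFA on VPN, not on local or domain admin"),
    Finding("3.6.1", Status.NOT_MET, "no written IR plan, no tabletop"),
    Finding("3.8.3", Status.MET, "NAID-certified shredding with certificates"),
    Finding("3.13.11", Status.PARTIAL, "BitLocker FIPS mode; M365 encryption not FIPS"),
]

if __name__ == "__main__":
    print("Running score:", basic_assessment_score(MACHINE_SHOP))
    for control, status, points in remediation_priority(MACHINE_SHOP):
        print(f"  {control:<8} {status:<8} recovers {points} point(s)")
```

Running the block reproduces the article's running score of 96 and lists 3.1.2 and 3.6.1 ahead of the two Partials. Extending it to a real assessment means replacing WEIGHTS with the full 110-row Annex A table and feeding it one Finding per control; the duplicate and unknown-id checks are there because the most common spreadsheet errors we see are a control scored twice and a control typed with the wrong number.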

All 110 NIST 800-171 controls by weighting

The table below summarizes how the 110 controls distribute across the three weight categories, with representative high-impact controls in each band. The full list lives in DoD Assessment Methodology Annex A.

Weight   | Control count | Representative controls (deduction if Not Met)
5 points | 42 controls   | 3.1.1 access control, 3.1.2 transaction control, 3.1.20 connections to external systems, 3.3.1 audit logging, 3.4.1 baseline configuration, 3.4.2 configuration enforcement, 3.5.3 multifactor authentication, 3.6.1 incident handling, 3.11.2 vulnerability scanning, 3.13.1 boundary protection, 3.13.5 publicly accessible system components, 3.13.8 cryptographic protection, 3.13.11 FIPS cryptography, 3.14.1 flaw remediation, 3.14.2 malicious code protection, 3.14.4 update signatures
3 points | 14 controls   | 3.1.12 monitor remote access, 3.5.7 password complexity, 3.8.3 media sanitization, 3.10.3 escort visitors, 3.11.1 risk assessments, 3.12.1 control assessments, 3.13.6 deny network communications by default, 3.13.16 protect confidentiality of CUI at rest
1 point  | 54 controls   | 3.2.1 security awareness training, 3.2.2 role-based training, 3.7.1 maintenance, 3.7.2 maintenance tools, 3.8.1 media protection, 3.9.1 personnel screening, 3.10.1 physical access authorizations, 3.10.2 monitor physical facility, 3.11.3 remediate vulnerabilities, 3.12.2 develop POA&Ms

If you are early in your CMMC journey and have limited budget, the 42 five-point controls are where you should focus first. A single Not Met five-point control costs you more than five Not Met one-point training controls combined. Triage by weight, not by the order the controls appear in the standard.

POA&M: what improves your score and what does not

A Plan of Action and Milestones (POA&M) is the project plan that documents how and when you will close each gap identified during your Basic Assessment. It is required under NIST 800-171 control 3.12.2 and is the artifact every C3PAO assessor opens first.

Here is the rule that trips up most subs: posting a POA&M in SPRS does not raise your score. The score reflects implemented controls, not planned ones. The only way to raise your number is to implement the control, document the implementation in your SSP, and re-attest in SPRS. A POA&M does, however, signal to a contracting officer that you are actively closing the gap, which can be the difference between a Conditional CMMC Level 2 award and no award.

Effective POA&Ms include four elements per gap. First, the specific control number and a one-sentence description of the deficiency. Second, the remediation owner (a named individual, not a department). Third, the milestone date by which the gap will be closed (typically 90, 180, or 270 days). Fourth, the resource commitment (budget, tooling, headcount) required to hit that date. Vague POA&Ms - "we will address this in 2026" - do not survive contact with a DIBCAC assessor.

How to submit your score in the SPRS portal

SPRS submission is procedurally simple, but the access path catches first-timers. Here are the high-level steps. Always validate against the current SPRS Access Procedure at sprs.csd.disa.mil before submitting.

  1. Obtain Procurement Integrated Enterprise Environment (PIEE) access. SPRS is reached through the PIEE single sign-on portal. Your company likely already has PIEE access for invoicing through WAWF; the same login works.
  2. Register a Cyber Reports Contractor/Vendor Submitter role. The PIEE administrator at your company (often the contracts officer) grants this role. Without it you cannot post a score.
  3. Confirm your CAGE code is associated correctly. One CAGE per legal entity. If you operate multiple business units, each CAGE needs its own assessment.
  4. Enter the assessment record. Required fields include CAGE code, assessment date, score, scope description, SSP version and date, and SSP authoring date.
  5. Attest and submit. The submitter certifies the data is accurate. False statements expose the company and the individual signer to False Claims Act liability - treat the attestation as seriously as you treat your tax return.

Common SPRS scoring mistakes (and how to avoid them)

After reviewing dozens of pre-existing SPRS submissions during Petronella Technology Group RPO engagements, we see the same seven patterns. None of these are theoretical - they are the actual reasons subs lose contracts.

  1. Optimistic self-attestation. Scoring 105 because "we have most of the controls" without evidence. DIBCAC Medium Assessments routinely cut these scores by 30 to 50 points.
  2. Misreading partial credit. Partial credit applies to a handful of controls only. Marking a control "Partial" when the methodology does not allow partial scoring is an automatic Not Met during third-party review.
  3. Scope mismatch between SSP and reality. The SSP says CUI is processed only on a segmented enclave, but employees are emailing CUI from their personal laptops. The score reflects the SSP scope; the audit reflects reality.
  4. Forgetting to flow down to subs. Your score reflects your environment, but DFARS 252.204-7020 requires every subcontractor handling CUI to have their own SPRS score. Primes are increasingly checking sub scores at solicitation.
  5. Stale SSP. You scored 88 last year, but you migrated to Microsoft 365 GCC High and never updated the SSP. Your real current score is lower. SPRS scores age out at three years; SSPs should be re-baselined annually.
  6. Treating POA&M completion as score improvement. Closing a POA&M item raises your score only after you re-attest. Many subs close items and never re-post.
  7. Submitting before the SSP exists. You cannot honestly score 110 controls without a documented basis for each control's status. Posting a score without an SSP behind it is a False Claims Act time bomb.

Using the Petronella SPRS calculator

The Petronella SPRS calculator is a free, browser-based tool that walks you through all 110 NIST 800-171r2 controls in the official DoD Assessment Methodology order, applies the correct 5/3/1 weighting and partial-credit rules, and returns your Basic Assessment score in about five minutes. It runs entirely in your browser - no data leaves your device, no account is required, and the calculator never stores your responses on Petronella servers. We built it because the spreadsheet templates floating around the DIB get the partial-credit rules wrong roughly 30% of the time when we audit them.

The calculator produces three outputs. First, your numerical Basic Assessment score. Second, a per-control summary showing Met / Not Met / Partial and the deduction for each. Third, a starter POA&M template populated with your Not Met and Partial controls, weighted by the points they would recover. Use the third output as the input to your remediation roadmap. Then, when you are ready to validate the score against a Cyber AB Registered Practitioner's eye, call us at (919) 348-4912 for a free 15-minute review.

What does a good SPRS score look like?

The honest answer is "it depends on the contract." There is no universal pass/fail threshold, but a few benchmarks help.

110 - perfect. Every control fully implemented, every gap closed. Achievable, but rare without sustained investment. Most clients who reach 110 do so after a 12- to 18-month remediation program supported by an RPO.

88 to 110 - strong. This is the band where contracting officers stop scrutinizing your cyber posture and start scrutinizing your price. Below 88, you are likely to face additional pre-award questions or a Medium Assessment request.

55 to 88 - work in progress. Acceptable for a Conditional CMMC Level 2 award if you have a credible POA&M with closure dates inside 180 days. Below 55 with no POA&M, you are functionally non-responsive on most CUI-handling solicitations.

Below 55 - red flag. Real, common, and recoverable. Petronella clients in this band typically reach +88 within 90 days with a focused remediation sprint targeting the 42 five-point controls.

One nuance worth flagging: the delta between your self-attested SPRS score and a DIBCAC-reviewed score is the metric that gets attention. A self-scored 95 that audits to 60 is worse than a self-scored 60 that audits to 60. Honesty in the Basic Assessment is the strongest signal you can send to a contracting officer.

CMMC Level 1, Level 2, and Level 3 SPRS implications

SPRS scoring intersects with the three CMMC levels differently.

CMMC Level 1 (FCI only, 15 controls from FAR 52.204-21). SPRS scoring per NIST 800-171 is not directly required at Level 1 because Level 1 protects Federal Contract Information, not CUI. However, contractors at Level 1 that anticipate growing into CUI work routinely post NIST 800-171 SPRS scores anyway, to be prepared for the next contract tier. Level 1 is annual self-attestation.

CMMC Level 2 (CUI, all 110 NIST 800-171 controls). SPRS scoring is mandatory and feeds directly into the C3PAO assessment. The Basic Assessment posted in SPRS is what a C3PAO assessor uses as the starting baseline for an on-site Medium Assessment. Discrepancies between SPRS and observed reality are the most common cause of a Conditional certification (rather than Final certification) at Level 2.

CMMC Level 3 (high-value CUI, NIST 800-171 plus a subset of NIST 800-172). SPRS scoring covers the 110 NIST 800-171 controls; Level 3 adds 24 controls from NIST 800-172 assessed by DCMA DIBCAC. The Level 3 assessment is government-led, with DIBCAC personnel on site. A clean SPRS posture is a prerequisite, but it is no longer sufficient on its own. Petronella Technology Group consults across all three CMMC levels, including the harder Level 3 environments common in defense aerospace and nuclear-adjacent supply chains. Background on the level distinctions sits in our CMMC compliance guide.

Petronella SPRS support services

Petronella Technology Group is a Cyber AB Registered Provider Organization (RPO #1449) headquartered at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606. Our entire four-person delivery team holds the Cyber AB CMMC-RP credential, and we have supported DoD contractors across the Carolinas, Virginia, and the broader Mid-Atlantic and Southeast since 2002.

For SPRS scoring specifically, we offer three tiers of engagement.

Free 15-minute SPRS triage call. Call (919) 348-4912. We review your current score (or lack of one), the contracts you are pursuing, and the realistic gap to target. No proposal pressure.

Fixed-fee Basic Assessment review. A Petronella CMMC-RP reviews your self-attested SPRS score, your SSP, and the underlying evidence, then produces a written delta report identifying every control where your scoring is likely to fail third-party scrutiny. Scope and pricing depend on environment size; published From pricing is available on request.

ComplianceArmor ongoing scoring + POA&M tracking. Our SaaS compliance platform tracks SPRS scoring, SSP version control, POA&M aging, and re-attestation deadlines on a live dashboard. From $497/month for the platform with optional CMMC-RP review hours. ComplianceArmor is the same tool we use internally to manage our own RPO clients. Details on our ComplianceArmor page.

Frequently asked questions about SPRS scoring

How often do I need to update my SPRS score?

The DoD Assessment Methodology treats a Basic Assessment as current for three years from the date of submission. In practice, most defense subs re-score annually because the underlying environment changes (new tooling, new business units, new CUI workflows), and a stale SSP behind a current score is a False Claims Act exposure.

Can a POA&M item raise my SPRS score?

No. The score reflects implemented controls only. Closing a POA&M item raises your score only when you implement the control, update the SSP, and re-attest in SPRS with the new score. POA&Ms signal intent; they do not move the number.

What happens if I submit a wrong score?

SPRS attestations carry False Claims Act weight. Honest mistakes that get corrected do not typically generate enforcement action; deliberate misrepresentation can trigger civil penalties, treble damages, and qui tam exposure. The DOJ's Civil Cyber-Fraud Initiative, launched in October 2021, has produced several seven-figure settlements against defense contractors for SPRS-related misrepresentation.

Do I need a CMMC-RP to file my SPRS score?

No, the Basic Assessment is by definition a self-assessment. However, working with a Cyber AB Registered Practitioner reduces the risk of partial-credit errors, scope mistakes, and SSP-to-evidence drift. Most subs that engage an RPO save the engagement fee back in contract-eligibility upside.

Is the SPRS score visible to my competitors?

No. SPRS scores are visible to authorized DoD contracting officers and to the contractor itself. They are not public, not visible to other contractors, and not subject to FOIA in their raw form. The score becomes practically visible only at award time, when a contracting officer references it.

How long does a Basic SPRS Assessment take?

For a 20-person sub with an existing SSP, a thorough Basic Assessment takes 8 to 16 hours of internal time plus 4 to 8 hours of RPO review if you engage one. For a larger or multi-site organization without an SSP, the SSP build itself is a 60- to 120-hour project; the scoring then takes another 16 to 32 hours.

What is the difference between a Basic, Medium, and High Assessment?

Basic is self-attested by the contractor. Medium is conducted by DIBCAC and involves document review with no on-site visit. High is conducted by DIBCAC on-site, with technical validation of controls. Only Basic scores can be self-posted in SPRS; Medium and High scores are posted by DIBCAC.

Calculate your SPRS score now

Stop guessing. The Petronella SPRS calculator walks you through all 110 NIST 800-171r2 controls in the order the DoD Assessment Methodology expects, applies the correct weighted deductions, and produces a defensible Basic Assessment score plus a starter POA&M in roughly five minutes. It runs entirely in your browser, no signup, no data collection.

When you are ready to have a Cyber AB CMMC-RP review your score - either before you post it in SPRS or after you have already filed and want a sanity check - contact Petronella Technology Group or call (919) 348-4912 for a free 15-minute triage call. We will tell you honestly whether your current posture clears the contracts you are pursuing, and what the fastest path to +88 looks like for your environment. Petronella Technology Group, Cyber AB RPO #1449, has been protecting the DoD supply chain since 2002.


About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent 20+ years professionally at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential issued by the Cyber AB and leads Petronella as a CMMC-AB Registered Provider Organization (RPO #1449). Craig is an NC Licensed Digital Forensics Examiner (License #604180-DFE) and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. He also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served hundreds of regulated SMB clients across NC and the southeast since 2002, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
