SPRS Score: The Complete Guide for Defense Contractors in 2026
Posted: March 5, 2026 to Compliance.
What Is the SPRS Score and Why Does It Matter?
If you are a defense contractor or subcontractor handling Controlled Unclassified Information (CUI), your SPRS score is one of the most important numbers in your business. The Supplier Performance Risk System (SPRS) is the Department of Defense's platform for recording supplier cybersecurity assessment results, and under DFARS 252.204-7019 a contracting officer must confirm that a current NIST SP 800-171 assessment is on record in SPRS before awarding a contract that carries the DFARS 252.204-7012 clause.
DFARS 252.204-7012 has required contractors that handle CUI to implement the 110 security requirements in NIST SP 800-171 since 2017; the companion clauses 252.204-7019 and 252.204-7020, added in 2020, require those contractors to score that implementation with the DoD Assessment Methodology and post the result to SPRS. The CMMC (Cybersecurity Maturity Model Certification) program now layers its own assessments on top of that score. A low score, or a missing one, can block contract awards, draw a government assessment, and expose your organization to False Claims Act liability if the posted score does not reflect reality.
At Petronella Technology Group, we have helped defense contractors across North Carolina and the Southeast navigate SPRS scoring, NIST 800-171 implementation, and CMMC compliance for years. This guide covers everything you need to know about the SPRS score in 2026.
How the SPRS Score Is Calculated
Your SPRS score is based on your organization's self-assessment of the 110 security controls in NIST SP 800-171 Revision 2. The scoring methodology works as follows:
The 110-Point Starting Point
A perfect SPRS score is 110, meaning all 110 requirements are fully implemented. Each requirement that is not fully implemented results in a deduction. Annex A of the DoD Assessment Methodology assigns every requirement a weight based on the impact of leaving it unmet:
- 5-point deductions: Requirements whose absence could lead to significant exploitation of the network or exfiltration of CUI, such as limiting system access to authorized users (3.1.1), multifactor authentication (3.5.3), flaw remediation (3.14.1), malicious code protection (3.14.2) and FIPS-validated cryptography for CUI (3.13.11)
- 3-point deductions: Requirements whose absence has a specific and confined effect on the security of the network, such as making user actions traceable to individuals in the audit logs (3.3.2) and periodic scans for malicious code (3.14.5)
- 1-point deductions: Requirements whose absence has a limited or indirect effect on the security of the network
Two requirements earn partial credit: 3.5.3 costs 3 points instead of 5 if MFA covers privileged and remote users but not general users, and 3.13.11 costs 3 points instead of 5 if CUI is encrypted but not with FIPS-validated modules. Requirement 3.12.4, the System Security Plan itself, carries no point value because without an SSP the assessment cannot be completed at all.
The lowest possible score is -203, meaning nothing is implemented. Because 5-point deductions add up quickly, an organization that has not yet deployed MFA, FIPS-validated encryption, patching and endpoint protection across its CUI environment can land at a negative score on its first honest self-assessment.
The Assessment Methodology
The DoD Assessment Methodology defines three assessment levels, which differ in who performs the assessment and how much evidence is examined:
- Basic (self-assessment): The contractor scores its own implementation of NIST SP 800-171 and posts the result to SPRS. This is the assessment DFARS 252.204-7019 requires, and it is what most contractors have on record today.
- Medium: DoD personnel review the contractor's Basic Assessment and System Security Plan in depth and discuss them with the contractor. No on-site testing is involved, and the government posts the result to SPRS.
- High (DIBCAC assessment): The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts an on-site or virtual assessment that examines evidence for each requirement. DoD selects contractors for Medium and High assessments based on the criticality of the programs they support and the sensitivity of the information involved, and DIBCAC also performs the government-led assessments for CMMC Level 3.
What Goes Into SPRS
A Basic Assessment posted to SPRS consists of a handful of fields, not your full documentation:
- Your overall numeric score (from -203 to 110)
- The date the assessment was completed
- The assessment scope: the name of the System Security Plan it covers, the CAGE codes that operate under that SSP, and a brief description of the system architecture
- The date by which you expect to reach a score of 110, which is the completion date of your Plan of Action and Milestones (POA&M)
Your System Security Plan and your POA&M are not uploaded to SPRS, but DFARS 252.204-7020 obliges you to make them available to the government on request, and a Medium or High assessment will examine them line by line.
What Is a Good SPRS Score?
SPRS itself does not publish a pass/fail threshold, but two numbers carry legal weight under the CMMC rule, and the rest is competitive reality:
- Score of 110: Every requirement is fully implemented. This is what a final CMMC Level 2 certification requires, and few organizations reach it without sustained effort.
- Score of 88 through 109: Under 32 CFR 170.21, a contractor scoring at least 88 (80 percent of 110) can receive a conditional CMMC Level 2 status if every open item is a 1-point requirement (3.13.11 may remain open at its 3-point partial-credit level), none of the open items is one of the CUI-data requirements the rule excludes from POA&Ms, and the POA&M is closed out within 180 days. A credible POA&M with dates you can meet is what makes a score in this band acceptable to a contracting officer.
- Score below 88: The gaps are too large for conditional CMMC status. You can still hold a DFARS 252.204-7012 contract with a POA&M, but your competitiveness for new awards drops, and a score that does not match your actual implementation is False Claims Act exposure.
- Negative scores: Fundamental requirements such as MFA, FIPS-validated encryption, patching and malware protection are missing. Expect award problems and government scrutiny, and treat remediation of the 5-point items as urgent.
Common Mistakes in SPRS Self-Assessment
In our experience working with defense contractors, these are the most frequent errors in SPRS scoring:
Inflating the Score
This is the most dangerous mistake. Some contractors claim full implementation of controls that are only partially implemented, or check off controls they believe are covered by their cloud provider without verifying shared responsibility models. An inflated SPRS score is not just inaccurate — it creates False Claims Act exposure. If the government discovers that your reported score does not match reality, the consequences can include contract termination, financial penalties, and debarment.
Ignoring the POA&M
A Plan of Action and Milestones is not a weakness. NIST SP 800-171 requirement 3.12.2 calls for one covering every unmet requirement, and SPRS asks for the date by which you will reach 110 for exactly that reason. A contractor who posts a score below 110 without a POA&M behind it has no evidence for the completion date it entered; a contractor who posts 110 is asserting that nothing remains to be done. If either claim is false, the missing POA&M compounds the problem.
Misunderstanding the Scope
Your SPRS score applies to the information system described in your SSP: the assets that process, store or transmit CUI, plus the assets that protect them (directory services, SIEM, firewalls, endpoint management) and anything that can reach them without a documented boundary. Some contractors assess only a subset of those systems, leaving networks or cloud tenants unscored. Others put the entire enterprise in scope, including systems that never touch CUI, and inherit a compliance burden they could have avoided with segmentation and a documented boundary.
Not Updating the Score
Your SPRS score is not a one-time submission. DFARS 252.204-7019 requires the assessment on record to be no more than three years old, and CMMC adds an annual affirmation, but you should post a new score whenever something material changes: new systems, organizational changes, completed remediation items or a re-assessment. A score that has not moved in years while the environment has is exactly what a DIBCAC assessor will question.
Relying on Generic SSPs
Template System Security Plans that are not customized to your specific environment are a red flag for auditors. Your SSP must accurately describe your systems, your implementation of each control, and your organization-specific policies and procedures.
How SPRS Connects to CMMC
CMMC builds directly on the SPRS foundation, and CMMC results are themselves recorded in SPRS. Here is how the levels connect:
- CMMC Level 1: The 15 basic safeguarding requirements of FAR 52.204-21 (CMMC 1.0 counted them as 17 practices; the final rule in 32 CFR Part 170 uses 15). Annual self-assessment posted to SPRS, with an annual affirmation.
- CMMC Level 2: All 110 NIST SP 800-171 Rev 2 requirements, scored with the same weights used for SPRS. For most contracts involving CUI a third-party assessment by a C3PAO is required, with annual affirmations in between. Final certification requires a score of 110; a conditional status is possible at 88 or above if the open items meet the POA&M limits in 32 CFR 170.21 and are closed within 180 days.
- CMMC Level 3: Adds 24 selected requirements from NIST SP 800-172 on top of a final Level 2 certification and is assessed by DIBCAC.
As CMMC phases into contracts through 2026, the SPRS score becomes even more important. It is the DoD's primary tool for evaluating contractor cybersecurity readiness, and a Level 2 assessor starts from the same 110 requirements your SPRS score already claims to answer.
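To make the weighting described under "How the SPRS Score Is Calculated" and the conditional-status rule in the CMMC Level 2 bullet above concrete, here is an added example (not code from the original article or from DoD) that scores a constructed self-assessment the way the DoD Assessment Methodology does and then checks the POA&M limits of 32 CFR 170.21. The weight table is a subset of Annex A covering only the requirements the sample uses, and the sample gaps are constructed; verify any weights you add against the published Annex A table.

```python
"""Score a NIST SP 800-171 Rev 2 assessment the way the DoD Assessment
Methodology does, then check whether the remaining gaps would qualify for a
conditional CMMC Level 2 status with a POA&M under 32 CFR 170.21.

WEIGHTS is a constructed SUBSET of Annex A of the DoD Assessment Methodology
(only the requirements used in the sample below), not the full 110-row table;
extend it from Annex A before using this on a real assessment.
"""
from enum import Enum

MAX_SCORE = 110
MIN_SCORE = -203          # every requirement unmet, per the methodology
POAM_THRESHOLD = 88       # 0.8 x 110, 32 CFR 170.21(a)(2)(i)
POAM_CLOSEOUT_DAYS = 180  # 32 CFR 170.21(b)


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"              # only defined for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not implemented"


# requirement id -> deduction when not implemented (subset of Annex A)
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.2": 3, "3.3.3": 1,
    "3.5.3": 5, "3.8.3": 5,
    "3.10.3": 1, "3.10.4": 1, "3.10.5": 1,
    "3.11.2": 5, "3.11.3": 1, "3.13.11": 5,
    "3.14.1": 5, "3.14.2": 5, "3.14.5": 3,
}
# Annex A grants partial credit to exactly two requirements: 3.5.3 (MFA for
# privileged/remote users only) and 3.13.11 (encryption that is not
# FIPS-validated). Both cost 3 instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# 32 CFR 170.21(a)(2)(iii): 1-point CUI-data requirements that may never be
# left open on a POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def deduction(req: str, status: Status) -> int:
    """Points lost for one requirement; an unknown requirement id raises KeyError."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL:
        if req not in PARTIAL_DEDUCTION:
            # The methodology has no partial credit elsewhere: score it as unmet.
            raise ValueError(f"{req}: no partial credit defined; use NOT_IMPLEMENTED")
        return PARTIAL_DEDUCTION[req]
    return WEIGHTS[req]


def sprs_score(statuses: dict[str, Status]) -> int:
    """Basic Assessment score. Requirements absent from `statuses` count as implemented."""
    score = MAX_SCORE - sum(deduction(r, s) for r, s in statuses.items())
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError("weights table is inconsistent with the methodology")
    return score


def poam_eligible(statuses: dict[str, Status]) -> tuple[bool, list[str]]:
    """Would this assessment qualify for a conditional CMMC Level 2 status?

    Returns (eligible, reasons); every blocker is reported, not just the first.
    """
    reasons = []
    score = sprs_score(statuses)
    if score < POAM_THRESHOLD:
        reasons.append(f"score {score} is below {POAM_THRESHOLD}")
    for req, status in statuses.items():
        if status is Status.IMPLEMENTED:
            continue
        points = deduction(req, status)
        if req in NEVER_ON_POAM:
            reasons.append(f"{req} is a CUI-data requirement that may not be on a POA&M")
        elif points > 1 and not (req == "3.13.11" and status is Status.PARTIAL):
            reasons.append(f"{req} is worth {points} points; only 1-point items may stay open")
    return (not reasons, reasons)


# Constructed sample: a tidy-looking 101 that still fails the POA&M test.
SAMPLE_GAPS = {
    "3.5.3": Status.PARTIAL,            # MFA on admins and VPN, not all users: -3
    "3.13.11": Status.PARTIAL,          # TLS/BitLocker without FIPS validation: -3
    "3.3.3": Status.NOT_IMPLEMENTED,    # audit logs never reviewed: -1
    "3.11.3": Status.NOT_IMPLEMENTED,   # scan findings not remediated: -1
    "3.1.20": Status.NOT_IMPLEMENTED,   # external connections unverified: -1
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_GAPS))
    eligible, why = poam_eligible(SAMPLE_GAPS)
    print("Conditional Level 2 with POA&M:", eligible)
    for line in why:
        print("  -", line)
```

The sample is the trap this article warns about: a 101 looks comfortable, yet the partially implemented MFA and the unverified external connections each block conditional status on their own, so the remediation order should follow the rule, not the raw score.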
How PTG Helps Defense Contractors Improve Their SPRS Score
Petronella Technology Group provides end-to-end support for defense contractors working to improve their SPRS score and achieve CMMC compliance:
- Gap assessment — We evaluate your current implementation of all 110 NIST 800-171 controls against the DoD Assessment Methodology to determine your accurate SPRS score.
- Remediation planning — We develop a prioritized POA&M that addresses the highest-impact controls first, optimizing your score improvement over time.
- Technical implementation — Our team implements the security controls, policies, and technologies needed to close gaps. This includes endpoint protection, network segmentation, access controls, audit logging, encryption, and more.
- SSP development — We create comprehensive, audit-ready System Security Plans that accurately document your environment and control implementations.
- CMMC preparation — Beyond SPRS, we prepare your organization for CMMC Level 2 certification by a C3PAO, including readiness assessments and mock audits.
- Ongoing compliance management — Compliance is continuous. We provide ongoing monitoring, annual re-assessments, and score updates as your environment evolves.
Frequently Asked Questions
Where do I submit my SPRS score?
SPRS scores are entered in the Supplier Performance Risk System at https://www.sprs.csd.disa.mil/. Vendor access is through the Procurement Integrated Enterprise Environment (PIEE): register your company in PIEE, then request the SPRS Cyber Vendor User role for the person who will enter the assessment; your company's PIEE Contractor Administrator approves the role. If you need help navigating the submission process, PTG can guide you through it.
How often should I update my SPRS score?
DFARS 252.204-7019 requires the assessment on record to be no more than three years old, and CMMC requires an annual affirmation, so treat an annual review as the minimum and post a new score whenever significant changes occur to your systems, network or organizational structure. The DoD can request your current assessment at any time, so keeping your score current protects you from compliance gaps.
Can my subcontractors affect my SPRS score?
Indirectly, yes. DFARS 252.204-7020 prohibits a prime from awarding a subcontract that carries DFARS 252.204-7012 unless the subcontractor has a current NIST SP 800-171 assessment on record in SPRS. If your subcontractors handle CUI on your behalf, they need their own SPRS scores and compliance documentation, and as a prime contractor you must flow down the DFARS clauses and verify that your supply chain maintains appropriate security controls.
What happens if my SPRS score is too low to win contracts?
A low SPRS score does not necessarily disqualify you immediately, but it makes you less competitive and may trigger additional scrutiny. The best course of action is to engage a qualified provider like PTG to conduct an honest gap assessment, develop a realistic remediation plan, and systematically improve your score. Most organizations can make significant improvements within 90-180 days with focused effort.
Is it possible to get an SPRS score of 110?
Yes, but it requires disciplined implementation of all 110 controls, comprehensive documentation, and ongoing maintenance. PTG has helped multiple defense contractors achieve scores of 110 through methodical gap remediation and rigorous compliance management.
Strengthen Your SPRS Score Today
Your SPRS score is not just a compliance checkbox — it is a competitive differentiator that directly impacts your ability to win and retain DoD contracts. If your score needs improvement, or if you are not confident in the accuracy of your current self-assessment, contact Petronella Technology Group for a confidential consultation. Call 919-422-2607 or submit a request through our website.