SPRS Score Explained: The Complete Defense Contractor Guide to Scoring and Improvement [Video + Guide]
Posted: March 6, 2026 to Compliance.
Watch the video above for a quick overview of SPRS scoring, or read the full guide below for a detailed explanation of how the scoring methodology works and how to improve your score.
What Is the SPRS Score?
The Supplier Performance Risk System (SPRS) score is a numerical representation of your organization's cybersecurity posture based on the NIST SP 800-171 DoD Assessment Methodology. It measures how well you have implemented the 110 security controls required for protecting Controlled Unclassified Information (CUI) in the defense supply chain.
SPRS scores range from -203 to 110. A perfect score of 110 means you have fully implemented all 110 NIST 800-171 security requirements. The minimum acceptable score depends on contract requirements, but the DoD has made it clear that contractors with low scores face increased scrutiny and may be ineligible for new contracts.
Your SPRS score is not just a number on a form. It is a critical business metric that directly impacts your ability to win and retain DoD contracts. Contracting officers can view your SPRS score and use it as a factor in source selection decisions.
How SPRS Scoring Works
The SPRS scoring methodology assigns a weighted value to each of the 110 NIST 800-171 requirements. Not all controls are weighted equally. Some controls are considered more critical to security and carry higher point values. Here is how the scoring works:
Starting Point: Every organization starts at 110 (the perfect score). Points are deducted for each control that is not fully implemented.
Point Values: Controls are weighted at 1, 3, or 5 points based on their security criticality. The most impactful controls, such as multi-factor authentication, encryption, and access controls, carry 5-point values.
Deductions: For each unimplemented control, the corresponding point value is subtracted from 110. If you have not implemented a 5-point control, your score drops by 5 points.
Minimum Score: The theoretical minimum is -203, which would mean no controls are implemented. In practice, most organizations score between -50 and 80 on their first assessment.
Understanding the Point Categories
5-Point Controls (Highest Impact)
These are the controls the DoD considers most critical for protecting CUI. They include requirements like multi-factor authentication for privileged and network access, encryption of CUI at rest and in transit, media sanitization procedures, incident response capabilities, and risk assessments. Failing to implement these controls has the greatest negative impact on your score.
3-Point Controls (Moderate Impact)
These controls represent important but somewhat less critical security measures. They include requirements like audit log protection, configuration management baselines, system maintenance procedures, and personnel security screening.
1-Point Controls (Lower Impact)
These controls cover foundational security practices that are easier to implement. They include requirements like security awareness training, basic access control policies, and system boundary protections.
How to Calculate Your SPRS Score
Step 1: Review each of the 110 NIST 800-171 requirements and determine whether your organization has fully implemented the control.
Step 2: For each control that is not fully implemented, look up its point value using the DoD Assessment Methodology scoring table.
Step 3: Sum all the point deductions for unimplemented controls.
Step 4: Subtract the total deductions from 110 to get your SPRS score.
Step 5: Document each unimplemented control in your Plan of Action and Milestones (POA&M) with a remediation timeline.
For example, if you have not implemented controls worth a total of 47 deduction points, your SPRS score would be 110 - 47 = 63.
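A small self-scoring calculator that carries the five steps above through in code, added here as an illustration rather than a tool from the original guide. The requirement ids follow NIST SP 800-171 numbering, but the weights and implementation states are constructed sample data (chosen to reproduce the 47-point example), not the official DoD Assessment Methodology table.

```python
"""SPRS self-score: start at 110, deduct the weight of every unimplemented control."""

PERFECT_SCORE = 110      # all 110 requirements fully implemented
FLOOR_SCORE = -203       # nothing implemented: all 313 weight points deducted
VALID_WEIGHTS = {1, 3, 5}

# Constructed sample: (requirement id, weight, fully implemented?).
# Weights are hypothetical, following the guide's categories (MFA/encryption 5,
# audit-log protection/baselines 3, awareness training 1), not the official table.
SAMPLE_CONTROLS = [
    ("3.1.1", 5, True),  ("3.1.2", 5, True),  ("3.7.1", 3, True),  ("3.13.1", 1, True),
    ("3.5.3", 5, False),   # multi-factor authentication
    ("3.13.11", 5, False), # FIPS-validated encryption of CUI
    ("3.13.8", 5, False),  # CUI encrypted in transit
    ("3.8.3", 5, False),   # media sanitization
    ("3.6.1", 5, False),   # incident response capability
    ("3.11.1", 5, False),  # risk assessment
    ("3.1.5", 5, False),   # least privilege
    ("3.3.1", 5, False),   # audit logging
    ("3.3.8", 3, False),   # audit log protection
    ("3.4.1", 3, False),   # configuration baselines
    ("3.2.1", 1, False),   # security awareness training
]

def deductions(controls):
    """Step 2 and 3: look up each unimplemented control's weight and sum them."""
    for req_id, weight, _ in controls:
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"{req_id}: weight {weight} is not 1, 3 or 5")
    return sum(w for _, w, done in controls if not done)

def sprs_score(controls):
    """Step 4: subtract total deductions from 110; reject impossible results."""
    score = PERFECT_SCORE - deductions(controls)
    if not FLOOR_SCORE <= score <= PERFECT_SCORE:
        raise ValueError("score outside -203..110: check the weight table")
    return score

def poam_priority(controls):
    """Step 5: unimplemented controls, 5-point items first, as POA&M entries."""
    gaps = [(r, w) for r, w, done in controls if not done]
    return sorted(gaps, key=lambda rw: (-rw[1], rw[0]))

def projected_score(controls, remediated):
    """Score after the given requirement ids are fully implemented."""
    return sprs_score([(r, w, done or r in remediated) for r, w, done in controls])

def is_full_table(controls):
    """A complete table has 110 rows whose weights sum to 110 - (-203) = 313."""
    return len(controls) == 110 and sum(w for _, w, _ in controls) == PERFECT_SCORE - FLOOR_SCORE
```

`is_full_table` is the sanity check to run once you have loaded the real scoring table: if the 110 weights do not sum to 313, a row was mis-keyed.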
How to Improve Your SPRS Score
Prioritize High-Value Controls: Focus first on implementing the 5-point controls. Each one you complete adds 5 points to your score, the largest gain available from any single control, so this is the fastest path to score improvement.
Address Low-Hanging Fruit: Some controls are easier to implement than others. Policy and procedure controls (like documenting incident response procedures or establishing configuration management plans) can often be completed quickly.
Deploy Technical Solutions: Many controls require specific technical implementations. Multi-factor authentication, encryption solutions, SIEM deployments, and endpoint detection platforms address multiple controls simultaneously.
Document Everything: Partial credit is not given, but having thorough documentation shows assessors that controls are fully implemented and operational. Every policy, procedure, and technical configuration should be documented in your System Security Plan (SSP).
Address POA&M Items: Your POA&M items represent known gaps. Each resolved POA&M item directly improves your score. Set realistic timelines and track progress regularly.
Common SPRS Score Mistakes
Self-Scoring Too Generously: Many organizations overestimate their compliance. A control is either fully implemented or it is not. Partial implementation counts as not implemented for scoring purposes. Be honest in your assessment, as C3PAO auditors will verify your claims.
Ignoring Inherited Controls: If you use cloud services, some controls may be partially or fully provided by your cloud service provider. Understand the shared responsibility model and document which controls are inherited and which remain your responsibility.
Not Updating Your Score: Your SPRS score should be updated as you implement new controls. Failing to update means contracting officers see an outdated, potentially lower score.
Missing the Submission: Your SPRS score must be submitted to the SPRS system through the Procurement Integrated Enterprise Environment (PIEE). Having a score but not submitting it is the same as not having one from the DoD's perspective.
Frequently Asked Questions
What is a good SPRS score?
While there is no officially defined "good" score threshold, most compliance experts recommend targeting a score of 80 or higher for competitive positioning. A score of 110 demonstrates full compliance. Scores below 0 indicate significant security gaps that need urgent attention. For CMMC Level 2 certification, you need to demonstrate full implementation of all applicable controls, which corresponds to a score near 110.
Do I have to submit my SPRS score even if it is low?
Yes. DFARS 252.204-7020 requires all defense contractors handling CUI to submit their SPRS score. Failure to submit is itself a compliance issue. Submitting a low score with a credible POA&M showing a clear remediation path is far better than not submitting at all.
How often should I update my SPRS score?
You should update your SPRS score whenever you implement new controls that change your score, and at minimum annually. Some contracts may require more frequent updates. Treat your SPRS score as a living metric that reflects your current security posture, not a one-time filing.
Can my SPRS score affect contract awards?
Yes. Contracting officers can access SPRS scores during source selection. While the DoD has not published specific score thresholds for contract eligibility, a higher score demonstrates stronger cybersecurity maturity and can be a competitive differentiator. Some contracting officers have begun using SPRS scores as evaluation criteria.
What is the relationship between SPRS and CMMC?
SPRS and CMMC are complementary. Your SPRS score reflects your self-assessed compliance with NIST 800-171, while CMMC adds third-party verification. A high SPRS score should correlate with readiness for a CMMC Level 2 assessment, as both measure the same 110 controls. However, a high SPRS score does not guarantee CMMC certification because the assessment methodology differs.
Improve Your SPRS Score with PTG
Petronella Technology Group has helped dozens of defense contractors improve their SPRS scores from negative numbers to certification-ready levels. Our CMMC compliance services include comprehensive SPRS scoring, gap analysis, remediation planning, and technical implementation of missing controls.
We provide the cybersecurity expertise, managed IT services, and compliance documentation needed to bring your SPRS score to a competitive level and prepare for CMMC certification.
Know your real SPRS score and how to improve it. Contact PTG today for a free SPRS assessment consultation. For cybersecurity and compliance education, join our Training Academy at petronellatech.com/training/.