DoD Compliance • Raleigh, NC

SPRS Score: Your DoD Compliance Scorecard

The Supplier Performance Risk System (SPRS) score is the Department of Defense's standardized measure of your organization's cybersecurity posture. Every defense contractor handling Controlled Unclassified Information (CUI) must calculate, submit, and maintain a passing SPRS score based on NIST SP 800-171 compliance — or risk losing federal contracts.

NIST 800-171 Gap Analysis • SPRS Score Calculation • POA&M Development • CMMC Preparation

SPRS Score: Key Facts

  • Score range: -203 to 110 — a perfect score of 110 means full NIST SP 800-171 compliance across all 110 security requirements
  • Required for DoD contracts — DFARS clause 252.204-7012 mandates SPRS score submission for all contractors handling CUI
  • Calculated from NIST SP 800-171 — each unimplemented security requirement reduces your score based on its weighted value (1, 3, or 5 points)
  • Self-assessment required — contractors must perform their own assessment and enter results into the SPRS portal at sprs.csd.disa.mil
  • Prerequisite for CMMC — your SPRS score directly informs your readiness for CMMC Level 2 certification
  • Must be current — scores must be updated within 3 years or whenever there are significant changes to your security posture

Not sure where you stand? Schedule a free SPRS assessment and our team will evaluate your current NIST 800-171 compliance in detail.

Understanding SPRS

What Is an SPRS Score?

The Supplier Performance Risk System (SPRS) is the Department of Defense's centralized platform for evaluating contractor cybersecurity compliance. Your SPRS score is a numerical representation of how fully your organization meets the 110 security requirements defined in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

A DoD Mandate, Not a Suggestion

Since November 2020, the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019 requires all defense contractors to submit a current SPRS score before they can be awarded new contracts involving CUI. The Defense Contract Management Agency (DCMA) and contracting officers check SPRS scores during the procurement process. Without a submitted score, your proposal will not be evaluated — regardless of how competitive your bid is. This requirement applies to prime contractors and subcontractors at every tier of the defense supply chain.

How SPRS Maps to NIST 800-171

NIST SP 800-171 organizes its 110 security requirements into 14 control families, including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Media Protection, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. Each requirement is assigned a point value of 1, 3, or 5 based on its criticality. Your SPRS score starts at 110 and subtracts the weighted value for each requirement that is not fully implemented. The resulting number is your SPRS assessment score — a direct reflection of your NIST 800-171 compliance posture.

Scoring Mechanics

How SPRS Scoring Works

Your SPRS score is calculated by subtracting weighted penalty values for each unimplemented NIST 800-171 control from a baseline of 110. The weighting reflects the criticality of each security requirement to protecting Controlled Unclassified Information.

Score scale: -203 (no controls) · 0 (partial) · 110 (full compliance, a perfect score)

  • 5 points, high-impact controls: critical requirements like multi-factor authentication, encryption of CUI at rest and in transit, audit logging, and incident response capabilities. Missing these has the largest impact on your SPRS score.
  • 3 points, medium-impact controls: important requirements including access control policies, configuration management baselines, security awareness training, and personnel screening procedures.
  • 1 point, standard controls: foundational requirements such as session lock timeouts, wireless access restrictions, and visitor escort procedures. While individually lower weight, these add up quickly when unaddressed.

What Does a Low SPRS Score Mean?

An SPRS score significantly below 110 signals major cybersecurity gaps that put Controlled Unclassified Information at risk. While the DoD has not published a specific minimum threshold, contracting officers use SPRS scores to evaluate supplier risk during source selection. A score of -203 means zero NIST 800-171 controls are implemented. Contractors with low scores are more likely to face additional scrutiny, may lose contract eligibility, and will need substantial remediation to achieve CMMC certification. Organizations with scores below 110 must maintain an active Plan of Action and Milestones (POA&M) documenting their remediation timeline for each deficient control.

Concerned About Your SPRS Score?

Our NIST 800-171 specialists identify every compliance gap, calculate your accurate SPRS score, and build a prioritized remediation plan — so you can protect your DoD contracts with confidence.

Request a Free Assessment

Step-by-Step Process

How to Calculate Your SPRS Score

Calculating your SPRS score requires a methodical assessment of every NIST SP 800-171 security requirement against your current implementation status. Here is the process defense contractors must follow.

Identify Your CUI Boundary

Define every system, network segment, application, and storage location where Controlled Unclassified Information is processed, stored, or transmitted. This scoping exercise determines which assets fall under NIST 800-171 requirements. Many organizations undercount their CUI boundary, which leads to inaccurate assessments and compliance gaps discovered later during CMMC audits.

Assess Each of the 110 NIST 800-171 Controls

Evaluate every security requirement in NIST SP 800-171 Rev 2 against your current security environment. For each control, determine whether it is fully implemented, partially implemented, or not implemented. Use the DoD Assessment Methodology to assign an implementation status. Document evidence of implementation including policies, technical configurations, screenshots, and process documentation.

Calculate the Weighted Deductions

For each control that is not fully implemented, subtract its assigned weight (1, 3, or 5 points) from the starting score of 110. The DoD assessment methodology specifies the point value for every requirement. Partially implemented controls are typically counted as not met unless you can demonstrate that the residual risk is adequately mitigated through compensating controls documented in your System Security Plan (SSP).

Document Gaps in a Plan of Action and Milestones

For every unimplemented or partially implemented control, create a POA&M entry that describes the deficiency, the planned corrective action, the responsible party, and the estimated completion date. A well-structured POA&M demonstrates to the DoD that you have a credible plan to close gaps. Without a POA&M, a low SPRS score provides no path forward — it simply signals unmitigated risk.

Submit Your Score to the SPRS Portal

Log into the Supplier Performance Risk System at sprs.csd.disa.mil and enter your assessment results. You will need your organization's CAGE code, the date of assessment, the scope of systems assessed, and your calculated score. The submitted score must accurately reflect your current implementation status — misrepresenting your SPRS score can result in False Claims Act liability, contract termination, and debarment from future DoD contracting.

Maintain and Update Your Assessment

SPRS scores are not a one-time exercise. The DoD requires that your assessment be updated at least every three years, or whenever there are significant changes to your security posture, system architecture, or CUI handling processes. Ongoing monitoring, periodic internal assessments, and continuous improvement of your cybersecurity program ensure your SPRS score remains current and defensible.
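The scoring mechanics described under "How SPRS Scoring Works" and the six-step procedure above can be carried through end to end in code. The example below is an added illustration, not a tool from Petronella Technology Group or the DoD: it scores a constructed assessment of 8 of the 110 requirements using the page's stated rule (start at 110, subtract the weight of each unmet requirement, treat a partial control as not met unless a compensating control is documented in the SSP), flags how many requirements remain unassessed, summarises points lost per weight class, generates prioritised POA&M entries, and projects the score after selected items are closed. The control IDs are real NIST SP 800-171 requirement numbers, but the weights, statuses, owners and dates are constructed sample values; a real assessment must take every weight from the DoD Assessment Methodology and cover all 110 requirements.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Scoring constants as stated on the page: start at 110, subtract each unmet
# requirement's weight; every requirement unmet yields -203.
MAX_SCORE = 110
MIN_SCORE = -203
TOTAL_CONTROLS = 110
VALID_WEIGHTS = (1, 3, 5)
VALID_STATUSES = ("implemented", "partial", "not_implemented")


@dataclass(frozen=True)
class ControlAssessment:
    control_id: str                  # NIST SP 800-171 requirement number
    title: str
    weight: int                      # 1, 3 or 5, from the DoD Assessment Methodology
    status: str                      # one of VALID_STATUSES
    compensating_control: str = ""   # SSP-documented mitigation (partial controls only)
    owner: str = "unassigned"        # POA&M responsible party
    target_date: Optional[date] = None


def deduction(ctrl: ControlAssessment) -> int:
    """Points subtracted for one control: implemented -> 0; partial counts as
    not met unless a compensating control is documented; not implemented -> weight."""
    if ctrl.weight not in VALID_WEIGHTS:
        raise ValueError(f"{ctrl.control_id}: weight must be 1, 3 or 5")
    if ctrl.status not in VALID_STATUSES:
        raise ValueError(f"{ctrl.control_id}: unknown status {ctrl.status!r}")
    if ctrl.status == "implemented":
        return 0
    if ctrl.status == "partial" and ctrl.compensating_control:
        return 0
    return ctrl.weight


def sprs_score(assessment) -> int:
    """110 minus the weighted deductions, checked against the valid range."""
    ids = [c.control_id for c in assessment]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate control ids in assessment")
    score = MAX_SCORE - sum(deduction(c) for c in assessment)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside {MIN_SCORE}..{MAX_SCORE}")
    return score


def unassessed_controls(assessment) -> int:
    """A submittable score must cover all 110 requirements; anything missing
    here is implicitly treated as implemented, so report the gap."""
    return TOTAL_CONTROLS - len({c.control_id for c in assessment})


def points_lost_by_weight(assessment) -> dict:
    lost = {w: 0 for w in VALID_WEIGHTS}
    for c in assessment:
        lost[c.weight] += deduction(c)
    return lost


def poam_entries(assessment) -> list:
    """One entry per unimplemented or partially implemented control,
    ordered by points recoverable (highest first), then by control id."""
    entries = []
    for c in assessment:
        if c.status == "implemented":
            continue
        entries.append({
            "control_id": c.control_id,
            "title": c.title,
            "weight": c.weight,
            "status": c.status,
            "points_recoverable": deduction(c),
            "compensating_control": c.compensating_control or None,
            "owner": c.owner,
            "target_date": c.target_date.isoformat() if c.target_date else "TBD",
        })
    entries.sort(key=lambda e: (-e["points_recoverable"], e["control_id"]))
    return entries


def projected_score(assessment, closed_ids) -> int:
    """Score once the listed POA&M items are remediated to 'implemented'."""
    remediated = [
        ControlAssessment(c.control_id, c.title, c.weight, "implemented")
        if c.control_id in closed_ids else c
        for c in assessment
    ]
    return sprs_score(remediated)


# Constructed sample assessment (8 of 110 requirements; weights follow the
# page's examples and are illustrative, not the official methodology table).
SAMPLE_ASSESSMENT = [
    ControlAssessment("3.5.3", "Multifactor authentication", 5, "not_implemented",
                      owner="IT Manager", target_date=date(2025, 3, 31)),
    ControlAssessment("3.13.11", "FIPS-validated cryptography for CUI", 5, "implemented"),
    ControlAssessment("3.3.1", "Audit logging", 5, "partial",
                      compensating_control="Central syslog with 90-day retention (SSP 4.2)"),
    ControlAssessment("3.6.1", "Incident handling capability", 5, "implemented"),
    ControlAssessment("3.2.2", "Role-based security training", 3, "not_implemented",
                      owner="HR Lead"),
    ControlAssessment("3.9.1", "Personnel screening", 3, "implemented"),
    ControlAssessment("3.1.10", "Session lock", 1, "partial"),
    ControlAssessment("3.10.3", "Escort and monitor visitors", 1, "not_implemented"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))
    print("Unassessed requirements:", unassessed_controls(SAMPLE_ASSESSMENT))
    print("Points lost by weight:", points_lost_by_weight(SAMPLE_ASSESSMENT))
    for entry in poam_entries(SAMPLE_ASSESSMENT):
        print(entry)
    print("Projected after closing MFA and training:",
          projected_score(SAMPLE_ASSESSMENT, {"3.5.3", "3.2.2"}))
```

The partial control with a documented compensating control (3.3.1) still appears in the POA&M, as the procedure requires, but recovers no points, while the partial control without one (3.1.10) is scored as not met. Running the sample gives a score of 100 with 102 requirements unassessed, which is exactly the trap described under "Identify Your CUI Boundary": an incomplete assessment looks better than it is.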

Our Services

How Petronella Technology Group, Inc. Helps Improve Your SPRS Score

With over 25 years of cybersecurity and compliance experience, PTG provides defense contractors in the Raleigh-Durham-Research Triangle region and nationwide with comprehensive SPRS assessment and remediation services.

NIST 800-171 Gap Analysis

Our certified assessors conduct a thorough evaluation of your security environment against all 110 NIST SP 800-171 requirements. We identify exactly which controls are fully implemented, partially implemented, or missing — giving you an accurate, defensible SPRS score. Our gap analysis includes detailed evidence documentation, risk prioritization, and a clear picture of your current compliance posture. This assessment forms the foundation for your System Security Plan and all subsequent remediation efforts.

POA&M Development & Management

For every gap identified, we develop actionable Plan of Action and Milestones entries with specific remediation steps, realistic timelines, resource requirements, and responsible parties. Our POA&Ms satisfy both DoD and CMMC requirements and provide a clear roadmap for closing compliance gaps efficiently. We also help you track progress, update completion status, and ensure your POA&M remains current as your security program evolves.

Remediation & Implementation

PTG does not just identify problems — we fix them. Our technical team implements the security controls needed to raise your SPRS score, including multi-factor authentication deployment, encryption configuration, network segmentation, endpoint protection, security logging and monitoring, access control hardening, and security awareness training programs. Every implementation is documented with evidence that directly maps to NIST 800-171 requirements.

CMMC Preparation & SPRS Submission Assistance

Your SPRS score is the starting point for CMMC certification. PTG guides you through the entire journey — from initial SPRS self-assessment through CMMC Level 2 readiness. We prepare your System Security Plan, validate your POA&M closure evidence, assist with SPRS portal submission, and conduct pre-assessment mock audits to ensure you are fully prepared for your official C3PAO assessment. Our virtual CISO services provide ongoing strategic oversight of your compliance program.

FAQ

Frequently Asked Questions About SPRS Scores

What is a good SPRS score?

A perfect SPRS score is 110, meaning all 110 NIST SP 800-171 security requirements are fully implemented. The higher your score, the stronger your cybersecurity posture and the more competitive you are for DoD contract awards. While the DoD has not published an official minimum passing score, most contracting officers view scores significantly below 110 as a risk indicator. Organizations with lower scores must have an active Plan of Action and Milestones (POA&M) demonstrating a credible path to full compliance. Practically speaking, a score above 80 with a solid POA&M and realistic remediation timeline is generally viewed as a reasonable starting position, but the goal should always be to reach 110.

How often must you update your SPRS score?

DFARS clause 252.204-7019 requires contractors to have a current assessment on file. Assessments must be updated at least every three years. However, you should also update your SPRS score whenever there are significant changes to your information systems, security architecture, CUI boundary, or organizational structure. Additionally, as you close gaps identified in your POA&M, updating your SPRS score reflects your improved compliance posture and can strengthen your position for future contract awards. Many organizations conduct annual internal assessments as a best practice to maintain an accurate, current score.

Where do you submit your SPRS score?

SPRS scores are submitted through the Supplier Performance Risk System portal at sprs.csd.disa.mil, maintained by the Defense Logistics Agency (DLA). To access the portal, you need a valid DoD-approved identity credential (such as a CAC card or ECA certificate) and your organization's CAGE code. The submission includes your assessment date, the score value, the scope of systems covered, and identification of whether the assessment was a basic self-assessment, a medium assessment by a government assessor, or a high assessment conducted by DCMA. Your contracting officer and the DoD can then view your submitted score during the procurement evaluation process.

Is the SPRS score required for CMMC certification?

Yes. The SPRS score and the Cybersecurity Maturity Model Certification (CMMC) are directly connected. CMMC Level 1 requires a self-assessment of 17 basic safeguarding practices from FAR 52.204-21. CMMC Level 2 requires full implementation of all 110 NIST SP 800-171 controls — the same controls measured by your SPRS score. Your SPRS score effectively serves as a progress indicator toward CMMC readiness. Organizations pursuing CMMC Level 2 certification will undergo a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO), which evaluates the same security requirements reflected in your SPRS submission. A strong SPRS score with documented evidence and a closed-out POA&M is the clearest path to CMMC certification.

What happens if you submit an inaccurate SPRS score?

Submitting a false or inflated SPRS score carries serious legal and financial consequences. Under the False Claims Act, contractors who misrepresent their cybersecurity compliance to the government can face civil penalties, triple damages, and potential criminal prosecution. The Department of Justice has established the Civil Cyber-Fraud Initiative specifically to pursue contractors who knowingly misrepresent their cybersecurity posture. Beyond legal liability, an inaccurate score exposes your organization to contract termination, suspension, and debarment from all future government contracting. This is why it is critical to conduct an honest, thorough assessment — and to work with qualified professionals who can help you document your compliance accurately.

Get Your Accurate SPRS Score — And a Plan to Improve It

Whether you are calculating your SPRS score for the first time or need help closing gaps to reach 110, Petronella Technology Group, Inc. provides expert NIST 800-171 assessment and remediation services for defense contractors of every size.

Raleigh, North Carolina • Serving the Triangle & Beyond • Book a Strategy Session