Free CMMC Readiness Tool

SPRS Score Calculator

Assess your organization's NIST SP 800-171 Rev 2 compliance posture. Check the 110 security controls you've implemented to calculate your Supplier Performance Risk System (SPRS) score — required for all DoD contractors.

110
Fully Compliant
-203 0 30 70 110
0 / 110 controls implemented
110
Weight 5 — Critical
Weight 3 — Important
Weight 1 — Baseline

Get Expert CMMC Compliance Help

Your SPRS score is just the starting point. Our CMMC-certified consultants can help you close gaps and achieve full compliance. Schedule a free assessment today.

We respect your privacy. No spam, ever. Privacy Policy

Frequently Asked Questions

What is an SPRS score and why does it matter for DoD contractors?

The Supplier Performance Risk System (SPRS) score is a numerical value ranging from -203 to +110 that quantifies how well a defense contractor has implemented the 110 security controls from NIST SP 800-171 Rev 2. Since November 2020, all DoD contractors handling Controlled Unclassified Information (CUI) must submit their SPRS score to the DoD's SPRS portal. A score of 110 means full compliance, while lower scores indicate gaps. Contracting officers can view these scores when evaluating bids, making it a critical competitive factor for winning DoD contracts.

How is the SPRS score calculated?

The SPRS score starts at 110 (the maximum). For each of the 110 NIST SP 800-171 security controls that is NOT fully implemented, you subtract a weighted value: 5 points for critical controls (like multi-factor authentication and encryption), 3 points for important controls (like audit logging and access enforcement), and 1 point for baseline controls (like policy documentation). Your final score is 110 minus the total penalty points. The minimum possible score is -203 if no controls are implemented.

What SPRS score do I need for CMMC Level 2 certification?

CMMC Level 2 requires full implementation of all 110 NIST SP 800-171 Rev 2 controls, which corresponds to an SPRS score of 110. While you can submit a Plan of Action and Milestones (POA&M) for some controls to receive interim authorization, the CMMC final rule limits POA&Ms to controls with weights of 1 or 3 only — all weight-5 critical controls must be fully implemented. Organizations should aim for a minimum score of 88 (with a solid POA&M) to begin the certification process, with a clear timeline to reach 110.

How often should I recalculate and update my SPRS score?

DFARS clause 252.204-7019 requires contractors to keep their SPRS assessment current. You should recalculate your score whenever you implement new controls, make significant changes to your IT environment, or at least annually as part of your ongoing compliance program. The DoD expects your submitted score to accurately reflect your current security posture. Working with a CMMC Registered Practitioner or Certified Third-Party Assessor Organization (C3PAO) can help ensure accuracy.