Short answer: Your SPRS score (Supplier Performance Risk System) is a single number — between -203 and +110 — that DoD uses to gauge your NIST 800-171 posture. You start at 110 and subtract a weighted point value (1, 3, or 5) for every control you have not fully implemented. The score lives in the Supplier Performance Risk System portal and is required by DFARS 252.204-7019 before award on most CUI contracts. Negative scores are normal early on; primes use the number to triage risk, not to disqualify.
What SPRS actually is
SPRS is a DoD-run portal at sprs.csd.disa.mil that stores supplier risk data, including your self-assessed NIST 800-171 score. DFARS 252.204-7019 requires that score to be no more than three years old at time of award. Primes can pull your score before issuing a subcontract — and most now do.
How the score is calculated
Start at 110. For every one of the 110 controls in NIST 800-171 r2 that you have not fully implemented, subtract its DoD-assigned weight from the scoring template:
- 5 points — high-impact controls (multi-factor auth, FIPS-validated crypto, audit logging)
- 3 points — moderate-impact (configuration management, vulnerability scanning)
- 1 point — lower-impact controls
A handful of controls carry partial credit (a 3-of-5 or 1-of-5 deduction instead of the full weight) when the implementation is partial rather than absent. The maximum possible deduction sums to 313, so the floor is -203.
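The arithmetic above, worked as a small Python scorer (an added example, not code from DoD, SPRS or this site): it applies the 1/3/5 weights, honours partial credit only where a control allows it, ranks the remaining gaps so the 5-point controls surface first, and projects the score of record after a set of POA&M items is closed. The six-control inventory, its weights, partial-credit values and assessment statuses are constructed for illustration and are not the official scoring template.

```python
from dataclasses import dataclass

MAX_SCORE = 110   # all 110 NIST 800-171 r2 controls fully implemented
MIN_SCORE = -203  # 110 minus the 313 points of total possible deductions

@dataclass(frozen=True)
class Control:
    cid: str          # NIST 800-171 control identifier, e.g. "3.5.3"
    weight: int       # DoD-assigned deduction when the control is not implemented
    partial: int = 0  # deduction when partially implemented; 0 = no partial credit allowed

# Constructed sample inventory (six of the 110 controls): weights and partial-credit
# values are assumptions for illustration, not copied from the official scoring template.
SAMPLE_CONTROLS = [
    Control("3.5.3", 5, partial=3),   # multifactor authentication
    Control("3.13.11", 5, partial=3), # FIPS-validated cryptography
    Control("3.3.1", 5),              # audit logging
    Control("3.4.1", 3),              # configuration baseline
    Control("3.11.2", 3),             # vulnerability scanning
    Control("3.1.22", 1),             # CUI on publicly accessible systems
]
# Constructed self-assessment: control id -> implemented | partial | not_implemented
SAMPLE_STATUS = {
    "3.5.3": "partial", "3.13.11": "not_implemented", "3.3.1": "not_implemented",
    "3.4.1": "implemented", "3.11.2": "not_implemented", "3.1.22": "implemented",
}

def deductions(controls, status):
    """(control id, points lost) per unmet control, largest first; unassessed = not implemented."""
    out = []
    for c in controls:
        assert c.weight in {1, 3, 5}, f"{c.cid}: weight must be 1, 3 or 5"
        s = status.get(c.cid, "not_implemented")
        if s == "implemented":
            continue
        lost = c.partial if s == "partial" else c.weight
        if s not in ("partial", "not_implemented") or lost == 0:
            raise ValueError(f"{c.cid}: invalid status {s!r} or no partial credit allowed")
        out.append((c.cid, lost))
    return sorted(out, key=lambda item: -item[1])  # 5-point gaps first: biggest lift per fix

def sprs_score(controls, status):
    """Summary-level score as posted to SPRS: 110 minus every deduction."""
    score = MAX_SCORE - sum(lost for _, lost in deductions(controls, status))
    assert MIN_SCORE <= score <= MAX_SCORE, "inventory deducts more than the 313-point maximum"
    return score

def projected_score(controls, status, remediated):
    """Projected score of record once the POA&M items in `remediated` are fully implemented."""
    updated = {**status, **{cid: "implemented" for cid in remediated}}
    return sprs_score(controls, updated)
```

With the constructed assessment the shop scores 94; closing the two open 5-point items lifts the projection to 104 while the partial MFA rollout still costs 3.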
What a negative score actually means
It means you have meaningful gaps — but it does not automatically lose you the contract. A small shop honestly self-scoring before any remediation often lands between -80 and -120. What matters is the trajectory and the POA&M (Plan of Action & Milestones) attached to it. Primes worry far more about contractors who post a +110 with no evidence than about a -90 with a credible 6-month plan.
How to post your score
- Complete a self-assessment against all 110 controls using the official DoD scoring template.
- Request a SPRS account (your CAGE code holder does this through PIEE).
- Enter the summary-level score, the date assessed, the assessment scope, and the projected score-of-record date (when you expect to hit 110).
- Keep the underlying SSP and POA&M on file — DoD or a prime can request them.
How to improve it fast
The 5-point controls give you the biggest score lift per dollar spent. In rough priority: enforce MFA on all privileged and remote access, deploy FIPS 140-validated encryption for CUI at rest and in transit, centralize audit logging with at least 90 days retention, and document a configuration baseline for every system in scope.
Frequently asked questions
- Is a positive SPRS score required to win a contract?
- Not in most cases today. DFARS 252.204-7019 only requires that a score has been submitted within the last three years. Once CMMC 2.0 is fully phased in (DFARS 252.204-7021), Level 2 contracts will require a certified +110 from a C3PAO.
- How often do I need to update my SPRS score?
- DoD requires the score be less than three years old at time of award, but you should re-score whenever you remediate a major gap or change your system boundary.
- Can a prime see my detailed control gaps?
- No — only the summary score, scope, and assessed date are visible. Your SSP and POA&M remain with you unless a prime contractually requires them.
- What's the difference between SPRS score and CMMC certification?
- SPRS is a self-assessment number. CMMC Level 2 certification is a third-party C3PAO assessment of the same 110 controls. SPRS is required today; certification is required as DFARS 7021 rolls into your contracts.