Resource Guide — Compliance Metrics

SPRS Score Explained: What It Is, How It's Calculated, and What Yours Should Be

Your SPRS score is the number the DoD keeps on file for how completely you have implemented NIST SP 800-171. A perfect score is 110; the lowest possible score is −203. The average small contractor is sitting around 47. Here's everything you need to know about what it means and how to improve it.

What SPRS Is and Why It Matters

SPRS stands for Supplier Performance Risk System. It's a DoD database that tracks contractor performance data — past performance, quality ratings, delivery records, and since 2020, cybersecurity compliance scores under NIST 800-171.

Your SPRS score is the cybersecurity grade the government has on record for you. It is not public: you can see your own record, and authorized DoD users (including contracting officers) can see it. Prime contractors cannot look up a subcontractor's score directly in SPRS, but under DFARS 252.204-7020 they must confirm that a sub handling CUI has a current score on file before award, so a sophisticated prime will ask you for it. A score of 47 next to a competitor's score of 95 is a hard thing to explain away in a competitive bid situation.

But SPRS matters for more than just perception. DFARS 252.204-7012 requires you to implement NIST SP 800-171 if your contract involves CUI; DFARS 252.204-7019 requires that a NIST SP 800-171 assessment score no more than three years old be posted in SPRS before award, and 252.204-7020 flows that requirement down to your subcontractors. If you haven't posted a score, you're out of compliance with clauses that are likely already in your contract.

SPRS is the DoD's real-time window into your cybersecurity posture. You're responsible for keeping it accurate. Posting a score you can't back up with an SSP is riskier than posting a lower honest score — especially now that DOJ is actively pursuing False Claims Act cases.

How Your SPRS Score Is Calculated

The scoring rules come from the NIST SP 800-171 DoD Assessment Methodology (Annex A is the weight table); NIST SP 800-171A supplies the assessment procedures you use to decide whether each requirement is met. Here's how it works:

  1. Start at 110 — Every contractor starts with a perfect score
  2. Go through each of the 110 requirements — Using the 800-171A assessment objectives, decide whether each one is fully implemented or not
  3. Subtract points for each unmet requirement — Each requirement carries a weight of 1, 3, or 5 points, and you subtract the full weight if the requirement isn't fully met. There is no partial credit, with two exceptions: 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography) lose 3 points instead of 5 if they are partially implemented. A requirement scored Not Applicable costs nothing, but only if the assessor accepts that it does not apply. 3.12.4 (the SSP itself) carries no weight; without an SSP there is nothing to assess
  4. Your final score — Whatever remains after all deductions, anywhere from 110 down to −203

Not all requirements are equal. Some missing requirements cost 1 point; others cost 3 or 5. The 5-point requirements tend to be the ones that matter most from a security standpoint: multifactor authentication, incident handling, boundary protection, audit logging, vulnerability scanning, and FIPS-validated encryption of CUI in transit.

A Simplified Scoring Example

Example: 20-Person Defense Manufacturer Starting Assessment

Finding                                          Requirement(s)    Weight    Effect
Starting score, all 110 requirements assumed met                              110
No multi-factor authentication on remote access  3.5.3             5         −5
No formal incident response plan                 3.6.1             5         −5
CUI not encrypted at rest                        3.13.16           1         −1
No system audit logging                          3.3.1             5         −5
No vulnerability scanning process                3.11.2            5         −5
No formal user training program                  3.2.1, 3.2.2      3 + 3     −6
Missing physical access controls for server room 3.10.1            5         −5
Resulting SPRS Score                                                          78

That example company is in relatively good shape: 78 is well above the industry average. Note that the weights come straight from Annex A of the DoD methodology; the cheapest-looking gap here (CUI at rest, 1 point) is still a gap a C3PAO will write up, and the one-point weight says nothing about how much it matters to an attacker. Had the manufacturer already enforced MFA for remote and privileged access and only lacked it for general users, 3.5.3 would have cost 3 points instead of 5. A company with more significant gaps would have a lower score. The full weighting table has 110 rows, and the cumulative effect of missing requirements can drop your score dramatically, all the way to −203.
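The arithmetic above is simple enough to put in a script, which is useful once you are tracking 110 rows and want to see what each remediation buys you. The following is an added example written for this page, not code from the DoD or from the SPRS system. It embeds only the Annex A weights for the handful of requirements used in the worked example (the `WEIGHTS` dictionary is a subset; fill in the remaining rows from Annex A yourself), applies the two partial-credit exceptions, and reports the per-family maximum deduction for whatever table you give it.

```python
"""Worked SPRS / NIST SP 800-171 score calculator (added example, not DoD code).

Weights are the 1/3/5 values from Annex A of the DoD Assessment Methodology
for the requirements used in the article's worked example only.  Extend
WEIGHTS with the remaining rows from Annex A to score a real assessment.
"""
from collections import defaultdict

MAX_SCORE = 110

# Subset of the Annex A weight table: requirement id -> points deducted
# when the requirement is NOT implemented.  Partial table by design.
WEIGHTS = {
    "3.2.1": 3,    # security awareness training
    "3.2.2": 3,    # role-based training
    "3.3.1": 5,    # system audit logging
    "3.5.3": 5,    # multifactor authentication
    "3.6.1": 5,    # incident-handling capability
    "3.10.1": 5,   # limit physical access
    "3.11.2": 5,   # vulnerability scanning
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.13.16": 1,  # CUI confidentiality at rest
}

# The only two requirements the methodology lets you score as partially
# implemented; the deduction drops from 5 to 3.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for remote and privileged access but not general users
    "3.13.11": 3,  # encryption in place but not FIPS-validated
}

VALID_STATUSES = {"met", "not_met", "partial", "na"}


def deduction(req_id: str, status: str, weights: dict[str, int] = WEIGHTS) -> int:
    """Points to subtract for one requirement given its implementation status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{req_id}: unknown status {status!r}")
    if req_id not in weights:
        raise KeyError(f"{req_id}: not in weight table")
    if status in ("met", "na"):  # N/A only counts if the assessor accepts it
        return 0
    if status == "partial":
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id}: partial credit only exists for {sorted(PARTIAL_CREDIT)}")
        return PARTIAL_CREDIT[req_id]
    return weights[req_id]


def sprs_score(statuses: dict[str, str], weights: dict[str, int] = WEIGHTS) -> int:
    """Start at 110 and subtract the weight of every requirement not fully met.

    Requirements absent from `statuses` count as met, matching the
    'start at 110' framing; list every requirement explicitly for a real run.
    """
    return MAX_SCORE - sum(deduction(r, s, weights) for r, s in statuses.items())


def minimum_score(weights: dict[str, int] = WEIGHTS) -> int:
    """Score if every requirement in the table is unmet (−203 for the full Annex A table)."""
    return MAX_SCORE - sum(weights.values())


def family_impact(weights: dict[str, int] = WEIGHTS) -> dict[str, int]:
    """Maximum deduction per requirement family (3.1, 3.2, ...)."""
    totals: dict[str, int] = defaultdict(int)
    for req_id, weight in weights.items():
        family = ".".join(req_id.split(".")[:2])
        totals[family] += weight
    return dict(totals)


# The article's 20-person manufacturer, scored with the Annex A weights above.
EXAMPLE_GAPS = {
    "3.5.3": "not_met",    # no MFA on remote access
    "3.6.1": "not_met",    # no incident response plan
    "3.13.16": "not_met",  # CUI not encrypted at rest
    "3.3.1": "not_met",    # no audit logging
    "3.11.2": "not_met",   # no vulnerability scanning
    "3.2.1": "not_met",    # no awareness training
    "3.2.2": "not_met",    # no role-based training
    "3.10.1": "not_met",   # no physical access controls
}

if __name__ == "__main__":
    print("example score:", sprs_score(EXAMPLE_GAPS))
    print("with partial MFA credit:", sprs_score({**EXAMPLE_GAPS, "3.5.3": "partial"}))
    print("floor for this (partial) table:", minimum_score())
    print("per-family max deduction:", family_impact())
```

Running it reproduces the worked example's 78 and shows the partial-credit case landing at 80. The `ValueError` on a `partial` status for any requirement other than 3.5.3 or 3.13.11 is deliberate: "mostly done" is the most common way self-assessed scores drift upward, and the methodology gives no room for it.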

What Score Ranges Mean

Here's a practical interpretation of where different score ranges put you:

100–110
Ready for assessment

You've implemented almost all controls. A few minor gaps remain but nothing that would block certification. You're likely ready to schedule a C3PAO assessment now.

70–99
Good progress, some work to do

You've implemented most of the foundational controls. Gaps exist in some areas but you have a realistic path to certification with 3–9 months of focused remediation.

40–69
Industry average — behind schedule

This is where most self-assessed small contractors land. Significant gaps exist. You need 9–18 months of dedicated work to reach certification readiness. Start now.

Below 40
Critical gaps — contract risk

Fundamental security controls are missing. Primes and contracting officers will notice this score. You're at risk of losing contract opportunities. Immediate action required.

What the Government and Your Primes See

When an authorized DoD user such as a contracting officer pulls up your company in SPRS, here's what's visible on the NIST SP 800-171 record:

  • Your current assessment score
  • The date of the assessment and the level at which it was done (Basic self-assessment, or a DoD Medium or High assessment)
  • The scope of the assessment (enterprise, enclave, or specific contracts) and the CAGE codes it covers
  • The date by which you said all outstanding requirements in your Plan of Action will be implemented
  • Historical records if you've submitted updated assessments over time

Prime contractors do not get that view. They cannot read your record in SPRS, so they ask you to provide your score and assessment date (often as a screenshot of your own SPRS entry) and rely on DFARS 252.204-7020 to require that you have one on file. Nobody outside your company sees your SSP, which specific requirements you're missing, or the contents of your Plan of Action. But the number alone tells a story. A score more than three years old no longer satisfies DFARS 252.204-7019, and one that hasn't been updated in two years suggests you filed it once and forgot about it. A score that recently jumped from 45 to 108 might raise eyebrows about whether the improvement is real.

More sophisticated primes — especially large defense primes who have their own compliance teams — are increasingly sending supplier questionnaires that ask for your SPRS score, the date of your last assessment, whether you have an SSP, and whether you've had any reportable incidents. The score is the opening question, not the final one.

Not sure what your actual score should be?

Our free readiness check helps you estimate your honest NIST 800-171 score before you file anything with SPRS — and gives you a roadmap for improving it.

Take the Free Readiness Check →

The Highest-Weight Controls — Where to Focus First

If you need to improve your score, not all requirements are worth equal attention. The weights in Annex A of the DoD Assessment Methodology are 1, 3, or 5 points, and the 5-point requirements are where a single fix moves the score the most. Here is where they sit:

Control Family                               Requirements    5-point requirements                                   Priority
Access Control (3.1)                         22              3.1.1, 3.1.2, 3.1.12, 3.1.13, 3.1.16, 3.1.17, 3.1.18   High
System & Comm. Protection (3.13)             16              3.13.1, 3.13.2, 3.13.5, 3.13.6, 3.13.11, 3.13.15       High
Configuration Management (3.4)               9               3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8               High
System & Information Integrity (3.14)        7               3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6                 High
Identification & Auth. (3.5)                 11              3.5.1, 3.5.2, 3.5.3, 3.5.10                            High
Incident Response (3.6)                      3               3.6.1, 3.6.2                                           High
Audit & Accountability (3.3)                 9               3.3.1, 3.3.5                                           Med
Risk Assessment (3.11)                       3               3.11.2                                                 Med
Media Protection (3.8)                       9               3.8.3, 3.8.7                                           Lower

If you have limited time and resources, work the 5-point requirements first. Access Control, Configuration Management, and System & Communications Protection hold the largest blocks of them, and the two 5-point incident response requirements (an incident-handling capability and incident tracking and reporting) are mostly documentation and process, so they are among the cheapest points on the table to recover. Confirm each weight against Annex A before you plan remediation around it.

How to Improve Your Score

Improving your SPRS score means implementing more controls — not gaming the scoring. Here's a practical approach:

Step 1: Get an Honest Baseline

Before you can improve your score, you need to know your actual current score — not the one you filed when you were optimistic. Go through each of the 110 controls honestly and document your current implementation status. Use NIST 800-171A, which provides the assessment procedures for each control.

Step 2: Fix the High-Weight Gaps First

Look at which unmet requirements are costing you the most points. Multifactor authentication (3.5.3, weight 5) is a relatively quick technical fix with significant score impact, and if you can only get it onto remote and privileged access at first, the methodology lets you take a 3-point deduction instead of 5 until general users are covered. An incident response plan (3.6.1, weight 5) is mostly documentation: it doesn't require technical implementation, just a written plan that your organization actually uses and tests.

Step 3: Build Your Documentation in Parallel

For each control you implement, build the documentation and evidence at the same time. Screenshots of configuration settings, policy documents, training records. This evidence is what a C3PAO assessor will want to see. Doing remediation without documentation is doing the work twice.

Step 4: Update Your SPRS Score Honestly

As you implement controls and your posture genuinely improves, update your SPRS score. The score should reflect your current state, not your aspirational state. Posting a higher score than you can demonstrate is a False Claims Act risk — post what's true.

Build the documentation that backs your score

MyCMMC's Assessment-Ready Package includes your SSP and evidence guide — the documentation that proves your controls to a C3PAO and backs up your SPRS score.

See What's Included →

SPRS Score and CMMC Assessment Readiness

Your SPRS score and your CMMC assessment readiness are closely related but not identical. Here's how they connect:

A high SPRS score (90+) suggests you've implemented most of the 110 controls. That's a strong indicator that you're ready for a C3PAO assessment — though the score alone doesn't guarantee it. C3PAOs verify implementation with evidence, not just your self-assessment.

A low SPRS score tells you exactly which areas need work before your C3PAO assessment. In fact, working toward an accurate, high SPRS score is essentially the same work as preparing for CMMC — it forces you to go through all 110 controls systematically.

After your CMMC Level 2 assessment passes, your C3PAO uploads the results to eMASS. This feeds into SPRS as a verified certification, distinct from your self-reported score. Your SPRS record will show both your self-assessment score and your certified C3PAO assessment result.

Frequently Asked Questions

How do I find my current SPRS score?

Go to sprs.pm.dla.mil and log in with your company's credentials (SPRS access is provisioned through your PIEE account). If your company has never submitted a score, you won't have one on file. A prime contractor cannot look it up for you; primes do not have access to other companies' NIST SP 800-171 records in SPRS, which is why they ask subs to provide the score themselves. If you're not sure whether you have a score on file, assume you don't and submit one as part of your CMMC prep.

Can an SPRS score be negative?

Yes. The DoD Assessment Methodology starts at 110 and subtracts 1, 3, or 5 points for each unmet requirement. If you have enough gaps, especially in high-weight areas like multifactor authentication or incident response, your score goes negative. The floor is −203, reached only if every requirement is unmet. Negative scores are rare but they do happen.

What can contracting officers and primes see?

Authorized DoD users see your numerical score, the assessment date and level, the scope and CAGE codes it covers, and the date you committed to closing your Plan of Action. They can see whether your score has changed over time. Primes cannot read your SPRS record at all; they ask you for the score and date and are required by DFARS 252.204-7020 to confirm you have one. Nobody outside your company sees your SSP or which specific requirements you're missing, just the aggregate score. But a low or negative score will raise questions, and sophisticated primes are increasingly asking subs to self-disclose their readiness status.

Does my SPRS score still matter after CMMC certification?

Yes. Your SPRS score still exists after CMMC certification and is still visible to contracting officers. After your C3PAO assessment, the certified result is recorded in CMMC eMASS and reflected in SPRS, but you remain responsible for keeping your self-assessment current when your posture changes between assessments, and CMMC adds an annual affirmation of continued compliance by a senior official. Think of the SPRS score as your ongoing compliance indicator and the C3PAO assessment as the formal certification.

What's the difference between an SPRS score and CMMC certification?

Your SPRS score is a self-reported numerical assessment of how well you meet NIST SP 800-171. It's updated by you whenever your compliance posture changes, and DFARS 252.204-7019 requires that the one on file be no more than three years old. CMMC certification is a formal third-party verification: a C3PAO assesses your controls against evidence and issues a certification valid for three years. You need both: an accurate SPRS score to satisfy current DFARS requirements, and CMMC certification to bid on contracts that include the DFARS 252.204-7021 clause.

Get your score where it needs to be.

Start with our free readiness check — 2 minutes to understand your current posture and your fastest path to a higher score.

Start Free Readiness Check →

No commitment. See your results right away.

Or see pricing & packages →