Understanding SPRS Scores: What DoD Contractors Need to Know

Executive Brief
Your Supplier Performance Risk System (SPRS) score plays a key role in winning and retaining contracts with the Department of Defense (DoD). If you're a contractor handling Controlled Unclassified Information (CUI), your score is not just a formality; it can directly affect your eligibility.
- The SPRS score reflects how fully your organization has implemented the 110 security controls required by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
- A low score can disqualify you from contracts or flag your organization as high-risk to prime contractors.
- To calculate and submit a valid score, you need a current System Security Plan (SSP) and documented Plans of Action and Milestones (POA&Ms).
- Most contractors do not start with a perfect 110. However, improving your score strategically over time is both expected and necessary.
Dig deeper below to learn what steps you should take to keep your business competitive and compliant.
What Is an SPRS Score?
The SPRS score is a numerical representation of how well your organization aligns with NIST SP 800-171, which outlines cybersecurity requirements for protecting CUI in nonfederal systems.
At a high level, the score is based on implementation of 110 security controls. However, it’s important to understand that each of those controls is made up of one or more assessment objectives (320 in total). These objectives are the real measuring stick for whether a control is fully, partially, or not implemented.
Each control is assigned a point value, and missing a control reduces your score according to its weight. Controls associated with foundational requirements such as multi-factor authentication, audit logging, or access control carry higher point values. Missing those can have a more significant impact on your score.
- Maximum possible score: 110
- Typical starting score: Around 25
- Certification benchmark: A score of 88 may qualify for conditional certification at CMMC Level 2, but only if all 3- to 5-point controls are fully implemented and documented.
Your SPRS score isn’t just a checkbox. It reflects your real ability to protect sensitive government data and serves as an indicator of how ready you are for a third-party Cybersecurity Maturity Model Certification (CMMC) assessment.
ISI Insight: Many contractors' first instinct is to hold back negative scores or only submit once they reach 110. But the DoD expects most organizations to start below perfect. Submitting a lower score with ongoing updates as remediation progresses builds a record of transparency and demonstrates that your organization is actively working toward compliance.
Why SPRS Scores Matter
- Snapshot of your posture. Your SPRS score gives the DoD and prime contractors a quick view into how well your organization can protect sensitive data.
- Supply chain risk signal. Primes use this number to evaluate whether subcontractors are secure enough to handle CUI and support national defense operations.
- Still relevant alongside CMMC. As CMMC becomes the enforcement standard, SPRS scores remain a key indicator for interim risk and contract readiness.
- Accuracy matters. A high score without substance can do more harm than good. Your score must be backed by a current SSP, documented implementation, artifacts of evidence, and any applicable POA&Ms.
- False reporting is fraud. Inflating your SPRS score is not just a compliance risk; it can lead to cyber or procurement fraud claims under the False Claims Act. There have already been 7-figure settlements tied to inaccurate submissions.
- It’s a trust signal. Your SPRS score tells the DoD and your industry partners how seriously you take cybersecurity. Keep it honest, keep it current, and use it to chart your path to full CMMC.
How to Calculate and Submit Your Score
- Perform a gap assessment against all 110 NIST SP 800-171 controls.
- Identify controls not fully implemented and document remediation steps in a POA&M.
- Complete or update your SSP that outlines how your current environment meets each requirement.
- Use the DoD scoring methodology to calculate your current score. Benchmark against NIST SP 800-171A Rev. 2.
- Submit your score to the Supplier Performance Risk System via the Procurement Integrated Enterprise Environment portal.
You must also provide:
- The date of your assessment
- POA&M Completion Date
- Point of contact for follow-up
SPRS submissions must be updated at least every 3 years—or sooner if your security posture changes.
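The steps above describe the calculation only in words. The following is an added worked example, not code from the original post or from ISI: it applies the scoring rule the post describes (start at 110, deduct each control's 1-, 3- or 5-point weight when it is not fully implemented, floor at -203) to a constructed assessment, and produces the list of deficient controls that would feed a POA&M. The six controls and their weights are a constructed sample subset with assumed weights, not the full 110-control list, and the two partial-credit rules (multifactor authentication and FIPS-validated cryptography deducting 3 instead of 5 when partially implemented) are taken from the DoD Assessment Methodology as the author of this example understands it; verify every weight against the current methodology before relying on a result.

```python
"""Worked SPRS score calculation (added example, not from the original post).

Scoring rule as described in the post: score = 110 minus the weight of every
control that is not fully implemented, never below -203. Control list and
weights below are a constructed sample subset; partial-credit rules are
assumed from the DoD NIST SP 800-171 Assessment Methodology.
"""
from dataclasses import dataclass
from enum import Enum

SPRS_MAX = 110
SPRS_MIN = -203          # floor stated in the post
CONDITIONAL_MIN = 88     # conditional CMMC Level 2 benchmark from the post


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not_implemented"


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    weight: int  # 1, 3 or 5 points


# Constructed sample subset (assumed weights; NOT the full 110-control list).
SAMPLE_CONTROLS = [
    Control("3.1.1", "Limit system access to authorized users", 5),
    Control("3.3.1", "Create and retain audit logs", 5),
    Control("3.5.3", "Use multifactor authentication", 5),
    Control("3.13.11", "Employ FIPS-validated cryptography for CUI", 5),
    Control("3.4.1", "Establish baseline configurations", 3),
    Control("3.2.2", "Train personnel on security responsibilities", 1),
]

# Partial-credit rules (assumed from the DoD methodology): these two controls
# deduct 3 points instead of 5 when only partially implemented.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


def deduction_for(control, status):
    """Points to deduct for one control given its assessed status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and control.control_id in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[control.control_id]
    # Every other partial implementation counts the same as not implemented.
    return control.weight


def calculate_sprs(controls, assessment):
    """Return (score, poam_items).

    assessment maps control_id -> Status. A control missing from the
    assessment is treated as not implemented: no evidence means no credit.
    poam_items lists (control_id, status, points_deducted) for the POA&M.
    """
    score = SPRS_MAX
    poam = []
    for control in controls:
        status = assessment.get(control.control_id, Status.NOT_IMPLEMENTED)
        points = deduction_for(control, status)
        if points:
            score -= points
            poam.append((control.control_id, status.value, points))
    return max(score, SPRS_MIN), poam


def is_conditional_eligible(controls, assessment):
    """Conditional-certification rule from the post: score of at least 88
    AND every 3- and 5-point control fully implemented."""
    score, _ = calculate_sprs(controls, assessment)
    high_weight_done = all(
        assessment.get(c.control_id) is Status.IMPLEMENTED
        for c in controls if c.weight >= 3
    )
    return score >= CONDITIONAL_MIN and high_weight_done


if __name__ == "__main__":
    # Constructed assessment of the sample subset.
    constructed = {
        "3.1.1": Status.IMPLEMENTED,
        "3.3.1": Status.NOT_IMPLEMENTED,   # -5
        "3.5.3": Status.PARTIAL,           # MFA for remote/privileged only: -3
        "3.13.11": Status.IMPLEMENTED,
        "3.4.1": Status.PARTIAL,           # no special rule: full -3
        # 3.2.2 deliberately omitted: unassessed counts as not implemented, -1
    }
    score, poam = calculate_sprs(SAMPLE_CONTROLS, constructed)
    print("SPRS score:", score)  # 98 for this sample subset
    print("Conditional eligible:", is_conditional_eligible(SAMPLE_CONTROLS, constructed))
    for item in poam:
        print("POA&M item:", item)
```

Two behaviours worth noticing: an unassessed control is scored as not implemented rather than silently skipped, which mirrors the post's point that a score must be backed by evidence, and a partial implementation earns credit only where the methodology explicitly allows it, so a "mostly done" 3-point control still costs the full 3 points.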
What Does Your SPRS Score Say About Your Posture?
DoD has made it clear: the only truly acceptable SPRS score in the long term is 110, which reflects full implementation of all NIST SP 800-171 controls.
But most contractors are still in the process of getting there. In the meantime, your SPRS score is a key indicator of your current security posture and your commitment to remediation.
Importantly, SPRS scores can range from 110 all the way down to -203, depending on how many controls are not fully implemented and which high-weighted ones are missing.
Here’s how your score may be interpreted:
- 110: You’ve implemented all 110 controls. This is the gold standard and the score that will be expected once certification is enforced.
- 88 to 109: Indicates progress but may require POA&Ms and clear evidence of control implementation. Acceptable in some cases but still subject to scrutiny.
- Below 88: Indicates gaps that will concern prime contractors and disqualify you from certain CUI-related opportunities.
- Below 0: Yes, SPRS scores can even be negative. This typically reflects missing core controls like multi-factor authentication, audit logging, or access control. These gaps need immediate attention.
Your SPRS score is not just a number. It reflects how well your organization can protect sensitive data and how serious you are about compliance. Even if you're not at 110 yet, your path to improvement and how well you document it matters just as much.
How to Improve Your Score
- Close critical gaps first. Controls tied to access control, auditing, and authentication have high point values.
- Maintain and update your SSP. This is the backbone of your SPRS submission.
- Track remediation progress. Use POA&Ms to show commitment to full implementation.
- Align with CMMC goals. A strong SPRS score helps pave the way to future certification.
- Determine internal capabilities. NIST SP 800-171 is specific to protecting CUI. Make sure your IT team has the expertise needed or bring in expert help.
Improving your SPRS score is not a one-time effort. Treat it as part of your broader cybersecurity program.
FAQs
How often do I need to update my SPRS score?
At minimum, every 3 years. However, you should update it any time your SSP changes, controls are newly implemented, or your contract requires a refreshed submission.
Can I submit a perfect score if I have POA&Ms?
No. If controls are not fully implemented, you must deduct points. POA&Ms show intent, but they do not replace actual implementation.
Does a low SPRS score mean I can’t get contracts?
As of Q4 2025, yes. You will be required to submit an explanation, show a path to remediation, or risk losing out to competitors with stronger scores.