The short answer

Your SPRS score is the number the Department of Defense looks at to judge how far along your NIST SP 800-171 implementation is. It starts at 110 and loses a weighted number of points (1, 3, or 5) for every requirement you have not implemented. Scores run from negative 203 (nothing implemented) to positive 110 (everything implemented). Under DFARS 252.204-7019 a current score must be on file in SPRS before a contract that involves Controlled Unclassified Information can be awarded, and your prime contractor or contracting officer can look it up at any time.

What SPRS actually stands for

SPRS is the Supplier Performance Risk System, a DoD database at sprs.csd.disa.mil. The "score" people talk about is technically your NIST SP 800-171 assessment score, which is one record stored in SPRS. The DoD uses it to gauge how completely a contractor has implemented the 110 requirements before awarding contracts that handle Controlled Unclassified Information.

How SPRS is calculated

The math is deliberately simple. Per the NIST SP 800-171 DoD Assessment Methodology (version 1.2.1):

  1. You start at a perfect score of 110.
  2. For every one of the 110 NIST 800-171 Rev 2 requirements you have not implemented, you subtract its point weight.
  3. The result is your score.

Requirements do not all carry the same weight. Each is rated 1, 3, or 5 points, reflecting how much damage leaving that requirement open does to the overall security posture. One requirement, 3.12.4 (develop and maintain a System Security Plan), carries no point value at all: the SSP is what the assessment is performed against, so if you do not have one there is nothing to score.

The point weights

Weight     What it means
5 points   Critical. Leaving this requirement open is a serious security gap.
3 points   Significant. A real risk if missing, but not catastrophic on its own.
1 point    Material. Smaller requirements that are still expected.

The deductions across all scored requirements add up to 313 points, so a contractor that has implemented none of them scores 110 minus 313, which is the negative 203 floor. The exact weight of each requirement is listed in Annex A of the assessment methodology; do not guess it, because a single mislabelled 5-point requirement moves your score by five.

What "met" vs "partial" vs "not met" means for scoring

Each control is recorded in one of four states:

  • Met (implemented): Documented, in place, and you can show evidence. Zero point deduction.
  • Not met (not implemented): Missing entirely. Full point deduction.
  • Partial: Some elements in place but not all. For every requirement except the two tiered ones below, partial counts as not met for the official score: full point deduction.
  • Not applicable: The requirement genuinely cannot apply to your environment (such as the wireless requirements when you operate no wireless network). Counted as met for scoring, but you must record a written justification in your System Security Plan, because the assessor (a C3PAO for CMMC Level 2, DIBCAC for a DoD Medium or High assessment) will read it and can reject it.

The two special partial deduction controls

Two requirements earn a reduced deduction when partially implemented, because partial coverage of either is both verifiable and materially valuable:

  • 3.5.3 Multifactor authentication. Full deduction is 5 points when no MFA is in place. Partial (MFA enforced for privileged accounts and remote access, but not for general users on local access) deducts 3 points.
  • 3.13.11 FIPS validated cryptography. Full deduction is 5 points when CUI is not encrypted at all. Partial (encryption is in place, but the cryptographic modules are not FIPS 140 validated, that is, not on NIST's CMVP validated modules list and running in FIPS mode) deducts 3 points.

Every other requirement treats partial as the full deduction for the official SPRS submission.
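The scoring rules above (start at 110, subtract each open requirement's weight, reduced deduction for the two tiered requirements, full credit for not applicable only with a written justification, and, in the remediation advice later on this page, closing the 5-point gaps first) fit in a few dozen lines, and keeping your own tally this way catches the common mistakes before you type a number into SPRS. The script below is an added example written for this page; it is not the page's own code, not DoD's, and not any vendor's. The requirement IDs in its sample table are real, but the weights attached to them are constructed placeholders for illustration (only the 5-point value of 3.5.3 and 3.13.11 is stated by the methodology), and the sample assessment is likewise constructed. A real run needs every scored requirement's weight from Annex A.

```python
"""Score a NIST SP 800-171 self assessment the way the DoD Assessment Methodology does.

Added example for this page. The SAMPLE_WEIGHTS table is a constructed, partial
placeholder: real weights come from Annex A of the methodology for every scored
requirement. Requirements you have not assessed are scored as not met.
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110  # every scored requirement implemented


class State(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"
    NOT_APPLICABLE = "not_applicable"


# The only two requirements where a partial implementation earns a reduced
# deduction (3 instead of 5): 3.5.3 (MFA on privileged and remote access only)
# and 3.13.11 (encryption in use but not FIPS validated). Any other partial
# counts as not met and loses the requirement's full weight.
TIERED_PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    state: State
    justification: str = ""  # mandatory when state is NOT_APPLICABLE


def deduction_for(control_id: str, weight: int, finding: Finding) -> int:
    """Points subtracted for one requirement given its recorded state."""
    if finding.state is State.MET:
        return 0
    if finding.state is State.NOT_APPLICABLE:
        # N/A earns full credit only with a written rationale an assessor can read.
        if not finding.justification.strip():
            raise ValueError(f"{control_id}: not applicable requires a written justification")
        return 0
    if finding.state is State.PARTIAL:
        return TIERED_PARTIAL_DEDUCTION.get(control_id, weight)
    return weight  # NOT_MET


def sprs_score(weights: dict[str, int], findings: dict[str, Finding]) -> int:
    """110 minus the weighted deductions over every requirement in `weights`.
    A requirement missing from `findings` is treated as not met: the
    conservative reading of a control nobody has assessed yet."""
    unknown = set(findings) - set(weights)
    if unknown:
        raise ValueError(f"findings reference requirements with no weight: {sorted(unknown)}")
    total = 0
    for control_id, weight in weights.items():
        finding = findings.get(control_id, Finding(State.NOT_MET))
        total += deduction_for(control_id, weight, finding)
    return MAX_SCORE - total


def gap_report(weights: dict[str, int], findings: dict[str, Finding]) -> list[tuple[str, int]]:
    """Open requirements ordered by points recovered if closed, largest first,
    so the 5-point gaps surface ahead of the 1-point sweep."""
    gaps = []
    for control_id, weight in weights.items():
        finding = findings.get(control_id, Finding(State.NOT_MET))
        points = deduction_for(control_id, weight, finding)
        if points:
            gaps.append((control_id, points))
    return sorted(gaps, key=lambda gap: (-gap[1], gap[0]))


# Constructed placeholder table: real requirement IDs, illustrative weights.
# Only 3.5.3 and 3.13.11 at 5 points are stated by the methodology; the rest
# are stand-ins, and a real run needs all scored requirements from Annex A.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.3": 1, "3.1.22": 1, "3.2.1": 3,
    "3.3.1": 5, "3.3.3": 1, "3.5.3": 5, "3.13.11": 5,
}

# Constructed assessment for a small contractor part way through remediation.
SAMPLE_FINDINGS = {
    "3.1.1": Finding(State.MET),
    "3.1.3": Finding(State.NOT_MET),
    "3.1.22": Finding(State.NOT_APPLICABLE, "No publicly accessible systems inside the CUI enclave"),
    "3.2.1": Finding(State.PARTIAL),    # not a tiered requirement: full 3-point deduction
    "3.3.1": Finding(State.NOT_MET),
    "3.5.3": Finding(State.PARTIAL),    # MFA on admins and VPN only: 3 instead of 5
    "3.13.11": Finding(State.PARTIAL),  # TLS everywhere, but no CMVP-validated module: 3 instead of 5
    # 3.3.3 deliberately omitted: unassessed, so it is scored as not met (1 point)
}

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_WEIGHTS, SAMPLE_FINDINGS))
    for control_id, points in gap_report(SAMPLE_WEIGHTS, SAMPLE_FINDINGS):
        print(f"  {control_id:<8} recover {points} point(s)")
```

With the constructed inputs the sample scores 94 out of a possible 110 and the gap report leads with 3.3.1, the only open 5-point item, followed by the three 3-point deductions. Two design choices matter in practice: an unassessed requirement is scored as not met rather than silently skipped, and a not applicable finding with an empty justification raises instead of quietly awarding credit, which is exactly the N/A mistake an assessor will catch.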

What is a good SPRS score?

  • 110: Perfect. Every requirement implemented. Almost no contractor lands here without a major remediation push.
  • 88 and up: Passing range. 88 is 80 percent of 110, the minimum the CMMC Level 2 rule accepts for a conditional certification with a POA&M, and only low-weight items may remain open at that point. Most CMMC ready contractors aim for this band.
  • 55 to 87: Material gaps, but in striking distance. Closing 5 or 10 specific requirements, especially 5-point ones, usually moves you into the passing band.
  • 0 to 54: Significant work needed. A typical starting place for contractors who have done little CMMC prep.
  • Below 0: Score is negative. Common for small contractors at the beginning, especially without MFA, audit logging, or formal access control, since those are 5-point requirements.

How to improve your SPRS score

  1. Fix the 5 point requirements first. They move the score fastest. The highest leverage 5 pointers are usually MFA, audit logging, configuration baselines, vulnerability scanning, and incident response.
  2. Get FIPS validated crypto in place. "Validated" means the cryptographic module appears on NIST's CMVP list and runs in its FIPS mode; strong but unvalidated encryption still costs 3 points on 3.13.11. Microsoft 365 Government and Government Community Cloud High are common paths to validated encryption without a full re-architecture.
  3. Write the policies you already operate. Several requirements are about documenting what you do, not changing what you do.
  4. Close the easy 1 pointers in bulk. Once the 5 pointers are done, sweep the 1 point requirements. They add up.
  5. Re-submit your score as you close gaps, at least quarterly. An assessment on file in SPRS must be no more than three years old to count for award, and a climbing score over time is a positive signal to primes.

Compliance software shortens this loop because the score updates as you answer questions and close gaps.

Where and how to submit your score

You submit your NIST 800-171 assessment score directly through the SPRS module at sprs.csd.disa.mil. You need an active SAM.gov registration (which gives you the CAGE code the score is recorded against) and a PIEE account to access it. The submission captures the score itself, the assessment date, the scope (enterprise, enclave, or specific contracts), the version and date of the System Security Plan assessed, and the planned completion date for your POA&M. You can update it as often as you like as your environment changes. Primes and contracting officers can pull current scores at any time.

Common scoring mistakes

  • Marking requirements "met" without evidence. An assessor will ask for the artifact. If you do not have one, the requirement is partial at best, which scores as not met.
  • Counting Not Applicable for scoring without written justification. N/A counts as met only if the SSP records why the requirement cannot apply and you can defend that in writing.
  • Treating partial as met. For all but the two tiered requirements (3.5.3 and 3.13.11), partial is a full deduction on the official submission.
  • Never updating SPRS. Many contractors submit once and forget. A stale low score keeps you off bid lists you would now qualify for, and a score older than three years no longer counts for award.

Frequently asked questions

What is a SPRS score?

A SPRS score is your NIST SP 800-171 assessment score, recorded in the Department of Defense's Supplier Performance Risk System. For most contractors it is a Basic (self) assessment. It ranges from negative 203 to positive 110 and represents how completely you have implemented the 110 requirements of NIST 800-171 Rev 2. The DoD and prime contractors use it to evaluate cybersecurity readiness.

How is a SPRS score calculated?

You start at 110 (perfect) and subtract weighted points for every NIST 800-171 requirement you have not implemented. Each scored requirement carries a weight of 1, 3, or 5 points (3.12.4, the System Security Plan itself, is not scored, because without an SSP no assessment can be done). The total possible deduction is 313 points, so the lowest possible score is 110 minus 313, or negative 203.

What is a good SPRS score?

88 or higher is considered the passing range: 88 is 80 percent of 110, the minimum the CMMC Level 2 rule accepts for a conditional certification with a POA&M. 110 is perfect (all requirements implemented). Many small contractors start near zero or below before they begin formal CMMC preparation. Most contractors aim for the 88 plus band before pursuing a C3PAO assessment.

Where do I submit my SPRS score?

Through the SPRS module at sprs.csd.disa.mil. Access requires SAM.gov registration and a PIEE (Procurement Integrated Enterprise Environment) account. You submit the score itself, the assessment date, the scope, and the version of your System Security Plan. You can update the score at any time.

How often should I update my SPRS score?

Update it whenever you close meaningful gaps, at minimum quarterly. Many contractors update it monthly during active remediation. Primes can pull your current score any time they evaluate a bid, so a steadily climbing score is a positive signal.

Get started

Ready to build your System Security Plan?

Verdiex walks you through the questionnaire, generates your SSP, calculates your SPRS score, and tracks your POA&M. Get on the early access list and we will notify you when it opens.

Verdiex prepares you for assessment. A C3PAO performs the assessment and issues certification.