SPRS Scores: How to Calculate and Report Yours
Your SPRS score is the number that tells the DoD how much of NIST 800-171 you have actually implemented. It runs from -203 to +110, it's visible to every contracting officer evaluating your bid, and a stale or missing one can cost you an award. Here is how to calculate it, and how to report it correctly.
What the SPRS score is
SPRS is the Supplier Performance Risk System, and your score there is the summary of a NIST SP 800-171 DoD Assessment. If you handle CUI on a DoD contract, DFARS 252.204-7019 requires a current assessment (no more than three years old) on file before you can be awarded the work.
The score is a single number from -203 to +110. A 110 means every one of the 110 NIST 800-171 controls is fully implemented. Anything lower means gaps. Contracting officers can see it. So can primes vetting subcontractors. It is, in effect, your cybersecurity first impression.
How the scoring works
You start at 110 and subtract. Every control you have not fully implemented deducts its assigned weight of 1, 3, or 5 points, based on how much damage the gap could do. The most operationally critical controls, the ones that would let an attacker into your network, carry the 5-point weight. Narrower gaps carry 3. Everything else is 1.
Two rules catch people out. First, for all but two controls there is no partial credit: a requirement is Met or Not Met, and one that's 80% done still costs the full deduction. The two exceptions are multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), which deduct 5 points if absent or 3 if only partly in place. Second, the score can go negative. The deductions add up to more than 110, so a firm that has implemented little lands well below zero. The floor is -203.
How to calculate yours
Four steps.
Start with your SSP. You cannot produce a score without a System Security Plan. It describes every in-scope system and how each control is met. No SSP, no assessment.
Assess all 110 controls, honestly. Score each against the objectives in NIST SP 800-171A (there are 320 of them), and mark a control Met only if you can evidence it today. Planned, funded, or in progress does not count.
Subtract. Total the weights of every Not Met control and take them off 110. That is your score.
Build a POA&M. For every gap, document what you will do and when you will reach 110. You need that target date to report.
How to report it in SPRS
Reporting runs through PIEE, the Procurement Integrated Enterprise Environment, which is how you reach SPRS. You will need a CAGE code tied to your SSP.
The entry itself is short, because DoD wants the aggregate, not the detail. You submit the version of NIST 800-171 you assessed against, the date of the assessment, the CAGE code or codes covered, a brief description of your SSP architecture if you run more than one plan, the summary score, and the date you expect to reach 110. You do not submit the control-by-control breakdown, and you do not upload the SSP.
One distinction matters. A Basic Assessment, the self-assessment most firms do, is yours to enter. Medium and High Assessments are conducted by the government (DCMA's DIBCAC) and posted by them. Once your score is in, keep it current: it is valid for three years, with an annual affirmation.
Score honestly: the number is a legal statement
Submitting a score to SPRS is an affirmative declaration to the government. Knowingly reporting one you cannot support is a false statement, and it carries False Claims Act exposure. That is not theoretical. MORSE Corp settled a False Claims Act case for $4.6 million after reporting a score it could not substantiate.
So score to what you can evidence, keep the documentation behind every "Met," and remember the trade-off: a lower, honest number with a credible POA&M beats an inflated one that collapses the moment someone checks.
How to raise it
Because the weights are uneven, a few fixes move the number the most. Start with the 5-point controls: multifactor authentication on privileged and remote access, FIPS-validated encryption for CUI, and network boundary protection. Closing a handful of high-value gaps does more for your score than clearing a dozen 1-point ones, and it shuts the doors an attacker would try first.
Key Takeaways
Your SPRS score summarizes a NIST 800-171 DoD Assessment. DFARS 252.204-7019 requires a current one (three years or newer) before award.
It runs from -203 to +110. Start at 110 and subtract 1, 3, or 5 points per unmet control; the most critical carry 5.
No partial credit, except for multifactor authentication (3.5.3) and FIPS cryptography (3.13.11). Score only what you can evidence today.
Report through PIEE with your CAGE code, assessment date, aggregate score, and 110-target date; the aggregate only, never the detail.
The score is a legal declaration. False scores carry False Claims Act liability; one contractor settled for $4.6 million. Score honestly.
FAQ
What is a good SPRS score? A perfect score is 110. There is no universal minimum — contracting officers have discretion — but 88 is the threshold for CMMC conditional status, and primes vetting subcontractors often want to see 88 or higher. Negative scores draw scrutiny and have been used to disqualify offerors on competitive procurements.
Can my SPRS score be negative? Yes. The floor is -203. Because the weighted deductions across the 110 controls add up to more than 110, a company that has implemented little will land below zero. A negative score signals significant gaps, not automatic disqualification, but it puts you at a disadvantage.
How do I submit my SPRS score? Through PIEE, the Procurement Integrated Enterprise Environment, using a CAGE code tied to your System Security Plan. You enter the aggregate score, the NIST version assessed, the assessment date, your SSP architecture (if you have more than one plan), and the date you expect to reach 110. You submit the summary only, not the control-by-control results.
How often do I have to update my SPRS score? A score is valid for three years, and you affirm it annually. Update it whenever your security posture changes materially — for better or worse — so the number on file reflects reality at award and option time.
Is the SPRS score the same as a CMMC score? They use the same 110 controls and the same scoring methodology. During the CMMC rollout, the SPRS self-assessment (required by DFARS 252.204-7019 and -7020) and CMMC (required by 252.204-7021) run in parallel; meeting one does not retire the other.
Getting your SPRS score right once is the easy part. Keeping it right is the job. The methodology, the deadlines, and the clauses that reference your score all keep moving, and a number that was accurate last year can quietly cost you an award this one. Federal Cyber Brief tracks what's being bought, who can bid, and what's changing across federal IT and cyber contracting, and sends the parts that matter to your inbox each week. No noise. No filler.
Sources
DFARS 252.204-7019 and 252.204-7020 (acquisition.gov). Requirement for a current (≤3-year) NIST SP 800-171 DoD Assessment in SPRS before award; the exact submission fields — NIST version, assessing organization, CAGE code(s), SSP architecture description, summary-level score, and the date a score of 110 is expected; Basic (self) vs Medium/High (Government-posted) assessments.
NIST SP 800-171 DoD Assessment Methodology (Office of the Under Secretary of Defense for Acquisition & Sustainment). The weighted 1/3/5-point deductions from a 110 base; the -203 to +110 range; the graduated scoring for multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11); no partial credit otherwise.
NIST SP 800-171A Revision 2. The 320 assessment objectives behind the 110 controls.
32 CFR § 170.24 (eCFR). The CMMC Scoring Methodology, which mirrors the DoD Assessment Methodology weighting.
U.S. Department of Justice — MORSE Corp False Claims Act settlement ($4.6M). Illustrative enforcement action for a misrepresented cybersecurity/SPRS score.
