SPRS Scores Explained: How to Calculate, Submit, and Improve Yours

Before a C3PAO ever schedules your CMMC assessment — often before a prime will move you past the vendor-risk questionnaire — one number speaks for your security posture: your SPRS score. It is checked by contracting officers, requested by primes, and increasingly treated as a gating item for defense work. Yet it is a self-reported number with an unusual scale (yes, it really does run from -203 to +110) and a scoring method that surprises most contractors the first time they run it honestly.

This guide covers what SPRS is, who must have a score in it, how the scoring methodology works, how to calculate and submit yours, and — the part most contractors care about — how to raise it.

What Is SPRS?

SPRS — the Supplier Performance Risk System — is the Department of Defense's authoritative database for supplier risk information. Contracting officers use it to review a vendor's record before award. For cybersecurity purposes, it is the system of record for two things that matter to you: your NIST SP 800-171 self-assessment score, and — as the program rolls out — your CMMC assessment status, which is also posted to SPRS.

The score is the headline. It is a single number summarizing how fully you have implemented the 110 security requirements of NIST 800-171 — the standard that protects Controlled Unclassified Information on contractor systems.

Who Needs a Score in SPRS

The requirement flows from a trio of DFARS clauses. DFARS 252.204-7012 obligates you to safeguard covered defense information and report cyber incidents to DoD within 72 hours. DFARS 252.204-7019 and 7020 add the accountability layer: to be considered for award of contracts carrying these clauses, you must have a current NIST 800-171 self-assessment — generally no more than three years old — posted in SPRS, and you must allow the government to verify it.

In practice, that means nearly every contractor and subcontractor handling CUI on DoD work needs a current score on file. Primes flow the requirement down, and many now ask for your score during supplier onboarding — before you ever see a solicitation.

How the Scoring Methodology Works

The score comes from the DoD's NIST SP 800-171 Assessment Methodology, and the arithmetic is simple but unforgiving:

  • Start at 110 — one point of credit for each requirement, fully implemented.
  • Subtract a weighted penalty for every requirement not fully implemented. Most requirements cost 1 point, but the ones DoD considers most consequential cost 3 or 5 points each.
  • The floor is -203, the ceiling +110. Because penalties are weighted, an organization with little implemented can go deeply negative — the worst possible score is -203.

Two features of the methodology trip people up. First, partially implemented means not implemented — with a couple of defined exceptions that earn graduated deductions (multifactor authentication and encryption are the notable cases, where partial deployment reduces but does not eliminate the penalty). Second, "implemented" means implemented and demonstrable: if you could not show it to an assessor, you should not be crediting it to yourself.

A perfect 110 requires every requirement in place. It is achievable — our client RPS Defense scored a perfect 110/110 on its C3PAO-conducted CMMC Level 2 assessment with A-LIGN — but most first honest self-assessments land far lower, and negative first scores are common across the industry. That is not a crisis; it is a baseline to work from.

How to Calculate Your Score

  1. Start with your System Security Plan. The methodology presumes an SSP exists — an assessment cannot be completed without one. It defines the scope you are scoring.
  2. Assess each of the 110 requirements against the methodology's criteria, honestly: implemented, not implemented, or — where the methodology allows — partially credited.
  3. Tally the deductions using the official point values to produce your score.
  4. Document the gaps in a POA&M with dates — you will need a projected date for reaching full implementation when you submit.
  5. Record the metadata: assessment date, scope, and the SSP name and version the score applies to.

The most common self-scoring failure is optimism: crediting controls that are half-deployed, undocumented, or delegated to an IT provider no one has verified. Score yourself the way a stranger with audit experience would.

How to Submit Your Score

Self-assessment scores are entered into SPRS through PIEE, the Procurement Integrated Enterprise Environment. In outline: register for a PIEE account with the appropriate SPRS cyber-reporting role for your company's CAGE code, then enter the assessment — score, assessment date, scope, SSP name, and the planned date for reaching the full 110. Resubmit whenever your posture changes materially: an improving score on file is a story worth telling, and a stale one raises questions.

How to Improve Your Score

Raising an 800-171 score is a prioritization exercise:

  • Take the highest-weight items first. A handful of 5-point requirements — multifactor authentication and FIPS-validated encryption among the best known — carry the largest single deductions. Closing a few of them can move a score by double digits.
  • Shrink the scope the score applies to. Every requirement must be implemented everywhere in scope. Consolidating CUI into a secure enclave means fewer systems to bring into line — often the fastest structural path from a weak score to a strong one.
  • Convert "done but unprovable" into "done." Many contractors run real controls with no documentation behind them. Policies, configuration records, and evidence turn silent good practice into scoreable implementation.
  • Verify what your providers actually do. Requirements delegated to an MSP or cloud vendor still count against you if nobody can demonstrate them. Get the shared-responsibility picture in writing.

One caution, stated plainly: your SPRS score is a representation to the federal government, and misstating it carries real legal exposure, including under the False Claims Act. Accuracy is not a formality — and an honest low score with a credible plan is a far stronger position than an inflated high one.

SPRS and CMMC: How They Fit Together

The self-assessment score and CMMC certification are related but distinct. The SPRS score is your self-reported 800-171 posture under DFARS 7019 and 7020 — it exists today, contract by contract. CMMC 2.0 adds verification: Level 1 and a small subset of Level 2 contracts use annual self-assessments with affirmations, while most Level 2 contracts require a triennial C3PAO assessment — and those CMMC results are recorded in SPRS as well.

The practical takeaway: the work that fixes your SPRS score is the same work a C3PAO will eventually verify. There is one program to build, not two. If your score needs to climb before CMMC arrives in your contracts, our CMMC Level 2 compliance services turn the gap list into a plan.

How Essendis Helps

A CMMC readiness assessment from Essendis scores your environment against all 110 requirements and produces a SPRS number you can submit with confidence — plus a remediation roadmap prioritized by score impact. Our consultants are former Big Four auditors; our engineers build the environments that close the gaps; and the combination produced a perfect 110/110 A-LIGN (C3PAO) assessment for our client RPS Defense. Connect with an expert to find out where your score really stands.

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.