Before a C3PAO ever schedules your CMMC assessment — often before a prime will move you past the vendor-risk questionnaire — one number speaks for your security posture: your SPRS score. It is checked by contracting officers, requested by primes, and increasingly treated as a gating item for defense work. Yet it is a self-reported number with an unusual scale (yes, it really does run from -203 to +110) and a scoring method that surprises most contractors the first time they run it honestly.
This guide covers what SPRS is, who must have a score in it, how the scoring methodology works, how to calculate and submit yours, and — the part most contractors care about — how to raise it.
SPRS — the Supplier Performance Risk System — is the Department of Defense's authoritative database for supplier risk information. Contracting officers use it to review a vendor's record before award. For cybersecurity purposes, it is the system of record for two things that matter to you: your NIST SP 800-171 self-assessment score, and — as the program rolls out — your CMMC assessment status, which is also posted to SPRS.
The score is the headline. It is a single number summarizing how fully you have implemented the 110 security requirements of NIST 800-171 — the standard that protects Controlled Unclassified Information on contractor systems.
The requirement flows from a trio of DFARS clauses. DFARS 252.204-7012 obligates you to safeguard covered defense information and report cyber incidents to DoD within 72 hours. DFARS 252.204-7019 and 7020 add the accountability layer: to be considered for award of contracts carrying these clauses, you must have a current NIST 800-171 self-assessment — generally no more than three years old — posted in SPRS, and you must allow the government to verify it.
In practice, that means nearly every contractor and subcontractor handling CUI on DoD work needs a current score on file. Primes flow the requirement down, and many now ask for your score during supplier onboarding — before you ever see a solicitation.
The score comes from the DoD's NIST SP 800-171 Assessment Methodology, and the arithmetic is simple but unforgiving:
Two features of the methodology trip people up. First, partially implemented means not implemented — with a couple of defined exceptions that earn graduated deductions (multifactor authentication and encryption are the notable cases, where partial deployment reduces but does not eliminate the penalty). Second, "implemented" means implemented and demonstrable: if you could not show it to an assessor, you should not be crediting it to yourself.
A perfect 110 requires every requirement in place. It is achievable — our client RPS Defense scored a perfect 110/110 on its C3PAO-conducted CMMC Level 2 assessment with A-LIGN — but most first honest self-assessments land far lower, and negative first scores are common across the industry. That is not a crisis; it is a baseline to work from.
The most common self-scoring failure is optimism: crediting controls that are half-deployed, undocumented, or delegated to an IT provider no one has verified. Score yourself the way a stranger with audit experience would.
Self-assessment scores are entered into SPRS through PIEE, the Procurement Integrated Enterprise Environment. In outline: register for a PIEE account with the appropriate SPRS cyber-reporting role for your company's CAGE code, then enter the assessment — score, assessment date, scope, SSP name, and the planned date for reaching the full 110. Resubmit whenever your posture changes materially: an improving score on file is a story worth telling, and a stale one raises questions.
Raising an 800-171 score is a prioritization exercise:
One caution, stated plainly: your SPRS score is a representation to the federal government, and misstating it carries real legal exposure, including under the False Claims Act. Accuracy is not a formality — and an honest low score with a credible plan is a far stronger position than an inflated high one.
The self-assessment score and CMMC certification are related but distinct. The SPRS score is your self-reported 800-171 posture under DFARS 7019 and 7020 — it exists today, contract by contract. CMMC 2.0 adds verification: Level 1 and a small subset of Level 2 contracts use annual self-assessments with affirmations, while most Level 2 contracts require a triennial C3PAO assessment — and those CMMC results are recorded in SPRS as well.
The practical takeaway: the work that fixes your SPRS score is the same work a C3PAO will eventually verify. There is one program to build, not two. If your score needs to climb before CMMC arrives in your contracts, our CMMC Level 2 compliance services turn the gap list into a plan.
A CMMC readiness assessment from Essendis scores your environment against all 110 requirements and produces a SPRS number you can submit with confidence — plus a remediation roadmap prioritized by score impact. Our consultants are former Big Four auditors; our engineers build the environments that close the gaps; and the combination produced a perfect 110/110 A-LIGN (C3PAO) assessment for our client RPS Defense. Connect with an expert to find out where your score really stands.

