Your SPRS score is a self-calculated number from -203 to 110 that tells the Department of Defense how completely you have implemented the 110 NIST 800-171 security controls. You start at 110, subtract a weighted value (1, 3, or 5 points) for every control you have not fully implemented, and submit the result to the SPRS portal through PIEE. There is no partial credit — a control either counts or it does not.
This guide walks through the SPRS scoring methodology end-to-end: what an SPRS score is, why it matters for contracts, how the math works, a worked example for a 15-person machine shop, what counts as a good score, how to improve, and exactly how to submit through PIEE. It is written for non-technical owners and operators — not for cybersecurity professionals.
What Is an SPRS Score?
The SPRS score is a self-assessment number — ranging from -203 to 110 — that measures how thoroughly a contractor has implemented the 110 security controls in NIST Special Publication 800-171. It is calculated by the contractor, not the government, and submitted to the Supplier Performance Risk System through the Procurement Integrated Enterprise Environment (PIEE). Every DoD contracting officer can see it during source selection.
SPRS stands for Supplier Performance Risk System. It is the Department of Defense's database for tracking contractor risk indicators, including cybersecurity posture. Under DFARS clause 252.204-7019, any contractor handling Controlled Unclassified Information (CUI) is required to have a current NIST 800-171 self-assessment on file in SPRS before being eligible for award. Under 252.204-7020, prime contractors must verify that their subcontractors also have current scores on file.
The score itself is not a grade given to you by the government. It is something you calculate yourself, against your own environment, using the official DoD Assessment Methodology for NIST SP 800-171. The methodology is publicly published — the government's expectation is that you read it, run the math honestly, and submit a truthful result.
That last word matters. A truthful low score is a compliance posture problem you can fix. A false high score is a False Claims Act problem you may not be able to.
For background on how SPRS scoring connects to the broader CMMC program, see our complete guide to CMMC Level 2 compliance.
Why Your SPRS Score Matters
Your SPRS score affects whether you win contracts. Contracting officers see it during source selection, prime contractors check it before issuing subcontract awards, and CMMC Level 2 certification is built directly on top of it. A missing or outdated score can disqualify your bid; an inflated one can trigger False Claims Act liability. For most DoD contractors handling CUI, the SPRS score is the single most visible signal of cybersecurity maturity.
A few specific reasons the number matters more than most contractors realize:
- Source selection visibility. Every DoD contracting officer can pull your SPRS score from the system. Many use it as a tiebreaker or a risk gate during source selection, even when it is not formally weighted in the solicitation.
- Prime contractor flow-down. Under DFARS 252.204-7020, prime contractors must verify subcontractor SPRS scores before flowing CUI down the supply chain. A weak or missing score can cost you a subcontract that would otherwise be yours.
- CMMC Level 2 foundation. CMMC Level 2 is built on the same 110 NIST 800-171 controls. The minimum SPRS score for CMMC Level 2 Conditional certification is 88. Below 88 results in "No CMMC Status" — meaning you cannot achieve even conditional certification when an assessment is conducted.
- False Claims Act exposure. The Department of Justice has stated that materially false cybersecurity self-attestations made to win contracts can trigger False Claims Act liability, with treble damages and per-claim civil fines. Several enforcement actions are already underway against contractors who submitted inflated SPRS scores.
- Three-year refresh requirement. Assessments must be updated at least every three years, or sooner when your security posture changes materially. A stale score is treated like no score in many source-selection contexts.
The takeaway is simple. The score is not a paperwork artifact — it is a competitive signal, a legal commitment, and the foundation for everything that comes next in CMMC.
The SPRS Scoring Methodology Explained
The SPRS scoring methodology is published by the Department of Defense as the NIST SP 800-171 DoD Assessment Methodology. It is publicly available and approximately as simple as compliance math ever gets:
- You start with a perfect score of 110.
- For every one of the 110 NIST 800-171 controls that is Not Fully Implemented, you subtract the control's weighted point value.
- There is no partial credit. A control is either Met (no deduction) or Not Met (full deduction).
- The minimum possible score is -203 — what you get if every control is Not Met and every weighted deduction stacks up.
Each control carries one of three weighted values — 1, 3, or 5 points — based on its security impact. A failed multi-factor authentication control costs five times more than a failed system-use-notification control. This is by design: the methodology pushes contractors to prioritize controls with the highest security value, not just the easiest ones to close.
| Weight | Security Impact | Approx. Controls | Examples |
|---|---|---|---|
| 5 points | High — critical security functions | ~24 controls | Multi-factor authentication, encrypted CUI transmission, incident response, audit logging |
| 3 points | Medium — significant security impact | ~58 controls | Access control policies, security training, media protection, physical access |
| 1 point | Low — supporting security posture | ~28 controls | System use notifications, session timeouts, information system backup |
A few practical implications fall out of this design.
First, not all gaps cost the same. Failing a single 5-point control hurts your score as much as failing five separate 1-point controls. When you are deciding what to fix first, weight matters as much as effort.
Second, "we're working on it" is Not Met. The methodology is binary. A control halfway implemented receives the full deduction. The remediation belongs in your Plan of Action and Milestones (POA&M), not in your score.
Third, the floor is genuinely negative. A small contractor who has never done formal compliance work — no SSP, no MFA, no audit logging, no incident response — can easily land below zero on a first honest assessment. That is not unusual and it is not a disaster. It is a starting point.
The NIST SP 800-171 DoD Assessment Methodology is published by the Office of the Under Secretary of Defense (Acquisition and Sustainment). Download it from the Defense Pricing and Contracting (DPC) website. It contains the authoritative point values for all 110 controls — and it is what your assessor will use, so it is what you should use too.
Step-by-Step: How to Calculate Your SPRS Score
Calculating the score is mechanical once you have the inputs. The actual work is in the inputs themselves — an honest assessment of where you stand against every one of the 110 controls. The process below is the one the methodology assumes.
Step 1 — Get the official documents
Download two documents before you do anything else:
- NIST SP 800-171 Revision 2 — the 110 security requirements themselves. Available from csrc.nist.gov. (Note: NIST 800-171 Revision 3 is the newer standard with 97 controls, but SPRS scoring is currently still based on Revision 2's 110 controls. Use Revision 2 for the SPRS calculation.)
- DoD Assessment Methodology — the document that assigns the 1, 3, or 5-point weight to each of the 110 controls. Available from the Defense Pricing and Contracting (DPC) website.
You cannot do a defensible SPRS calculation without both documents. The first tells you what to assess; the second tells you how to score it.
Step 2 — Develop your System Security Plan (SSP)
Your System Security Plan documents how your organization meets each of the 110 requirements: which systems are in scope, where CUI lives, who has access, what controls you have implemented, and your Organization-Defined Parameters (log retention periods, password complexity, account review frequency, and so on).
The DoD Assessment Methodology is explicit on this point: the assessment is built around reviewing the SSP. An assessment performed without an SSP is incomplete. The methodology actually calls out the case where no SSP exists — the result is a finding that the assessment could not be completed due to incomplete information. In practical terms, no SSP means no valid score.
If you do not yet have an SSP, write one before you submit a score. A draft SSP based on what you actually do today is better than no SSP at all.
Step 3 — Assess each control honestly
Go through all 110 controls, one at a time, against your real environment. For each one, ask a single question: is this control fully implemented across every system in scope, every user, every endpoint?
- If yes → Met. No deduction.
- If no → Not Met. Deduct the full weighted value (1, 3, or 5).
There is no "mostly" and no "we're rolling it out." MFA enforced on email but not on the file server is Not Met for the relevant authentication controls. Audit logging configured on the firewall but not on workstations is Not Met. The methodology is unforgiving on this point by design, because partial implementation is what attackers exploit.
Document your reasoning as you go. For every Not Met finding, note what is missing and why. That documentation becomes the seed of your POA&M and the basis of your assessor walkthrough later.
Step 4 — Do the math
The math itself is mechanical:
- Start at 110.
- For each Not Met control, subtract its weighted value (1, 3, or 5).
- Sum the deductions.
- Score = 110 − total deductions.
The deductions cannot exceed 313, the combined weight of all 110 controls; that worst case, every control Not Met, is the -203 floor. In practice, real contractors land between -50 and 110: the floor exists, but very few organizations are close to it.
Step 5 — Create a POA&M for every gap
A Plan of Action and Milestones (POA&M) documents every Not Met control, the gap, the remediation approach, the owner, the target date, and the estimated cost. POA&M items still reduce your score — having a plan does not give you the points back — but a credible POA&M signals to contracting officers that you have a path to compliance.
A low score without a POA&M reads as ignorance or indifference. A low score with a credible POA&M reads as work in progress. Both are visible to contracting officers; only one is survivable in source selection.
For CMMC Level 2 Conditional certification, POA&M items have hard time limits: controls must move from Not Met to Met within 180 days of the conditional certification. The clock starts at certification, not at submission.
Step 6 — Submit to SPRS via PIEE
Once you have a score and an SSP, submit through the PIEE portal. The full submission flow is covered later in this article. Important: the assessment date in SPRS is the date you completed the assessment — not the date you entered it into the portal. A senior company official (owner, executive, or other authorized individual) must affirm the submission.
A Worked Example: Smith Manufacturing
Numbers are easier to internalize when they belong to someone. Below is a realistic worked example for a small contractor that has never done a formal NIST 800-171 assessment.
The company. Smith Manufacturing is a 15-person machine shop that does precision parts for a Tier-1 defense prime. Their contract includes DFARS 252.204-7012 — meaning they handle CUI (technical drawings) — but they have never run a formal compliance assessment.
Their current environment. Local server, twelve Windows workstations, Microsoft 365 Business Standard, a managed firewall, and antivirus on every endpoint. No formal security policies. No incident response plan. No documented security awareness training. No audit logging beyond Windows defaults. Some shared admin passwords on legacy systems. A locked server room. The IT manager handles everything cybersecurity-related as one of many hats.
Walking through example controls.
- AC.L2-3.1.1 (Authorized Access Control) — Every user has their own login. Met. No deduction.
- IA.L2-3.5.3 (Multi-Factor Authentication) — MFA is not enabled anywhere. Not Met. −5 points.
- AU.L2-3.3.1 (System Auditing) — No centralized audit logging configured. Not Met. −5 points.
- IR.L2-3.6.1 (Incident Handling) — No incident response plan exists. Not Met. −5 points.
- AT.L2-3.2.1 (Security Awareness Training) — No security training program has ever run. Not Met. −3 points.
- SC.L2-3.13.11 (CUI Encryption in Transit) — Email runs through Microsoft 365 with TLS enforced. Met. No deduction.
- PE.L2-3.10.1 (Physical Access) — Server room is locked, only the IT manager has a key. Met. No deduction.
- MP.L2-3.8.1 (Media Protection) — No media protection policy. Not Met. −3 points.
The full tally. When Smith works through all 110 controls honestly, they end up with 47 controls Not Met, broken down as roughly nine 5-point controls (−45), fifteen 3-point controls (−45), and twenty-three 1-point controls (−23). The arithmetic is messy in practice but the result is the same shape every time.
Total deductions: 45 + 45 + 23 = 113.
That puts the score below zero: 110 − 113 = −3.
That is a typical finding for a small contractor on a first honest assessment with no prior compliance work. The high-impact gaps — MFA, audit logging, incident response, training, media protection, SSP — drag the score below the starting line because the 5-point and 3-point deductions accumulate quickly. A score in this range is not a disaster. It is what "no prior compliance work" actually looks like in numbers, and it tells Smith exactly where to start: close the 5-point gaps first.
What this means for Smith. They have approximately six months until Phase 2 CMMC enforcement (November 2026). With focused effort on MFA, centralized logging, an incident response plan, and a written SSP, Smith can realistically move from -3 into the 50–70 range within ninety days, and from there toward the 88 threshold for CMMC Level 2 Conditional certification within six to nine months. The work is real, but the path is well-trodden.
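The Step 4 arithmetic and the Smith Manufacturing tally, as an added example (not the DoD Assessment Methodology tool or anything from SPRS): it enforces the binary Met/Not Met rule, tallies deductions per weight tier, and works out how many gaps, heaviest first, Smith must close to reach 88. The weights of the three Met sample controls are assumptions, since the article does not state them and a Met control deducts nothing anyway.

```python
"""SPRS self-assessment calculator: an added example for this article, not the
DoD Assessment Methodology tool or SPRS itself. Weights of the three Met sample
controls are assumptions; a Met control deducts nothing, so they do not matter."""
from dataclasses import dataclass

START_SCORE = 110           # perfect score: all 110 controls Met
FLOOR_SCORE = -203          # every control Not Met
CONDITIONAL_THRESHOLD = 88  # minimum for CMMC Level 2 Conditional
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Control:
    control_id: str
    weight: int
    status: str  # exactly "Met" or "Not Met"; there is no partial credit


def validate(controls):
    """Reject what the methodology does not allow: a weight other than
    1, 3 or 5, or a status such as 'Partial' that would claim credit."""
    for c in controls:
        if c.weight not in VALID_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight must be 1, 3 or 5")
        if c.status not in ("Met", "Not Met"):
            raise ValueError(f"{c.control_id}: status {c.status!r}; a partly "
                             "implemented control is Not Met and goes in the POA&M")


def deductions_by_weight(controls):
    """Points lost per weight tier, e.g. {1: 0, 3: 6, 5: 15}."""
    totals = {1: 0, 3: 0, 5: 0}
    for c in controls:
        if c.status == "Not Met":
            totals[c.weight] += c.weight
    return totals


def sprs_score(controls):
    """110 minus the full weighted value of every Not Met control."""
    validate(controls)
    score = START_SCORE - sum(deductions_by_weight(controls).values())
    if score < FLOOR_SCORE:
        raise ValueError("more than 313 points deducted; the control list is wrong")
    return score


def placeholder_controls(not_met_counts):
    """Build a Not Met list from per-weight counts, e.g. {5: 9, 3: 15, 1: 23},
    for tallies where only the counts are known (constructed placeholder IDs)."""
    return [Control(f"GAP-{w}pt-{i}", w, "Not Met")
            for w, n in not_met_counts.items() for i in range(1, n + 1)]


def remediation_order(controls, target=CONDITIONAL_THRESHOLD):
    """Close the heaviest gaps first and stop once the target is reached.
    Returns (control IDs to close, in order; score reached)."""
    gaps = sorted((c for c in controls if c.status == "Not Met"),
                  key=lambda c: -c.weight)
    score, plan = sprs_score(controls), []
    for c in gaps:
        if score >= target:
            break
        plan.append(c.control_id)
        score += c.weight
    return plan, score


# Constructed sample: the eight Smith Manufacturing controls walked through above.
SMITH_SAMPLE = [
    Control("AC.L2-3.1.1", 5, "Met"),      # weight assumed; Met deducts nothing
    Control("IA.L2-3.5.3", 5, "Not Met"),
    Control("AU.L2-3.3.1", 5, "Not Met"),
    Control("IR.L2-3.6.1", 5, "Not Met"),
    Control("AT.L2-3.2.1", 3, "Not Met"),
    Control("SC.L2-3.13.11", 5, "Met"),    # weight assumed
    Control("PE.L2-3.10.1", 5, "Met"),     # weight assumed
    Control("MP.L2-3.8.1", 3, "Not Met"),
]

# Smith's full tally from the article: 9 five-point, 15 three-point, 23 one-point gaps.
SMITH_FULL_TALLY = placeholder_controls({5: 9, 3: 15, 1: 23})
```

Running `remediation_order(SMITH_FULL_TALLY)` shows that Smith reaches 88 only after closing every 5-point and 3-point gap plus one 1-point gap, which is why the weight-first order matters.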
What Is a Good SPRS Score?
A score of 110 is the only score the DoD considers truly acceptable long-term. An 88 is the minimum threshold for CMMC Level 2 Conditional certification. Below 88, you receive No CMMC Status. Most small contractors land between 30 and 70 on a first honest assessment, and reaching 88 is achievable inside six to twelve months of focused work for most environments.
| Score Range | What It Means | CMMC Implication |
|---|---|---|
| 110 | Perfect — all 110 controls fully implemented | Full CMMC Level 2 certification eligible |
| 88–109 | Strong — most controls met, minor gaps remain | CMMC Level 2 Conditional possible; gaps must close via POA&M within 180 days |
| 50–87 | Moderate — significant gaps, foundation exists | Not eligible for Level 2 certification yet. Substantial remediation required. |
| 0–49 | Weak — major gaps across multiple control families | Extensive remediation required. Prioritize 5-point controls first. |
| Below 0 | Critical — more weighted controls failed than passed | Start with the basics: SSP, MFA, audit logging, access controls. Consider outside help. |
A few nuances worth understanding.
88 is a gate, not a goal. For CMMC Level 2 Conditional certification, you need a score of at least 88 and a credible POA&M closing the remaining gaps within 180 days. Below 88 results in "No CMMC Status" — meaning the assessor cannot even issue a Conditional. The cliff at 88 is genuinely sharp.
88 is increasingly not enough to win bids. Some prime contractors are now reading SPRS scores below 95 as "not ready," even when the score is technically above the 88 conditional floor. The market is moving faster than the regulatory floor.
Below zero is more common than you might think. A small contractor with no prior compliance investment routinely lands in the -30 to +20 range on a first honest assessment, because high-impact 5-point controls (MFA, encryption, audit logging, incident response) are exactly the controls small shops most often skip. A negative score is a starting point, not a verdict.
How to Improve Your SPRS Score
The fastest way to raise an SPRS score is to fix high-weight controls first. Closing a single 5-point control adds 5 points to your score; closing five separate 1-point controls also adds 5 points but typically takes much more total effort. The prioritization framework below is the one most experienced consultants use, and it produces the steepest score curve per dollar spent.
The priority order:
- 5-point controls first. Multi-factor authentication, audit logging, incident response, encrypted CUI transmission, configuration management baselines, vulnerability management. Each closed gap adds 5 points.
- 3-point controls next. Security awareness training, access control policies, media protection, physical access controls, personnel screening, security planning.
- 1-point controls last. System use notifications, session timeouts, backup verification, supporting administrative controls.
- Controls that satisfy multiple families. Implementing MFA touches Access Control, Identification and Authentication, and indirectly Audit and Accountability. A single well-designed control change can close multiple gaps.
Common high-impact improvements small contractors can typically make within ninety days:
- Implement MFA everywhere CUI is touched. Most contractors gain back at least 5 points immediately. Microsoft 365 Business Premium includes MFA at no incremental cost.
- Stand up centralized audit logging. Microsoft Sentinel, Azure Log Analytics, or a managed SIEM solves the bulk of the audit family. +5 points.
- Write and tabletop-test an incident response plan. A four-page plan plus one tabletop exercise satisfies the core IR controls. +5 points.
- Create or update the System Security Plan. Required for a valid assessment in the first place. Without it, your score has no defensible basis.
- Roll out a security awareness training program. Annual training plus role-based training for privileged users. +3 points.
- Write the missing policies. Access control, media protection, personnel security, configuration management. Templates from Project Spectrum and APEX Accelerators are a reasonable starting point. +3 each.
For a deeper look at what each of these changes typically costs, see our CMMC compliance cost breakdown.
How to Submit Your Score to SPRS via PIEE
Submission happens entirely through the Procurement Integrated Enterprise Environment (PIEE) portal at piee.eb.mil. The flow has a handful of steps and one administrative bottleneck — getting the right role provisioned — that most first-time submitters underestimate.
The full process:
- Go to piee.eb.mil. Click "New User" if you have never registered.
- Register an account. Choose "Vendor" as your user type. Accept the terms. Choose your authentication method — Common Access Card (CAC) if you have one, or User ID/Password if not. Provide your CAGE code during registration.
- Request the SPRS Cyber Vendor User role. Inside PIEE, navigate to your profile and request the "SPRS Cyber Vendor User" role. This is the role required to enter NIST 800-171 assessment scores. Without it, you can log in but you cannot submit.
- Wait for approval. Your role request is reviewed by your organization's Contractor Account Administrator (CAM) and the SPRS program office. Approval typically takes several business days. If your organization does not yet have a CAM, you will be prompted to designate one.
- Log in to PIEE. Once approved, log in and select the SPRS tile from your dashboard.
- Open the NIST SP 800-171 Assessment module. Inside SPRS, select "NIST SP 800-171 Assessment" from the menu.
- Add a new assessment. Click "Add New Assessment" to begin a fresh submission.
- Enter the required fields. Provide:
  - CAGE code (or codes if multiple are in scope)
  - Assessment date — the date you completed the assessment, not the submission date
  - Score — your calculated SPRS value from -203 to 110
  - Assessment scope — the systems and locations covered
  - System Security Plan information — name, version, and date of the SSP this score is based on
  - POA&M completion date — the target date by which all open POA&M items will be closed
  - Confidence level — basic, medium, or high (most self-assessments are "basic")
- Have a senior official affirm the submission. Owner, executive, or other authorized individual signs off. The affirmation is what makes the submission legally binding under DFARS 252.204-7019.
- Submit. The score is now visible to DoD contracting officers and to any prime contractor with appropriate permissions.
A few practical notes that save time.
The assessment date field trips up nearly every first-time submitter. SPRS asks for the date you finished the assessment, even if you are entering the number days or weeks later. Backdating to the actual completion date is correct; entering today's date when the assessment was last quarter is not.
Submit under the right CAGE code. If your company has multiple CAGE codes — one per location, one per business unit — the assessment scope and CAGE code must line up. A score submitted under the wrong CAGE will not flow correctly into contract source selection.
You do not upload the SSP itself to SPRS. SPRS records the SSP name, version, and date. The full SSP stays in your records and is shown to the assessor during a C3PAO engagement.
Email fallback exists. If your organization cannot create a PIEE account — usually because of CAGE code issues — you can submit your score and supporting information via encrypted email to webptsmh@navy.mil. This is a manual path and slower than the portal, but it exists.
Assessments must be refreshed at least every three years. Material changes to your environment, scope, or control posture should trigger a fresh assessment sooner. A stale score is treated like no score in many source-selection contexts.
Common SPRS Mistakes to Avoid
A small number of mistakes account for most failed or challenged SPRS submissions. They are easy to avoid once you know what they look like.
Inflating your score. The most consequential mistake. Submitting a 95 when your honest assessment is 47 is not a paperwork shortcut — it is a False Claims Act exposure. The Department of Justice has stated that materially false cybersecurity self-attestations made to win or maintain contracts can trigger FCA liability, with treble damages and per-claim civil fines. The lower number is always safer than the higher one.
Claiming partial credit. The methodology is binary. "We're 80 percent of the way there" on a control equals Not Met for scoring purposes. Partial implementation belongs in your POA&M, not in your score.
Submitting without an SSP. SPRS will let you enter a number, but the methodology assumes the assessment was performed against a System Security Plan. An assessment without an SSP is incomplete and can be challenged during a C3PAO engagement or by a contracting officer.
Using outdated information. Your SPRS score is supposed to reflect your current security posture. If you implemented MFA last month, your score should rise. If you decommissioned the audit logging system, your score should fall. A score from three years ago that has not been refreshed is a stale score, and many contracting officers treat stale scores like missing scores.
Confusing the assessment date with the submission date. The assessment date is when you completed the work. The submission date is when you entered it into PIEE. The two are rarely the same and SPRS specifically asks for the former.
Submitting under the wrong CAGE code. Multi-CAGE organizations regularly submit scores under a parent CAGE when the contract scope ties to a subsidiary CAGE. The fix is straightforward — match the CAGE to the assessment scope — but it requires deliberate attention before the senior official signs the affirmation.
Not maintaining a POA&M. A low score without a Plan of Action and Milestones reads as "we have no path forward." A low score with a credible POA&M reads as "work in progress." The presence of a POA&M does not raise your score, but it changes the meaning of the score to anyone reading it.
The CMMCGap assessment produces an estimated SPRS score range based on your responses. It is designed to help you understand where you stand and what to prioritize — not to be uploaded directly to SPRS without independent review. Your official SPRS submission should be backed by a System Security Plan, control-by-control evidence, and a senior official's affirmation. Treat the CMMCGap output as a high-quality directional estimate, not a certified assessment.
Where to go from here
The honest first step in CMMC compliance is knowing your SPRS score. Not estimating it, not guessing it, not assuming it is fine because nothing has gone wrong yet — actually calculating it against the 110 NIST 800-171 controls, with a System Security Plan behind the number and a POA&M for the gaps.
You can do that work the long way — printing the methodology, building a spreadsheet, walking through each of the 110 controls — or you can run a self-serve assessment that does the structuring for you. Either way, the cheapest and fastest path is to start with the gap, not the spend.
The free CMMCGap Quick Scan gives you an estimated SPRS score range in three minutes from seven targeted questions. The free full assessment covers all 110 NIST 800-171 controls in about twenty minutes and produces a more detailed estimate with prioritized gaps. Both are no credit card, no sales call, no consultants — and both run before you provide an email.
The free 7-question Quick Scan produces an estimated SPRS score range and your top gaps. Run it before you talk to a consultant — and again after you have made changes.