SPRS Score Explained: How to Calculate, Submit, and Improve It
By Fortwise Team
Before any assessor visits and before any contract is awarded, the Department of Defense can look up one number about your cybersecurity: your SPRS score. Since CMMC Phase 1 took effect in November 2025, that number — and the annual affirmation that vouches for it — is a contractual representation with real legal weight. Here's how it works and how to make yours defensible.
What is a SPRS score?
SPRS — the Supplier Performance Risk System — is the DoD database where contractors report the result of their NIST SP 800-171 self-assessment, scored using the DoD Assessment Methodology. The scale runs from a perfect 110 down to –203. Every contractor handling CUI under DFARS 252.204-7012 is required to have a current score on file, and contracting officers check it.
How is the SPRS score calculated?
You start at 110 — one point of credit for each NIST 800-171 requirement — and subtract a weighted penalty for every requirement you haven't fully implemented:
- 5-point deductions — the requirements DoD considers most critical, including multifactor authentication (3.5.3) and FIPS-validated encryption of CUI (3.13.11, partial credit possible).
- 3-point deductions — a middle tier of requirements with significant security impact.
- 1-point deductions — everything else, largely documentation and process requirements.
The weighting is why two contractors with the same number of gaps can have wildly different scores. Miss ten one-pointers and you're at 100; miss ten five-pointers and you're at 60. A handful of unimplemented high-weight controls — MFA, encryption, system boundaries — can put an otherwise solid shop underwater.
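The weighting rule above, as an added worked example (not the article's or Fortwise's code, and not the official SPRS calculator): start at 110, deduct 5, 3 or 1 per open requirement, grant partial credit only where the methodology allows it (the article names 3.13.11), treat "partially implemented" as not implemented everywhere else, and list the open items largest deduction first. Only the 3.5.3 and 3.13.11 weights come from the article; the weights assigned to 3.1.1, 3.4.1 and 3.12.1 are illustrative placeholders, not their real DoD weights.

```python
# Constructed SPRS scoring example written for this article; not Fortwise's
# tool or the official DoD calculator. Requirement IDs other than 3.5.3 and
# 3.13.11 carry PLACEHOLDER weights, not the real DoD weight table.
MAX_SCORE = 110         # one point of credit per NIST SP 800-171 requirement
CONDITIONAL_LINE = 0.8  # the 80% line the article cites for conditional status
WEIGHTS = {             # deduction per requirement: the 5 / 3 / 1 tiers
    "3.5.3": 5,    # multifactor authentication (from the article)
    "3.13.11": 5,  # FIPS-validated encryption of CUI (from the article)
    "3.1.1": 5,    # placeholder five-pointer
    "3.4.1": 3,    # placeholder three-pointer
    "3.12.1": 1,   # placeholder one-pointer
}
# Requirements where partial implementation earns partial credit; the
# article names 3.13.11 (encryption in place but not FIPS-validated).
PARTIAL_DEDUCTION = {"3.13.11": 3}
VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def sprs_score(results, weights=WEIGHTS, partial=PARTIAL_DEDUCTION):
    """Score a self-assessment given {requirement_id: status}.

    Returns (score, open_items); open_items is [(id, deduction), ...] sorted
    largest deduction first, i.e. the order in which to work the POA&M.
    """
    if set(results) != set(weights):
        raise ValueError("results must cover exactly the weighted requirements")
    score, open_items = MAX_SCORE, []
    for req, status in results.items():
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: unknown status {status!r}")
        if status == "implemented":
            continue
        # "Partially implemented" counts as not implemented unless the
        # methodology grants partial credit for that specific requirement.
        deduction = partial[req] if status == "partial" and req in partial else weights[req]
        score -= deduction
        open_items.append((req, deduction))
    open_items.sort(key=lambda item: (-item[1], item[0]))
    return score, open_items


def meets_conditional_line(score):
    """True when the score clears 80% of the 110-point maximum, i.e. 88."""
    return score >= CONDITIONAL_LINE * MAX_SCORE


# Constructed sample: MFA missing, encryption present but not FIPS-validated,
# one placeholder one-pointer only partially done -> 110 - 5 - 3 - 1 = 101.
SAMPLE = {"3.5.3": "not_implemented", "3.13.11": "partial",
          "3.1.1": "implemented", "3.4.1": "implemented", "3.12.1": "partial"}
```

Running `sprs_score(SAMPLE)` returns 101 with 3.5.3 at the top of the open list, which is the article's point: one missing five-pointer costs more than several policy gaps.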
What is a good SPRS score?
110 is the goal, because it means full implementation — and it's the posture a C3PAO will eventually test against. Anything below 110 must be paired with plan-of-action dates for the open items. There's no published "passing" threshold for self-assessments, but the number is visible to contracting officers, and under CMMC's conditional-certification rules the meaningful line at assessment time is 80% — with only POA&M-eligible controls allowed to remain open.
Can a wrong SPRS score get you in trouble?
Yes — this is the part contractors underestimate. A SPRS score is a representation to the government, and the Department of Justice's Civil Cyber-Fraud Initiative has pursued False Claims Act cases over misrepresented cybersecurity compliance; in one widely reported 2025 settlement, a contractor paid roughly half a million dollars over claims tied to its cybersecurity representations. CMMC's annual affirmations raise the stakes further: a knowingly inflated score isn't a paperwork error, it's potential fraud. An honest 75 with a credible plan is safer than a fictional 110.
How do you improve your score quickly?
- Knock out the five-pointers first — MFA and encryption projects move the number more than a dozen policy fixes.
- Score against the assessment objectives in NIST 800-171A, not the one-line requirement — "partially implemented" counts as not implemented.
- Document as you fix — an implemented control you can't evidence will not survive a C3PAO's review, whatever your self-score says.
- Resubmit promptly when your posture improves — a stale low score can sit in front of contracting officers for months after you've fixed the gaps.
If you're not confident your current score would survive scrutiny — or you're not sure how it was derived — a readiness assessment rebuilds it control by control, against the same objectives an assessor will use, and gives you a defensible number with the evidence to back it.
