What is an SPRS score?
SPRS stands for Supplier Performance Risk System — a DoD database where defense contractors submit their cybersecurity self-assessment scores. When a contracting officer evaluates whether to award you a contract that involves Controlled Unclassified Information (CUI), they look up your SPRS score as part of that review.
The score itself reflects how completely you've implemented the 110 security controls in NIST SP 800-171, the cybersecurity standard that underpins CMMC Level 2. Every defense contractor handling CUI is required to have a current score on file — and under CMMC 2.0, that requirement has teeth.
Why it matters right now: The final DFARS rule took effect November 10, 2025. CMMC requirements are now appearing in DoD solicitations. Contracting officers are checking SPRS scores before contract awards. If your score is missing, stale, or low — you are losing contracts to competitors who've done the work.
Critical warning: Submitting a falsely inflated SPRS score is a federal False Claims Act violation. The Act provides for treble damages (three times the government's loss) plus a civil penalty for each false claim. The DoJ recovered nearly $7 billion in False Claims Act settlements in 2025, with cybersecurity compliance explicitly named as an enforcement priority. Submit your actual score, then fix the gaps.
How the SPRS score is calculated
The methodology is straightforward. You start at 110 points, one for each of the 110 NIST SP 800-171 requirements. For every requirement that is not fully implemented, you subtract the point value assigned to it by the NIST SP 800-171 DoD Assessment Methodology. Each requirement is weighted 1, 3, or 5 points. Two requirements carry partial credit: 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography) lose 3 points instead of 5 when partially implemented. Every other requirement is all or nothing; a partially implemented 5-point requirement still costs 5.
Minimum: well below zero (no requirements implemented): 110 minus the sum of all 110 weights in Annex A of the methodology
POA&M eligibility threshold: 88
A score of 110 means every requirement is fully implemented. A score of 88 means you have gaps totaling 22 points, the floor below which CMMC 2.0 no longer lets you proceed conditionally with a Plan of Action and Milestones. The total is not the only gate: conditional Level 2 status also requires that every open item on the POA&M be a 1-point requirement (3.13.11 may remain open only if it is scored at 3), so 3- and 5-point gaps must be closed before the assessment regardless of your total. A negative score means a large number of fundamental controls are missing.
The point values are published in Annex A of the DoD Assessment Methodology document (available at acq.osd.mil), one row per requirement. Requirements weighted at 5 points are the ones whose absence creates the most significant exposure; missing one of them costs five times as much as missing a 1-point requirement.
NIST SP 800-171 domains and their weight
The 110 controls are organized across 14 domains. The domains with the most controls — and the highest cumulative point exposure — are where most organizations have the biggest gaps and the most room to improve quickly.
| Domain | Controls | Max Points at Risk | Common Gap? |
|---|---|---|---|
| Access Control (AC) | 22 controls | ~40 pts | Very common |
| Configuration Management (CM) | 9 controls | ~25 pts | Very common |
| System & Communications Protection (SC) | 16 controls | ~22 pts | Common |
| Audit & Accountability (AU) | 9 controls | ~18 pts | Common |
| Incident Response (IR) | 3 controls | ~15 pts | Very common |
| Risk Assessment (RA) | 3 controls | ~12 pts | Common |
| System & Information Integrity (SI) | 7 controls | ~12 pts | Moderate |
| Identification & Authentication (IA) | 11 controls | ~12 pts | Common |
| Media Protection (MP) | 9 controls | ~10 pts | Moderate |
| Security Assessment (CA) | 4 controls | ~10 pts | Very common |
| Personnel Security (PS) | 2 controls | ~4 pts | Low |
| Physical Protection (PE) | 6 controls | ~6 pts | Low |
| Awareness & Training (AT) | 3 controls | ~4 pts | Moderate |
| Maintenance (MA) | 6 controls | ~6 pts | Low |
What your score actually means
SPRS score ranges — what they mean for your contracts
Where most companies actually stand
The industry average SPRS score across the Defense Industrial Base is approximately 60 — well below the 88 threshold needed for POA&M eligibility, and 50 points below the maximum. Only about 1% of DIB organizations consider themselves fully prepared for CMMC assessments.
This isn't a fringe problem. Most defense contractors have been operating on the honor system under self-attestation for years, with no external verification of their scores. CMMC changes that — C3PAO assessors will now verify that your submitted score matches your actual control implementation.
The gap between submitted scores and reality is where enforcement risk lives. Organizations that submitted inflated scores under self-attestation and haven't updated them are now exposed. A C3PAO assessment that finds your actual score is 40 points below what you submitted — filed months before a contract award — is exactly the kind of discrepancy the DoJ's False Claims Act enforcement is targeting.
Highest-value quick wins by domain
If you need to move your score quickly, focus on the controls with the highest point values first. These give you the most score improvement per unit of effort.
- Multi-factor authentication (3.5.3), 5 pts, low effort: Require MFA for local and network access to privileged accounts and for network access to non-privileged accounts on CUI systems. Most organizations have MFA for some accounts; the usual gap is non-privileged users or remote access. This requirement carries partial credit: MFA in place for remote and privileged access but not for general users is scored as a 3-point gap rather than 5.
- System baseline configuration (3.4.1), 5 pts, low effort: Establish, document, and maintain baseline configurations and inventories for the systems that process CUI. This is often missing entirely, not because the configurations don't exist but because they have never been formally documented.
- Incident response plan (3.6.1), 5 pts, low effort: Establish an operational incident response capability: a documented plan, trained personnel, and a tested process covering preparation, detection, analysis, containment, recovery, and user response. Many small contractors have no formal IR plan at all, which makes this a high-value gap to close.
- FIPS-validated encryption of CUI (3.13.11), 5 pts, low effort: Protect the confidentiality of CUI with FIPS-validated cryptography, meaning a cryptographic module that appears on the CMVP list under FIPS 140-2 or FIPS 140-3. Disk encryption is the usual implementation: BitLocker on Windows, FileVault on macOS. The caveat practitioners miss is that validation attaches to the cryptographic module, not to the product name, so confirm the module certificate for the OS build you run and, on Windows, that the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy is enabled. Encryption that is in place but not FIPS-validated is scored as a 3-point gap instead of 5. Protecting CUI at rest in general is a separate 1-point requirement (3.13.16).
- Configuration change control (3.4.3), 5 pts, low effort: Track, review, approve or disapprove, and log changes to CUI systems: change requests, impact analysis, approval, implementation, and a record of each change. The process usually exists informally; formalizing and documenting it is the gap.
- Security assessment (3.12.1), 5 pts, medium effort: Periodically assess your security controls to verify they are operating effectively. This is required annually under CMMC and is the basis for your SPRS self-assessment. Without a documented assessment process and recorded results, this is an automatic deduction.
The math on quick wins: closing the six gaps above adds up to 30 points. A contractor currently sitting at 60 could reach 90, above the POA&M eligibility threshold, by closing these six alone. The threshold is necessary but not sufficient: a 3- or 5-point requirement cannot be deferred to a POA&M, so these are exactly the items that must be finished before the assessment, not after it.
How to systematically improve your score
- Run an honest self-assessment against all 110 requirements. Don't estimate; walk through every requirement in NIST SP 800-171 and document your actual implementation status. Use the DoD Assessment Methodology as your guide. A free gap assessment can give you a baseline quickly.
- Calculate your current score accurately. Apply the point values from Annex A of the DoD Assessment Methodology to your gaps. This gives you your real score, not your submitted score if the two differ. The difference is your False Claims Act exposure if you have already submitted.
- Sort gaps by point value, highest first. Build a prioritized remediation list. Five-point requirements move the needle fastest, and they are also the ones that cannot be deferred to a POA&M. Work down through 3-point, then 1-point requirements. Don't start with the easiest; start with the most valuable.
- Build your POA&M for requirements you can't fix immediately. For gaps you can't close right now, document them in a Plan of Action and Milestones. Under CMMC 2.0 you need a minimum score of 88 to use a POA&M, only 1-point requirements may sit on it (3.13.11 may stay open if scored at 3), and every POA&M item must be closed within 180 days of the conditional certification.
- Implement fixes, starting with high-value requirements. Execute your remediation plan. For most organizations, getting from a score of 60 to 88+ takes 2 to 4 months of focused work. The controls themselves aren't usually technically complex; the gap is documentation, process formalization, and consistent enforcement.
- Update your SSP and submit your new score to SPRS. Once remediation is complete, update your System Security Plan to reflect current control status, then submit your updated score at sprs.eb.mil. Submissions are timestamped, so contracting officers can see when you last assessed and updated.
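The scoring rules above (110 minus weighted deductions, partial credit only for 3.5.3 and 3.13.11) and steps two through four of this procedure (calculate, sort by weight, decide what may go on the POA&M) are small enough to encode and run against a self-assessment record, which is a more reliable way to get the number than a spreadsheet. The following is an added example, not code from the page or from DoD. It assumes a constructed twelve-requirement excerpt of the Annex A weight table (a real run must supply all 110 rows), a constructed assessment record, and its own status vocabulary; the POA&M check applies the score floor and the 1-point rule from the CMMC rule but does not enumerate the handful of individually named requirements the rule bars from any POA&M.

```python
"""SPRS score calculator and POA&M eligibility check (illustrative example)."""
from __future__ import annotations

MAX_SCORE = 110
POAM_MIN_SCORE = 88  # 80% of 110, the CMMC conditional Level 2 floor

IMPLEMENTED = "implemented"
PARTIAL = "partial"
NOT_IMPLEMENTED = "not_implemented"

# The DoD methodology gives partial credit to exactly two requirements:
# 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) lose 3 points instead of 5
# when partially met. Every other partially met requirement loses full weight.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Constructed excerpt of Annex A weights. Replace with the full 110-row table;
# with only an excerpt, the score below assumes every other requirement is met.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.8": 1, "3.1.9": 1, "3.1.10": 1,
    "3.4.1": 5, "3.5.3": 5, "3.6.1": 5, "3.8.9": 1, "3.12.1": 5,
    "3.13.11": 5, "3.13.16": 1,
}

# Constructed self-assessment record for the excerpt above.
SAMPLE_STATUSES = {
    "3.1.1": IMPLEMENTED, "3.1.2": IMPLEMENTED, "3.1.8": NOT_IMPLEMENTED,
    "3.1.9": IMPLEMENTED, "3.1.10": NOT_IMPLEMENTED, "3.4.1": NOT_IMPLEMENTED,
    "3.5.3": PARTIAL, "3.6.1": IMPLEMENTED, "3.8.9": IMPLEMENTED,
    "3.12.1": IMPLEMENTED, "3.13.11": PARTIAL, "3.13.16": IMPLEMENTED,
}


def _req_key(rid: str) -> tuple[int, ...]:
    """Numeric sort key so 3.1.8 sorts before 3.1.10 and 3.5.3 before 3.13.11."""
    return tuple(int(p) for p in rid.split("."))


def deduction(req_id: str, weight: int, status: str) -> int:
    """Points lost for one requirement under the DoD Assessment Methodology."""
    if status == IMPLEMENTED:
        return 0
    if status == PARTIAL:
        return PARTIAL_CREDIT.get(req_id, weight)
    if status == NOT_IMPLEMENTED:
        return weight
    raise ValueError(f"{req_id}: unknown status {status!r}")


def deductions(weights: dict[str, int], statuses: dict[str, str]) -> dict[str, int]:
    """Per-requirement deductions. A requirement absent from the record is
    scored as not implemented: an assessor will not assume the best case."""
    return {rid: deduction(rid, w, statuses.get(rid, NOT_IMPLEMENTED))
            for rid, w in weights.items()}


def score(weights: dict[str, int], statuses: dict[str, str]) -> int:
    """Summary score: 110 minus every deduction."""
    return MAX_SCORE - sum(deductions(weights, statuses).values())


def gaps_by_priority(weights: dict[str, int], statuses: dict[str, str]) -> list[tuple[str, int]]:
    """Open gaps, highest point value first (step three of the procedure)."""
    open_gaps = [(rid, d) for rid, d in deductions(weights, statuses).items() if d]
    return sorted(open_gaps, key=lambda g: (-g[1], _req_key(g[0])))


def poam_eligible(weights: dict[str, int], statuses: dict[str, str]) -> tuple[bool, list[str]]:
    """Conditional Level 2 test: score >= 88 and every open gap worth 1 point,
    except 3.13.11, which may stay open at 3. Returns (eligible, problems)."""
    problems: list[str] = []
    total = score(weights, statuses)
    if total < POAM_MIN_SCORE:
        problems.append(f"score {total} is below {POAM_MIN_SCORE}")
    for rid, d in gaps_by_priority(weights, statuses):
        if not (d == 1 or (rid == "3.13.11" and d == 3)):
            problems.append(f"{rid} ({d} pts) cannot sit on a POA&M; close it before assessment")
    return (not problems, problems)


def remediate(statuses: dict[str, str], *fixed: str) -> dict[str, str]:
    """Copy of the record with the given requirements marked implemented."""
    return {**statuses, **{rid: IMPLEMENTED for rid in fixed}}


if __name__ == "__main__":
    print("score:", score(SAMPLE_WEIGHTS, SAMPLE_STATUSES))
    print("gaps by priority:", gaps_by_priority(SAMPLE_WEIGHTS, SAMPLE_STATUSES))
    print("POA&M eligible:", poam_eligible(SAMPLE_WEIGHTS, SAMPLE_STATUSES))
    after = remediate(SAMPLE_STATUSES, "3.4.1", "3.5.3")
    print("after closing 3.4.1 and 3.5.3:", score(SAMPLE_WEIGHTS, after),
          poam_eligible(SAMPLE_WEIGHTS, after))
```

On the constructed record the score is 97, comfortably above 88, yet the record is not POA&M eligible, because 3.4.1 (5 points) and 3.5.3 (3 points) are open. Closing those two lifts the score to 105 and leaves only 1-point items plus 3.13.11 at 3, which is the one 3-point gap the rule tolerates. The "missing means not implemented" default in `deductions` is deliberate: an unassessed requirement counts against you, which is also how an assessor will treat a requirement with no evidence.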
For the full picture of what CMMC Level 2 certification involves beyond your SPRS score, see our CMMC Level 2 guide. For a detailed breakdown of what the whole process will cost and how long it takes, see how much CMMC costs and how long it takes.
How to submit your score to SPRS
The submission process itself is straightforward, but requires system access that some contractors haven't set up:
- Access: Go to sprs.eb.mil. You'll need a CAC (Common Access Card) or a PIEE account with appropriate roles assigned. If you don't have access, your Contractor Administrator needs to set this up through the PIEE portal.
- What to submit: the assessment date, your summary score, the assessment scope (enterprise, enclave, or enterprise excluding named systems), the date by which all requirements are expected to be implemented (your POA&M completion date), the CAGE codes covered, and the name, version, and date of the System Security Plan the assessment was made against. Have the SSP finalized before submitting; assessors may ask for it.
- Timing: Submit as soon as you have an accurate score. Contracting officers can see whether a submission exists. No submission is often treated the same as a very low score during source selection.
- Updates: You can resubmit whenever your score changes. Annual updates are required under CMMC. If you close significant gaps, resubmit promptly — there's no reason to leave an outdated low score on file.
Frequently asked questions
SPRS stands for Supplier Performance Risk System. Your SPRS score reflects how well your organization has implemented the 110 security controls in NIST SP 800-171. It starts at 110 points and decreases for each control not fully implemented, with different controls weighted 1 to 5 points. The score is submitted to the DoD and is visible to contracting officers when evaluating whether you can be awarded a contract.
The maximum score is 110, meaning all 110 NIST SP 800-171 controls are fully implemented. Under CMMC 2.0, a minimum score of 88 is required to be eligible for a Plan of Action and Milestones (POA&M) — meaning you can conditionally proceed with some gaps. Most contracting officers want to see scores of 88 or above. The industry average SPRS score is around 60, which reflects how widespread the readiness gap is.
You start with 110 points, one for each NIST SP 800-171 requirement. For each requirement that is not fully implemented, you subtract the point value the DoD Assessment Methodology assigns to it: 1, 3, or 5 points. With no requirement implemented the score is well below zero (110 minus the sum of every weight in Annex A). Partial credit exists for only two requirements: 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) are deducted at 3 points instead of 5 when partially implemented; every other partially implemented requirement loses its full weight.
There is no hard minimum score required to submit; you must submit whatever your score actually is. However, CMMC 2.0 requires a minimum SPRS score of 88 to be eligible for conditional certification with a Plan of Action and Milestones, and every open item on that POA&M must be a 1-point requirement (3.13.11 excepted when scored at 3). A score below 88, or any open 3- or 5-point gap, means remediation before the assessment rather than after it. Submitting a false or inflated score is a federal False Claims Act violation.
Log into the Supplier Performance Risk System at sprs.eb.mil using your CAC or system credentials. Navigate to the NIST SP 800-171 DoD Assessment section and enter your self-assessment score, the date of the assessment, and your plan of action summary. You must also have a current System Security Plan (SSP) on file. Your score is immediately visible to DoD contracting officers after submission.
Under CMMC 2.0, annual affirmation of your cybersecurity status is required. If your score changes — because you implemented new controls or discovered gaps — you should update your submission. Contracting officers can see the date of your last assessment, so a stale score from several years ago raises red flags. Best practice is to reassess annually and update your SPRS submission accordingly.
Yes, you are legally required to submit your actual score, even if it is negative. The DoD mandates honest self-reporting. A negative score will make you ineligible for most DoD contracts requiring CUI handling, but failing to submit, or submitting a falsely inflated score, exposes you to False Claims Act liability, which carries treble damages plus a civil penalty for each false claim.
The DoD Assessment Methodology assigns point values of 1, 3, or 5 to each of the 110 controls. The highest-value controls (5 points each) include several Access Control requirements, Configuration Management baseline controls, and Incident Response planning controls. Prioritizing these high-value controls when remediating gives you the fastest score improvement per unit of work.