Published April 17, 2026 — A step-by-step guide to the SPRS scoring methodology, from the weighted scale to submission.
Your SPRS score is the single number that tells the Department of Defense how well you have implemented the 110 NIST SP 800-171 controls. It ranges from -203 (nothing implemented) to 110 (everything fully in place), and it is already a requirement under DFARS 252.204-7012. With CMMC adding verification on top, understanding exactly how the score works — and how to calculate it correctly — is critical.
This guide walks you through the scoring methodology step by step, explains the weighting system, highlights common mistakes that cost contractors points, and shows you how to submit your score.
SPRS stands for Supplier Performance Risk System. It is a DoD web application maintained by the Defense Logistics Agency (DLA) that stores supplier risk data, including cybersecurity assessment scores. Since November 2020, all contractors handling CUI must have a current NIST SP 800-171 self-assessment score posted in SPRS.
The SPRS score specifically measures your implementation status of the 110 NIST SP 800-171 Rev 2 security requirements. It is not a pass/fail — it is a numerical score that contracting officers use to evaluate cybersecurity risk when awarding contracts.
Important: Your SPRS score must reflect your current security posture, not your planned state. Misrepresenting your score is a violation of the False Claims Act and can result in contract termination, financial penalties, and debarment from future government contracting.
The scoring methodology works as follows:
The total possible deductions across all 110 controls sum to 313 points. This is greater than 110 because many controls carry weights of 3 or 5 points rather than 1. The arithmetic: a starting score of 110 minus the maximum deduction of 313 equals -203.
Not all controls are weighted equally. The DoD assessment methodology (NIST SP 800-171A) assigns each control a weight of 1, 3, or 5 based on its security importance:
| Weight | Count | Total Points | Significance |
|---|---|---|---|
| 5 points | ~33 controls | ~165 points | Most critical — core security functions, CUI protection, access control foundations |
| 3 points | ~36 controls | ~108 points | Important — supporting security functions, monitoring, maintenance |
| 1 point | ~41 controls | ~41 points | Foundational — procedural controls, documentation, awareness |
This weighting means that failing to implement a 5-point control hurts five times more than missing a 1-point control. Prioritizing high-weight controls gives you the most score improvement per dollar spent on remediation.
These are some of the controls weighted at 5 points — the ones that matter most to your score:
Failing to implement MFA alone (IA.L2-3.5.3) deducts 5 points. Lacking encryption for CUI in transit (SC.L2-3.13.8) deducts another 5. Missing just a handful of 5-point controls can drop your score by 25 to 40 points.
Start with the complete NIST SP 800-171 Rev 2 control list, organized by the 14 control families. Each control has a unique identifier and a DoD-assigned weight. Use a tracking tool (not a spreadsheet — see common mistakes below) to organize this systematically.
For each control, determine its implementation status. The assessment methodology uses these categories:
Critical point: There is no partial credit in SPRS scoring. A control is either fully implemented (0 deduction) or not (full deduction). This is one of the most misunderstood aspects of the methodology.
Add up the weighted values of all controls that are Not Implemented or Partially Implemented. For example:
Subtract your total deductions from 110:
110 - 59 = 51
In this example, your SPRS score would be 51. This means you have implemented the majority of controls but still have significant gaps, especially in high-weight areas.
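The steps just described, carried out in code. This is an added example written for this guide, not the article's own method and not NormSuite's code. The weights for IA.L2-3.5.3 and SC.L2-3.13.8 are the 5 points the article states; the other identifiers are real CMMC practice IDs used only as labels, and their weights and every status in the sample are constructed placeholders. The `expected_count` guard is an assumption about how a practitioner would catch a control left off the list, which would otherwise score as if it were implemented.

```python
"""Weighted SPRS score calculator that applies the all-or-nothing rule."""
from dataclasses import dataclass

STARTING_SCORE = 110
ALLOWED_WEIGHTS = {1, 3, 5}

# Both of these statuses take the control's full deduction: there is no
# partial credit, so "Partially Implemented" scores like "Not Implemented".
GAP_STATUSES = {"Not Implemented", "Partially Implemented"}
VALID_STATUSES = GAP_STATUSES | {"Implemented"}


@dataclass(frozen=True)
class Control:
    identifier: str  # e.g. "IA.L2-3.5.3"
    weight: int      # DoD-assigned weight: 1, 3 or 5
    status: str      # one of VALID_STATUSES

    def __post_init__(self):
        if self.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{self.identifier}: weight must be 1, 3 or 5, got {self.weight}")
        if self.status not in VALID_STATUSES:
            raise ValueError(f"{self.identifier}: unknown status {self.status!r}")


def deduction(control):
    """Points lost for one control: its full weight, or nothing."""
    return control.weight if control.status in GAP_STATUSES else 0


def sprs_score(controls, expected_count=110):
    """Starting score minus the summed deductions of every gap control.

    The count check matters: a control missing from the list would silently
    count as implemented, so a real assessment must list all 110.
    """
    ids = [c.identifier for c in controls]
    if len(ids) != len(set(ids)):
        raise ValueError("each control must be assessed exactly once")
    if len(ids) != expected_count:
        raise ValueError(f"expected {expected_count} controls, got {len(ids)}")
    return STARTING_SCORE - sum(deduction(c) for c in controls)


def remediation_priority(controls):
    """Open gaps ordered so 5-point controls come before 3- and 1-point ones."""
    gaps = [c for c in controls if deduction(c) > 0]
    return sorted(gaps, key=lambda c: (-c.weight, c.identifier))


def points_recovered(controls, identifiers):
    """Score gained by fully implementing the named gap controls."""
    by_id = {c.identifier: c for c in controls}
    return sum(deduction(by_id[i]) for i in identifiers)


# Constructed sample of eight controls. IA.L2-3.5.3 and SC.L2-3.13.8 carry the
# 5 points the article gives them; the weights of the other six are illustrative
# placeholders, not the DoD-assigned values.
SAMPLE = [
    Control("AC.L2-3.1.1", 5, "Implemented"),
    Control("AC.L2-3.1.2", 5, "Implemented"),
    Control("IA.L2-3.5.3", 5, "Partially Implemented"),  # MFA on VPN only
    Control("SC.L2-3.13.8", 5, "Not Implemented"),       # no encryption in transit
    Control("AU.L2-3.3.1", 3, "Not Implemented"),
    Control("MA.L2-3.7.1", 3, "Implemented"),
    Control("AT.L2-3.2.1", 1, "Not Implemented"),
    Control("PS.L2-3.9.1", 1, "Implemented"),
]

if __name__ == "__main__":
    # expected_count matches the sample; a real assessment uses the default 110
    print("score:", sprs_score(SAMPLE, expected_count=len(SAMPLE)))
    for c in remediation_priority(SAMPLE):
        print(f"  fix {c.identifier} (+{c.weight})")
```

Running it on the sample gives 96: the partially rolled-out MFA control loses its full 5 points exactly as an unimplemented one does, and the priority list puts both 5-point gaps ahead of the 3- and 1-point ones.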
Record the following for your submission:
The submission process involves these steps:
If you do not have PKI/CAC access, your Facility Security Officer (FSO) or contracting officer representative can submit on your behalf. Some managed security service providers also assist with submission.
If a control says "employ multi-factor authentication for all network access" and you only have MFA on your VPN but not on email or cloud services, that control is Not Met. Partially implemented controls are scored as Not Implemented.
Several controls in the Access Control (AC) family sound similar but have distinct requirements. AC.L2-3.1.1 (limit system access to authorized users) is different from AC.L2-3.1.2 (limit to authorized transactions and functions). Each must be independently assessed and documented.
Some contractors remediate easy 1-point controls first to check boxes. Strategically, you should prioritize 5-point controls because they provide the most score improvement. Implementing five 5-point controls gains 25 points; implementing five 1-point controls gains only 5.
Spreadsheets do not track history, lack audit trails, and make it easy to accidentally overwrite previous assessments. When assessors ask about your score trend over time, you need documentation that shows when each control status changed. A purpose-built compliance tracker solves this.
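What an append-only tracker with an audit trail looks like, as an added example for this guide rather than any NormSuite code: each status change is logged with a date and the evidence behind it, the current state and the score are derived from the log rather than stored, and the score can be reconstructed for any past date. The four control identifiers are the CMMC IDs the article uses as labels; the two 5-point weights are the article's, the other weights, the dates and the evidence strings are constructed for illustration.

```python
"""Append-only control-status history with an audit trail and score trend."""
from dataclasses import dataclass
from datetime import date

STARTING_SCORE = 110
GAP_STATUSES = {"Not Implemented", "Partially Implemented"}
VALID_STATUSES = GAP_STATUSES | {"Implemented"}


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


@dataclass(frozen=True)
class StatusChange:
    when: date
    control: str
    old_status: str
    new_status: str
    evidence: str  # what was verified and by whom, not just which policy exists


class ControlHistory:
    """Status changes are appended, never overwritten; current state is derived."""

    def __init__(self, weights, baseline):
        self.weights = dict(weights)  # identifier -> DoD weight (1, 3 or 5)
        self.baseline = _as_date(baseline)
        self._changes = []            # chronological log

    def record(self, when, control, new_status, evidence):
        when = _as_date(when)
        if control not in self.weights:
            raise KeyError(f"unknown control {control}")
        if new_status not in VALID_STATUSES:
            raise ValueError(f"unknown status {new_status!r}")
        if when < self.baseline or (self._changes and when < self._changes[-1].when):
            raise ValueError("changes must be recorded in chronological order")
        old_status = self.status_as_of(when)[control]
        if old_status == new_status:
            raise ValueError(f"{control} is already {new_status}")
        self._changes.append(StatusChange(when, control, old_status, new_status, evidence))

    def status_as_of(self, when):
        """Every control is a gap until a recorded change says otherwise."""
        when = _as_date(when)
        state = {c: "Not Implemented" for c in self.weights}
        for change in self._changes:
            if change.when <= when:
                state[change.control] = change.new_status
        return state

    def score_as_of(self, when):
        state = self.status_as_of(when)
        lost = sum(w for c, w in self.weights.items() if state[c] in GAP_STATUSES)
        return STARTING_SCORE - lost

    def trend(self):
        """(date, score) after each change: the score-over-time question answered."""
        points = [(self.baseline.isoformat(), self.score_as_of(self.baseline))]
        for change in self._changes:
            points.append((change.when.isoformat(), self.score_as_of(change.when)))
        return points

    def changes_for(self, control):
        return [ch for ch in self._changes if ch.control == control]


def build_sample_history():
    """Constructed four-control history; weights other than the two 5-point
    controls named in the article are placeholders, and the dates are invented."""
    weights = {"IA.L2-3.5.3": 5, "SC.L2-3.13.8": 5, "AU.L2-3.3.1": 3, "AT.L2-3.2.1": 1}
    h = ControlHistory(weights, "2026-01-05")
    # A partial MFA rollout is logged but does not move the score: no partial credit.
    h.record("2026-02-10", "IA.L2-3.5.3", "Partially Implemented", "MFA enforced on VPN only")
    h.record("2026-03-03", "AT.L2-3.2.1", "Implemented", "training records reviewed")
    h.record("2026-03-20", "IA.L2-3.5.3", "Implemented", "MFA verified on VPN, email and cloud")
    h.record("2026-04-02", "SC.L2-3.13.8", "Implemented", "TLS verified on every CUI path")
    # An infrastructure change reopens a gap; the score drops and the log shows why.
    h.record("2026-04-15", "SC.L2-3.13.8", "Not Implemented", "new cloud provider; TLS not yet confirmed")
    return h


if __name__ == "__main__":
    for day, score in build_sample_history().trend():
        print(day, score)
```

The trend for the sample runs 96, 96, 97, 102, 107, 102: the partial MFA entry leaves the score unchanged, and the cloud migration at the end shows a previously met control dropping back to a gap with the reason recorded beside it.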
Having a written encryption policy does not mean you have implemented encryption. Assessors verify operational implementation, not just documentation. Score based on what is actually running in your environment, not what your policy says should be running.
If you migrate to a new cloud provider, deploy new systems, or change your network architecture, previously met controls may now have gaps. Reassess after any significant infrastructure change.
| Score Range | Interpretation | Typical Action |
|---|---|---|
| 110 | Full compliance | Ready for C3PAO assessment; maintain current state |
| 80–109 | Strong posture with minor gaps | Close remaining gaps; may proceed with assessment if POA&M items are limited |
| 50–79 | Moderate compliance | Significant remediation needed; prioritize 5-point controls first |
| 0–49 | Major gaps | Extensive remediation required; focus on foundational controls (AC, IA, SC) |
| Below 0 | Minimal implementation | Consider engaging a consultant; comprehensive overhaul needed |
Manually tracking 110 controls with weighted values is error-prone and time-consuming. NormSuite CMMC Tracker automates the entire process:
Try it free: Assess up to 20 controls and see your real-time SPRS score with the free tier. Create your free account to start calculating.
A perfect score is 110, meaning all controls are fully implemented. For CMMC Level 2 certification, you ultimately need a score of 110 or a score above the contract-specified minimum with an approved POA&M for remaining gaps. Most small contractors start between -50 and 50 before remediation.
Update your score whenever there is a material change in your security posture. At minimum, review and resubmit annually. After significant infrastructure changes, new gap discoveries, or security incidents, update within 30 days. Your SPRS score must always reflect your current state.
The lowest possible score is -203. This occurs when none of the 110 controls are implemented. Each unimplemented control deducts its weighted value (1, 3, or 5 points) from the starting score of 110. The total maximum deduction is 313 points: 110 - 313 = -203.
Yes. You can submit a Plan of Action & Milestones for controls not yet fully implemented. Your SPRS score should reflect your current state (not your planned state), and the POA&M documents your remediation plan. For C3PAO assessments under CMMC, all POA&M items must be closed within 180 days.