
Your SPRS Score

SPRS · Scoring · 5 min read

Your SPRS score is the number the DoD sees when it looks at your NIST 800-171 posture. Understanding how it's calculated tells you exactly where you stand — and what each gap is costing you.

What SPRS is

The Supplier Performance Risk System (SPRS) is the DoD database where contractors post their NIST SP 800-171 self-assessment score. Primes and contracting officers use it to gauge a supplier's cybersecurity posture, so a low or missing score can directly affect your eligibility.

How the score is calculated

The score is calculated with the DoD Assessment Methodology, and it's subtractive. You start at a perfect 110 and subtract points for each control you haven't fully implemented.

There is generally no partial credit — a control is either met or it isn't. (Two controls, multifactor authentication and FIPS-validated encryption, are the narrow exceptions.) Because the high-value controls carry the most weight, the score can fall as low as −203.

What the number means

  • 110 = all 110 controls fully implemented.
  • A conditional CMMC Level 2 can be available at roughly 80%+ implementation, with remaining gaps on a POA&M closed within 180 days.
  • High-weight (5-point) controls generally can't ride a POA&M — they must be met before assessment.

How to improve it

The fastest gains come from fixing the 5-point controls first — each one recovers the most ground and removes items that can't be deferred. A gap assessment ranks every shortfall by weight so you spend remediation dollars in the order that moves your score the most. That prioritized roadmap is exactly what we deliver.
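
As an added illustration of the subtractive scoring and weight-first prioritization described above (not code from this page or from the DoD), the sketch below scores a list of open gaps and orders them for remediation. The control labels and sample gaps are constructed; the 1/3/5 weight scale and the 3-point partial deduction for the two exception controls come from the DoD Assessment Methodology, not from this page.

```python
from dataclasses import dataclass

MAX_SCORE = 110  # perfect score stated on the page

# Assumption (DoD Assessment Methodology, not this page): the two exception
# controls deduct 3 points instead of 5 when only partially implemented.
PARTIAL_DEDUCTION = {"MFA": 3, "FIPS-CRYPTO": 3}


@dataclass(frozen=True)
class Gap:
    control: str           # constructed label, not a real requirement number
    weight: int            # full deduction when unmet: 1, 3 or 5
    partial: bool = False  # only valid for the two exception controls


def deduction(gap: Gap) -> int:
    """Points lost for one gap; partial credit exists only for the exceptions."""
    if gap.weight not in (1, 3, 5):
        raise ValueError(f"{gap.control}: weight must be 1, 3 or 5")
    if gap.partial:
        if gap.control not in PARTIAL_DEDUCTION:
            raise ValueError(f"{gap.control}: no partial credit for this control")
        return PARTIAL_DEDUCTION[gap.control]
    return gap.weight


def sprs_score(gaps: list[Gap]) -> int:
    """Start at 110 and subtract every open gap; the result may be negative."""
    return MAX_SCORE - sum(deduction(g) for g in gaps)


def remediation_plan(gaps: list[Gap]) -> list[tuple[str, int, bool]]:
    """Largest recovery first. The third field marks 5-point deductions, which
    the page says generally cannot be deferred to a POA&M."""
    ordered = sorted(gaps, key=lambda g: (-deduction(g), g.control))
    return [(g.control, deduction(g), deduction(g) == 5) for g in ordered]


# Constructed sample assessment result.
SAMPLE_GAPS = [
    Gap("CTRL-A", 1),
    Gap("MFA", 5, partial=True),
    Gap("CTRL-B", 5),
    Gap("CTRL-C", 3),
    Gap("FIPS-CRYPTO", 5),
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_GAPS))
    for control, points, fix_first in remediation_plan(SAMPLE_GAPS):
        print(f"{control:12} -{points}  {'fix before assessment' if fix_first else 'lower priority'}")
```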

What's your number?

Find out in days with a fixed-fee gap assessment and a weighted remediation plan.