If you're a defense contractor or subcontractor handling Controlled Unclassified Information (CUI), your SPRS score is the single most important number in your business. The Supplier Performance Risk System (SPRS) score determines whether you can bid on Department of Defense contracts, and with the CMMC Phase 2 deadline of November 10, 2026 approaching, every defense contractor needs to know exactly where they stand.
This guide walks you through the complete SPRS score calculation process step by step — the weighted point system, the formula, the control-by-control breakdown, how to interpret your results, and how to submit your score through the SPRS portal. Whether you're calculating your score for the first time or trying to improve an existing one, this is the definitive resource.
What's in This Guide
- What Is an SPRS Score?
- Why Your SPRS Score Matters for DoD Contracts
- SPRS Score Range: -203 to 110
- The SPRS Score Calculation Formula
- Weighted Point Values: 5, 3, and 1-Point Controls
- Special Controls with Partial Credit
- Step-by-Step: Calculate Your Score
- Real-World Scoring Examples
- How to Submit Your Score to SPRS
- How to Improve Your SPRS Score
- SPRS Scores and CMMC 2.0 Certification
- Calculate Your Score with DynamoDefense
1. What Is an SPRS Score?
The SPRS score (formally called the "NIST SP 800-171 DoD Assessment Summary Level Score") is a numerical representation of how well your organization implements the 110 security controls defined in NIST Special Publication 800-171. It is calculated using the DoD Assessment Methodology (DoDAM), Version 1.2.1, published by the Office of the Secretary of Defense.
The score is submitted through the Supplier Performance Risk System (SPRS) portal, maintained by the Defense Information Systems Agency (DISA). Contracting officers review your SPRS score before awarding contracts that involve CUI — making it a gatekeeper for DoD business.
Key Takeaway
Your SPRS score is not a pass/fail — it's a spectrum from -203 to 110. But contracting officers can see your score, and a low or missing score can disqualify you from contract award under DFARS 252.204-7019 and 252.204-7020.
2. Why Your SPRS Score Matters for DoD Contracts
Since November 30, 2020, the DFARS clauses 252.204-7019 and 252.204-7020 have required defense contractors to perform a Basic self-assessment and submit their SPRS score. These clauses can appear in any Request for Proposal (RFP) or contract that involves CUI processing. Without a current SPRS score on file, you cannot be considered for contract award.
Your SPRS score also serves as the foundation for CMMC Level 2 certification. While CMMC requires all 110 controls to be fully implemented (or covered by a Plan of Action & Milestones), your SPRS score gives assessors a quantitative baseline of your cybersecurity posture before the formal assessment begins.
The assessment must be refreshed at least every three years, and the score must reflect your current System Security Plan (SSP). If your SSP changes significantly, you should recalculate and resubmit your score.
3. SPRS Score Range: -203 to 110
The SPRS score range spans from a minimum of -203 to a maximum of 110. A perfect score of 110 means your organization has implemented all 110 NIST SP 800-171 security controls. The minimum score of -203 occurs when no controls are implemented at all — every weighted subtractor is deducted from the starting score of 110.
| Score Range | What It Means | Contract Impact |
|---|---|---|
| 110 | Perfect compliance — all 110 controls implemented | Strongest competitive position |
| 88 – 109 | Strong posture with minor gaps | Well-positioned for CMMC Level 2 |
| 50 – 87 | Moderate gaps — several controls missing | Needs POA&M with remediation plan |
| 1 – 49 | Significant gaps — many controls unimplemented | High risk of losing contract eligibility |
| 0 or below | Critical — most controls not implemented | Likely disqualified from CUI contracts |
| -203 | No controls implemented at all | Cannot hold CUI contracts |
4. The SPRS Score Calculation Formula
The SPRS score calculation is straightforward in concept: you start with a perfect score of 110 and subtract points for every security control your organization has not implemented. The formula is:
SPRS Score = 110 − Σ (weighted subtractors for unimplemented controls)
Each of the 110 controls in NIST SP 800-171 is assigned a weighted subtractor value of either 5, 3, or 1 point. The weight reflects the severity of the security impact if that control is not implemented. Controls that could lead to exploitation of the network carry the highest weight (5 points), while controls with a limited or indirect effect carry the lowest (1 point).
The key insight is that not all controls are equal. Missing a single 5-point control has the same impact as missing five 1-point controls. This means your remediation strategy should prioritize high-weight controls first for maximum score improvement.
5. Weighted Point Values: 5, 3, and 1-Point Controls
The DoD Assessment Methodology assigns each control to one of three weight categories. Understanding these categories is essential for calculating your score accurately and prioritizing your compliance efforts.
5-Point Controls (42 controls — 210 possible points)
These are the highest-impact controls. If not implemented, they "would allow for exploitation of the network and its information." This category includes the 17 basic safeguards required of all federal contractors under FAR 52.204-21, plus 25 additional derived security requirements.
5-POINT BASIC SECURITY REQUIREMENTS (23 controls)
3.1.1, 3.1.2, 3.2.1, 3.2.2, 3.3.1, 3.4.1, 3.4.2, 3.5.1, 3.5.2, 3.6.1, 3.6.2, 3.7.2, 3.8.3, 3.9.2, 3.10.1, 3.10.2, 3.12.1, 3.12.3, 3.13.1, 3.13.2, 3.14.1, 3.14.2, 3.14.3
5-POINT DERIVED SECURITY REQUIREMENTS (19 controls)
3.1.12, 3.1.13, 3.1.16, 3.1.17, 3.1.18, 3.3.5, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.10, 3.7.5, 3.8.7, 3.11.2, 3.13.5, 3.13.6, 3.13.15, 3.14.4, 3.14.6
3-Point Controls (14 controls — 42 possible points)
These controls, if not implemented, "have a specific and confined effect on the security of the network and its data." They represent moderate-risk gaps.
3-POINT BASIC SECURITY REQUIREMENTS (7 controls)
3.3.2, 3.7.1, 3.8.1, 3.8.2, 3.9.1, 3.11.1, 3.12.2
3-POINT DERIVED SECURITY REQUIREMENTS (7 controls)
3.1.5, 3.1.19, 3.7.4, 3.8.8, 3.13.8, 3.14.5, 3.14.7
1-Point Controls (54 controls — 54 possible points)
All remaining derived security requirements fall into this category. If not implemented, they have a "limited or indirect effect on the security of the network and its data." While individually low-impact, missing many of these adds up quickly.
| Weight | # of Controls | Max Deduction | Impact Level |
|---|---|---|---|
| 5 points | 42 controls | 210 points | Critical — enables network exploitation |
| 3 points | 14 controls | 42 points | Moderate — confined security effect |
| 1 point | 54 controls | 54 points | Low — limited or indirect effect |
| Total | 110 controls | 306+ points | Min score: 110 − 313 = -203 |
Note: The total maximum deduction exceeds 306 because two special controls (3.5.3 and 3.13.11) can be scored at either 5 or 3 points depending on the level of non-compliance, bringing the theoretical maximum deduction to 313 and the minimum possible score to -203.
6. Special Controls with Partial Credit
Two controls in the NIST 800-171 framework have a unique scoring mechanism — they can be scored at either 5 or 3 points depending on the degree of non-compliance. These are the only controls that offer partial credit.
| Control | Requirement | -5 Points If... | -3 Points If... |
|---|---|---|---|
| 3.5.3 | Multi-Factor Authentication (MFA) | MFA not implemented for any users | MFA implemented only for remote and privileged users |
| 3.13.11 | FIPS-Validated Cryptography | No encryption employed | Encryption used but not FIPS-validated |
This means implementing MFA for at least your remote and privileged users saves you 2 points compared to having no MFA at all. Similarly, using encryption (even non-FIPS-validated) is better than no encryption — a practical consideration for small businesses working toward full compliance.
7. Step-by-Step: Calculate Your Score
Here is the exact process to calculate your SPRS score, following the DoD Assessment Methodology:
Verify you have a System Security Plan (SSP)
Control 3.12.4 requires an SSP. Without one, no assessment can be conducted. If you don't have an SSP, your score is effectively zero — the DoDAM states that 'it is not possible to conduct the assessment if the information is not available.'
Start with a score of 110
This is your baseline — a perfect score assuming all controls are implemented.
Evaluate each of the 110 controls
For each control in NIST SP 800-171, determine whether your organization has fully implemented it. This is a Yes/No evaluation at the basic level.
Subtract the weighted value for each unimplemented control
For every control marked 'No' (not implemented), subtract its weighted value (5, 3, or 1) from your running total.
Handle the two special controls
For controls 3.5.3 (MFA) and 3.13.11 (FIPS crypto), determine the degree of non-compliance and subtract either 5 or 3 points accordingly.
Record your final score
The resulting number is your SPRS score. Document it along with your SSP name, CAGE code, assessment date, and the date you plan to achieve a score of 110.
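One way to implement the six steps above in code, as an added example that is not the article's or DynamoDefense's own code: it starts at 110, subtracts each unimplemented control's weighted subtractor, applies the 5-or-3 rule to 3.5.3 and 3.13.11, and refuses to assess when there is no SSP. The 5-point and 3-point control IDs are the ones this article lists; the per-family control counts used to enumerate all 110 IDs (22 in 3.1, 3 in 3.2, and so on) are taken from NIST SP 800-171 Rev 2, and every ID not otherwise weighted scores 1 point.

```python
# Added example, not code from the original article or from DynamoDefense.
# It follows the DoDAM steps above: start at 110, subtract the weighted
# subtractor for each unimplemented control, apply the 5-or-3 rule for the
# two special controls, and refuse to assess without an SSP (3.12.4).
# Weighted control IDs are the ones listed in this article; the per-family
# control counts (22, 3, 9, ...) are from NIST SP 800-171 Rev 2 and are only
# used to enumerate all 110 requirement IDs, the rest of which score 1 point.

FAMILY_SIZES = {1: 22, 2: 3, 3: 9, 4: 9, 5: 11, 6: 3, 7: 6, 8: 9,
                9: 2, 10: 6, 11: 3, 12: 4, 13: 16, 14: 7}
ALL_CONTROLS = [f"3.{fam}.{n}" for fam, size in FAMILY_SIZES.items()
                for n in range(1, size + 1)]

FIVE_POINT = set("""3.1.1 3.1.2 3.2.1 3.2.2 3.3.1 3.4.1 3.4.2 3.5.1 3.5.2
3.6.1 3.6.2 3.7.2 3.8.3 3.9.2 3.10.1 3.10.2 3.12.1 3.12.3 3.13.1 3.13.2
3.14.1 3.14.2 3.14.3 3.1.12 3.1.13 3.1.16 3.1.17 3.1.18 3.3.5 3.4.5 3.4.6
3.4.7 3.4.8 3.5.10 3.7.5 3.8.7 3.11.2 3.13.5 3.13.6 3.13.15 3.14.4
3.14.6""".split())
THREE_POINT = set("""3.3.2 3.7.1 3.8.1 3.8.2 3.9.1 3.11.1 3.12.2
3.1.5 3.1.19 3.7.4 3.8.8 3.13.8 3.14.5 3.14.7""".split())
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}  # MFA, FIPS crypto: -5 absent, -3 partial
SSP_CONTROL = "3.12.4"                 # prerequisite, never subtracted

def weight(control):
    """Weighted subtractor for a control that is not implemented."""
    if control in FIVE_POINT or control in PARTIAL_CREDIT:
        return 5
    if control in THREE_POINT:
        return 3
    return 0 if control == SSP_CONTROL else 1

def sprs_score(status):
    """status maps control ID -> 'yes', 'no' or 'partial' (specials only).
    Controls absent from status count as not implemented.
    Returns (score, deductions) with deductions as (control, points)."""
    if status.get(SSP_CONTROL) != "yes":
        raise ValueError("no SSP (3.12.4): assessment cannot be conducted")
    score, deductions = 110, []
    for control in ALL_CONTROLS:
        state = status.get(control, "no")
        if state == "yes":
            continue
        if state == "partial" and control not in PARTIAL_CREDIT:
            raise ValueError(f"{control} has no partial-credit option")
        points = 3 if state == "partial" else weight(control)
        if points:
            score -= points
            deductions.append((control, points))
    return score, deductions

def remediation_order(deductions):
    """Highest-weight gaps first, the prioritisation the article recommends."""
    return sorted(deductions, key=lambda d: (-d[1], d[0]))
```

With only 3.12.4 marked "yes" the function returns -203, the minimum the article gives, and with every control marked "yes" it returns 110.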
Skip the Spreadsheet — Use the DynamoDefense SPRS Simulator
DynamoDefense calculates your SPRS score automatically as you track your 110 controls. The what-if simulator lets you see exactly how implementing specific controls will change your score before you commit resources. Try it free →
8. Real-World Scoring Examples
Let's walk through three realistic scenarios to illustrate how the SPRS score calculation works in practice.
Example A: Well-Prepared Small Manufacturer
A 50-person defense parts manufacturer has implemented most controls but is missing 5 controls: two 5-point controls (no wireless access restrictions, no session lock), one 3-point control (incomplete audit review), and two 1-point controls (missing DNS filtering, incomplete account management procedures).
Starting score: 110
5-point controls missing (2): -10
3-point controls missing (1): -3
1-point controls missing (2): -2
Final SPRS Score: 95
This contractor is in strong shape. A score of 95 with a clear POA&M for the remaining 5 controls positions them well for CMMC Level 2 assessment.
Example B: Typical Small Business Starting Compliance
A 20-person machine shop has basic IT security but hasn't formally addressed NIST 800-171. They're missing 30 controls: eight 5-point controls, four 3-point controls, and eighteen 1-point controls.
Starting score: 110
5-point controls missing (8): -40
3-point controls missing (4): -12
1-point controls missing (18): -18
Final SPRS Score: 40
A score of 40 signals significant work ahead, but it's recoverable. By prioritizing the eight 5-point controls first, this contractor could jump to a score of 80 — a 40-point improvement from just 8 controls.
Example C: Contractor with No Formal Cybersecurity Program
A subcontractor with 10 employees has no SSP, no formal security policies, and relies on consumer-grade IT. They're missing 85 of the 110 controls, including 35 of the 42 five-point controls.
Starting score: 110
5-point controls missing (35): -175
3-point controls missing (12): -36
1-point controls missing (38): -38
Final SPRS Score: -139
A negative score is common for contractors who haven't started compliance work. The good news: even this contractor can reach a positive score within 6-9 months by systematically addressing the highest-weight controls first.
9. How to Submit Your Score to SPRS
Once you've calculated your SPRS score, you need to submit it through the official SPRS portal. Here's the process:
Register on PIEE
Create an account on the DoD's Procurement Integrated Enterprise Environment (PIEE) at piee.eb.mil. You'll need your organization's CAGE code.
Request the SPRS Cyber Vendor User role
Important: request the 'SPRS Cyber Vendor User' role specifically — not the generic 'Contractor/Vendor' role. Your Electronic Business Point of Contact (EB POC) listed in SAM.gov must authorize this.
Access SPRS and navigate to Cyber Reports
Once approved, log into SPRS and select 'Cyber Reports (NIST)' from the left-hand menu.
Enter your assessment details
Submit your CAGE code, SSP name, assessment date, total score, brief architecture description, and the date you expect to achieve a score of 110.
Keep it current
Your assessment must be less than 3 years old. Resubmit whenever your SSP changes significantly or when your assessment expires.
Required Submission Fields
When submitting to SPRS, you must provide: (1) System Security Plan name, (2) CAGE code(s) covered, (3) Brief system architecture description, (4) Assessment date, (5) Total SPRS score, and (6) Date you plan to achieve a score of 110. Missing any of these will result in an incomplete submission.
10. How to Improve Your SPRS Score
Improving your SPRS score is about strategic prioritization. Here's the most efficient approach:
Priority 1: Tackle 5-Point Controls First
Each 5-point control you implement recovers 5 points from your score. If you're missing 10 of these controls, implementing them all adds 50 points to your score. Be aware that two popular quick wins, account lockout policies (3.1.8) and session lock (3.1.10), are only 1-point controls; establishing an incident response plan (3.6.1), by contrast, is a 5-point control.
Priority 2: Address the Two Special Controls
If you haven't implemented MFA (3.5.3) or FIPS-validated encryption (3.13.11), even partial implementation saves points. Deploying MFA for remote and privileged users saves 2 points compared to no MFA. Using any encryption (even non-FIPS) saves 2 points compared to no encryption.
Priority 3: Create POA&Ms for Remaining Gaps
A Plan of Action & Milestones (POA&M) documents your remediation plan for controls you haven't yet implemented. While a POA&M doesn't change your SPRS score (you still subtract points for unimplemented controls), it demonstrates to contracting officers that you have a concrete plan to reach full compliance. CMMC assessors will also review your POA&Ms.
Track Every Control, Watch Your Score Climb
DynamoDefense tracks all 110 controls with plain-English explanations, automatically calculates your SPRS score, and generates your POA&M document. The what-if simulator shows you exactly which controls to prioritize for maximum score improvement. Start free — no credit card required →
11. SPRS Scores and CMMC 2.0 Certification
Your SPRS score and CMMC certification are closely related but serve different purposes. The SPRS score is a self-assessed numerical measure of your current compliance posture. CMMC Level 2 certification is a third-party verified assessment that confirms you've implemented all 110 NIST 800-171 controls.
| Aspect | SPRS Score | CMMC Level 2 |
|---|---|---|
| Assessment Type | Self-assessment (Basic) | Third-party (C3PAO) |
| Result Format | Numerical score (-203 to 110) | Pass/Fail certification |
| POA&Ms Allowed | Yes — score reflects current state | Limited — must close within 180 days |
| Validity Period | 3 years | 3 years |
| Required By | DFARS 252.204-7019/7020 | DFARS 252.204-7021 (Phase 2+) |
Organizations with SPRS scores of 88 or higher are generally well-positioned for a successful CMMC Level 2 assessment, as they've demonstrated implementation of the most critical security controls. However, CMMC requires all 110 controls to be either implemented or covered by a time-bound POA&M — so even a score of 109 means there's still work to do.
Three Levels of DoD Assessment Confidence
| Level | Who Conducts It | Method |
|---|---|---|
| Basic (Low) | Contractor (self-assessment) | Review of SSP against 110 controls |
| Medium | DCMA DIBCAC (off-site) | Off-site review of SSP to verify Basic score |
| High | DCMA DIBCAC (on-site) | In-depth assessment using NIST 800-171A objectives |
12. Calculate Your Score with DynamoDefense
Calculating your SPRS score manually — tracking 110 controls across a spreadsheet, looking up weighted values, and trying to figure out which controls to prioritize — is exactly the kind of painful process that leads to errors and frustration. That's why we built DynamoDefense.
DynamoDefense is the AI-powered CMMC compliance platform built specifically for small defense contractors. Here's how it handles your SPRS score:
Real-Time SPRS Dashboard
Your score updates automatically as you mark controls implemented. No manual calculation needed.
What-If Simulator
See exactly how implementing specific controls will change your score before you commit resources or budget.
110 Controls in Plain English
Every control explained in language you can understand — not consultant jargon. Winston AI answers your questions 24/7.
Auto-Generated Documents
Your SSP and POA&M are generated from your actual control data — the documents assessors want to see.
Gap Analysis PDF
Export a color-coded report showing all 110 controls as red/yellow/green, formatted for your C3PAO assessor.
Team Collaboration
Invite your IT staff, assign controls to team members, and track progress across your organization.
Stop Guessing. Start Complying. Keep Your Contracts.
Join defense contractors who are taking control of their CMMC compliance with DynamoDefense.
Sources & References
- NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 — Office of the Secretary of Defense (acq.osd.mil)
- NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information — National Institute of Standards and Technology (csrc.nist.gov)
- DFARS 252.204-7019 and 252.204-7020 — Defense Federal Acquisition Regulation Supplement (acquisition.gov)
- SPRS Portal — Defense Information Systems Agency (sprs.csd.disa.mil)
- FutureFeed SPRS Scoring Reference — FutureFeed Support (support.futurefeed.co)
Disclaimer: This article is for informational purposes only and does not constitute legal or professional cybersecurity advice. SPRS scoring is based on the DoD Assessment Methodology Version 1.2.1, which applies to NIST SP 800-171 Revision 2. The DoD has announced no plans to update the DoDAM for Revision 3 at this time. Always consult the official DoD resources and consider engaging a qualified CMMC Registered Practitioner for guidance specific to your organization.