SPRS Score Explained: How to Calculate and Improve Your Score
If you're a defense contractor handling Controlled Unclassified Information (CUI), your SPRS score determines whether you can compete for DoD contracts. It's the single number that summarizes your NIST SP 800-171 compliance posture, and it must be submitted to the Supplier Performance Risk System (SPRS) before contract award.
Most contractors get it wrong. Not because the math is hard, but because the weighting isn't intuitive. This guide explains exactly how the score works, what constitutes a good score, and which controls to prioritize for maximum point recovery.
What is the SPRS score?
The SPRS score is a single number between -203 and 110 that represents your organization's self-assessed implementation status against the 110 security practices in NIST SP 800-171 Rev 2. It's submitted to the DoD's Supplier Performance Risk System and is visible to contracting officers making award decisions.
Key facts about the SPRS score:
- Range: -203 (nothing implemented) to 110 (everything fully implemented)
- Submission requirement: Must be submitted before contract award for any contract containing DFARS 252.204-7012
- Basis: The DoD Assessment Methodology, which assigns weighted point values to each of the 110 practices
- Update cadence: Must be updated when your compliance posture materially changes
- Visibility: Contracting officers can see your score and use it as an evaluation factor
How the score is calculated
The SPRS score starts at 110. For each practice that is not fully implemented, you subtract a weighted point value. The point values are not equal — some controls are worth 5 points, others are worth 1 or 3. The weighting reflects the DoD's assessment of each control's importance to CUI protection.
SPRS Score = 110 - SUM(point values of unimplemented practices)
Here's the critical nuance: a practice is either implemented (no deduction) or not implemented (full deduction). There's no partial credit. If you've implemented 80% of a control, you still lose the full point value. The only exception is if the unimplemented portion is documented in your POA&M with a credible remediation plan.
Point values by domain
Not all domains carry equal weight. Here are the approximate point totals by domain:
| Domain | Practices | Max Points at Risk | Avg per Practice |
|---|---|---|---|
| Access Control (AC) | 22 | 58 | 2.6 |
| System & Comms Protection (SC) | 16 | 40 | 2.5 |
| Identification & Authentication (IA) | 11 | 29 | 2.6 |
| Audit & Accountability (AU) | 9 | 25 | 2.8 |
| Configuration Management (CM) | 9 | 16 | 1.8 |
| Media Protection (MP) | 9 | 12 | 1.3 |
| System & Info Integrity (SI) | 7 | 14 | 2.0 |
| Physical Protection (PE) | 6 | 8 | 1.3 |
| Maintenance (MA) | 6 | 8 | 1.3 |
| Security Assessment (CA) | 4 | 8 | 2.0 |
| Risk Assessment (RA) | 3 | 8 | 2.7 |
| Incident Response (IR) | 3 | 5 | 1.7 |
| Awareness & Training (AT) | 3 | 3 | 1.0 |
| Personnel Security (PS) | 2 | 2 | 1.0 |
Notice that Access Control alone accounts for over 50 points. If your IAM is weak, your score is underwater before you look at anything else.
What is a "good" SPRS score?
There's no official passing score, but here's the practical reality:
- 110: Perfect score. All 110 practices fully implemented. This is the target for organizations preparing for CMMC Level 2 certification.
- 80-109: Strong posture. Minor gaps documented in POA&M with clear remediation timelines. Competitive for most contracts.
- 50-79: Moderate gaps. You'll win some contracts but lose others to higher-scoring competitors. Assessors will scrutinize your POA&M.
- Below 50: Significant gaps. Many contracting officers will pass. You need a remediation plan before pursuing new CUI contracts.
- Negative scores: Major compliance deficiencies. Requires substantial investment before competing for CUI-handling contracts.
How to improve your score: prioritize by points
The most efficient path to a higher score is to prioritize controls by their point value. Here are the highest-value practices to implement first:
5-point practices (implement these first)
- AC.L2-3.1.1 — Limit system access to authorized users
- AC.L2-3.1.2 — Limit system access to authorized functions
- AC.L2-3.1.12 — Monitor and control remote access sessions
- IA.L2-3.5.3 — Use multi-factor authentication
- SC.L2-3.13.1 — Monitor, control, and protect communications at system boundaries
- SC.L2-3.13.8 — Implement cryptographic mechanisms for CUI in transit
- AU.L2-3.3.1 — Create and retain audit records
3-point practices (implement next)
- AC.L2-3.1.3 — Control CUI flow
- AC.L2-3.1.5 — Employ least privilege
- IA.L2-3.5.1 — Identify system users and processes
- SC.L2-3.13.11 — Employ FIPS-validated cryptography for CUI at rest
- SI.L2-3.14.1 — Identify, report, and correct system flaws in a timely manner
- RA.L2-3.11.2 — Scan for vulnerabilities periodically and when new vulnerabilities are identified
Implementing just the 5-point and 3-point practices covers roughly 60% of the total score. This is where you get the most bang for your compliance investment.
Common SPRS mistakes
- Confusing percentage with score. "We're 80% compliant" doesn't mean your SPRS score is 88. If the 20% you're missing are all 5-point controls, your score could be below 50.
- Overcounting partial implementations. If MFA is deployed for admins but not for all remote access users, you don't get credit for IA.L2-3.5.3. Full implementation or full deduction.
- Forgetting the POA&M. Unimplemented controls without POA&M entries signal to assessors that you haven't acknowledged the gap. Always document what you haven't implemented yet.
- Stale scores. If you submitted your score 18 months ago and your infrastructure has changed, the score is unreliable. Update it whenever your compliance posture changes materially.
- Using the wrong methodology. Some vendors show a percentage-complete or their own scoring system. The SPRS score must follow the DoD Assessment Methodology weighting exactly.
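The scoring rule and the first two mistakes above, worked through as an added Python example (not the DoD's code or this site's simulator). It uses only the 13 practices and point values listed on this page, so a result near 110 assumes every practice not passed in is fully implemented; the function and status names are hypothetical.

```python
# Point values exactly as listed on this page (5- and 3-point practices only).
# This is a subset of the 110 practices, not the full DoD weighting table.
PAGE_WEIGHTS = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AC.L2-3.1.12": 5, "IA.L2-3.5.3": 5,
    "SC.L2-3.13.1": 5, "SC.L2-3.13.8": 5, "AU.L2-3.3.1": 5,
    "AC.L2-3.1.3": 3, "AC.L2-3.1.5": 3, "IA.L2-3.5.1": 3,
    "SC.L2-3.13.11": 3, "SI.L2-3.14.1": 3, "RA.L2-3.11.2": 3,
}
TOTAL_PRACTICES = 110
VALID = {"implemented", "partial", "not_implemented"}  # hypothetical status names


def assess(statuses, weights=PAGE_WEIGHTS):
    """Return (score, percent_implemented, gaps ordered by points lost).

    Assumption: any practice absent from `statuses` is fully implemented.
    """
    gaps = []
    for practice, status in statuses.items():
        if practice not in weights:
            raise KeyError(f"no point value known for {practice}")
        if status not in VALID:
            raise ValueError(f"unknown status {status!r} for {practice}")
        # No partial credit: anything short of 'implemented' loses full value.
        if status != "implemented":
            gaps.append((practice, weights[practice]))
    gaps.sort(key=lambda g: (-g[1], g[0]))  # highest deduction first
    score = 110 - sum(points for _, points in gaps)
    percent = 100 * (TOTAL_PRACTICES - len(gaps)) / TOTAL_PRACTICES
    return score, round(percent, 1), gaps


# Constructed sample: MFA covers admins only, plus four other gaps.
SAMPLE = {
    "IA.L2-3.5.3": "partial",
    "AC.L2-3.1.12": "not_implemented",
    "AU.L2-3.3.1": "not_implemented",
    "SC.L2-3.13.11": "partial",
    "RA.L2-3.11.2": "not_implemented",
    "AC.L2-3.1.1": "implemented",
}

if __name__ == "__main__":
    score, percent, gaps = assess(SAMPLE)
    print(f"score={score} implemented={percent}%")
    for practice, points in gaps:
        print(f"  -{points}  {practice}")
```

With the constructed sample, five gaps leave 95.5% of practices implemented, yet the score is 89 because three of the gaps are 5-point practices.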
Calculate your score now
We built an interactive tool that implements the exact DoD Assessment Methodology weighting. Walk through each of the 110 practices, mark your implementation status, and get your weighted SPRS score in real time.
Try the SPRS Simulator
If you want to go deeper, pair the SPRS Simulator with our Readiness Quiz to get a full picture of your assessment preparation status — not just the number, but what you need to do about it.