
SPRS Score Calculator: How DoD Scores Defense Contractors

The Supplier Performance Risk System assigns every defense contractor a cybersecurity score from -203 to +110. Here's exactly how it's calculated, what each range means for contract eligibility, and how to submit your score.

📅 Updated May 2026 ⏱ 12 min read 📋 110 controls covered

What Is the SPRS Score?

The Supplier Performance Risk System (SPRS) is a DoD platform that stores contractor performance and risk data — including your self-assessed cybersecurity score based on NIST SP 800-171. Every defense contractor handling Controlled Unclassified Information (CUI) must calculate and submit this score. [VERIFIED] DFARS 252.204-7019, sprs.csd.disa.mil

The score ranges from -203 (all controls failing) to +110 (all controls met). The starting point is 110 — the number of controls in NIST SP 800-171 Rev 2. Every unimplemented control subtracts a weighted point value from that baseline.

⚠️ Legal obligation — not optional. DFARS clause 252.204-7019 requires contractors to have a current SPRS score on file before receiving DoD contracts that involve CUI. Contracts issued after November 2020 include this requirement. Submitting a knowingly inaccurate score can trigger False Claims Act liability.

Why DoD Uses SPRS Scores

Before SPRS scoring was mandated, DoD had no systematic way to assess cybersecurity risk across its contractor base. Contracting officers received bids from companies with vastly different security postures — with no visibility into which vendors were leaving CUI exposed. [AI-GENERATED] context

SPRS scores change that. Your score is visible to every contracting officer running a DoD solicitation. A low score doesn't automatically disqualify you, but it does:

SPRS Scoring Methodology

The scoring methodology is defined in the NIST SP 800-171 DoD Assessment Methodology, published by the Office of the Under Secretary of Defense for Acquisition and Sustainment. [VERIFIED] Source: DoD CIO, NIST SP 800-171A

The Point System

110 controls. Maximum score: 110. Starting score: 110. For each control that is Not Met, you subtract its assigned point value. The total deduction is what separates your score from 110.

| Control Family | ID Range | # Controls | Max Point Deduction |
|---|---|---|---|
| Access Control (AC) | 3.1.1–3.1.22 | 22 | 20 |
| Awareness & Training (AT) | 3.2.1–3.2.3 | 3 | 3 |
| Audit & Accountability (AU) | 3.3.1–3.3.9 | 9 | 8 |
| Configuration Management (CM) | 3.4.1–3.4.9 | 9 | 11 |
| Identification & Authentication (IA) | 3.5.1–3.5.11 | 11 | 11 |
| Incident Response (IR) | 3.6.1–3.6.3 | 3 | 6 |
| Maintenance (MA) | 3.7.1–3.7.6 | 6 | 6 |
| Media Protection (MP) | 3.8.1–3.8.9 | 9 | 8 |
| Personnel Security (PS) | 3.9.1–3.9.2 | 2 | 2 |
| Physical Protection (PE) | 3.10.1–3.10.6 | 6 | 4 |
| Risk Assessment (RA) | 3.11.1–3.11.3 | 3 | 3 |
| Security Assessment (CA) | 3.12.1–3.12.4 | 4 | 5 |
| System & Communications (SC) | 3.13.1–3.13.16 | 16 | 20 |
| System & Info Integrity (SI) | 3.14.1–3.14.7 | 7 | 10 |

ℹ️ Partial implementation = Not Met. If a control is implemented for some systems but not all in scope, it counts as Not Met. There is no partial credit. The DoD Assessment Methodology is binary: Met or Not Met. [VERIFIED] NIST SP 800-171 DoD Assessment Methodology v1.2.1

Score Range Interpretation

-203 to 0: Critical Risk. Majority of controls unmet. High probability of CUI exposure. Most contracting officers will flag for review or exclude.

1 to 70: High Risk. Significant gaps remain. Competitive disadvantage in source selection. May trigger enhanced oversight requirements.

71 to 88: Moderate Risk. Major control families met, some gaps remain. Generally acceptable for current contracts; watch for CMMC requirements.

89 to 105: Low Risk. Strong posture. Minor gaps with documented remediation. Competitive position in most DoD solicitations.

106 to 110: Excellent. Near or full compliance. Strongest competitive position. Ready for CMMC Level 2 assessment engagement.

SPRS Score Estimator

Check off the controls your organization has fully implemented. The estimator calculates your estimated SPRS score in real time across all 14 control families. [AI-GENERATED] point weighting based on DoD Assessment Methodology — for planning purposes only; verify with qualified assessor before submitting to SPRS.


Access Control (AC) — 22 controls, up to 20 pts
Identification & Authentication (IA) — 11 controls, up to 11 pts
System & Communications Protection (SC) — 16 controls, up to 20 pts
System & Information Integrity (SI) — 7 controls, up to 10 pts
Configuration Management (CM) — 9 controls, up to 11 pts
Audit & Accountability (AU) — 9 controls, up to 8 pts
Incident Response (IR) — 3 controls, up to 6 pts
Remaining Families: AT, MA, MP, PS, PE, RA, CA — 32 controls, up to 28 pts

Step-by-Step SPRS Self-Assessment

A self-assessment is not a paper exercise — it requires evidence collection, system inventory, and honest scoring. Organizations that inflate scores face legal risk. Here's how to do it right. [AI-GENERATED] walkthrough framework

  1. Define Your Assessment Scope (CUI Boundary)

    Identify every system component that processes, stores, or transmits CUI. This includes workstations, servers, cloud environments, email systems, and shared drives. Systems outside the CUI boundary are excluded. A narrower, well-defined boundary is easier to secure and cheaper to assess — but it must be accurate.

  2. Document Your System Security Plan (SSP)

    Your SSP describes your system architecture, the CUI environment, the 110 controls, and how each is implemented. The SSP is required documentation — not optional background material. Assessors (and auditors) will request it. An outdated or incomplete SSP is itself a finding.

  3. Score Each Control: Met or Not Met

    For each of the 110 controls, determine whether it is fully implemented across all in-scope systems. Partial implementation = Not Met. "We're working on it" = Not Met. Document the evidence for each Met control. For each Not Met control, record the gap in your POA&M with a target date.

  4. Calculate Your Score

    Start at 110. Subtract the DoD Assessment Methodology point value for each Not Met control. Use the estimator above or the official DoD Assessment Methodology spreadsheet. Your final number is your SPRS submission score.

  5. Submit via PIEE/SPRS Portal

    Log in to the Procurement Integrated Enterprise Environment (PIEE) at piee.eb.mil. Navigate to the SPRS module. Enter your score, assessment date, assessment scope description, and number of open POA&M items. Your score becomes immediately visible to DoD contracting officers.
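Steps 3 to 5 can be made repeatable by rolling per-system evidence up to a Met / Not Met decision and deriving the score and the open POA&M count from it. The following is an added example, not part of the original page or any DoD tool; the function names, system names and sample evidence are constructed, and the four sample weights are the point values this page lists for those controls. A real run needs all 110 weights from the DoD Assessment Methodology.

```python
"""Roll per-system evidence up to Met / Not Met and compute an SPRS-style score."""

BASELINE = 110  # number of NIST SP 800-171 Rev 2 controls; the score starts here


def control_status(evidence, in_scope):
    """A control is Met only if every in-scope system has it implemented.

    evidence maps system name -> True/False. A system with no recorded
    evidence counts as not implemented, so partial coverage is Not Met.
    """
    return all(evidence.get(system) is True for system in in_scope)


def assess(weights, evidence_by_control, in_scope):
    """Return (score, not_met); not_met lists (control, points) POA&M candidates.

    weights: control ID -> point value (caller-supplied, from the methodology).
    evidence_by_control: control ID -> {system: implemented?}.
    """
    if not in_scope:
        raise ValueError("assessment scope (CUI boundary) is empty")
    unknown = set(evidence_by_control) - set(weights)
    if unknown:
        raise ValueError(f"evidence for controls with no weight: {sorted(unknown)}")
    not_met = []
    for control, points in weights.items():
        evidence = evidence_by_control.get(control, {})  # never scored -> Not Met
        if not control_status(evidence, in_scope):
            not_met.append((control, points))
    score = BASELINE - sum(points for _, points in not_met)
    # Largest deduction first: the order in which remediation moves the score most.
    not_met.sort(key=lambda item: (-item[1], item[0]))
    return score, not_met


# Constructed sample: four controls, three in-scope systems (hypothetical names).
SAMPLE_WEIGHTS = {"3.4.1": 2, "3.5.3": 2, "3.6.1": 3, "3.13.8": 2}
SAMPLE_SCOPE = ["fileserver", "laptop-01", "mail"]
SAMPLE_EVIDENCE = {
    "3.4.1": {"fileserver": True, "laptop-01": True, "mail": True},
    "3.5.3": {"fileserver": True, "laptop-01": True, "mail": False},  # partial
    "3.13.8": {"fileserver": True, "laptop-01": True},  # no evidence for mail
    # 3.6.1 was never scored, so it is treated as Not Met
}

if __name__ == "__main__":
    score, gaps = assess(SAMPLE_WEIGHTS, SAMPLE_EVIDENCE, SAMPLE_SCOPE)
    print(f"score={score} open POA&M items={len(gaps)}")
```

The length of the returned gap list is the "number of open POA&M items" value entered at submission, provided each Not Met control has its own POA&M entry.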

⚠️ False Claims Act risk. Submitting an inflated SPRS score that you know doesn't reflect your actual security posture is a federal False Claims Act violation. DoD has pursued FCA cases against contractors who certified compliance they didn't have. Accuracy over optics — always. [VERIFIED] DOJ FCA guidance; DFARS 252.204-7019 certification language

How to Submit to the SPRS Portal

SPRS scores are submitted through PIEE (Procurement Integrated Enterprise Environment), not directly through the SPRS website. Here's the submission path: [VERIFIED] sprs.csd.disa.mil, piee.eb.mil

| Step | Action | Details |
|---|---|---|
| 1 | Register on PIEE | Go to piee.eb.mil. Request access to the SPRS module. Requires a government-verified account. |
| 2 | Navigate to SPRS | Under "My Applications" select SPRS. First-time users may need supervisor approval. |
| 3 | Enter your CAGE Code | Your score is tied to your CAGE code. Verify it matches your active SAM.gov registration. |
| 4 | Submit assessment data | Enter: score, assessment date, assessment scope description, number of open POA&M items, system name/identifier. |
| 5 | Verify submission | Confirm the score appears in your SPRS record. Contracting officers can see it immediately. |

Highest-Impact Controls to Improve Your Score

Not all 110 controls are equal. Some have 3-5x the point value of others. If you're planning remediation, start with the highest-weight controls. [AI-GENERATED] priority ranking

| Control ID | Description | Pts | Priority Reason |
|---|---|---|---|
| 3.6.1 | Incident Response capability | 3 | High weight + commonly missing for small contractors |
| 3.5.3 | Multi-factor authentication | 2 | High DoD scrutiny; commonly incomplete |
| 3.13.1 | Monitor communications at external boundaries | 2 | Requires firewall logging + monitoring program |
| 3.13.5 | Implement DMZ / subnetworks for public systems | 2 | Architecture requirement — can't be patched quickly |
| 3.13.8 | Encryption in transit for CUI | 2 | TLS 1.2+ required across all in-scope systems |
| 3.13.10 | Cryptographic key management | 2 | Often overlooked; keys stored insecurely in many environments |
| 3.14.1 | Identify and correct system flaws (patching) | 2 | Documented patch management program required |
| 3.14.2 | Malicious code protection | 2 | AV/EDR required on all in-scope endpoints |
| 3.14.4 | Update malicious code protection mechanisms | 2 | Auto-update or documented manual update process required |
| 3.4.1 | Baseline configurations | 2 | Documented, maintained baseline per system type |

SPRS Score vs. CMMC Certification

These two requirements are related but distinct — and both may apply to your contracts simultaneously. [AI-GENERATED] comparison framework

| | SPRS Score | CMMC Level 2 Certification |
|---|---|---|
| What it is | Self-assessed score (-203 to +110) | Third-party verified certification |
| Who verifies it | Nobody (self-attested) | Authorized C3PAO |
| Required now? | Yes — DFARS 252.204-7019 | Phasing in 2025–2026 per contract |
| Renewal | Annual self-assessment | Every 3 years |
| Framework | NIST SP 800-171 (110 controls) | NIST SP 800-171 + CMMC practices |
| Where it lives | SPRS via PIEE portal | CMMC Marketplace (Cyber AB) |
| Legal risk if wrong | False Claims Act | Contract default; False Claims Act |

The path forward: a strong SPRS score today positions you for CMMC certification. Most of the remediation work is shared between the two frameworks. Organizations preparing for CMMC assessments typically see their SPRS score improve in parallel as gaps are closed.

Frequently Asked Questions

What is an SPRS score and why does it matter?
An SPRS score is a self-assessed number from -203 to +110 representing how fully your organization has implemented NIST SP 800-171 Rev 2 controls for protecting Controlled Unclassified Information. It matters because it is visible to every DoD contracting officer on every solicitation your company bids on. A low score signals elevated risk and can hurt you in source selection evaluations. [VERIFIED] DFARS 252.204-7019
What SPRS score do you need to win DoD contracts?
There is no hard minimum — contracting officers have discretion. In practice, scores below 70 draw scrutiny, scores below 0 have been used to disqualify offerors on competitive procurements, and primes evaluating subcontractors typically want to see scores above 88. The CMMC phased rollout makes the pressure for higher scores stronger in 2026 and beyond. [AI-GENERATED] guidance based on DFARS/procurement community reporting
How often do you need to update your SPRS score?
DFARS 252.204-7019 requires an annual self-assessment. You must also update your score when there are significant changes to your covered systems, after a cybersecurity incident affects your CUI environment, or when you complete POA&M remediation items that change your score. Stale scores (over 12 months old) are a red flag during contract audits. [VERIFIED] DFARS 252.204-7019(b), DFARS 252.204-7020
Can a third party submit your SPRS score?
The score submission is your organization's attestation — it must be submitted by an authorized representative of your company through PIEE. A consultant or RPO can help you conduct the assessment and calculate the score, but the final submission and its accuracy are your legal responsibility. The attestation language in PIEE creates legal liability if the score is knowingly inaccurate. [AI-GENERATED]
What happens if your SPRS score is inflated?
Submitting a knowingly inaccurate SPRS score can constitute a false statement under the False Claims Act (31 U.S.C. § 3729). DoD's DCSA has the right to conduct DIBCAC assessments to verify self-attested scores. An inflated score discovered during contract performance has resulted in cure notices, contract termination, and in high-profile cases, DOJ enforcement action. [VERIFIED] DOJ FCA cases 2021–2024; DFARS 252.204-7020 government audit rights
Is a score of 110 required for CMMC Level 2?
Not exactly. CMMC Level 2 requires that all 110 NIST SP 800-171 practices are met at the time of assessment. A score of 110 in SPRS means you self-attested full implementation — but a C3PAO assessment may find discrepancies. In practice, organizations entering CMMC assessment with SPRS scores below 88 typically discover significant additional gaps. An SPRS score of 110 is not a guarantee of passing a CMMC assessment, but it's the floor you should be targeting before you engage a C3PAO. [AI-GENERATED]

Sources & Verification

  1. DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements. Mandates SPRS score submission. acquisition.gov [VERIFIED]
  2. DFARS 252.204-7020 — NIST SP 800-171 DoD Assessments. Government right to conduct assessments of contractor systems. acquisition.gov [VERIFIED]
  3. NIST SP 800-171 Rev 2 — 110 security requirements for protecting CUI. NIST.gov [VERIFIED]
  4. NIST SP 800-171A / DoD Assessment Methodology — Official point values for each of the 110 controls. DoD CIO CMMC Resources [VERIFIED]
  5. SPRS Portal — sprs.csd.disa.mil — where scores are accessed by contracting officers. Submission via PIEE at piee.eb.mil. [VERIFIED]
  6. Score range interpretations and priority rankings — Synthesized from CMMC community reporting, C3PAO assessment summaries, and DoD acquisition guidance. [AI-GENERATED] — verify with qualified assessor.