The DoD uses your SPRS score to measure your cybersecurity compliance. Your prime contractor can see it. Contracting officers check it. A missing or low score costs you contracts.
Your SPRS score is the number the Department of Defense uses to measure your cybersecurity compliance. It ranges from -203 to +110. A score of 110 means you've fully implemented all 110 NIST SP 800-171 controls. Most defense contractors score between -100 and +50. Your prime contractor can see your score. The DoD can see your score. If your score is low — or missing — it signals risk and can cost you contracts. Here's what you need to know about SPRS, how it's calculated, and how to improve it.
SPRS stands for Supplier Performance Risk System — a DoD-managed database that tracks the cybersecurity posture of defense contractors. Your SPRS score is the numeric output of your self-assessment against the 110 security requirements in NIST SP 800-171 Rev 2.
Under DFARS 252.204-7019 (effective November 2020), any defense contractor that handles Controlled Unclassified Information (CUI) must conduct a self-assessment, calculate their score, and upload it to the SPRS portal. A current, on-file SPRS score is required for contract award above the micro-purchase threshold ($10,000).
Think of SPRS as your cybersecurity credit score for DoD work. The number is visible to contracting officers, prime contractors reviewing your teaming application, and DoD auditors. A high score signals low risk. A low score — or a missing score — signals the opposite.
Source: DFARS 252.204-7019; NIST SP 800-171 Rev 2 (csrc.nist.gov)
CMMC Level 2 certification directly maps to your SPRS score. CMMC Level 2 requires full implementation of all 110 NIST SP 800-171 controls — the same controls your SPRS score measures. A company that achieves Level 2 certification has, by definition, earned a score of 110.
Here's the practical connection:
Your SPRS score is the best indicator of how far you are from CMMC Level 2 readiness. If you score 70 today, you have approximately 40 points of gap work ahead of you.
Source: DFARS 252.204-7021; CMMC Rule (32 CFR Part 170)
Your SPRS score starts at +110 — maximum points, fully compliant. For every NIST SP 800-171 control you have not fully implemented, points are deducted. Point deductions range from 1 to 5 points per control based on the control's criticality.
The scoring methodology is defined in the NIST SP 800-171A assessment guide and the DoD Assessment Methodology. The 110 controls are grouped into 14 families:
| Control Family | Controls | Max Deduction |
|---|---|---|
| 3.1 — Access Control | 22 | High |
| 3.2 — Awareness & Training | 3 | Moderate |
| 3.3 — Audit & Accountability | 9 | Moderate |
| 3.4 — Configuration Management | 9 | Moderate |
| 3.5 — Identification & Authentication | 11 | High |
| 3.6 — Incident Response | 3 | Moderate |
| 3.7 — Maintenance | 6 | Low–Moderate |
| 3.8 — Media Protection | 9 | Moderate |
| 3.9 — Personnel Security | 2 | Low |
| 3.10 — Physical Protection | 6 | Low–Moderate |
| 3.11 — Risk Assessment | 3 | Moderate |
| 3.12 — Security Assessment | 4 | Moderate |
| 3.13 — System & Communications Protection | 16 | High |
| 3.14 — System & Information Integrity | 7 | High |
Source: NIST SP 800-171 Rev 2 Table 1; DoD Assessment Methodology v1.2.1
Controls in the Access Control (3.1), Identification & Authentication (3.5), System & Communications Protection (3.13), and System & Information Integrity (3.14) families carry the heaviest deductions. Missing MFA alone (control 3.5.3) can deduct 5 points. Missing encryption controls can deduct 5 points each.
The maximum score is +110. There is no official "passing" floor; the range graphic summarized below is an industry estimate of what scores mean in practice.

[Score range graphic: SPRS score range -203 to +110; starts at +110 and decreases with each unimplemented control. Industry estimate based on DoD assessment reports and industry surveys; the DoD does not publish official aggregate data.]
You submit and view your SPRS score through two official DoD portals:
The primary portal for submitting and updating your NIST SP 800-171 self-assessment score. You'll need a CAC/PIV card or a PIEE user account. Your CAGE code and active SAM.gov registration are required before submission.
PIEE portal: piee.eb.mil
Your score is visible to DoD contracting officers and prime contractors immediately after submission. There is no approval delay — it goes live the moment you submit.
Updating your score: You can resubmit as often as needed. When you implement new controls and your score improves, submit an updated assessment. Your submission history is retained.
Source: DFARS 252.204-7019; piee.eb.mil portal documentation
Prioritized by point impact — tackle these in order for the fastest score improvement.

1. Missing MFA on privileged accounts and remote access violates control 3.5.3, one of the highest-weight deductions. Enable MFA across all CUI-touching systems first.
2. NIST Section 3.1 has 22 controls. Least-privilege access, role definitions, and user access reviews alone can add 20+ points to a baseline score.
3. Controls 3.13.8 (in transit) and 3.13.10 (at rest) require encryption. Use TLS 1.2+ and AES-256. These are frequently unimplemented and carry heavy deductions.
4. Section 3.3 (Audit and Accountability) has 9 requirements. Enable audit logging on all systems touching CUI. Configure minimum 90-day retention and establish log review procedures.
5. Controls 3.8.9 and 3.13.16 require encrypted backup copies stored separately from production. Test restoration quarterly. Document results.
6. Control 3.12.4 requires an SSP documenting your CUI scope, system boundaries, and control implementation status. An SSP is required for SPRS submission and CMMC assessment.
7. Control 3.6.1 requires a documented IR capability. A written plan with roles, escalation paths, and DoD reporting procedures (72-hour notification) satisfies this requirement.
8. Control 3.2.1 requires documented annual training for all users who handle CUI. Annual training programs with documented completion records satisfy this requirement quickly.
9. Section 3.4 (Configuration Management) has 9 requirements. Apply CIS benchmarks to your OS, applications, and network devices. Patch critical vulnerabilities within 30 days.
10. Section 3.11 has 3 requirements including vulnerability scanning and risk assessment. A documented periodic risk assessment process satisfies all three and adds points without major infrastructure changes.
Point impact estimates are relative rankings based on control weight assignments in DoD Assessment Methodology v1.2.1. Seek expert advice for contract-specific remediation priorities.
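As an added worked example of the scoring rule (start at 110, deduct each unimplemented control's weight) and of the point-impact prioritization above, here is a small self-assessment scorer; it is not DoD or NIST tooling and not code from the original article. The ten controls and their weights are a constructed sample: only 3.5.3 and 3.13.11 carry their DoD Assessment Methodology weights (5 points, reduced to 3 when partially implemented), and `score_assessment`, `remediation_plan` and `ssp_on_file` are names chosen here.

```python
"""Worked SPRS self-assessment scorer (added illustration, not DoD or NIST tooling)."""
from dataclasses import dataclass

MAX_SCORE = 110  # score with every NIST SP 800-171 Rev 2 requirement implemented

@dataclass(frozen=True)
class Control:
    cid: str          # NIST SP 800-171 requirement number
    weight: int       # deduction when not implemented: 5, 3 or 1
    partial: int = 0  # reduced deduction for partial implementation (0 = none)

# Constructed sample of the 110 requirements. Weights are illustrative except
# 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto), which the DoD Assessment
# Methodology deducts at 5 points, or 3 when only partially implemented.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5), Control("3.1.5", 3), Control("3.2.1", 1),
    Control("3.3.1", 5), Control("3.5.3", 5, partial=3), Control("3.6.1", 5),
    Control("3.8.9", 1), Control("3.13.8", 3), Control("3.13.11", 5, partial=3),
    Control("3.13.16", 1),
]

def score_assessment(controls, status, ssp_on_file=True):
    """Return (score, deductions) for a self-assessment over `controls`.

    `status` maps control id -> "implemented", "partial" or "not_implemented";
    a control missing from `status` counts as not implemented. "partial" earns
    the reduced deduction only where the control defines one. With no SSP on
    file (3.12.4) the assessment cannot be scored at all.
    """
    if not ssp_on_file:
        raise ValueError("no System Security Plan on file: cannot score")
    deductions = {}
    for c in controls:
        s = status.get(c.cid, "not_implemented")
        if s == "implemented":
            continue
        deductions[c.cid] = c.partial if (s == "partial" and c.partial) else c.weight
    return MAX_SCORE - sum(deductions.values()), deductions

def remediation_plan(deductions):
    """Open gaps ordered by points recovered, largest first (ties by control id)."""
    return sorted(deductions.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    status = {"3.1.1": "implemented", "3.3.1": "implemented",
              "3.5.3": "partial", "3.13.11": "partial"}
    score, gaps = score_assessment(SAMPLE_CONTROLS, status)
    print(f"SPRS score over the sample: {score}")  # 90
    for cid, pts in remediation_plan(gaps):
        print(f"  {cid}: +{pts} points when fully implemented")
```

Controls outside the list passed in are simply not scored, so run it over all 110 requirements with the weights from Annex A of the DoD methodology to get a real number.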