The Supplier Performance Risk System (SPRS) is where defense contractors submit their NIST SP 800-171 self-assessment scores. Your SPRS score is a number between -203 and 110 that reflects which of the 110 security requirements you have implemented. The scoring is not as simple as counting controls: the DoD Assessment Methodology assigns different point values to different requirements.
How Scoring Works
Every one of the 110 NIST SP 800-171 Rev 2 requirements starts with a value of 1, 3, or 5 points. If you have fully implemented the requirement, you get the points. If you have not implemented it, those points are subtracted from your maximum score of 110. The result is your SPRS score.
The point values are based on the security impact of each requirement. Controls that address fundamental security principles — like multi-factor authentication (IA.L2-3.5.3, 5 points), incident response (IR.L2-3.6.1, 5 points), and system access controls (AC.L2-3.1.1, 5 points) — carry the highest weight. Lower-impact controls like media marking (MP.L2-3.8.4, 1 point) carry less weight.
Calculating Your Score
Start with 110. For each requirement you have NOT implemented, subtract its point value. Requirements on a POA&M are considered not implemented for scoring purposes unless you have completed the remediation. A contractor who has implemented all but a few low-impact controls might score 105. A contractor missing several high-impact controls could score well below zero.
For example, if you are missing 3 five-point requirements and 2 three-point requirements, your score would be: 110 - (3 x 5) - (2 x 3) = 110 - 15 - 6 = 89.
Common Mistakes
Inflated scores: The most common mistake is claiming implementation when the control is only partially implemented. If you have a policy document but no evidence that the policy is being followed, the requirement is not implemented. Do not give yourself credit for paper-only compliance.
Ignoring the methodology: Some contractors simply count the number of controls they have implemented out of 110 and submit that number. This is wrong. The weighted scoring can produce scores below zero if you are missing high-value requirements.
Not updating: Your SPRS score must be updated annually at minimum, and whenever your score changes. If you implement new controls or discover new gaps, update the score.
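The calculation and the first two mistakes above, as an added example that is not part of the original article: a small Python scorer that treats POA&M and partially implemented items as not implemented and reports the weighted score next to the simple count. The sample assessment is constructed; the ids REQ-3PT-A and REQ-3PT-B, the status labels and the function name are assumptions made for the illustration.

```python
MAX_SCORE = 110                      # all 110 requirements implemented
VALID_POINTS = {1, 3, 5}             # point values named in the article
STATUSES = {"implemented", "partial", "poam", "not_implemented"}  # assumed labels

# Constructed sample assessment: (requirement id, points, status).
# The 5- and 1-point values are the ones quoted in the article; REQ-3PT-A/B
# are placeholder ids standing in for two 3-point requirements.
SAMPLE = [
    ("AC.L2-3.1.1", 5, "not_implemented"),
    ("IA.L2-3.5.3", 5, "poam"),          # remediation not yet complete
    ("IR.L2-3.6.1", 5, "partial"),       # policy exists, no evidence of use
    ("REQ-3PT-A", 3, "not_implemented"),
    ("REQ-3PT-B", 3, "poam"),
    ("MP.L2-3.8.4", 1, "implemented"),
]


def score_assessment(findings, total_requirements=110):
    """Score a list of findings; requirements not listed are assumed implemented."""
    seen, deduction, open_items = set(), 0, []
    for req_id, points, status in findings:
        if req_id in seen:
            raise ValueError(f"duplicate requirement: {req_id}")
        if points not in VALID_POINTS:
            raise ValueError(f"{req_id}: point value must be 1, 3 or 5")
        if status not in STATUSES:
            raise ValueError(f"{req_id}: unknown status {status!r}")
        seen.add(req_id)
        # Only a fully implemented requirement keeps its points.
        if status != "implemented":
            deduction += points
            open_items.append((req_id, points, status))
    return {
        "sprs_score": MAX_SCORE - deduction,
        # The count some contractors submit by mistake: implemented out of 110.
        "simple_count": total_requirements - len(open_items),
        # Highest-value gaps first (stable sort keeps input order within a weight).
        "open_items": sorted(open_items, key=lambda item: -item[1]),
    }


if __name__ == "__main__":
    result = score_assessment(SAMPLE)
    print("SPRS score:", result["sprs_score"], "| simple count:", result["simple_count"])
    for req_id, points, status in result["open_items"]:
        print(f"  -{points}  {req_id}  ({status})")
```

The sample reproduces the article's worked case of three 5-point and two 3-point gaps, so the weighted score and the simple count can be compared directly.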
What Score Do You Need?
There is no official passing score under the current DFARS requirement — you must submit an honest score regardless of how low it is. However, prime contractors are increasingly using SPRS scores to evaluate subcontractors, and scores below 70 raise red flags. Under CMMC, you will need to meet all 110 requirements (with limited POA&M allowances) to achieve Level 2 certification. Start now.
CMMCDocs.com