SPRS score, what the number means and how to move it
How the DoD Supplier Performance Risk System scores NIST 800-171 compliance, why most sub-contractors come in negative the first time and how to sequence the work to climb.
Jake Schaaf, Founder of Atticus Rowan
Defense supply chain primes are asking for SPRS scores with increasing frequency. The question on a 2026 quote sheet, vendor questionnaire or supplier portal is usually some variant of: “What is your current Supplier Performance Risk System assessment score for NIST SP 800-171?” The right answer is a number from -203 to 110, the assessment date and the scope. The wrong answer is “what is SPRS?” or “we are working on it.”
This post covers what the score is, how it is calculated, why most sub-contractors come in negative the first time and how to sequence the remediation work so the number climbs.
What SPRS is, briefly
The Supplier Performance Risk System is a DoD-operated database that aggregates a range of supplier-performance data points for use in source selection. As of 2020, when DFARS 252.204-7019 and 7020 took effect, SPRS includes self-assessed (or third-party assessed) scores against NIST SP 800-171.
Three DFARS clauses combine to produce the obligation:
- DFARS 252.204-7012 requires that contractors handling Covered Defense Information implement NIST 800-171.
- DFARS 252.204-7019 requires the contractor to have submitted a current NIST 800-171 score in SPRS before contract award.
- DFARS 252.204-7020 requires that the contractor cooperate with government assessments and flow the requirements down to applicable subcontractors.
The score itself is the contractor’s self-attestation against the DoD Assessment Methodology, a scoring rubric the DoD published alongside 800-171.
How the score is calculated
The methodology is straightforward to describe and rigorous to apply correctly.
- Start at 110 points (one point per control in NIST 800-171 Rev. 2 or Rev. 3).
- For each control that is not fully implemented, deduct points based on the control’s weight: 1, 3 or 5.
- The maximum possible score is 110 (every control implemented).
- The minimum possible score is -203 (every control unimplemented, accounting for weighting).
Weighting reflects what the DoD considers most likely to enable a breach. The 5-point deductions concentrate in Access Control, Identification and Authentication, Audit and Accountability and System and Communications Protection. The 3-point deductions are spread across Configuration Management, Risk Assessment, Security Assessment and Incident Response. The 1-point deductions are the lighter administrative and documentation items.
Two important nuances:
- Partial implementation is not partial credit in the basic methodology. A control is either fully implemented (no deduction) or not (full deduction). Controls in progress sit on the POA&M and contribute to the deduction until completed.
- Some controls are conditional. If a control does not apply to the environment (no remote access at all, no wireless, no portable storage), it can be marked Not Applicable with documented rationale and no deduction is taken.
The score is calculated against the documented system boundary, not the entire enterprise. A firm with 110 endpoints where only 10 touch CUI scores against the 10-endpoint enclave if the boundary is genuinely segmented. The boundary decision belongs in the System Security Plan with a network diagram and access matrix.
Why most sub-contractors come in negative
Firms that did not build the environment with NIST 800-171 in mind almost always score negative on a first honest assessment. Common patterns:
- No centralized audit log retention with documented review cadence: -5 (AU family).
- MFA missing on at least one in-scope account category: -5 (IA family).
- No documented System Security Plan: -3 (CA family).
- No periodic risk assessment with documented scope and findings: -3 (RA family).
- No documented incident response plan with a tested tabletop: -3 (IR family).
- No baseline configuration documentation and software inventory: -3 (CM family).
That is -22 from six common gaps. Add the typical 8-12 smaller gaps in policy documentation, training records, access reviews and physical safeguards and the firm lands somewhere between -30 and -90 on initial assessment. Negative is common. Negative is not disqualifying.
What matters: the number is honest, the POA&M is defensible and the trajectory is positive.
Registration and submission, the operational part
The administrative path to a submitted score:
- The company must have a SAM.gov registration with active CAGE code.
- The company must register in PIEE (Procurement Integrated Enterprise Environment) and request the SPRS application.
- The PIEE Contractor Administrator role can request the appropriate SPRS roles for the assessing personnel.
- The score itself is submitted through the SPRS module with the assessment date, score, scope description, system security plan identifier and the plan-of-action completion date.
The submission is a self-attestation made under federal law. False statements carry False Claims Act exposure. The accuracy of the score and the supporting documentation matters. Rounding the number up to look better than reality is a category of mistake that creates real liability if a prime audit or DoD assessment surfaces the gap.
How to move the number, in priority order
The fastest score climb comes from working the 5-point and 3-point control families first. A defensible 120-day arc for a firm starting around -50:
Days 1-30, Access Control and Identification. Enforce MFA across all in-scope accounts using FIDO2 or authenticator-app factors. SMS is not acceptable. Implement role-based access with documented minimum-necessary rationale. Eliminate shared accounts. Document the access control policy. Score impact: typically +10 to +20.
Days 30-60, Audit and System Protection. Deploy centralized log aggregation or SIEM. Set retention to at least the 800-171 expectation (typically 90 days searchable, 1+ year archive). Establish a documented log review cadence with named reviewer. Implement boundary protection at the CUI enclave perimeter. Score impact: typically +8 to +15.
Days 60-90, Documentation Layer. Complete the System Security Plan. Document the risk assessment with current threat model and findings. Write the incident response plan and execute a documented tabletop. Stand up the configuration management baseline with software inventory. Score impact: typically +10 to +15.
Days 90-120, Long-tail controls and POA&M closure. Close the lighter 1-point items in Awareness and Training, Personnel Security, Physical Protection and Media Protection. Refresh the POA&M with closed items and any new gaps surfaced during implementation. Re-assess and re-submit the SPRS score.
A firm starting at -50 with executive sponsorship and a competent IT partner can typically reach +50 to +80 in 120 days. Reaching the maximum 110 usually requires the additional documentation discipline and ongoing operational cadence that takes the full first year to stabilize.
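The scoring rules above (start at 110, deduct the full 1/3/5 weight of every control not fully implemented, no deduction for a documented Not Applicable) and the weight-first sequencing of the 120-day arc, as an added worked example that is not part of the original post. The control labels, weights and sample environment are constructed for illustration from the six common gaps listed earlier; they are not the DoD Assessment Methodology weighting table.

```python
from dataclasses import dataclass
MAX_SCORE = 110   # one point per control, everything implemented
MIN_SCORE = -203  # every control unimplemented, full weighting applied

@dataclass
class Control:
    control_id: str      # constructed label, not a NIST 800-171 identifier
    family: str          # e.g. "AC", "IA", "AU"
    weight: int          # 1, 3 or 5 under the DoD Assessment Methodology
    status: str          # "implemented", "not_implemented" or "not_applicable"
    rationale: str = ""  # required when status is "not_applicable"

def validate(controls: list[Control]) -> None:
    """Reject weights the methodology does not define and N/A claims without rationale."""
    for c in controls:
        if c.weight not in (1, 3, 5):
            raise ValueError(f"{c.control_id}: weight must be 1, 3 or 5")
        if c.status == "not_applicable" and not c.rationale.strip():
            raise ValueError(f"{c.control_id}: N/A requires documented rationale")

def sprs_score(controls: list[Control]) -> int:
    """Start at 110; deduct the full weight of each control not fully implemented (no partial credit)."""
    validate(controls)
    score = MAX_SCORE - sum(c.weight for c in controls if c.status == "not_implemented")
    assert MIN_SCORE <= score <= MAX_SCORE  # sanity: weights outside the table would break this
    return score

def remediation_order(controls: list[Control]) -> list[tuple[str, int, int]]:
    """Open POA&M items, 5-pointers first, with the running score after each closure."""
    open_items = sorted((c for c in controls if c.status == "not_implemented"),
                        key=lambda c: (-c.weight, c.family, c.control_id))
    plan, running = [], sprs_score(controls)
    for c in open_items:
        running += c.weight  # closing an item returns exactly its deduction
        plan.append((c.control_id, c.weight, running))
    return plan

# Constructed sample: the six common gaps from the post, one 1-point gap and one
# N/A control. Labels and weights are illustrative, not the DoD weighting table.
SAMPLE = [
    Control("AU-central-logging", "AU", 5, "not_implemented"),
    Control("IA-mfa-all-accounts", "IA", 5, "not_implemented"),
    Control("CA-system-security-plan", "CA", 3, "not_implemented"),
    Control("RA-periodic-risk-assessment", "RA", 3, "not_implemented"),
    Control("IR-plan-and-tabletop", "IR", 3, "not_implemented"),
    Control("CM-baseline-and-inventory", "CM", 3, "not_implemented"),
    Control("AT-training-records", "AT", 1, "not_implemented"),
    Control("AC-wireless-access", "AC", 5, "not_applicable", "No wireless in CUI enclave"),
]
```

`sprs_score(SAMPLE)` returns 87 for this enclave, and `remediation_order(SAMPLE)` lists the two 5-point gaps, then the four 3-point gaps, then the 1-point item, with the running score reaching 110 after the last closure.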
A note on CMMC scope
CMMC is the DoD assessment program built on NIST 800-171. CMMC Level 2 (the level most relevant to firms handling CUI) requires either self-assessment or third-party assessment by a C3PAO depending on the contract.
Atticus Rowan applies NIST 800-171 as a control reference, builds and documents the control environment and produces the readiness package primes and assessors review. We do not perform CMMC certification assessments. When a client needs formal CMMC L2 third-party assessment, we coordinate with a certified C3PAO. The SPRS score work above is upstream of CMMC and produces the documentation that makes a CMMC assessment go cleanly.
Where this fits in a longer program
The SPRS score is the visible output of a NIST 800-171 program. The program itself is the substantive work. Our NIST 800-171 Readiness Guide walks the full 110-control framework. Our POA&M anatomy post covers the supporting plan-of-action document the SPRS submission references.
If your firm has a flow-down requirement and an open question about its current SPRS score (or has never registered), schedule a discovery call. We can scope the gap assessment, the boundary decision and the 120-day arc to a defensible positive number.