How SPRS Scoring Works: Point Values, Deductions, and the 88-Point Threshold
Your SPRS score is the single number that determines whether your organization can bid on DoD contracts requiring CMMC Level 2. It ranges from -203 to +110, and every defense contractor must calculate and submit it to the DISA SPRS portal. But most guides explain the scoring as “start at 110 and subtract points” without showing how the math actually works for real organizations.
This guide walks through the complete SPRS scoring methodology with worked examples — including which controls cost 5 points, why the 88-point threshold matters, and how to calculate your score accurately before submitting it.
How SPRS Scoring Works: The Basics
The Supplier Performance Risk System (SPRS) score measures your implementation of the 110 security requirements in NIST SP 800-171 Rev 2. The calculation is straightforward but unforgiving:
Start at 110. For every control you have not fully implemented, subtract its assigned point value (1, 3, or 5). The result is your SPRS score.
There is no partial credit. A control is either fully implemented with demonstrable evidence, or it is not implemented and the full point value is deducted. “We have a policy but haven’t enforced it technically” counts as not implemented.
The Three Point Value Tiers
Each of the 110 controls is assigned a point value based on its security impact per the DoD NIST SP 800-171 Assessment Methodology:
5-Point Controls (47 controls)
These represent the most significant security risks — controls where failure creates direct CUI exfiltration paths or system exploitation opportunities. Examples:
- 3.1.1 — Authorized Access Control: Limiting system access to authorized users, processes, and devices
- 3.1.2 — Transaction and Function Control: Restricting users to only the transactions their role requires
- 3.1.3 — CUI Flow Control: Controlling how CUI moves between systems and networks
- 3.5.3 — Multifactor Authentication: MFA for all network access to privileged and non-privileged accounts
- 3.13.8 — CUI on Mobile Devices: Prohibiting unencrypted CUI on mobile devices
3-Point Controls (6 controls)
These carry specific, confined security impacts. They are fewer in number, but a gap in any of them is a targeted weakness an assessor will look for:
- 3.1.5 — Least Privilege: Employing minimum necessary access, especially for privileged accounts
- 3.1.6 — Non-Privileged Account Use: Using non-privileged accounts for non-security functions
1-Point Controls (57 controls)
These have limited or indirect security impact. Individually small, but 57 of them add up to 57 possible points. These are also the only controls eligible for POA&M (Plan of Action & Milestones) deferral under conditional certification.
SPRS Scoring: A Worked Example
Consider a small defense contractor with 45 employees. After an honest assessment, they find these gaps:
Starting score: 110
5-point control gaps (8 controls):
- 3.1.1 — No formal authorized user list maintained (-5)
- 3.1.3 — No documented CUI data flow controls (-5)
- 3.5.3 — MFA not implemented on VPN access (-5)
- 3.13.1 — No boundary protection between CUI and general network (-5)
- 3.13.8 — CUI accessible on unencrypted mobile devices (-5)
- 3.13.11 — Email encryption not FIPS 140-2 validated (-5)
- 3.3.1 — No system audit logging enabled (-5)
- 3.4.1 — No configuration baselines established (-5)
Subtotal 5-point deductions: 8 × 5 = 40 points
3-point control gaps (2 controls):
- 3.1.5 — All users have admin access (-3)
- 3.1.6 — Admins use privileged accounts for daily work (-3)
Subtotal 3-point deductions: 2 × 3 = 6 points
1-point control gaps (12 controls):
- Various documentation and training gaps (-12)
Subtotal 1-point deductions: 12 × 1 = 12 points
Total deductions: 40 + 6 + 12 = 58 points
SPRS Score: 110 - 58 = 52
A score of 52 is below the 88-point threshold for conditional certification. This organization cannot receive CMMC certification in its current state, even with POA&Ms for all 1-point gaps. They need to close at least the 5-point and 3-point gaps first.
The 88-Point Threshold: Why It Matters
The number 88 is the most important threshold in SPRS scoring. Here is what it means:
- Score of 110 — full certification, no conditions
- Score of 88 to 109 — eligible for conditional certification, but only if every remaining gap is a 1-point control. You receive a POA&M with 180 days to close all items.
- Score below 88 — no certification possible, even conditional. Full remediation required before scheduling a C3PAO assessment.
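The scoring rule, the worked example and the 88-point threshold above can be checked with a small calculator. The following is an added example written for this guide, not the DoD's assessment tooling or anything from the SPRS portal; it encodes the rules exactly as this guide states them (110 minus the full value of every open control, no partial credit, conditional certification only at 88 or above with nothing but 1-point gaps open). The twelve 1-point findings in the worked example are not named in the guide, so they carry constructed placeholder ids.

```python
from dataclasses import dataclass
from typing import Iterable

START_SCORE = 110           # score with every NIST SP 800-171 requirement implemented
CONDITIONAL_THRESHOLD = 88  # minimum score at which conditional certification is possible
VALID_POINTS = (1, 3, 5)    # the three point-value tiers of the DoD Assessment Methodology


@dataclass(frozen=True)
class Gap:
    """One requirement that is NOT fully implemented (no partial credit exists)."""
    control: str     # requirement id as the guide writes it, e.g. "3.5.3"
    points: int      # 5, 3 or 1
    finding: str = ""


def sprs_score(gaps: Iterable[Gap]) -> int:
    """Start at 110 and deduct the full point value of every open gap."""
    seen = set()
    total = 0
    for g in gaps:
        if g.points not in VALID_POINTS:
            raise ValueError(f"{g.control}: point value must be 1, 3 or 5, got {g.points}")
        if g.control in seen:
            raise ValueError(f"{g.control}: listed twice; a control is deducted only once")
        seen.add(g.control)
        total += g.points
    return START_SCORE - total


def deductions_by_tier(gaps: Iterable[Gap]) -> dict:
    """Points lost per tier, matching the guide's subtotal lines."""
    totals = {5: 0, 3: 0, 1: 0}
    for g in gaps:
        totals[g.points] += g.points
    return totals


def certification_outlook(gaps: Iterable[Gap]) -> str:
    """Apply the 88-point rule: 'full' at 110, 'conditional' at 88..109 with only
    1-point gaps open, otherwise 'none' (one open 3- or 5-point gap blocks it)."""
    gaps = list(gaps)
    score = sprs_score(gaps)
    if score == START_SCORE:
        return "full"
    if score >= CONDITIONAL_THRESHOLD and all(g.points == 1 for g in gaps):
        return "conditional"
    return "none"


# The guide's 45-employee contractor. The twelve 1-point findings are not named,
# so they carry constructed placeholder ids here.
WORKED_EXAMPLE = [
    Gap("3.1.1", 5, "no formal authorized user list maintained"),
    Gap("3.1.3", 5, "no documented CUI data flow controls"),
    Gap("3.5.3", 5, "MFA not implemented on VPN access"),
    Gap("3.13.1", 5, "no boundary protection between CUI and general network"),
    Gap("3.13.8", 5, "CUI accessible on unencrypted mobile devices"),
    Gap("3.13.11", 5, "email encryption not FIPS 140-2 validated"),
    Gap("3.3.1", 5, "no system audit logging enabled"),
    Gap("3.4.1", 5, "no configuration baselines established"),
    Gap("3.1.5", 3, "all users have admin access"),
    Gap("3.1.6", 3, "admins use privileged accounts for daily work"),
    *[Gap(f"onepoint-{i:02d}", 1, "documentation/training gap (placeholder id)")
      for i in range(1, 13)],
]


def report(gaps: Iterable[Gap]) -> str:
    """Render the same subtotal layout the guide uses for its worked example."""
    gaps = list(gaps)
    tiers = deductions_by_tier(gaps)
    lines = [f"Starting score: {START_SCORE}"]
    for pts in (5, 3, 1):
        n = sum(1 for g in gaps if g.points == pts)
        lines.append(f"{pts}-point gaps: {n} x {pts} = {tiers[pts]} points")
    lines.append(f"SPRS score: {sprs_score(gaps)}")
    lines.append(f"Certification outlook: {certification_outlook(gaps)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WORKED_EXAMPLE))
    # The same contractor after closing every 5- and 3-point gap: 98, conditional.
    print(report([g for g in WORKED_EXAMPLE if g.points == 1]))
```

Note that `certification_outlook` returns "none" for a score of 90 when the only remaining deductions include a single 3-point control: the threshold alone is not enough, the tier of what is still open decides.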
Score Distribution by Control Domain
Understanding where points concentrate helps you prioritize remediation. Across the 14 control families, the two largest concentrations of SPRS point exposure are these:
Access Control (AC) carries the highest exposure at 58 points across 22 controls. An organization with no access control infrastructure could lose more than half the total score from this domain alone. System and Communications Protection (SC) follows at 42 points across 16 controls — this is where encryption, network boundary, and session management requirements live.
Common Scoring Mistakes
The three most frequent errors in SPRS self-assessment:
Claiming Implementation Without Evidence
If you cannot produce documentation, configuration screenshots, or log samples proving a control is implemented, it is not implemented for scoring purposes. A C3PAO uses three assessment methods — Examine (documentation), Interview (personnel), and Test (verify behavior). Passing one method does not mean passing all three.
Confusing Policy With Implementation
Having a written password policy does not mean your systems enforce password complexity requirements. Having an incident response plan does not mean you have tested it. Assessors verify technical enforcement, not just policy documents. Professional gap assessments consistently find 40 to 70 deficiencies in organizations with 15 to 125 employees, largely because organizations conflate policy with implementation.
Rating “Partially Implemented” as Implemented
There is no partial credit in SPRS scoring. If MFA is required on all network access points and you have it on VPN but not on email, the control is not implemented. The full 5 points are deducted.
From Score to Action: Remediation Sequencing
Once you know your score, remediation priority follows a clear sequence:
- 5-point controls first — these have the highest per-control impact on your score and represent the most significant security risks
- 3-point controls next — with only 6 controls in this tier, addressing them is high ROI
- 1-point controls last — these can potentially be deferred via POA&M if your score reaches 88 without them
Within each tier, address dependency chains first. For example, network segmentation (SC domain) often needs to be in place before you can properly implement many Access Control requirements. FIPS-validated encryption needs to be deployed before you can satisfy several System and Communications Protection controls.
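The sequencing rule above (highest tier first, but dependency chains before the controls that rest on them) can be turned into an ordered plan that also shows the running score and the first step at which conditional certification becomes possible. This is an added example for this guide, not a tool from any assessor or from the DoD; the prerequisite map is an assumption constructed to mirror the guide's two illustrations (boundary protection before CUI flow control, FIPS-validated cryptography before encrypted CUI on mobile devices), not an official dependency list, and the 1-point findings again use constructed placeholder ids.

```python
from typing import Dict, Iterable, List, NamedTuple, Set

START_SCORE = 110
CONDITIONAL_THRESHOLD = 88


class Gap(NamedTuple):
    control: str  # requirement id, e.g. "3.13.1", or a constructed placeholder
    points: int   # 5, 3 or 1


class Step(NamedTuple):
    control: str
    points: int
    score_after: int         # SPRS score once this control is closed
    conditional_after: bool  # True once score >= 88 and only 1-point gaps remain


# Constructed assumption, not an official list: dependent control -> prerequisites.
PREREQUISITES: Dict[str, Set[str]] = {
    "3.1.3": {"3.13.1"},    # CUI flow control needs a network boundary to enforce it at
    "3.13.8": {"3.13.11"},  # encrypting CUI on mobile devices needs FIPS-validated crypto
}


def effective_points(control: str, open_gaps: Dict[str, Gap],
                     prereqs: Dict[str, Set[str]], _seen: Set[str] = None) -> int:
    """Priority of a control: its own value, or that of any still-open control that
    waits on it, whichever is higher. This pulls a 1-point prerequisite forward when a
    5-point control cannot be closed without it."""
    _seen = set() if _seen is None else _seen
    if control in _seen:        # guard against a malformed (cyclic) map
        return 0
    _seen.add(control)
    best = open_gaps[control].points
    for dependent, needs in prereqs.items():
        if control in needs and dependent in open_gaps:
            best = max(best, effective_points(dependent, open_gaps, prereqs, _seen))
    return best


def remediation_plan(gaps: Iterable[Gap],
                     prereqs: Dict[str, Set[str]] = PREREQUISITES) -> List[Step]:
    """Greedy tier-first ordering that never schedules a control before its prerequisites."""
    remaining = {g.control: g for g in gaps}
    score = START_SCORE - sum(g.points for g in remaining.values())
    plan: List[Step] = []
    while remaining:
        ready = [g for g in remaining.values()
                 if not (prereqs.get(g.control, set()) & remaining.keys())]
        if not ready:
            raise ValueError("dependency cycle among open gaps: " + ", ".join(sorted(remaining)))
        # highest effective tier first; control id breaks ties so the plan is deterministic
        ready.sort(key=lambda g: (-effective_points(g.control, remaining, prereqs), g.control))
        nxt = ready[0]
        del remaining[nxt.control]
        score += nxt.points
        conditional = (score >= CONDITIONAL_THRESHOLD
                       and all(g.points == 1 for g in remaining.values()))
        plan.append(Step(nxt.control, nxt.points, score, conditional))
    return plan


# The guide's worked example (score 52); 1-point findings use placeholder ids.
WORKED_EXAMPLE = [
    Gap("3.1.1", 5), Gap("3.1.3", 5), Gap("3.5.3", 5), Gap("3.13.1", 5),
    Gap("3.13.8", 5), Gap("3.13.11", 5), Gap("3.3.1", 5), Gap("3.4.1", 5),
    Gap("3.1.5", 3), Gap("3.1.6", 3),
    *[Gap(f"onepoint-{i:02d}", 1) for i in range(1, 13)],
]


if __name__ == "__main__":
    for n, step in enumerate(remediation_plan(WORKED_EXAMPLE), start=1):
        flag = "  <- conditional certification now possible" if step.conditional_after else ""
        print(f"{n:2d}. close {step.control:<12} (+{step.points})  score {step.score_after}{flag}")
```

Run against the worked example, the plan closes the eight 5-point controls first (with 3.13.1 scheduled before 3.1.3 and 3.13.11 before 3.13.8), then the two 3-point controls, and reports the score at 98 with conditional certification possible after the tenth step; the twelve 1-point items that remain are the ones the guide describes as POA&M candidates.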
Use a CMMC readiness assessment to identify your specific gaps and their point values, then build your remediation roadmap around the sequence above.
This content is educational and does not constitute legal, audit, or compliance advice. It does not calculate or submit your SPRS score to the DISA SPRS portal. Consult a Registered Practitioner Organization (RPO) or Certified Third-Party Assessment Organization (C3PAO) for formal assessment guidance.