SPRS Score Calculator: Estimate Your NIST 800-171 Score Before Submitting to DISA
Your prime contractor just asked for your SPRS score. The number reports to the DoD, gates contract eligibility, and runs from -203 to +110 — but the methodology for calculating it lives across NIST SP 800-171 Rev 2, the DoD Assessment Methodology, and a per-control point table that nobody publishes in one place. This guide walks the SPRS score calculator method for a representative small defense contractor, so you can estimate your score before submitting to the DISA SPRS portal.
The output of this calculation is an estimate, not a submission. Your senior official has to sign and submit the affirmation through the official portal at piee.eb.mil — and false affirmations carry False Claims Act exposure. Use this to plan, not to file.
How the SPRS Score Calculator Maps to NIST 800-171
Every defense contractor handling CUI starts at 110 — the score for fully implementing all 110 NIST 800-171 Rev 2 controls. From there you subtract the point value of every control that is not fully implemented:
$$\text{SPRS} = 110 - \sum_{i} P_i$$
where \(P_i\) is the point value (1, 3, or 5) of each unimplemented control.
Three rules drive the arithmetic:
- No partial credit. A control is either fully implemented or fully deducted. Partial implementation = full deduction.
- Point values are fixed per control. The DoD Assessment Methodology assigns 1, 3, or 5 to each of the 110 based on security impact — you do not pick.
- The score floor is -203. If you have implemented none of the 110, the cumulative deduction reaches the published minimum.
The 88-point threshold is the practical pass line: at or above 88, you can carry remaining 1-point controls as POA&M items for up to 180 days. Below 88, you cannot get conditional certification — the gap has to be closed before reassessment.
Worked Example: A 60-Person Defense Subcontractor
Consider a hypothetical 60-employee aerospace subcontractor that handles technical drawings (CUI) for a prime. They have done some basic security work but never run a formal gap assessment. After walking the 14 control families honestly, they identify 18 unmet controls. Below is the calculation.
Step 1: Tally Unmet Controls by Point Value
Sort the gaps into 1, 3, and 5-point buckets per the DoD Assessment Methodology:
| Family | Unmet Control (illustrative) | Points |
|---|---|---|
| AC | Remote access not routed through managed access points | 5 |
| AC | Wireless access not cryptographically protected (non-FIPS) | 5 |
| AC | CUI not controlled on publicly accessible systems | 5 |
| IA | MFA not enforced for non-privileged CUI access | 5 |
| SC | FIPS-validated cryptography not used for CUI at rest | 5 |
| SC | No boundary protection at the CUI enclave perimeter | 5 |
| AU | Audit records not correlated across components | 5 |
| SI | System monitoring not implemented | 5 |
| AC | Separation of duties not enforced for privileged accounts | 3 |
| AU | No protection of audit information from unauthorized modification | 3 |
| CM | No software allowlisting | 3 |
| IA | Password complexity not enforced per policy | 3 |
| MP | Removable media use not controlled | 3 |
| RA | Vulnerability scanning not performed on schedule | 3 |
| AT | Annual security awareness refresher not completed | 1 |
| PE | Visitor escort log gaps | 1 |
| IR | IR plan not tested in the past year | 1 |
| MA | Off-site equipment sanitization not documented | 1 |
This produces 8 five-point gaps, 6 three-point gaps, and 4 one-point gaps.
Step 2: Compute the Point Deductions
Sum the deductions:
$$D_{\text{5pt}} = 8 \times 5 = 40$$
$$D_{\text{3pt}} = 6 \times 3 = 18$$
$$D_{\text{1pt}} = 4 \times 1 = 4$$
$$D_{\text{total}} = 40 + 18 + 4 = 62$$
Apply to the starting score:
$$\text{SPRS} = 110 - 62 = 48$$
An estimated SPRS score of 48 sits well below the 88 threshold. This contractor cannot pursue conditional certification — they must remediate before submitting a final score for assessment purposes.
Step 3: Sanity Check the Result
The score of 48 is in line with what professional gap assessments report for small manufacturers (15–125 employees) at the start of their CMMC journey: typically 40–70 deficiencies out of 110 controls. The numbers we used — 18 unmet controls weighted toward 5-pointers in AC, IA, and SC — reflect the most common failure pattern documented in gap-assessment data.
Where the Arithmetic Trips People Up
Misreading Partial Implementation as Full Credit
The most common scoring error is claiming full credit for a partially implemented control. Example: MFA is enabled for the VPN but not for cloud admin consoles or the file server hosting CUI. That is not "implemented" — it is a 5-point gap on IA.L2-3.5.3. The DoD methodology gives no partial credit. If you cannot evidence the control across every system in scope, deduct the full point value.
Counting Compensating Controls Without Documentation
If you cannot meet a control directly but have an alternative measure that achieves the security objective, the alternative must be documented in your SSP and accepted by the assessor. Undocumented compensating controls do not earn credit. The fix is to write them up, not to assume they count.
Forgetting the 5-Point Items Cannot Be POA&M’d
If our example contractor closed all 1-point gaps and left the 5- and 3-point items for later, their math would be:
$$D_{\text{total}} = 40 + 18 = 58$$
$$\text{SPRS} = 110 - 58 = 52$$
Still below 88, and the remaining 5-point controls cannot be deferred. The remediation sequence has to lead with the 5-point items, regardless of how easy the 1-point items look.
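As an added example that is not part of this article (and not the official DoD or DISA tooling), here is a small Python estimator implementing the rules above as this page states them: start at 110, subtract fixed 1/3/5-point values, no partial credit, N/A controls out of scope, the -203 floor, and conditional eligibility meaning at or above 88 with only 1-point items still open. The gap list is constructed from the illustrative table with shortened descriptions; no control IDs are assumed, and the what-if helper reproduces the "close only the 1-point gaps" scenario.

```python
# Added example: the SPRS arithmetic this page describes, not the page's own tool or DoD's.
# The gap list is constructed from the page's illustrative table; the real 110-control
# point table comes from the DoD Assessment Methodology.
import dataclasses
from collections import Counter

MAX_SCORE, MIN_SCORE, THRESHOLD = 110, -203, 88      # start, published floor, pass line
DEDUCTED = {"Partially Implemented", "Not Implemented"}  # no partial credit; N/A not scored

@dataclasses.dataclass(frozen=True)
class Control:
    family: str
    points: int               # 1, 3 or 5, fixed per control by the DoD methodology
    description: str
    status: str = "Not Implemented"

def score(controls):
    """Return (estimated SPRS score, deductions keyed by point value)."""
    buckets = Counter()
    for c in controls:
        if c.points not in (1, 3, 5):
            raise ValueError(f"bad point value {c.points}: {c.description}")
        if c.status in DEDUCTED:          # partial counts as not implemented
            buckets[c.points] += c.points
    return max(MIN_SCORE, MAX_SCORE - sum(buckets.values())), dict(buckets)

def conditional_eligible(controls):
    """Per this page: at or above 88 and only 1-point items left open (POA&M-able)."""
    s, _ = score(controls)
    return s >= THRESHOLD and all(c.points == 1 for c in controls if c.status in DEDUCTED)

def close_gaps(controls, points):
    """What-if: mark every open control worth `points` as implemented."""
    return [dataclasses.replace(c, status="Implemented") if c.points == points and c.status in DEDUCTED
            else c for c in controls]

# Constructed gap list mirroring the page's table: (family, points, short description)
GAPS = [Control(f, p, d) for f, p, d in [
    ("AC", 5, "remote access not via managed access points"), ("AC", 5, "wireless not FIPS-protected"),
    ("AC", 5, "CUI on publicly accessible systems"), ("IA", 5, "MFA not enforced for non-privileged access"),
    ("SC", 5, "no FIPS crypto for CUI at rest"), ("SC", 5, "no boundary protection at enclave perimeter"),
    ("AU", 5, "audit records not correlated"), ("SI", 5, "no system monitoring"),
    ("AC", 3, "no separation of duties"), ("AU", 3, "audit info not protected"),
    ("CM", 3, "no software allowlisting"), ("IA", 3, "password complexity not enforced"),
    ("MP", 3, "removable media uncontrolled"), ("RA", 3, "vulnerability scans off schedule"),
    ("AT", 1, "awareness refresher missed"), ("PE", 1, "visitor escort log gaps"),
    ("IR", 1, "IR plan untested"), ("MA", 1, "off-site sanitization undocumented"),
]]
GAPS[3] = dataclasses.replace(GAPS[3], status="Partially Implemented")  # MFA on VPN only: still -5
```

`score(GAPS)` returns the page's 48 with deductions `{5: 40, 3: 18, 1: 4}`; `close_gaps(GAPS, 1)` gives 52 and is still not eligible, whereas closing the 5- and 3-point items first gives 106 with only POA&M-able 1-point gaps left.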
Mixing Rev 2 and Rev 3 Controls
NIST SP 800-171 Rev 3 was published in May 2024 with 97 consolidated requirements and 422 assessment objectives. DoD has not authorized Rev 3 for CMMC scoring — per class deviation, all SPRS submissions and C3PAO assessments use Rev 2. If you use a tool that mixes Rev 2 and Rev 3 controls, the resulting score will not match the methodology DoD applies. Stay on Rev 2 until DoD formally transitions.
Estimating Your Own Score
The full calculation requires answering a yes/no for each of the 110 Rev 2 controls. The work is:
- Define the CUI boundary. Controls only score against systems in scope. Out-of-scope systems are not deducted. If you are unsure of scope, see CUI vs FCI and which CMMC level applies.
- Walk each control family. Use the DoD CMMC Assessment Guide for Level 2 as the reference. For each requirement, mark Implemented, Partially Implemented, Not Implemented, or N/A.
- Apply point values to non-implementations. Partially Implemented = Not Implemented for scoring purposes.
- Sum and subtract from 110. Compare against the 88 threshold.
Our CMMC readiness assessment walks through the 110 controls family by family with evidence-focused questions, computes the estimated SPRS score, and breaks down the gap distribution by point value. The output is structured the same way an assessor structures findings — so you can prioritize remediation by impact, not by what looks easiest. For the conceptual mechanics behind point values and the 88 threshold, see our companion piece on how SPRS scoring works.
What the Score Does Not Tell You
The SPRS calculation is an arithmetic check on control implementation. It does not tell you whether your evidence will hold up under a C3PAO Test phase, whether your CUI boundary diagram matches reality, or whether your staff can articulate the controls during the Interview phase. Self-assessed scores often diverge 20–30% from the same organization’s C3PAO-assessed score, because Test catches what self-attestation cannot. Treat the estimate as a planning floor, not a certification preview.
Related tools
CMMC Readiness Quiz
Estimate your SPRS score and CMMC Level 2 readiness across all 14 NIST 800-171 control domains.
CMMC L2 Assessment Kit
The CMMC Level 2 documentation kit for small defense contractors who want to drive their own self-assessment. 14 NIST 800-171 policies, SSP, POA&M, SPRS worksheet, and mapping matrix. $249.