PlainAudit
CMMC Level 2 Readiness

SPRS Score Explained: How DoD Measures Your CMMC Readiness

Everything defense contractors need to know about the SPRS scoring system — how it’s calculated, what the thresholds mean, and how to improve your score strategically.

What Is the SPRS Score?

The Supplier Performance Risk System (SPRS) score is a numeric measure of how well your organization implements the 110 security requirements in NIST SP 800-171 Revision 2. The score ranges from -203 (nothing implemented) to +110 (fully compliant).

Every defense contractor that handles Controlled Unclassified Information (CUI) under DFARS 252.204-7012 must have a current assessment score posted in SPRS (https://www.sprs.csd.disa.mil/, reached through the PIEE portal) before it can be awarded a contract that carries DFARS 252.204-7019/7020. Contracting officers can see the score. CMMC Phase 2, which begins in November 2026, adds a harder gate for applicable contracts: a Level 2 certification based on a C3PAO assessment that uses the same scoring methodology.

The score is calculated using the DoD NIST SP 800-171 Assessment Methodology, Version 1.2.1. Annex A of that document assigns each requirement a point value of 1, 3, or 5. You start at 110 and subtract the value of every requirement that is not implemented. Two requirements allow partial credit (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography lose 3 points instead of 5 when partly met), and one, 3.12.4 (the System Security Plan), has no point value at all: without an SSP the assessment cannot be completed.

Point Weight System: 1, 3, and 5

Not all controls carry equal weight. The DoD assigns point values based on security impact:

5-point requirements represent the most severe risks: their absence could directly enable CUI exfiltration, unauthorized access to systems that process CUI, or significant exploitation of the contractor's network. Examples include multifactor authentication for network access to all accounts and local access to privileged accounts (3.5.3), FIPS-validated cryptography wherever cryptography is used to protect the confidentiality of CUI (3.13.11), and boundary protection at the perimeter of the CUI environment and at key internal boundaries (3.13.1).

3-point requirements represent confined but specific security impact. An unimplemented 3-point requirement creates a weakness in a defined area without necessarily enabling full CUI compromise. Examples include controlled system maintenance (3.7.1) and ensuring audit records can be traced to individual users (3.3.2). Annex A of the methodology is the authoritative source for the value of any given requirement.

1-point requirements have limited or indirect security impact. They contribute to overall security hygiene, but their absence alone does not create a direct path to CUI exposure. With a few exceptions described in the next section, these are the only requirements eligible for POA&M treatment (Plan of Action and Milestones) under CMMC.

The total possible deduction is 313 points across the scored requirements (3.12.4 carries no point value). Starting from 110, the minimum possible score is 110 - 313 = -203.

The 88 Threshold: Conditional Certification

A score of 88 is the critical threshold for CMMC Level 2. At 88 or above, an organization can receive conditional certification with a Plan of Action and Milestones (POA&M) for unmet controls — but only under strict conditions:

  • Only POA&M-eligible requirements may be left open. Under 32 CFR 170.21 that means 1-point requirements, except 3.1.20, 3.1.22, 3.10.3, 3.10.4 and 3.10.5, which can never be on a POA&M. The one higher-value exception is 3.13.11, which may be on the POA&M when encryption is in place but not FIPS-validated (scored at 3). Every other unmet 3-point or 5-point requirement must be fully remediated before certification. No exceptions.
  • All POA&M items must be closed within 180 days and verified by a POA&M closeout assessment. If that does not happen, the Conditional Level 2 status expires and a new assessment is required.
  • A score of 110 means Final Level 2 status with no POA&M.

This means the path from your current score to certification depends on which requirements are missing, not only on how many. An organization scoring 102 with three open 1-point requirements and one open 5-point requirement cannot receive Conditional status, because the 5-point gap is not POA&M-eligible. An organization scoring 90 with twenty open 1-point requirements, all of them eligible, can. The 5-point requirement must be fully remediated regardless of overall score.
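As an added example (not PlainAudit's tool or any DoD software), the following Python models the scoring and Conditional-status rules described in the two sections above: weighted deductions, the partial-credit exception for 3.5.3 and 3.13.11, the unscored SSP requirement, the 88 threshold, and the POA&M eligibility rules from 32 CFR 170.21. The WEIGHTS table is a constructed subset of Annex A of the DoD Assessment Methodology v1.2.1, chosen for illustration and reflecting this editor's reading of that annex; the three assessment snapshots are constructed sample data. Load the full Annex A table before using anything like this on a real assessment.

```python
"""Score a NIST SP 800-171 assessment the SPRS way and decide whether the
result qualifies for Conditional CMMC Level 2 status.

Added illustrative code, not PlainAudit's tool or any DoD software.
WEIGHTS is a constructed subset of Annex A of the DoD Assessment
Methodology v1.2.1; load the complete table for a real assessment.
"""
from dataclasses import dataclass

MAX_SCORE = 110
THRESHOLD = 88          # 0.8 x 110 per 32 CFR 170.21

# Constructed subset of Annex A: requirement -> point value.
# 3.12.4 (the SSP) has no point value: without an SSP there is no assessment.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.2": 3, "3.3.3": 1, "3.3.7": 1,
    "3.5.3": 5, "3.5.7": 1, "3.7.1": 3, "3.8.4": 1, "3.10.3": 1,
    "3.13.1": 5, "3.13.11": 5, "3.12.4": None,
}

# The two requirements that lose 3 points instead of 5 when partly met.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA on remote/privileged access but not for general users
    "3.13.11": 3,  # CUI is encrypted, but not with FIPS-validated cryptography
}

# 1-point requirements that 32 CFR 170.21 never allows on a POA&M.
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    control: str
    status: str   # "met", "partial" or "not_met"


def deduction(f: Finding) -> int:
    """Points lost for one finding."""
    weight = WEIGHTS[f.control]
    if f.status == "met" or weight is None:
        return 0
    if f.status == "partial":
        if f.control not in PARTIAL_CREDIT:
            raise ValueError(f"{f.control} has no partial-credit option")
        return PARTIAL_CREDIT[f.control]
    return weight


def sprs_score(findings) -> int:
    """Requirements absent from `findings` are treated as met."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_eligible(f: Finding) -> bool:
    """May this open finding remain on a Conditional Level 2 POA&M?"""
    if WEIGHTS[f.control] is None or f.control in POAM_EXCLUDED:
        return False
    if f.control == "3.13.11":
        # Non-FIPS encryption in place (scored 3) may be on the POA&M;
        # no encryption at all (scored 5) may not.
        return f.status == "partial"
    return deduction(f) <= 1


def conditional_status(findings):
    """Return (eligible, score, blockers).  Blockers are open findings that
    must be closed before any certification, whatever the score."""
    open_findings = [f for f in findings if f.status != "met"]
    blockers = [f.control for f in open_findings if not poam_eligible(f)]
    score = sprs_score(findings)
    return score >= THRESHOLD and not blockers, score, blockers


# Constructed sample snapshots (only requirements with gaps are listed).
SNAPSHOT_A = [  # MFA partly deployed plus three hygiene gaps
    Finding("3.5.3", "partial"), Finding("3.3.3", "not_met"),
    Finding("3.3.7", "not_met"), Finding("3.5.7", "not_met"),
]
SNAPSHOT_B = [  # non-FIPS encryption plus four 1-point gaps
    Finding("3.13.11", "partial"), Finding("3.3.3", "not_met"),
    Finding("3.3.7", "not_met"), Finding("3.5.7", "not_met"),
    Finding("3.8.4", "not_met"),
]
SNAPSHOT_C = [  # five 5-point gaps and an excluded 1-point gap
    Finding("3.1.1", "not_met"), Finding("3.1.2", "not_met"),
    Finding("3.13.1", "not_met"), Finding("3.5.3", "not_met"),
    Finding("3.13.11", "not_met"), Finding("3.1.20", "not_met"),
]

if __name__ == "__main__":
    for name, snap in (("A", SNAPSHOT_A), ("B", SNAPSHOT_B), ("C", SNAPSHOT_C)):
        eligible, score, blockers = conditional_status(snap)
        print(f"snapshot {name}: score {score}, conditional={eligible}, blockers={blockers}")
```

Snapshot A scores 104, comfortably above 88, yet is blocked by the partially met 3.5.3; snapshot B scores lower (103) and qualifies because its only non-1-point gap is the non-FIPS encryption case; snapshot C fails on both counts, and its 3.1.20 gap shows that a 1-point value alone is not enough for POA&M eligibility. Passing a finding for 3.12.4 with any open status blocks certification at score 110, which mirrors the methodology's treatment of a missing SSP.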

How SPRS Scoring Differs from a C3PAO Assessment

Your self-assessed SPRS score and a C3PAO assessment score are calculated with the same methodology, but they often differ, and the gap comes from assessment rigor:

Self-assessment relies on your own evaluation of whether each control is implemented. Common overestimation patterns:

  • Counting a written policy as an implemented control (the assessor will test whether it’s actually enforced)
  • Marking a control as implemented because a tool was purchased (the assessor checks whether it’s configured and active)
  • Assuming a control still works because it was set up two years ago (configuration drift is real)

C3PAO assessors apply the three methods from NIST SP 800-171A to each requirement: Examine (review documentation and configurations), Interview (question the personnel responsible), and Test (exercise the control to verify it works). A requirement is scored as met only if the evidence from all applicable methods supports it.

The delta between self-assessment and C3PAO assessment for small defense contractors is often 20–30 points. An organization that self-assesses at SPRS 100 frequently lands at 70–80 under C3PAO evaluation. Organizations that self-assess at 110 (perfect) are nearly always overestimating: professional gap assessments of organizations with 15–125 employees typically find 40–70 deficiencies.

Improving Your SPRS Score Strategically

If your score is below 88, you need a remediation strategy. Not all controls are equally difficult or expensive to implement:

Quick wins (days to weeks):

  • Align password settings with 3.5.7 and 3.5.8 (minimum complexity, change of characters when a new password is set, reuse prohibited for a set number of generations); note that Rev 2 does not require periodic rotation
  • Enable audit logging on systems that aren’t currently logging
  • Document existing security practices that are happening informally
  • Restrict USB ports on CUI systems
  • Implement screen lock timeouts

Medium effort (weeks to months):

  • Deploy MFA across all CUI access paths
  • Create or update the System Security Plan (SSP)
  • Establish a vulnerability scanning program
  • Build and test an incident response plan
  • Implement network segmentation between CUI and non-CUI systems

Major investment (months):

  • Migrate to FIPS-validated encryption for CUI at rest and in transit
  • Deploy a centralized logging solution (SIEM) with correlation capability
  • Implement a comprehensive configuration management program with baselines
  • Build the full evidence package (policies, procedures, training records, scan results)

Prioritize 5-point requirements first; they must be fully remediated regardless of your overall score. Then address 3-point requirements. Use the POA&M for eligible 1-point requirements to reach the 88 threshold while remediation continues.

Submitting Your SPRS Score

Your assessment summary is posted in SPRS (https://www.sprs.csd.disa.mil/, reached through the PIEE portal), and under CMMC a senior company official must also affirm continuing compliance. The SPRS posting includes:

  • The System Security Plan name, version and date
  • Date of the assessment
  • Summary score (-203 to 110)
  • Assessment scope (enterprise, enclave, or specific contracts)
  • CAGE code(s) covered by the assessment
  • The date by which a score of 110 will be reached (the plan of action completion date)

A self-assessment is recorded at the Basic confidence level; Medium and High confidence levels come from DCMA DIBCAC assessments. CMMC certification results from a C3PAO are entered in CMMC eMASS and flow into SPRS from there rather than being typed in by the contractor.

Important: The senior official who signs the affirmation is attesting to the accuracy of the assessment, and a knowingly inflated score exposes the company (and potentially the official) to False Claims Act liability. Inflating your SPRS score is not just a compliance risk; it is a legal risk. This is why a thorough self-assessment (or professional gap analysis) before submission matters.

Your SPRS score must be current (not more than three years old under DFARS 252.204-7019) and must be re-posted after significant changes to your systems or security posture. Under CMMC, the senior official must also affirm continuing compliance annually; reassessing before each annual affirmation is the practical way to keep that affirmation truthful.
