What is SPRS? How Defense Contractors Are Scored on Cybersecurity

by Jon Forisha on May 26, 2026

Reviewed by Corey Garretson


Every defense contractor subject to DFARS 252.204-7012 has a cybersecurity score on file with the Department of Defense. It's called an SPRS score. Contracting officers can see it, primes can pull it, and if you don't have one, or if yours is inaccurate, then it's affecting your ability to win and keep DoD business right now.

This page explains what the SPRS score is, how it's calculated, what a good score looks like, and what the score actually signals to the people evaluating your company.


What is SPRS?

SPRS stands for Supplier Performance Risk System, which is a DoD platform that aggregates supplier performance data across multiple dimensions like delivery performance, quality, and cybersecurity. The cybersecurity piece is what most people mean when they talk about an "SPRS score" in the context of CMMC and NIST 800-171, and it's what we’re going to focus on here.

Your SPRS cybersecurity score is a numerical representation of how well your organization has implemented the 110 security requirements outlined in NIST Special Publication 800-171. This score is self-assessed: you evaluate your own compliance, calculate the score using the DoD's official methodology, and submit it to the SPRS portal. But just because you self-assess doesn’t mean there's any freedom to fudge the data; as with all aspects of compliance, everything must be documented and truthful.

DFARS 252.204-7019 requires an SPRS score submission for any contractor subject to DFARS 252.204-7012. Think of it as your company's public cybersecurity report card. Anyone with DoD acquisition access can look it up, so you want to make sure it shows your business in the best light and proves that your cybersecurity is able to withstand any threat that may come its way.

How the SPRS Score Is Calculated

The scoring methodology is defined in the DoD Assessment Methodology for NIST SP 800-171. Here's how it works:

You start at 110 points, which is a perfect score representing full implementation of all 110 NIST 800-171 requirements. For every requirement that is not fully implemented, points are deducted based on the requirement's assigned weight. The lowest possible score is -203, which means that none of the 110 controls are implemented.

Requirements are weighted based on their security impact:

| Point deduction | What it means | Example requirements |
| --- | --- | --- |
| 5 points | High-impact requirement; foundational controls that enable everything else | Multi-factor authentication (IA.L2-3.5.3), system boundary protection (SC.L2-3.13.1) |
| 3 points | Medium-high impact; significant controls with broad effect | Audit log review (AU.L2-3.3.1), malicious code protection (SI.L2-3.14.2) |
| 1 point | Supporting controls; important but narrower in impact | Physical access logs (PE.L2-3.10.4), maintenance records (MA.L2-3.7.1) |

On the other end of the spectrum, a score of 110 means every requirement is fully implemented. Because of the weighted scoring system, a score of 0 means the point deductions happen to net to zero, but it does not mean baseline compliance. A negative score means significant gaps across multiple high-weight requirements. The average score RADICL sees when we conduct initial gap assessments on new DIB clients is well below 50.

What RADICL Sees in the Field

The gap between what contractors submit to SPRS and what a genuine assessment reveals is often significant. We regularly see organizations that don't yet have a score, or that haven't re-assessed to update their score in a long time. It's important to periodically self-assess as your environment and procedures change, so that your standing is always known and accurate.

Having a gap isn't just a compliance problem; it's False Claims Act (FCA) exposure. An inflated SPRS score is a false attestation to the federal government, and there are real examples of businesses being prosecuted for huge sums of money as a result.

What a Good SPRS Score Looks Like

There's no universal passing grade for SPRS. The score doesn't work like a typical school test where 70 is passing, but there are thresholds that matter in practice.

110: Perfect score

All 110 NIST 800-171 requirements are fully implemented. This is the target for CMMC Level 2 certification. Very few contractors achieve this without a structured compliance program and ongoing investment in security operations.

88 and above: Strong posture

A score in this range signals that the foundational and high-weight requirements are fully implemented. You may have gaps in lower-weight supporting controls, but your security posture is genuinely solid. This is a realistic near-term target for a contractor with a managed security program. This is generally the lowest accepted score for CMMC compliance.

Positive score (1–87): Work in progress

This is a positive score with meaningful gaps. You have controls in place but some real deficiencies. A credible, active POA&M that shows a remediation path is essential at this score range, and it gives you a roadmap for how to close your remaining gaps. For new DoD contracts, contracting officers and primes will look at both the score and whether you have a plan to improve it.

Zero or negative: Significant risk

A score at or below zero signals that foundational controls (MFA, audit logging, system boundary protection, malware defense, etc.) are not fully implemented. This range creates contract eligibility risk and could have serious revenue impacts on your organization.

No score submitted: High risk

Having no submitted score shows that you have not fulfilled DFARS reporting requirements, either because you don't know you're required to submit one, or because your compliance posture is too poor to report honestly. Either way, it flags your company as a risk in the supply chain.


What the Score Signals to Contracting Officers and Primes

Contracting officers use SPRS as a risk indicator during source selection. A low score doesn't automatically disqualify you (there's no formal threshold written into most contracts), but it creates a conversation and a perception problem.

When a prime is evaluating subcontractors and one has an SPRS score of 89 and another has a score of -47, that difference matters. The score makes comparisons easy, and when all other things are equal, a lower score can be the reason you're passed over for new contracts.

More importantly, the score is becoming a de facto pre-qualification signal as CMMC enforcement accelerates. Primes are increasingly checking supplier SPRS scores before engaging subcontractors, because if a sub causes a breach, then the prime also bears reputational and contractual consequences. A credible SPRS score tells a prime that you're a safe supply chain partner. A missing or low score tells them the opposite, and they won't take a risk that they could easily avoid.

Beyond contracting officers and primes, your SPRS score is on file with the federal government. If a cyber incident occurs and DoD investigators are examining your compliance history, your SPRS submission is part of the record. A score that claimed 95 when your actual posture was closer to 20 is evidence that can support an FCA case.

How to Calculate and Submit Your SPRS Score

The official scoring process uses the DoD Assessment Methodology document, which maps each of the 110 NIST 800-171 requirements to its point weight. Here's the process:

  1. Assess each of the 110 requirements as Met, Not Met, or Not Applicable against your actual environment. Not your policies, your actual implemented controls as they are right now.
  2. For each Not Met requirement, deduct the assigned weighted point value from 110.
  3. Document your assessment in a System Security Plan (SSP) and Plan of Action & Milestones (POA&M) for any gaps.
  4. Log into the SPRS portal at sprs.csd.disa.mil using your Common Access Card (CAC) or Public Key Infrastructure (PKI) certificate.
  5. Submit your score with the assessment date, scope, and your company's CAGE code.
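The calculation in "How the SPRS Score Is Calculated" and steps 1 and 2 above, worked in code. This is an added example, not RADICL's platform or any DoD tool: it uses the weights the page's table gives for six requirements, treats every requirement not listed as Met, and maps the result onto the posture bands described earlier. Requirement references, statuses and the sample assessment are constructed for illustration.

```python
from dataclasses import dataclass

PERFECT_SCORE = 110   # every requirement fully implemented
MINIMUM_SCORE = -203  # every requirement Not Met (the floor the page states)
VALID_WEIGHTS = {1, 3, 5}
VALID_STATUSES = {"Met", "Not Met", "Not Applicable"}


@dataclass(frozen=True)
class Requirement:
    ref: str      # CMMC practice reference, e.g. IA.L2-3.5.3
    weight: int   # DoD Assessment Methodology point value: 1, 3 or 5
    status: str   # Met / Not Met / Not Applicable


def sprs_score(reqs):
    """Start at 110 and deduct each Not Met requirement's weight.
    Not Applicable deducts nothing. Inputs are validated because a typo
    in a spreadsheet becomes a wrong number in SPRS."""
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.ref}: weight must be 1, 3 or 5")
        if r.status not in VALID_STATUSES:
            raise ValueError(f"{r.ref}: unknown status {r.status!r}")
    score = PERFECT_SCORE - sum(r.weight for r in reqs if r.status == "Not Met")
    if not MINIMUM_SCORE <= score <= PERFECT_SCORE:
        raise ValueError(f"score {score} outside [-203, 110]; check the weights")
    return score


def posture_band(score):
    """Map a score onto the thresholds this page describes."""
    if score == PERFECT_SCORE:
        return "Perfect score"
    if score >= 88:
        return "Strong posture"
    if score >= 1:
        return "Work in progress"
    return "Significant risk"


def poam_candidates(reqs):
    """Not Met requirements, highest weight first: closing these in this
    order moves the score the most per POA&M item."""
    return sorted((r for r in reqs if r.status == "Not Met"),
                  key=lambda r: (-r.weight, r.ref))


# Constructed sample assessment (excerpt; requirements not listed assumed Met).
SAMPLE = [
    Requirement("IA.L2-3.5.3", 5, "Not Met"),         # MFA not fully deployed
    Requirement("SC.L2-3.13.1", 5, "Met"),
    Requirement("AU.L2-3.3.1", 3, "Not Met"),
    Requirement("SI.L2-3.14.2", 3, "Met"),
    Requirement("PE.L2-3.10.4", 1, "Not Met"),
    Requirement("MA.L2-3.7.1", 1, "Not Applicable"),  # no in-scope maintenance
]
```

Running `sprs_score(SAMPLE)` on this excerpt gives 101 (110 minus 5, 3 and 1), which lands in the "Strong posture" band, and `poam_candidates(SAMPLE)` lists the MFA gap first.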

The score you submit should reflect your posture as of the assessment date. When you remediate gaps and close POA&M items, reassess and resubmit an updated score. DFARS requires you to have a current, accurate score on file — not a historical one that no longer reflects your environment.

How often should you update your SPRS score?

There's no mandated resubmission interval in the clause itself, but the requirement is that your score be current and accurate. In practice, this means reassessing and resubmitting whenever you make significant changes to your environment, close material POA&M items, or discover that your current score no longer reflects reality. Many compliance programs build in annual reassessment as a minimum cadence. RADICL's platform recalculates your score automatically as you close findings.

SPRS, CMMC, and the Bigger Picture

SPRS is where you are today while CMMC is where you're headed.

Your SPRS score is a self-reported snapshot of your NIST 800-171 compliance. CMMC Level 2 certification is an independently-verified assessment (by a Certified Third-Party Assessor Organization, or C3PAO) of that same compliance. They measure the same thing (your implementation of the 110 NIST 800-171 requirements) but with very different levels of accountability.

Building toward a genuine SPRS score of 110 is the same work as building toward CMMC Level 2 certification. The difference is that CMMC adds a C3PAO assessor who independently verifies your score rather than anyone just taking your word for it.

If it hasn't been made clear yet, compliance is something that you have to plan for, and if you ignore or rush it then it can have serious impacts on your company, your bottom line, and your future business. Organizations that have invested in honest SPRS compliance find CMMC assessments far less disruptive than those who have been papering over gaps.

| | SPRS Score | CMMC Level 2 Certification |
| --- | --- | --- |
| What it measures | Implementation of NIST 800-171 (110 requirements) | Implementation of NIST 800-171 (110 requirements) |
| Who assesses | You, via self-assessment | Third-party C3PAO via independent assessment |
| How often | Ongoing; update when posture changes | Every 3 years + annual self-affirmations |
| Legal basis | DFARS 252.204-7019 | DFARS CMMC clause (48 CFR) |
| Who can see it | DoD contracting officers, primes with access | Public certification status via Cyber AB |
| Risk if inaccurate | False Claims Act (FCA) exposure | Failed certification, contract ineligibility |


Frequently Asked Questions

Is a higher SPRS score always better?

An accurate SPRS score is always better than an inaccurate one, regardless of the number. A score of 45 that honestly reflects your current posture (and is backed by a credible POA&M) is legally and contractually safer than a score of 95 that you can't defend under scrutiny. Honesty in your SPRS submission is the foundation everything else is built on.

Can a contracting officer reject our bid because of a low SPRS score?

There's no formal SPRS score threshold in most contracts that automatically disqualifies a low score, but contracting officers have discretion in source selection, and a very low or negative score is a legitimate risk factor they can weigh. As CMMC enforcement matures, low SPRS scores will increasingly be disqualifying in practice even if not written as a hard cutoff in the solicitation.

What's the difference between SPRS and CMMC?

SPRS is your self-reported cybersecurity score; you assess yourself and submit the number. CMMC is independent verification of that same compliance by a third-party assessor. Both measure your implementation of NIST 800-171, but CMMC adds external accountability. Think of SPRS as your homework and CMMC as the test.

What happens if our SPRS score was inflated by a previous compliance consultant?

This is a real situation we sometimes encounter. If your current score doesn't reflect your actual posture, the right move is to conduct an honest reassessment, submit a corrected score, and document the correction. Continuing to submit an inflated score extends your FCA exposure. Most DoJ enforcement actions focus on contractors who knew their attestations were false and continued submitting them. Correcting the record proactively is the right legal and ethical move.

Do we need a CAC to submit to SPRS?

Yes. SPRS portal access requires a Common Access Card (CAC) or Public Key Infrastructure (PKI) certificate. If your company doesn't have someone with portal access, this is a setup step you need to address before you can submit. Your CMMC compliance partner or RPO can guide you through the process.
