If your contracts include DFARS 252.204-7019 or 252.204-7020, you must have a current NIST SP 800-171 DoD Assessment score (no more than three years old) posted in the DoD's Supplier Performance Risk System (SPRS) before award. The score must reflect an actual self-assessment against all 110 NIST SP 800-171 Rev 2 requirements, scored under the DoD Assessment Methodology: not an estimate, not a guess, and not a number inflated to look better than reality (a knowingly inflated score is a False Claims Act problem, not a rounding error). Here's how the calculation works and how to get the most out of your assessment effort.
The SPRS Score Formula
You start at 110, the score for a fully implemented set of requirements, and subtract the point value of every requirement that is not implemented (with the two partial-credit exceptions described below). Score = 110 − Σ(points of unmet requirements). The more requirements left unmet, and the heavier their weights, the lower the score.
How Point Values Work
Each NIST SP 800-171 requirement is weighted 1, 3, or 5 points in Annex A of the DoD Assessment Methodology, according to how much its absence exposes CUI. Two requirements get partial credit: 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) cost 3 points instead of 5 when partially implemented. One requirement, 3.12.4 (the System Security Plan), carries no points at all, because without an SSP there is nothing to assess against and no score can be produced. The weights sum to 313 points, so failing everything gives 110 − 313 = −203.
Point values are assigned per requirement, not per family, so a family can hold 5-, 3- and 1-point items side by side. The table shows where the heavy deductions sit, with Annex A values for selected requirements in each family:

| Family | Controls | Where the points sit (Annex A values for selected requirements) |
|---|---|---|
| Access Control (AC) | 22 | 3.1.1 and 3.1.2 (authorized users, authorized transactions) and 3.1.13 (encrypted remote access) are 5 pts; 3.1.5 least privilege is 3 pts; 3.1.10 session lock is 1 pt |
| Identification & Auth (IA) | 11 | 3.5.1 and 3.5.2 (identify and authenticate) and 3.5.3 MFA are 5 pts, MFA dropping to a 3-pt deduction if only privileged and remote users are covered; 3.5.7 password complexity is 1 pt |
| System & Comms Protection (SC) | 16 | 3.13.1 boundary protection and 3.13.11 FIPS-validated crypto are 5 pts (3.13.11 deducts 3, not 5, if encryption is present but the module is not FIPS-validated); 3.13.8 CUI in transit is 3 pts; 3.13.16 CUI at rest is 1 pt |
| Incident Response (IR) | 3 | 3.6.1 IR capability and 3.6.2 tracking and reporting are 5 pts each; 3.6.3 IR testing is 1 pt |
| Audit & Accountability (AU) | 9 | 3.3.1 event logging is 5 pts; 3.3.2 user traceability is 3 pts; log review (3.3.3) and log protection (3.3.8) are 1 pt each |
| Configuration Management (CM) | 9 | 3.4.1 baseline configurations and 3.4.2 security configuration settings are 5 pts; 3.4.3 change control is 1 pt |
| Risk Assessment (RA) | 3 | 3.11.2 vulnerability scanning is 5 pts; 3.11.1 risk assessment is 3 pts; 3.11.3 remediation is 1 pt |
| System & Info Integrity (SI) | 7 | 3.14.1 flaw remediation, 3.14.2 malware protection and 3.14.6 system monitoring are 5 pts each |
| Awareness & Training (AT) | 3 | 3.2.1 and 3.2.2 (security awareness and role-based training) are 5 pts, not 1; 3.2.3 insider-threat awareness is 1 pt |
| Personnel Security (PS) | 2 | 3.9.2 access removal on termination or transfer is 5 pts; 3.9.1 screening is 3 pts |
| Physical Protection (PE) | 6 | 3.10.1 limiting physical access and 3.10.2 protecting and monitoring the facility are 5 pts; visitor escort, access logs and access devices (3.10.3 to 3.10.5) are 1 pt each |
| Media Protection (MP) | 9 | 3.8.3 sanitization and 3.8.7 removable-media control are 5 pts; transport controls (3.8.5, 3.8.6) are 1 pt each |
| Maintenance (MA) | 6 | 3.7.5 MFA for nonlocal maintenance sessions is 5 pts; 3.7.1 performing maintenance is 3 pts; 3.7.6 supervising maintenance personnel is 1 pt |
| Security Assessment (CA) | 4 | 3.12.1 periodic assessment and 3.12.3 continuous monitoring are 5 pts; 3.12.2 POA&M is 3 pts; 3.12.4 SSP is not scored (no SSP, no score) |
What Score You Actually Need
There is no mandated minimum SPRS score. You're required to submit your actual score — whatever it is. But that doesn't mean all scores are equivalent in the real world:
- Score below 0: A significant red flag for contracting officers and primes. At this level, more than 110 points of controls are unmet, suggesting fundamental gaps in basic security hygiene. Expect scrutiny at contract renewal.
- Score of 0–70: Common for contractors who are partway through remediation. Not disqualifying, but primes increasingly use this range as a supply chain risk indicator.
- Score of 70–87: Reasonable progress, but a C3PAO assessment at this level cannot end in a Conditional Level 2 status. Under 32 CFR 170 a POA&M is only permitted when the assessment score is at least 88 (80% of 110), so everything must be closed before the assessor arrives.
- Score of 88+: The floor for a Conditional Level 2 certification. Open items may stay on a POA&M only if each is a 1-point requirement (3.13.11 may stay open at partial credit), none of them is in the small set the rule bars from any POA&M (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5), and all are closed and verified within 180 days; otherwise the conditional status lapses. A score of 88 reached by leaving a 5-point requirement open therefore does not qualify.
- Score of 110: All controls fully met. No POA&M required. Achievable, but rare for first-time assessments at small contractors.
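The scoring rules above and the POA&M test in the 88+ bullet are easy to get wrong by hand, because of the two partial-credit requirements and the "no SSP, no score" rule. The calculator below is an added example written for this page, not code from the DoD methodology or from CMMC Map. It embeds a constructed subset of Annex A weights (load the full 110-row table for real use) and encodes the Conditional Level 2 POA&M rule as the author reads 32 CFR 170.21; verify that reading against the current rule text before relying on it.

```python
"""SPRS score calculator that handles the DoD Assessment Methodology's edge
cases: partial credit for MFA (3.5.3) and FIPS crypto (3.13.11), the
"no SSP, no score" rule for 3.12.4, and the Conditional Level 2 POA&M test.
Added example for this page, not code from the methodology or from CMMC Map.
"""
from __future__ import annotations

from enum import Enum


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"  # only carries meaning for 3.5.3 and 3.13.11


# Constructed, illustrative subset of the Annex A point values. Assumption:
# verify each value against Annex A of the NIST SP 800-171 DoD Assessment
# Methodology and load all 110 rows before scoring a real assessment.
# None marks 3.12.4 (the SSP), which Annex A does not score: without an SSP
# there is nothing to assess against and no score can be produced.
WEIGHTS: dict[str, int | None] = {
    "3.1.1": 5, "3.1.10": 1, "3.1.13": 5, "3.3.1": 5, "3.4.1": 5,
    "3.5.3": 5, "3.5.7": 1, "3.6.1": 5, "3.6.3": 1, "3.11.2": 5,
    "3.12.4": None, "3.13.8": 3, "3.13.11": 5, "3.13.16": 1, "3.14.1": 5,
}

# Annex A deducts 3 instead of 5 when MFA covers privileged and remote users
# but not general users (3.5.3), or when CUI is encrypted with a module that
# is not FIPS-validated (3.13.11).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Requirements 32 CFR 170.21 does not allow on a Level 2 POA&M at all
# (assumption: check the current rule text before relying on this set).
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

MAX_SCORE = 110
CONDITIONAL_THRESHOLD = 88  # 0.8 * 110, the Conditional Level 2 floor


def deduction(req: str, status: Status, weights: dict[str, int | None] = WEIGHTS) -> int:
    """Points lost for one requirement under the methodology's rules."""
    weight = weights[req]
    if status is Status.MET or weight is None:
        return 0
    if status is Status.PARTIAL:
        if req not in PARTIAL_CREDIT:
            raise ValueError(f"{req}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
        return PARTIAL_CREDIT[req]
    return weight


def sprs_score(assessment: dict[str, Status], weights: dict[str, int | None] = WEIGHTS) -> int:
    """110 minus the deductions; refuses to score without an SSP or with gaps."""
    if assessment.get("3.12.4") is not Status.MET:
        raise ValueError("3.12.4 not met: no SSP, so the methodology yields no score")
    missing = set(weights) - set(assessment)
    if missing:
        raise ValueError(f"assessment must cover every requirement; missing {sorted(missing)}")
    return MAX_SCORE - sum(deduction(r, s, weights) for r, s in assessment.items())


def conditional_level2_eligible(assessment: dict[str, Status],
                                weights: dict[str, int | None] = WEIGHTS) -> tuple[bool, list[str]]:
    """Could this result be a Conditional Level 2 with a 180-day POA&M?"""
    reasons: list[str] = []
    score = sprs_score(assessment, weights)
    if score < CONDITIONAL_THRESHOLD:
        reasons.append(f"score {score} is below {CONDITIONAL_THRESHOLD}")
    for req, status in assessment.items():
        if status is Status.MET:
            continue
        if req in NEVER_ON_POAM:
            reasons.append(f"{req} may never be left open on a POA&M")
        lost = deduction(req, status, weights)
        # Only 1-point items may stay open, except 3.13.11 at partial credit.
        if lost > 1 and not (req == "3.13.11" and status is Status.PARTIAL):
            reasons.append(f"{req} would cost {lost} points; only 1-point items may stay open")
    return (not reasons, reasons)


def _baseline() -> dict[str, Status]:
    return {req: Status.MET for req in WEIGHTS}


# Constructed scenario A: MFA only on admin and remote accounts, TLS everywhere
# but on a non-FIPS-validated module, no session lock, CUI at rest unencrypted.
ASSESSMENT_A = {**_baseline(), "3.1.10": Status.NOT_MET, "3.5.3": Status.PARTIAL,
                "3.13.11": Status.PARTIAL, "3.13.16": Status.NOT_MET}
# Scenario B: the same, but MFA rolled out to every account.
ASSESSMENT_B = {**ASSESSMENT_A, "3.5.3": Status.MET}

if __name__ == "__main__":
    for name, a in (("A", ASSESSMENT_A), ("B", ASSESSMENT_B)):
        ok, why = conditional_level2_eligible(a)
        print(name, sprs_score(a), "eligible" if ok else "not eligible", why)
```

Scenario A scores 102, comfortably above 88, yet is not eligible for a conditional certification because the partially implemented MFA requirement would leave a 3-point item open; finishing the MFA rollout (scenario B, score 105) is what makes the POA&M acceptable. That is the practical point: the 88 threshold is necessary, not sufficient.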
How to Improve Your Score Fastest
If your score is lower than you want, the math is simple: work the highest-weighted unmet requirements first. One 5-point requirement implemented properly recovers 5 points; five 1-point requirements recover the same 5 points, usually for far more total effort and with far less effect on how exposed your CUI actually is.
Start with the 5-point controls in AC and IA
Multi-factor authentication is the highest-leverage single action in CMMC. Requirement 3.5.3 is worth 5 points, and Annex A gives only partial relief (a 3-point deduction instead of 5) if MFA covers privileged accounts and network or remote access but not general user access to CUI, so the target is every account that can reach CUI, not just admins. Separately, 3.7.5 (MFA for nonlocal maintenance sessions) is another 5-point requirement that the same rollout usually satisfies. On most Microsoft 365 or Google Workspace tenants, enforcing MFA tenant-wide is a day's work. If it isn't done, make it your first priority, and before you mark the requirement met, check for legacy authentication protocols, shared mailboxes and service accounts that bypass the policy.
Address encryption in SC next
Encryption in SC is where "we use TLS" gets scored against "FIPS-validated". The 5-point requirement is 3.13.11, and it is about the cryptographic module, not the protocol: Annex A deducts 3 points rather than 5 when CUI is encrypted but the module is not FIPS-validated, and the full 5 when CUI is not encrypted at all. 3.13.8 (protect CUI in transit) is a 3-point requirement and 3.13.16 (CUI at rest) is 1 point. In practice this means TLS 1.2+ on every path CUI takes (file sharing, email, remote access), FIPS-validated AES for storage, and evidence that the modules in use hold current CMVP certificates and run in their validated configuration (FIPS mode enabled on endpoints and servers). Most cloud platforms encrypt by default, but "encrypted by default" and "FIPS-validated in the mode we are running" are different claims, and the SSP needs the second one.
Don't neglect the 3-point clusters
Audit logging, configuration management and risk assessment each mix 5-, 3- and 1-point requirements, and small contractors often leave all of them half-done. Centralized event logging with user traceability (3.3.1 at 5 points and 3.3.2 at 3 points) plus a documented baseline and hardened configuration settings (3.4.1 and 3.4.2, 5 points each) recover 18 points with moderate effort, and a scheduled vulnerability scan (3.11.2, 5 points) adds another 5.
CMMC Map calculates your SPRS score in real time
As you work through all 110 controls, your live score updates automatically. SPRS Express gives you a fast-track score estimate — and the full assessment shows exactly which controls are dragging it down and which to fix first.
How to Submit Your SPRS Score
Once your self-assessment is complete, submitting to SPRS requires a few steps:
- Register in SAM.gov. Your organization needs an active SAM registration and the CAGE code that comes with it; SPRS assessments are recorded against CAGE codes. Most contractors with active DoD contracts already have this.
- Log into PIEE (piee.eb.mil). SPRS is reached through the Procurement Integrated Enterprise Environment, not by a separate login: you need a PIEE account holding the SPRS Cyber Vendor User role for your CAGE code, approved by your company's PIEE administrator.
- Open SPRS from PIEE, go to NIST SP 800-171 Assessments, and add a new assessment.
- Enter the assessment date, the assessment scope (enterprise, enclave, or specific contracts), the CAGE codes the assessment covers, the SSP name, version and date, your score, and a plan of action completion date, meaning the date by which every open item will be met and the score reaches 110. At 110 there is no plan of action date to enter. The posted score counts as current for three years under 7019.
- Submit and retain your evidence. The SPRS portal accepts the score; the underlying evidence (SSP, assessment records, POA&M) should be retained internally — a C3PAO assessor or contracting officer can request it.
CMMC Map generates a formatted SPRS submission summary as part of your document package, so you have the data pre-organized before you open the portal.
The Difference Between Your SPRS Score and Your CMMC Status
Your SPRS score is your self-assessed cybersecurity posture under NIST 800-171. Your CMMC Level 2 certification is issued by a C3PAO after a formal third-party assessment. They're related but distinct:
- SPRS score = required now under 7019/7020, self-assessed, posted by you to SPRS, current for three years
- CMMC Level 2 = the same 110 requirements assessed formally under DFARS 252.204-7021; some contracts accept a Level 2 self-assessment affirmed annually, while those requiring certification need a C3PAO assessment. Phase 2 of the rollout, beginning 10 November 2026, is when C3PAO-assessed Level 2 becomes a condition of award for applicable solicitations
Your SPRS score will likely differ from the score your C3PAO assigns — because self-assessments tend to be more generous than third-party assessments. The gap between self-assessed and C3PAO-assessed scores is a known pattern in the DIB. Assuming your C3PAO will see a lower score than your self-assessment is a useful conservative posture when planning your readiness timeline.