What is a good SPRS score?

There's no formal passing score threshold for an SPRS submission — you're required to submit your score regardless of what it is. However, primes and contracting officers increasingly use SPRS scores to evaluate supply chain risk. A score below 0 is a significant red flag. A score of 70+ indicates reasonable security posture. A score of 88+ (meeting 88 of 110 controls) is generally required to pass a CMMC Level 2 assessment with POA&Ms.

Is my SPRS score public?

Your SPRS score is visible to DoD contracting officers and authorized primes through the SPRS portal. It is not publicly available to anyone with internet access, but it can be seen by the organizations evaluating your contracts. Submitting an inaccurate or inflated score creates False Claims Act liability.

How do I improve my SPRS score?

Improve your SPRS score by implementing the unmet controls that carry the highest point values — particularly the 5-point controls in Access Control (3.1), Identification & Authentication (3.5), and System & Communications Protection (3.13). Each implemented control increases your score by its assigned value. CMMC Map calculates your SPRS score automatically as you complete your assessment and shows which controls give you the most points per effort.

What Is an SPRS Score — and Why It Matters Before November 2026

Q: What is an SPRS score?

An SPRS score (Supplier Performance Risk System score) is a numerical representation of your cybersecurity posture under NIST SP 800-171. It ranges from -203 to 110 points, calculated by adding up the point values of the controls you've implemented and subtracting point values for controls you haven't met. A perfect score is 110 (all controls met). The score must be submitted to the DoD's SPRS portal under DFARS 252.204-7019 and 7020.

Most small defense contractors have heard of CMMC — but the SPRS score requirement often catches them off guard. Here's the thing: your SPRS score isn't a future CMMC requirement. It's required right now. If your contract includes DFARS 252.204-7019 or 7020, you were supposed to submit an SPRS score already. Many contractors haven't, and that's a problem.

What Is an SPRS Score?

SPRS stands for Supplier Performance Risk System — a DoD portal that consolidates supplier performance data used in contract evaluations. Your SPRS score specifically refers to your self-assessed cybersecurity score under NIST SP 800-171.

The score range:

-203

Minimum (all controls unmet)

Starting point (no assessment)

110

Perfect (all controls met)

The score is calculated by assigning each of the 110 NIST 800-171 controls a point value (1, 3, or 5 points based on importance), starting from 110, and subtracting points for each unmet control. Every unmet control reduces your score; implementing all 110 gives you a perfect 110.

Why It Matters Right Now

Under DFARS 252.204-7019, contractors with applicable contracts are required to conduct a NIST SP 800-171 self-assessment and upload the score to the SPRS portal before contract award. This isn't a pilot program or a future requirement — it's been in effect since November 2020.

⚠️ False Claims Act risk: Submitting an inaccurate SPRS score — either by inflating your compliance status or not submitting at all when required — creates False Claims Act exposure. Several contractors have already faced enforcement actions for DFARS cybersecurity misrepresentation. Your score must reflect your actual control implementation.

Beyond legal compliance, your SPRS score has practical consequences:

Primes are checking. Increasingly, prime contractors ask subcontractors for their SPRS score before awarding subcontracts. A score of 0 or below raises supply chain security flags.
Contracting officers see it. DoD COs can view your score in the SPRS portal when evaluating contract awards.
It's the foundation of CMMC. Your SPRS score is essentially your CMMC readiness baseline. Working on your score is working on your CMMC compliance.

How Points Are Assigned

Not all 110 controls are worth the same. The DoD assigned point values based on the security impact of each control:

5-point controls — the highest-impact requirements, typically in Access Control, Identification & Authentication, and System & Communications Protection. Failing these hurts your score the most.
3-point controls — moderate-impact requirements across most control families.
1-point controls — important but lower-impact requirements, typically in areas like Physical Protection and Personnel Security.

The practical implication: if you're working to improve your score, prioritize the 5-point controls first. Implementing a single 5-point control improves your score more than implementing five 1-point controls.

What Score Do You Need?

There's no mandated minimum score for SPRS submission — you must submit your actual score, not a target. But context matters:

For CMMC Level 2 assessment readiness: You need to meet at least 88 of 110 controls (the POA&M threshold). Controls you place on a POA&M must be remediated within 180 days.
For prime contractor comfort: Scores above 70 generally clear informal supply chain risk thresholds. Scores below 0 are a significant red flag.
For contract competitiveness: As CMMC enforcement ramps up in Phase 2, contractors with higher scores and demonstrated compliance programs will have an advantage in competitive awards.

A score of 88 doesn't mean you're done — it means you're eligible to go into a C3PAO assessment with POA&Ms in place. You still need to remediate those open items within 180 days of the assessment start.

How to Calculate and Submit Your Score

Complete a NIST 800-171 self-assessment — evaluate each of the 110 controls as met, partially met, or not met against your actual environment. This is what CMMC Map guides you through.
Calculate your score — start at 110, subtract points for each unmet or partially met control based on their assigned value. CMMC Map calculates this automatically.
Upload to SPRS — log in to sprs.navy.mil and submit your score along with your assessment date. You'll need a DoD-issued CAC or a PIEE account.
Update it when your posture changes — if you implement new controls or your environment changes, update your score in SPRS. Letting it go stale is also a compliance risk.

Calculate your SPRS score today

CMMC Map walks you through all 110 controls and calculates your score automatically as you go. Know where you stand before your prime asks.

Start Free Trial →

What Is an SPRS Score — and Why It Matters Before November 2026

What Is an SPRS Score?

Why It Matters Right Now

How Points Are Assigned

What Score Do You Need?

How to Calculate and Submit Your Score

Calculate your SPRS score today

Frequently Asked Questions

What is an SPRS score?

What is a good SPRS score?

Is my SPRS score public?

How do I improve my SPRS score?

Related Guides