An SPRS score is a report card that signals a defense contractor’s level of compliance with the 110 security controls stipulated in NIST SP 800-171. High scores are evidence of high levels of compliance; low scores are a red flag that contractors present risk to the DoD supply chain. Every organization handling Controlled Unclassified Information (CUI) is required to meet the NIST SP 800-171 controls and must conduct a self-assessment against them and submit their score to the DoD’s SPRS database.
 
This blog tells you what you need to know about your SPRS score including, importantly, how to raise that score so that you can protect your competitive position in the Defense Industrial Base and win contracts.

#1: Why does my SPRS score matter?

If your organization handles CUI, then you have a DFARS 7012 clause in your contract. DFARS 7012 mandates compliance with NIST SP 800-171, and DFARS 7019 requires contractors to conduct a self-assessment of that compliance. The self-assessment result—a score ranging from +110 to -203—must be submitted to the DoD’s Supplier Performance Risk System (SPRS), and so the score is commonly known as an SPRS score.
 
SPRS scores have assumed greater importance now than in the past for two main reasons:
 
First, the DoD has ratcheted up the “flow down” obligations stipulated in DFARS 7012. Flow down means that prime contractors must not only comply with the requirements stipulated in any DoD regulation, but also must pass those standards on to their subcontractors. Now, DFARS 7020 requires primes to do more than just flow down those standards: it also requires primes to proactively check compliance by confirming that their subcontractors have an up-to-date (i.e., less than three years old) SPRS score on file.
 
The next logical step primes are taking is to ask for the score itself. And some primes are going further, stipulating minimum SPRS scores that subcontractors must achieve to work with them. It stands to reason that organizations with higher SPRS scores than their competitors are in a stronger position to win defense contracts.
 
Second, SPRS scores have become far more important because implementation of CMMC—the DoD’s Cybersecurity Maturity Model Certification program—is expected to begin in late 2024. Any organization that handles CUI will need to achieve at least CMMC Level 2 certification. Level 2’s security control requirements mirror the 110 controls stipulated in NIST SP 800-171, and so your SPRS score will play a pivotal role in your CMMC certification process. In fact, one of the first things your CMMC assessor will ask for is your SPRS score.

#2 How do I calculate my SPRS score?

Here’s what your organization needs to do to calculate and submit an SPRS score:

  • Develop a System Security Plan (SSP) that details the policies and procedures your organization has in place to comply with NIST SP 800-171, as required by DFARS 7012. The SSP is required by NIST SP 800-171 and is foundational for any self-assessment as well as consideration for any DoD contract.
  • Conduct a self-assessment according to the DoD’s NIST SP 800-171 Assessment Methodology. DoD methodology assigns each of the 110 controls a weight of one, three or five points. Scoring starts at the highest possible score of 110. Points are deducted for each control not met, all the way down to -203. Negative self-assessment scores are possible, as scores can range from +110 down to -203, a spread of 313 points.
  • Submit your self-assessment score to the DoD’s Supplier Performance Risk System (SPRS) by the time of contract award. The self-assessment must have been completed within the last three years and be maintained for the duration of the contract. This DoD document, SPRS Access for NIST SP 800-171, offers step-by-step instructions for submitting scores via the DoD’s Procurement Integrated Enterprise Environment (PIEE).
  • If your organization’s SPRS score falls below 110, create a Plan of Action & Milestones (POA&M) for security controls not met, and indicate by what date those security gaps will be remediated and a score of 110 will be achieved.

If your organization hasn’t yet submitted an SPRS score to the DoD, now is the time to move on getting that done. Alternatively, you may have an SPRS score on file that doesn’t accurately reflect your cybersecurity levels. If that’s the case, it’s time to update your score. Fraudulent scores—intentional or not—could result in serious consequences ranging from fines to cancellation of your contract.

#3: What’s a good SPRS score?

The highest possible SPRS score is 110, which means that a contractor complies with every one of NIST SP 800-171’s 110 security controls. A perfect SPRS score of 110 after your first assessment is uncommon—the key is to have an active plan for improving your organization’s cybersecurity so that you can get there.
 
Your organization may not even be close to a perfect SPRS score. If that’s the case, it may be some consolation to know that an MSSP in the Washington, D.C. area analyzed more than 500 compliance reviews it had conducted in 2020 for small to midsize defense contractors and found that the typical contractor scored a -27 on its initial NIST SP 800-171 self-assessment. That was a few years ago, though, and we know that pressure from the DoD to improve cybersecurity levels throughout its supply chain has spurred many SMBs to raise their SPRS scores since then.

#4: What SPRS score does CMMC require?

To achieve CMMC Level 2 certification, your organization should aim to achieve an SPRS score of at least 88 for its initial third-party assessment (which would occur after your own internal preparation and self-assessments).
 
The vast majority of defense contractors seeking Level 2 certification will need to be assessed by an independent third-party, or C3PAO (CMMC Third Party Assessment Organization), rather than conduct a self-assessment. Following their initial C3PAO assessment, organizations can receive a “CMMC Level 2 Conditional Certification” if their SPRS score is at least 88 out of 110 and if they create POA&Ms for the remaining controls.
 
But even though your organization won’t need a perfect score upon first assessment, there are some controls that you’ll have to meet from the start. DIBCAC has stated that, with one exception, POA&Ms will not be permitted for any three- or five-point controls. Additionally, POA&Ms will be time-bound. Organizations given CMMC Level 2 Conditional Certification are responsible for correcting all deficiencies listed in their POA&Ms within 180 days from the time of their Final Findings briefing with their C3PAO. If an organization has deficiencies remaining after 180 days, its Level 2 Conditional Certification will be revoked.

#5: How can I improve my organization’s SPRS score?

Your organization’s SPRS score is based on the results of an assessment of compliance with NIST SP 800-171, which was created specifically to protect CUI. The more you can improve your cybersecurity and protect CUI, the higher your SPRS score will go.
 
PreVeil suggests a three-step roadmap to raise your SPRS score:
 

  1. Adopt a platform that securely stores, processes and transmits CUI.
     
    File sharing and email is how CUI is most frequently transmitted. You’ll need to assess platforms and choose one that enables compliance with NIST SP 800-171. Know that the responsibility for choosing a compliant platform rests squarely on the shoulders of defense contractors. Don’t simply accept a provider’s self-attestation that they support NIST SP 800-171 standards. Ask for documented evidence.
     
    PreVeil customers have achieved perfect 110 out of 110 NIST SP 800-171 scores in rigorous DIBCAC and JSVA assessments. The JSVA assessments will translate directly to CMMC Level 2 Certifications once rulemaking is complete.
  2. Use prepared documentation to show compliance and save time and money.
     
    Defense contractors have to do more than implement technology and policies to comply with NIST SP 800-171. They also need detailed, evidence-based documentation to prove it. This can be a daunting, time-consuming and costly task.
     
    PreVeil offers its customers a compliance documentation package that gives them a huge head start on this essential documentation. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; POA&M templates; and more. (Note that your SSP will be the first document that your C3PAO will ask for when you kick off your C3PAO Level 2 assessment).
  3. Identify certified consultants that are familiar with your technology.
     
    It’s understandable that many organizations lack the internal security expertise to conduct their NIST SP 800-171 self-assessment accurately and cost effectively. If you get stuck and need help, outside partners can save you time and money.
     
    To facilitate connections to the specialized help many small to midsize businesses need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs and other consultants and organizations—all with expert knowledge of DFARS, NIST, CMMC and PreVeil. The partners’ expert knowledge of PreVeil significantly streamlines your engagement because no time is spent learning how PreVeil supports compliance with NIST SP 800-171. This efficiency accelerates your path to a higher SPRS score.

    4. To learn more

    PreVeil is trusted by more than 1,000 small and midsize defense contractors. Learn more about how PreVeil can help you raise your SPRS score and, when the time comes, achieve CMMC Level 2 certification faster and more affordably: