Your SPRS score is more than just a number: it directly affects your ability to win and keep Department of Defense contracts. In this blog, we’ll explain why your score matters, what qualifies as “good”, and how you can improve it.

What is an SPRS Score?
An SPRS (Supplier Performance Risk System) score is the result of a NIST SP 800-171 DoD Assessment, most commonly a Basic (self-) assessment, and indicates how fully a Department of Defense (DoD) contractor has implemented the security requirements in NIST SP 800-171. Every contractor handling Controlled Unclassified Information (CUI) must adhere to these cyber security controls, which form the foundation for CMMC Level 2.
A high SPRS score not only showcases your compliance but also strengthens your competitive stance in the Defense Industrial Base. Conversely, a low SPRS score can signal significant risks to the DoD supply chain, potentially jeopardizing future contracts.
Here are some important things to consider as your organization looks to calculate and improve their SPRS score.
Does My SPRS Score Matter?
SPRS scores hold critical importance for defense contractors for two key reasons:
1. DFARS 252.204-7020 requires prime contractors to verify the compliance of their subcontractors by confirming that a current SPRS score, no older than three years, is on record before awarding a subcontract that involves CUI. This score often becomes a deciding factor in subcontractor selection, with many primes setting specific SPRS score minimums as a requirement.
2. The significance of SPRS scores is set to increase with the impending rollout of the Cybersecurity Maturity Model Certification (CMMC). In Phase I of the CMMC rollout, organizations will largely self-assess their compliance with CMMC and report their SPRS score. Primes will look at these scores to determine eligibility for contracts.
SPRS Score Range
An SPRS score can range from -203 (the lowest) up to +110 (the highest). The DoD’s NIST SP 800-171 Assessment Methodology assigns each of the 110 NIST SP 800-171 controls a weight of one, three, or five points. Scoring starts at 110, the perfect score, and subtracts the weight of every control that is not fully implemented; a contractor with none of the controls in place bottoms out at -203. Partial implementation of a control earns no credit, with the single exception of SC.L2-3.13.11 described below.

First-time assessments often result in negative scores due to unmet controls, but these scores generally improve significantly under the guidance of an experienced professional team.
What Is a Good SPRS Score?
An SPRS score of 88 or higher (80 percent of the 110 available points) would be considered good, as that is the minimum score an organization must reach in its initial CMMC Level 2 assessment to be eligible for conditional certification, and it indicates that the most critical security measures have been put in place to protect CUI. With CMMC going into contracts in November 2025, defense contractors seeking CMMC Level 2 compliance will want to aim to achieve or surpass that score.
Critically, they must meet:
- All CMMC Level 1 controls
- All 3- or 5-point controls (the one exception is SC.L2-3.13.11: if it is partially met, meaning encryption is employed but is not FIPS validated, it reduces the SPRS score by 3 points instead of 5 and may be deferred to a POA&M)
- The following 1 point controls:
- AC.L2-3.1.20 – External Connections (CUI Data)
- AC.L2-3.1.22 – Control Public Information (CUI Data)
- PE.L2-3.10.3 – Escort Visitors (CUI Data)
- PE.L2-3.10.4 – Physical Access Logs (CUI Data)
- PE.L2-3.10.5 – Manage Physical Access (CUI Data)
If a contractor is unable to meet a control that is not in this list, it must create a Plan of Action and Milestones (POA&M) that describes its process for remediation. POA&Ms are time-bound. Organizations given CMMC Level 2 Conditional Certification are responsible for correcting all deficiencies listed in their POA&Ms within 180 days of the Final Findings briefing with their C3PAO. If an organization still has open deficiencies after 180 days, its Level 2 Conditional Certification will be revoked.
If you don’t meet these requirements in your first assessment, you’ll need to start the entire assessment process over – including paying for a new assessment.
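The two rule sets above (the scoring arithmetic in the SPRS Score Range section and the POA&M eligibility rules in this section) are easy to get wrong when tallied by hand. The following is an added worked example, written for this article and not code from PreVeil or the DoD, that applies those rules to a constructed set of assessment findings. The control identifiers are the NIST SP 800-171 numbers used on this page; the weight table is a small sample whose values are assumed from the DoD Assessment Methodology’s Annex A and should be verified against the current Annex A before any real submission. Controls not listed in a scenario are treated as met.

```python
"""Added worked example (not PreVeil's or the DoD's code): compute an SPRS
score and check the CMMC Level 2 POA&M eligibility rules described above.

Rules implemented:
  * Start at 110 and subtract the weight (1, 3 or 5) of each control that
    is not fully met; with all 110 unmet the floor is -203.
  * Partial implementation earns nothing, except SC.L2-3.13.11 (encryption
    in use but not FIPS validated), which costs 3 points instead of 5.
  * Conditional Level 2 status needs a score of at least 88, no unmet
    3- or 5-point control (other than the 3.13.11 partial case), and none
    of five named 1-point controls unmet.
"""
from enum import Enum

MAX_SCORE = 110
MIN_SCORE = -203
PASSING_SCORE = 88            # 80 percent of 110
VALID_WEIGHTS = {1, 3, 5}

# Deduction applied instead of the full weight when the control is partial.
PARTIAL_CREDIT = {"3.13.11": 3}

# One-point controls that may not be deferred to a POA&M (listed on the page).
NO_POAM_ONE_POINTERS = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"


# Constructed sample weight table (assumption: values recalled from Annex A of
# the DoD Assessment Methodology; verify before relying on them).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.7": 1, "3.1.20": 1, "3.1.22": 1,
    "3.3.3": 1, "3.5.3": 5, "3.10.3": 1, "3.10.4": 1, "3.10.5": 1,
    "3.13.11": 5, "3.14.2": 5,
}


def deduction(req_id, status, weights):
    """Points subtracted for one control given its assessed status."""
    weight = weights[req_id]                  # KeyError if the id is unknown
    if weight not in VALID_WEIGHTS:
        raise ValueError(f"{req_id}: weight must be 1, 3 or 5, got {weight}")
    if status is Status.MET:
        return 0
    if status is Status.PARTIAL and req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req_id]
    return weight                             # NOT_MET, or PARTIAL with no credit


def sprs_score(findings, weights=SAMPLE_WEIGHTS):
    """findings: {control_id: Status}. Controls absent from findings count as
    met. The weight table must list every control that appears in findings."""
    total = sum(deduction(r, s, weights) for r, s in findings.items())
    score = MAX_SCORE - total
    if score < MIN_SCORE:
        # 110 - (-203) = 313 is the sum of all weights; anything lower means
        # the weight table or the findings are inconsistent.
        raise ValueError("deductions exceed the 313 points of a full table")
    return score


def poam_blockers(findings, weights=SAMPLE_WEIGHTS):
    """Unmet controls that cannot be placed on a POA&M (sorted by id)."""
    blockers = []
    for req_id, status in findings.items():
        if status is Status.MET:
            continue
        if status is Status.PARTIAL and req_id in PARTIAL_CREDIT:
            continue                          # 3.13.11 partial is POA&M-eligible
        if weights[req_id] >= 3 or req_id in NO_POAM_ONE_POINTERS:
            blockers.append(req_id)
    return sorted(blockers)


def conditional_level2_eligible(findings, weights=SAMPLE_WEIGHTS):
    """True when the score clears 88 and nothing unmet is barred from a POA&M."""
    return (sprs_score(findings, weights) >= PASSING_SCORE
            and not poam_blockers(findings, weights))


# Constructed scenarios: A clears the bar, B scores well but is blocked.
SCENARIO_A = {"3.13.11": Status.PARTIAL, "3.1.7": Status.NOT_MET,
              "3.3.3": Status.NOT_MET}
SCENARIO_B = {"3.5.3": Status.NOT_MET, "3.1.20": Status.NOT_MET,
              "3.13.11": Status.PARTIAL}

if __name__ == "__main__":
    for name, f in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(name, sprs_score(f), poam_blockers(f), conditional_level2_eligible(f))
```

Scenario B is the case practitioners most often misjudge: its score of 101 is well above 88, yet an unmet 5-point control (3.5.3) and an unmet 3.1.20 cannot go on a POA&M, so the organization would not receive conditional certification. Note also that a partial status on any control other than 3.13.11 is scored exactly like not met.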
How To Calculate an SPRS Score
Here’s what an organization needs to do to calculate an SPRS score and submit it:

- Develop a SSP: Your System Security Plan (or SSP) details the policies and procedures your organization has in place to comply with NIST SP 800-171. The SSP is foundational for any self-assessment as well as consideration for any DoD contract.
- Conduct a Self-Assessment: Assess your organization according to the DoD’s NIST SP 800-171 Assessment Methodology.
- Submit your self-assessment score: Contractors must submit their self-assessment score to the DoD’s Supplier Performance Risk System (SPRS) by the time of contract award. The self-assessment must have been completed within the last three years and be maintained for the duration of the contract.
- Create your POA&Ms: If your organization’s SPRS score falls below 110, create a Plan of Action & Milestones (POA&M) for security controls not met, and indicate by what date those security gaps will be remediated and a score of 110 will be achieved.
If your organization hasn’t yet submitted an SPRS score to the DoD, now is the time to move on getting that done. Alternatively, you may have an SPRS score on file that doesn’t accurately reflect your cybersecurity levels. If that’s the case, it’s time to update your score. Fraudulent scores—intentional or not—could result in serious consequences ranging from fines to cancellation of your contract.
How to Improve Your SPRS Score
Your organization’s SPRS score is based on the results of an assessment of compliance with NIST SP 800-171, which was created specifically to protect CUI. The more you can improve your cybersecurity and protect CUI, the higher your SPRS score will go.
Here are three ways to raise your SPRS score:
- Adopt a platform that securely stores, processes and transmits CUI.
File sharing and email is how CUI is most frequently transmitted. You’ll need to assess platforms and choose one that enables compliance with NIST SP 800-171. Know that the responsibility for choosing a compliant platform rests squarely on the shoulders of defense contractors. Don’t simply accept a provider’s self-attestation that they support NIST SP 800-171 standards. Ask for documented evidence.
Dozens of PreVeil customers have achieved CMMC compliance – validated by a perfect 110 score on their C3PAO or DoD assessment.
- Use prepared documentation to show compliance and save time and money.
Defense contractors have to do more than implement technology and policies to comply with NIST SP 800-171. They also need detailed, evidence-based documentation to prove it. This can be a daunting, time-consuming and costly task.
PreVeil offers its customers a compliance documentation package that gives them a huge head start on this essential documentation. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; POA&M templates; and more. (Note that your SSP will be the first document that your C3PAO will ask for when you kick off your C3PAO Level 2 assessment.)
- Identify certified consultants that are familiar with your technology.
It’s understandable that many organizations lack the internal security expertise to conduct their NIST SP 800-171 self-assessment accurately and cost effectively. If you get stuck and need help, outside partners can save you time and money.
To facilitate connections to the specialized help many small to midsize businesses need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs and other consultants and organizations—all with expert knowledge of DFARS, NIST, CMMC and PreVeil. The partners’ expert knowledge of PreVeil significantly streamlines your engagement because no time is spent learning how PreVeil supports compliance with NIST SP 800-171. This efficiency accelerates your path to a higher SPRS score.
Read our Guide to CMMC, used by over 5,000 defense contractors
SPRS Score Assistance from PreVeil
PreVeil is trusted by more than 2,000 small and midsize defense contractors and has enabled numerous organizations to achieve a perfect 110 SPRS score. These organizations have been successful in their compliance efforts because they relied on:
- PreVeil’s Email and Drive Platform: Enables organizations to quickly secure their CUI data and support 102/110 controls
- Compliance Accelerator: A proven toolkit with C3PAO-validated videos, prefilled documentation (Standard Operating Procedure, System Security Plan, etc.) and 1×1 support from our compliance experts if you get stuck
- Preferred Partner Network: Support through your entire compliance journey – from prep to assessment – through our network of CMMC consultants & auditors.
Learn more about how PreVeil can help you raise your SPRS score and achieve CMMC Level 2 certification faster and more affordably:
- Check out our case study on Kokosing Construction Company to learn how they used PreVeil to achieve a perfect 110/110 score.