An SPRS (Supplier Performance Risk System) score is a report card that signals a defense contractor’s level of compliance with the 110 security controls stipulated in NIST SP 800-171. High scores are evidence of high levels of compliance; low scores are a red flag that a contractor presents risk to the DoD supply chain. Every organization handling Controlled Unclassified Information (CUI) is required to meet the NIST SP 800-171 controls, must conduct a self-assessment against that standard, and must submit the resulting score to the DoD’s SPRS database.
This blog tells you what you need to know about your SPRS score including, importantly, how to raise that score so that you can protect your competitive position in the Defense Industrial Base and win contracts.
#1: Why does my SPRS score matter?
If your company handles CUI, your contract likely includes a DFARS 7012 clause. This means you must follow specific cybersecurity standards (NIST SP 800-171) and regularly assess your compliance. With the advent of DFARS 7019, the results of this assessment, called an SPRS score, must be reported to the government.
SPRS scores have assumed greater importance now than in the past for two main reasons:
First, the DoD has ratcheted up the “flow down” obligations stipulated in DFARS 7012. Flow down means that prime contractors must not only comply with the requirements stipulated in any DoD regulation, but also must pass those standards on to their subcontractors. Now, DFARS 7020 requires primes to do more than just flow down those standards: it also requires primes to proactively check compliance by confirming that their subcontractors have a current SPRS score (i.e., one no more than three years old) on file.
The next logical step primes are taking is to ask for the score itself. And some primes are going further, stipulating minimum SPRS scores that subcontractors must achieve to work with them. It stands to reason that organizations with higher SPRS scores than their competitors are in a stronger position to win defense contracts.
Second, SPRS scores have become far more important because implementation of CMMC—the DoD’s Cybersecurity Maturity Model Certification program—is expected to begin in late 2024. Any organization that handles CUI will need to achieve at least CMMC Level 2 certification. Level 2’s security control requirements mirror the 110 controls stipulated in NIST SP 800-171, and so your SPRS score will play a pivotal role in your CMMC certification process.
#2: SPRS Score Range
DoD methodology assigns each of the 110 controls a weight of one, three or five points. Scoring starts at the highest possible score of 110, and the weight of each control that is not implemented is deducted from it, so scores can range from +110 down to -203, a spread of 313 points. Two controls can receive a partial deduction of 3 points rather than the full 5: 3.5.3 (multifactor authentication), when MFA covers remote and privileged access but not general users, and 3.13.11 (encryption of CUI), when encryption is in place but is not FIPS validated.
Most first-time assessments have a negative score because controls are incomplete. However, the SPRS score can often improve with the assistance of an experienced professional team.
#3: What’s a good score?
As your SPRS score will soon be intertwined with CMMC compliance, a good (read passing) score is at least 88 out of a possible 110. Because deductions are weighted, this is a point threshold rather than a count of controls met; it is the minimum score needed to initially pass a CMMC assessment. A perfect SPRS score of 110 after your first assessment is uncommon—the key is to have an active plan for improving your organization’s cybersecurity so that you can get there.
#4: How do I calculate my SPRS score?
Here’s what your organization needs to do to calculate and submit an SPRS score:
- Develop a System Security Plan (SSP): Your SSP details the policies and procedures your organization has in place to comply with NIST SP 800-171. The SSP is foundational for any self-assessment as well as consideration for any DoD contract.
- Conduct a self-assessment: Assess your organization according to the DoD’s NIST SP 800-171 Assessment Methodology.
- Submit your self-assessment score: Post the score to the DoD’s Supplier Performance Risk System (SPRS) by the time of contract award. The self-assessment must have been completed within the last three years and must be maintained for the duration of the contract. The DoD document SPRS Access for NIST SP 800-171 offers step-by-step instructions for submitting scores via the DoD’s Procurement Integrated Enterprise Environment (PIEE).
- Create your POA&Ms: If your organization’s SPRS score falls below 110, create a Plan of Action & Milestones (POA&M) for security controls not met, and indicate by what date those security gaps will be remediated and a score of 110 will be achieved.
If your organization hasn’t yet submitted an SPRS score to the DoD, now is the time to get that done. Alternatively, you may have an SPRS score on file that doesn’t accurately reflect your current cybersecurity posture. If that’s the case, it’s time to update your score. Inaccurate scores, whether intentional or not, could result in serious consequences ranging from fines to cancellation of your contract.
#5: What score does CMMC require?
To achieve CMMC Level 2 certification, your organization should aim to achieve an SPRS score of at least 88 for its initial third-party assessment (which would occur after your own internal preparation and self-assessments).
The vast majority of defense contractors seeking Level 2 certification will need to be assessed by an independent third-party, or C3PAO (CMMC Third Party Assessment Organization), rather than conduct a self-assessment. Following their initial C3PAO assessment, organizations can receive a “CMMC Level 2 Conditional Certification” if their SPRS score is at least 88 out of 110 and if they create POA&Ms for the remaining controls.
But even though your organization won’t need a perfect score upon first assessment, there are some controls that you’ll have to meet from the start. DIBCAC has stated that, with one exception, POA&Ms will not be permitted for any three- or five-point controls. Additionally, POA&Ms will be time-bound. Organizations given CMMC Level 2 Conditional Certification are responsible for correcting all deficiencies listed in their POA&Ms within 180 days from the time of their Final Findings briefing with their C3PAO. If an organization has deficiencies remaining after 180 days, its Level 2 Conditional Certification will be revoked.
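The scoring arithmetic from section #2 and the conditional-certification rules above are small enough to put in code. The following calculator is an added example, not PreVeil’s or the DoD’s code: it starts at 110, deducts each unimplemented control’s weight, applies the 3-point partial deductions for 3.5.3 and 3.13.11, refuses to produce a score when there is no System Security Plan (3.12.4), and then checks the two conditions this page gives for a Level 2 conditional result (a score of at least 88 and no open POA&M item worth more than one point, with 3.13.11 as the exception). The WEIGHTS table covers only a handful of controls with illustrative values; the authoritative weights are in Annex A of the DoD Assessment Methodology, and the sample assessment is constructed data.

```python
"""SPRS self-assessment score calculator (added example, not PreVeil or DoD code).

Implements the scoring arithmetic of the DoD NIST SP 800-171 Assessment
Methodology and the page's two conditions for a CMMC Level 2 conditional result.
WEIGHTS below is an illustrative subset; use Annex A for all 110 controls.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110        # every control implemented
MIN_SCORE = -203       # every control unimplemented (full 110-control table)
CONDITIONAL_MIN = 88   # minimum score for a Level 2 conditional result
SSP_CONTROL = "3.12.4" # without an SSP the methodology assigns no score at all


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"  # only recognised for the two partial-credit controls


# Illustrative subset of the Annex A weight table (control id -> points).
# Assumed values for this example: verify each against Annex A and extend
# the table to all 110 controls before relying on the result.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.22": 1, "3.5.3": 5,
    "3.8.4": 1, "3.13.11": 5, "3.14.1": 5,
}

# Partial deductions: MFA for remote/privileged but not general users (3.5.3),
# and encryption in use but not FIPS validated (3.13.11).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class PoamItem:
    control: str
    points: int  # points currently deducted for this control


@dataclass(frozen=True)
class Assessment:
    score: int
    poam: tuple[PoamItem, ...]


def deduction(control: str, status: Status) -> int:
    """Points to deduct for one control under the methodology's rules."""
    if status is Status.MET:
        return 0
    if status is Status.PARTIAL:
        if control not in PARTIAL_DEDUCTION:
            raise ValueError(f"{control}: partial credit is not defined")
        return PARTIAL_DEDUCTION[control]
    return WEIGHTS[control]


def score_assessment(results: dict[str, Status]) -> Assessment:
    """Compute the SPRS score and POA&M list from per-control results.

    Controls in WEIGHTS that are missing from `results` count as NOT_MET,
    the conservative reading for a self-assessment.
    """
    if results.get(SSP_CONTROL, Status.NOT_MET) is not Status.MET:
        raise ValueError("no System Security Plan: the methodology assigns no score")
    unknown = set(results) - set(WEIGHTS) - {SSP_CONTROL}
    if unknown:
        raise KeyError(f"controls not in weight table: {sorted(unknown)}")

    score = MAX_SCORE
    poam: list[PoamItem] = []
    # Sort numerically (3.1.22 after 3.1.2, 3.13.11 before 3.14.1).
    for control in sorted(WEIGHTS, key=lambda c: tuple(int(p) for p in c.split("."))):
        points = deduction(control, results.get(control, Status.NOT_MET))
        if points:
            score -= points
            poam.append(PoamItem(control, points))
    return Assessment(score, tuple(poam))


def conditional_level2_eligible(assessment: Assessment) -> bool:
    """Score of at least 88 and no POA&M item above 1 point, except 3.13.11
    left open at its 3-point partial deduction. The CMMC rule also bars a few
    specific 1-point controls from a POA&M; that list is not modelled here."""
    if assessment.score < CONDITIONAL_MIN:
        return False
    for item in assessment.poam:
        if item.control == "3.13.11" and item.points == 3:
            continue
        if item.points > 1:
            return False
    return True


# Constructed sample self-assessment (not real data).
SAMPLE_RESULTS = {
    SSP_CONTROL: Status.MET,
    "3.1.1": Status.MET,
    "3.1.2": Status.MET,
    "3.1.22": Status.MET,
    "3.5.3": Status.PARTIAL,    # MFA on remote and privileged access only
    "3.8.4": Status.NOT_MET,    # CUI media not yet marked
    "3.13.11": Status.PARTIAL,  # encryption in use, not FIPS validated
    "3.14.1": Status.NOT_MET,   # flaw remediation process not in place
}

if __name__ == "__main__":
    result = score_assessment(SAMPLE_RESULTS)
    print(f"SPRS score: {result.score}")
    for item in result.poam:
        print(f"  POA&M {item.control}: {item.points} point(s) open")
    print("Level 2 conditional eligible:", conditional_level2_eligible(result))
```

On the sample data the score is 98, comfortably above 88, yet the organization is not eligible for a conditional result: the partially implemented MFA control still costs 3 points and is not the permitted exception. Closing 3.5.3 and 3.14.1 leaves only a 1-point item and the 3.13.11 partial on the POA&M, which the check accepts.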
#6: How can I improve my organization’s SPRS score?
Your organization’s SPRS score is based on the results of an assessment of compliance with NIST SP 800-171, which was created specifically to protect CUI. The more you can improve your cybersecurity and protect CUI, the higher your SPRS score will go.
PreVeil suggests a three-step roadmap to raise your SPRS score:
- Adopt a platform that securely stores, processes and transmits CUI.
File sharing and email are how CUI is most frequently transmitted. You’ll need to assess platforms and choose one that enables compliance with NIST SP 800-171. Know that the responsibility for choosing a compliant platform rests squarely on the shoulders of defense contractors. Don’t simply accept a provider’s self-attestation that they support NIST SP 800-171 standards. Ask for documented evidence.
PreVeil customers have achieved perfect 110 out of 110 NIST SP 800-171 scores in rigorous DIBCAC and JSVA assessments. The JSVA assessments will translate directly to CMMC Level 2 Certifications once rulemaking is complete.
- Use prepared documentation to show compliance and save time and money.
Defense contractors have to do more than implement technology and policies to comply with NIST SP 800-171. They also need detailed, evidence-based documentation to prove it. This can be a daunting, time-consuming and costly task.
PreVeil offers its customers a compliance documentation package that gives them a huge head start on this essential documentation. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; POA&M templates; and more. (Note that your SSP will be the first document your C3PAO asks for when you kick off your Level 2 assessment.)
- Identify certified consultants that are familiar with your technology.
It’s understandable that many organizations lack the internal security expertise to conduct their NIST SP 800-171 self-assessment accurately and cost effectively. If you get stuck and need help, outside partners can save you time and money.
To facilitate connections to the specialized help many small to midsize businesses need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs and other consultants and organizations—all with expert knowledge of DFARS, NIST, CMMC and PreVeil. The partners’ expert knowledge of PreVeil significantly streamlines your engagement because no time is spent learning how PreVeil supports compliance with NIST SP 800-171. This efficiency accelerates your path to a higher SPRS score.
Read our Guide to CMMC, used by over 5,000 defense contractors
#7: How PreVeil can help
PreVeil is trusted by more than 1,200 small and midsize defense contractors and has enabled numerous organizations to achieve a perfect 110 score in SPRS. These organizations have been successful in their compliance efforts because they relied on:
- PreVeil’s Email and Drive Platform: Enables organizations to quickly secure their CUI data and support 102/110 controls
- Compliance Accelerator: A proven toolkit with C3PAO-validated videos, prefilled documentation (Standard Operating Procedure, System Security Plan, etc.) and 1×1 support from our compliance experts if you get stuck
- Preferred Partner Network: Support through your entire compliance journey – from prep to assessment – through our network of CMMC consultants & auditors.
Learn more about how PreVeil can help you raise your SPRS score and achieve CMMC Level 2 certification faster and more affordably:
- Sign up for a free 15-minute consultation with our compliance team
- Check out our case study on Kokosing Construction Company to learn how they used PreVeil to achieve a perfect 110/110 score.