SPRS Score: What It Is, How to Calculate It, and Why It Matters (2026)

If you’re a defense contractor, your SPRS score is the number the DoD uses to decide whether your cybersecurity is good enough to win contracts. It’s a self-assessed score between -203 and 110 that reflects how well your organization implements the 110 security requirements in NIST SP 800-171 Rev 2.

A score of 110 means you’ve implemented everything. Anything less means you have gaps — and the lower the number, the bigger the gaps. If you don’t have a score posted in SPRS, contracting officers can’t verify your cybersecurity posture and you’re effectively locked out of contract awards.

Here’s how the system works, how to calculate your score, and what’s changed now that CMMC is live.

What Is SPRS?

SPRS stands for Supplier Performance Risk System. It’s a DoD platform managed by the Defense Information Systems Agency (DISA) that tracks contractor performance across several dimensions — past performance, quality, delivery, and cybersecurity.

The cybersecurity piece is what matters here. SPRS is where the DoD stores and verifies your NIST 800-171 self-assessment score. When a contracting officer evaluates your bid, they check SPRS to confirm you have a current score on file. No score, no contract.

SPRS is accessed through the Procurement Integrated Enterprise Environment (PIEE) portal at sprs.csd.disa.mil.

How SPRS Scoring Works

Your SPRS score is calculated using the DoD NIST SP 800-171 Assessment Methodology. The concept is straightforward:

  1. Start at 110 — one point for each of the 110 NIST 800-171 Rev 2 security requirements
  2. For every requirement you haven’t fully implemented, subtract a weighted value
  3. The weighted values are 1, 3, or 5 points depending on how critical the control is
  4. Your final number is your SPRS score

The weighting reflects how much risk an unmet control creates. The 42 highest-impact controls — including all 17 of the basic safeguards from FAR 52.204-21 — are each worth 5 points. The remaining controls are distributed across the 1-point and 3-point categories.

The Math

| Scenario | Score |
| --- | --- |
| All 110 requirements fully implemented | 110 |
| Missing one 5-point control | 105 |
| Missing one 3-point control | 107 |
| Missing one 1-point control | 109 |
| Nothing implemented (worst case) | -203 |

The lowest possible score is -203 because the weighted values of all 110 controls add up to 313 points of potential deductions (110 - 313 = -203).

Partial implementation doesn’t count. If a control isn’t fully met, you subtract the full weighted value. There’s no partial credit.

How to Calculate Your SPRS Score

Here’s the step-by-step process.

1. Define Your CUI Boundary

Before you assess anything, you need to know what’s in scope. Identify every system, network, and application that stores, processes, or transmits Controlled Unclassified Information (CUI). This is your assessment boundary. If you haven’t scoped your CUI environment yet, start with our CMMC compliance checklist — it walks through this.

2. Assess Each of the 110 Controls

Go through each NIST 800-171 Rev 2 requirement and determine whether your organization has fully implemented it within your CUI boundary. For each control, the answer is one of three things:

  • MET — You’ve fully implemented the requirement. No deduction.
  • NOT MET — You haven’t fully implemented it. Subtract the weighted value (1, 3, or 5).
  • NOT APPLICABLE — The requirement doesn’t apply to your environment. No deduction. (Use this sparingly — assessors will scrutinize N/A claims.)

3. Add Up the Deductions

Start at 110. For every NOT MET control, subtract its weighted value. The result is your SPRS score.

For example, if you have five unmet controls — two worth 5 points, two worth 3 points, and one worth 1 point — your score would be:

110 - (5+5+3+3+1) = 93

4. Document Your System Security Plan (SSP)

Your SPRS score doesn’t exist in a vacuum. You need a System Security Plan that documents how you implement each control, your assessment boundary, and any gaps. The SSP is the backup documentation that proves your score is legitimate. If an assessor or contracting officer asks to see your evidence, the SSP is what you hand them.

5. Create POA&Ms for Unmet Controls

For every control you marked as NOT MET, you need a Plan of Action and Milestones (POA&M) that describes what the gap is, how you plan to close it, and when. A POA&M isn’t a free pass — it’s a commitment to remediate on a specific timeline.

What Score Do You Need?

This depends on which CMMC level your contracts require.

CMMC Level 1

Level 1 doesn’t use the 110-point SPRS scoring system. Level 1 maps to the 17 basic safeguarding requirements in FAR 52.204-21, not NIST 800-171. You self-assess against those 15 requirements annually and submit a MET or NOT MET result to SPRS along with an annual affirmation from a senior official.

There’s no numeric score for Level 1 — it’s pass/fail.

CMMC Level 2

Level 2 is where SPRS scores matter. Here’s what the numbers mean:

| SPRS Score | CMMC Status | What It Means |
| --- | --- | --- |
| 110 | Final Level 2 | Full compliance. You’ve met all 110 requirements. |
| 88 – 109 | Conditional Level 2 | You have gaps, but they’re limited. You get 180 days to close them via your POA&M. |
| Below 88 | Not certified | Too many gaps. You’ll need to remediate before you can achieve any CMMC Level 2 status. |

The 88-point threshold is important. To qualify for even a Conditional Level 2 status, you need to score at least 88. And there’s a catch — POA&Ms are not allowed for controls weighted at 3 or 5 points. If you’re missing a high-weighted control, you have to fix it before your assessment, not after.

That means the controls you can defer to a POA&M are only the 1-point controls. Everything worth 3 or 5 points must be fully implemented at the time of assessment.
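
The scoring steps and the Level 2 thresholds above, combined into one check. This is an added example, not part of the DoD methodology or any official tool. The control IDs are placeholders (real weights come from the methodology document), and it assumes that a score of 88 or more with an open 3- or 5-point gap counts as not certified, following the POA&M rule just described.

```python
from dataclasses import dataclass

START_SCORE = 110      # one point per NIST SP 800-171 Rev 2 requirement
CONDITIONAL_MIN = 88   # lowest score that can qualify for Conditional Level 2

@dataclass(frozen=True)
class Finding:
    control_id: str    # placeholder IDs below; use the real requirement numbers
    weight: int        # 1, 3 or 5, taken from the DoD methodology document
    status: str        # "MET", "NOT MET" or "N/A"

def assess(findings):
    """Score an assessment and split the gaps by POA&M eligibility."""
    deductions, poam_ok, must_fix, seen = 0, [], [], set()
    for f in findings:
        if f.weight not in (1, 3, 5):
            raise ValueError(f"{f.control_id}: weight must be 1, 3 or 5")
        if f.status not in ("MET", "NOT MET", "N/A"):
            raise ValueError(f"{f.control_id}: unknown status {f.status!r}")
        if f.control_id in seen:
            raise ValueError(f"{f.control_id}: listed twice")
        seen.add(f.control_id)
        if f.status == "NOT MET":          # full weight, no partial credit
            deductions += f.weight
            (poam_ok if f.weight == 1 else must_fix).append(f.control_id)
    score = START_SCORE - deductions
    if not poam_ok and not must_fix:
        status = "Final Level 2"
    elif score >= CONDITIONAL_MIN and not must_fix:
        status = "Conditional Level 2"
    else:
        status = "Not certified"           # below 88, or a 3/5-point gap is open
    return {"score": score, "status": status,
            "poam_ok": poam_ok, "must_fix": must_fix}

# Constructed sample: the five-gap case from the text (5+5+3+3+1), plus one
# MET and one N/A entry. A real input lists all 110 requirements.
PAGE_EXAMPLE = [
    Finding("EX-01", 5, "NOT MET"), Finding("EX-02", 5, "NOT MET"),
    Finding("EX-03", 3, "NOT MET"), Finding("EX-04", 3, "NOT MET"),
    Finding("EX-05", 1, "NOT MET"), Finding("EX-06", 5, "MET"),
    Finding("EX-07", 1, "N/A"),
]
# Constructed sample: four 1-point gaps only, all of them POA&M-eligible.
ONE_POINT_GAPS = [Finding(f"EX-1{i}", 1, "NOT MET") for i in range(4)]

if __name__ == "__main__":
    for name, data in (("page example", PAGE_EXAMPLE), ("1-point gaps", ONE_POINT_GAPS)):
        print(name, assess(data))
```

The five-gap example scores 93, which sits inside the 88 – 109 band, yet four of its gaps are weighted 3 or 5 and land in `must_fix`, so only the 1-point item could go on a POA&M.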

How to Submit Your SPRS Score

Option 1: PIEE Portal (Recommended)

  1. Go to piee.eb.mil and create an account if you don’t already have one
  2. Request the “SPRS Cyber Vendor User” role — this is what lets you enter and edit assessment data
  3. Once approved, navigate to the SPRS module and select NIST SP 800-171 Assessments
  4. Enter your self-assessment data: score, date of assessment, scope (which CAGE codes are covered), and the name/title of your affirming official
  5. Submit and confirm

The PIEE portal has been updated to support CMMC Level 2 self-assessment entries as well. DISA released the CMMC Level 2 Self-Assessment Quick Entry Guide to walk you through the process.

Option 2: Email Submission

If you can’t access PIEE, you can submit your score via encrypted email to webptsmh@navy.mil. Include your CAGE code(s), the assessment date, your score, and the version of NIST 800-171 you assessed against. This is a fallback option — the PIEE portal is preferred.

What Changed in 2026

If you’ve been tracking DFARS clauses, you may have noticed that DFARS 252.204-7019 and 252.204-7020 — the clauses that originally required SPRS score submissions — were deleted as of February 1, 2026. This was part of the broader FAR overhaul effort to reduce regulatory redundancy.

Don’t interpret that as “SPRS scores don’t matter anymore.” They absolutely still matter. The assessment and submission requirements have been consolidated under DFARS 252.204-7021 — the CMMC clause. SPRS is now the system of record for CMMC assessment results, not just NIST 800-171 self-assessment scores.

In practical terms, nothing changes about what you need to do. You still assess against NIST 800-171, you still calculate your score, and you still submit it to SPRS. The legal citation just moved from 7019/7020 to 7021.

Common SPRS Mistakes

We see the same problems come up repeatedly when companies calculate and submit their scores.

Inflating your score. Marking a control as MET when you haven’t fully implemented it. This is the most common and most dangerous mistake. If a C3PAO assessment later reveals a gap you claimed was closed, you have a credibility problem — and potentially a False Claims Act problem. Be honest.

Forgetting to update it. Your SPRS score has a shelf life. Self-assessments must be refreshed based on the assessment type’s validity period, and annual affirmations are required for Level 1. If your score expires, contracting officers will see it as stale and may not award you a contract.

Scoping too broadly. If you assess your entire corporate network instead of just the CUI boundary, you’re creating unnecessary work and unnecessary risk of lower scores. Enclave strategies exist for a reason — reduce your scope to reduce your compliance burden.

Skipping the SSP. Your score is just a number without the System Security Plan backing it up. Assessors will ask for it. Contracting officers can request it. If you can’t produce an SSP that matches your claimed score, the number is meaningless.

Not knowing your weighted values. Some organizations just count unmet controls without applying the correct weights. Missing five 1-point controls (score: 105) is very different from missing five 5-point controls (score: 85). The methodology document specifies the weight for each control — use it.

FAQ

What does SPRS stand for?

Supplier Performance Risk System. It’s a DoD platform managed by DISA that tracks contractor performance data, including cybersecurity assessment scores.

Is there a minimum SPRS score to win contracts?

There’s no universal minimum. However, for CMMC Level 2, you need at least 88 to qualify for a Conditional status. A score of 110 is required for a Final Level 2 certification. Contracting officers can see your score and factor it into award decisions even below those thresholds.

How often do I need to update my SPRS score?

For CMMC Level 1, you must complete a self-assessment and affirmation annually. For Level 2 self-assessments, the assessment is valid for three years but requires annual affirmation. For Level 2 C3PAO assessments, the certification is valid for three years.

Can I submit a SPRS score with a POA&M?

Yes. A POA&M means you acknowledge the gap and have a plan to fix it. For CMMC Level 2, your POA&M items must be remediated within 180 days to move from Conditional to Final status. But remember — POA&Ms are only allowed for 1-point controls. Controls weighted at 3 or 5 points must be fully implemented.

Do subcontractors need a SPRS score?

Yes. If a subcontractor handles CUI or FCI, they need their own SPRS score and CMMC certification at the appropriate level. Prime contractors are responsible for ensuring their subcontractors are compliant. This requirement flows down through the entire supply chain.

What if my score is negative?

A negative score means you have significant gaps in your NIST 800-171 implementation. It doesn’t disqualify you from ever winning contracts, but it does mean you have substantial work ahead. Focus on the 5-point and 3-point controls first — they have the biggest impact on both your score and your actual security posture. Our CMMC certification cost breakdown can help you budget for the remediation work.