If a prime contractor just asked for your SPRS score and you're not sure what that is, take a breath. You're not behind everyone else — most small shops are figuring this out at the same time you are. This article explains exactly how the score works, how to calculate yours, and what the number actually means for your contracts.
What SPRS Is, in One Paragraph
SPRS (Supplier Performance Risk System) is the Department of Defense database where contractors report a self-assessed cybersecurity score. If your contracts involve Controlled Unclassified Information (CUI), you're expected to have a current score in there. The score measures how many of the 110 security controls in NIST SP 800-171 Rev 2 you've actually implemented. Primes check it. Contracting officers check it. And under CMMC, it stops being a formality.
How the Math Works
The scoring system is simpler than it looks:
- You start at 110 — a perfect score, one point per control.
- For every control you haven't fully implemented, you subtract points. Not all controls are worth the same. Under the DoD Assessment Methodology (v1.2.1, Annex A), there are 44 controls worth 5 points, 14 worth 3 points, and 51 worth 1 point.
- Your score can go negative. If you had nothing in place at all, you'd land at -203. A negative score isn't a clerical error — it's what the math produces for a shop that hasn't started. Plenty of honest first scores are negative.
The 5-point controls are the big structural things: multi-factor authentication, encryption, access control basics. The 1-point controls tend to be narrower, procedural items. This weighting matters a lot, and here's why.
A Worked Example
Say you run a 20-person machine shop. You've got decent IT hygiene but you've never done this formally. A realistic first pass might look like:
- Missing 6 five-point controls (no MFA, no FIPS-validated encryption, no formal access reviews, a few others): -30
- Missing 4 three-point controls: -12
- Missing 15 one-point controls (mostly missing written policies and procedures): -15
110 - 57 = 53. That's a common, unremarkable starting point. It's not a passing score, but it's not a disaster either — it's a to-do list with a number attached.
One wrinkle worth knowing: a few controls have partial credit. Multi-factor authentication (control 3.5.3) costs you 5 points if you have none, but only 3 points if you've implemented it for remote and privileged users and just haven't rolled it out to everyone. Details like that can move your score more than you'd expect.
The Trap That Doesn't Show Up in the Math: Your SSP
Here's the one that catches people. The System Security Plan — control 3.12.4 — has no point value at all. You might think that means it doesn't matter. It's the opposite: per Annex A of the assessment methodology, without an SSP, the assessment cannot be conducted. No SSP, no score, no certification — full stop.
The SSP is the document that describes your systems and how each control is (or isn't) met. It's the foundation everything else sits on. If you write one document this year, write this one.
Blockers vs. Deferrable Gaps
When CMMC Level 2 certification happens, not all gaps are treated equally:
- Certification blockers: With one narrow exception (3.13.11, encryption, at partial credit), any unmet 3-point or 5-point control blocks certification outright. You can't defer these on a POA&M (Plan of Action & Milestones).
- POA&M-eligible gaps: Only 1-point controls can remain open at assessment time. And even then, you need a score of at least 88 with only POA&M-eligible items open to get a conditional certification — and the POA&M must close within 180 days.
So when you look at your gap list, the smart question isn't "how many gaps do I have?" It's "which of these are blockers?" Six missing 1-point policies is a paperwork sprint. One missing 5-point control is a project.
How to Actually Submit Your Score
Once you've calculated an honest score:
- Get a PIEE (Procurement Integrated Enterprise Environment) account at piee.eb.mil and add the SPRS role.
- Enter your score, the date of your assessment, your system's scope (which CAGE codes it covers), and the date you expect to reach 110.
- Keep your SSP and your worksheet — the score has to be traceable to real evidence.
And be honest about the number. Submitting an inflated SPRS score isn't a shortcut; it's False Claims Act exposure. The Department of Justice runs a Civil Cyber-Fraud Initiative for exactly this, and most of these cases start with an employee whistleblower — someone inside the company who knows the score was made up. A true 53 is a plan. A false 110 is a liability.
What Counts as a Good Score?
- 110 is the only score that's fully safe long-term.
- 88 or above, with only 1-point items open, is the floor for conditional certification.
- Anything below 88 means you have blocker work to do before an assessment is worth scheduling.
- Any honest number beats any dishonest one. Every time.
Get Your Estimated Score in About 20 Minutes
If you want to know where you actually stand, we built a free tool at fortlinecyber.com/assess. It asks plain-English questions (no acronyms you have to look up), gives you an estimated SPRS score, splits your gaps into certification-blockers vs. POA&M-eligible items, and generates free document drafts to get you started. No signup required to start.
FAQ
What is a passing SPRS score? There's no official "pass," but 110 is full implementation, and 88 is the minimum for conditional CMMC Level 2 certification — and only if every open item is a 1-point control.
Can my SPRS score be negative? Yes. The lowest possible score is -203. A negative score just means most controls aren't implemented yet.
Does the SSP affect my score? It has no point value, but without an SSP the assessment can't be conducted at all. It's a prerequisite, not a line item.
How often do I update my score? Scores are valid for three years, but you should update whenever your implementation meaningfully changes — and never let it say something that's no longer true.
Fortline Cyber does readiness work only — we prepare you for assessment, we don't certify anyone. Certification is performed by an independent C3PAO; assessing our own work would be a conflict of interest.