How to Calculate Your SPRS Score (NIST SP 800-171)
Your SPRS score is one of the most consequential numbers in defense contracting. It sits in a government database where every DoW contracting officer can see it — and a low score can quietly cost you contract awards before you even know it's a factor. This guide explains exactly what the SPRS score is, how it's calculated, and what you need to do to report and improve yours.
What Is the SPRS Score?
SPRS stands for Supplier Performance Risk System. It is the US Department of War's centralized database for tracking defense contractor cybersecurity compliance. Every company that holds DoW contracts requiring NIST SP 800-171 compliance must self-report a score in SPRS.
The score range is -203 to +110:
- +110 = Full compliance with all 110 NIST SP 800-171 Rev 2 requirements
- 0 = Significant gaps across multiple domains
- Negative scores = Severe deficiencies; multiple high-value controls unimplemented
The Scoring Methodology: How Points Are Deducted
The scoring methodology comes from the DoW Assessment Methodology for NIST SP 800-171 (version 1.2.1). It assigns a specific point value to each of the 110 security requirements based on its criticality to cybersecurity.
Starting Point: 110
You start with a theoretical maximum of 110 — one point for every requirement. Every unimplemented requirement deducts a specific number of points from that starting value.
Point Values by Category
The DoW assessment methodology uses three point values:
| Point Value | Category | Examples |
|---|---|---|
| −5 points | High-value requirements | Multi-factor authentication (IA.3.083), system activity auditing (AU.2.041), incident response (IR.2.092) |
| −3 points | Moderate-value requirements | Access control reviews (AC.2.006), configuration management (CM.2.061), security training (AT.2.056) |
| −1 point | Basic requirements | Portable device rules (MA.2.112), physical protection basics (PE.1.131), personnel policies (PS.2.127) |
Partial Implementation: Can You Get Partial Credit?
Yes — but the bar is high. The DoW methodology allows partial credit for requirements where implementation is in progress but not yet complete. To claim partial credit, you must have a Plan of Action & Milestones (POA&M) documenting:
- The specific gap or deficiency
- The planned remediation actions
- Estimated completion date
- Responsible personnel
Without a POA&M, a requirement is scored as "Not Met" — full point deduction. With a POA&M, you may receive partial credit at the assessor's discretion. For self-assessments, you must honestly apply this standard when reporting your score.
Step-by-Step: How to Calculate Your SPRS Score
Step 1: Obtain the Assessment Materials
You need two documents:
- NIST SP 800-171 Rev 2 — available free at nvlpubs.nist.gov
- DoW Assessment Methodology v1.2.1 — available at dodcio.defense.gov
The DoW methodology document contains an appendix with the exact point value for every requirement. This is your scoring table.
Step 2: Conduct the Self-Assessment
For each of the 110 requirements, determine one of three statuses:
- Met — the control is fully implemented and documented
- Implemented with POA&M — partially implemented; POA&M exists
- Not Met — control is not implemented; full point deduction applies
This process typically takes days to weeks for a thorough first assessment. Rushing it produces an inaccurate score — in both directions.
Step 3: Apply the Point Deductions
Start at 110. For each "Not Met" requirement, subtract the assigned point value. For each "Implemented with POA&M" requirement, subtract a portion of the point value (typically 50–75% of the full deduction for basic assessments). The result is your current SPRS score.
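Steps 2 and 3 as runnable Python (an added example, not code from the article or from the DoW methodology): it applies the point values the article lists for its nine example requirements, treats a POA&M-covered requirement as half the full deduction (an assumption taken from the low end of the 50–75% range above, rounded up so the score stays an integer), counts any requirement without a recorded status as Not Met, and labels the result with the posture bands from the score table later in this guide.

```python
import math

# Constructed excerpt of the scoring table: the point values the article lists
# for its nine example requirements (the full table is in the DoW methodology appendix).
POINT_VALUES = {
    "IA.3.083": 5, "AU.2.041": 5, "IR.2.092": 5,   # high-value
    "AC.2.006": 3, "CM.2.061": 3, "AT.2.056": 3,   # moderate-value
    "MA.2.112": 1, "PE.1.131": 1, "PS.2.127": 1,   # basic
}
MAX_SCORE = 110
STATUSES = {"Met", "Implemented with POA&M", "Not Met"}
# Posture bands from the article's score table: (lower bound, label).
BANDS = [(90, "Strong"), (70, "Manageable"), (40, "Elevated Risk")]

def sprs_score(statuses, point_values=POINT_VALUES, poam_fraction=0.5):
    """Start at 110; subtract each requirement's value unless it is Met.

    A requirement with no recorded status counts as Not Met (assumption: the
    conservative reading for a self-assessment). With a POA&M only poam_fraction
    of the value is deducted (0.5 assumed, the low end of the range cited above),
    rounded up so the score stays an integer. Returns (score, {id: deducted}).
    """
    score, deductions = MAX_SCORE, {}
    for req_id, value in point_values.items():
        status = statuses.get(req_id, "Not Met")
        if status not in STATUSES:
            raise ValueError(f"{req_id}: unknown status {status!r}")
        if status == "Met":
            continue
        deducted = value if status == "Not Met" else math.ceil(value * poam_fraction)
        deductions[req_id] = deducted
        score -= deducted
    return score, deductions

def posture(score):
    """Label a score with the article's posture band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "Critical Risk"

# Constructed self-assessment covering the nine example requirements;
# sprs_score(SAMPLE) gives 98, which posture() labels "Strong".
SAMPLE = {
    "IA.3.083": "Implemented with POA&M",  # MFA rollout still in progress
    "AU.2.041": "Not Met", "IR.2.092": "Met",
    "AC.2.006": "Not Met", "CM.2.061": "Met", "AT.2.056": "Met",
    "MA.2.112": "Implemented with POA&M", "PE.1.131": "Met", "PS.2.127": "Met",
}
```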
Step 4: Document Everything
Your score must be backed by a System Security Plan (SSP) that documents how each requirement is addressed (or why it doesn't apply), and a Plan of Action & Milestones (POA&M) for every gap. If you're ever audited or subject to a C3PAO assessment, these documents are your evidence.
Step 5: Submit in the PIEE Portal
SPRS scores are self-reported at piee.eb.mil. You will need:
- A PIEE account (free to create; requires government-linked registration)
- Your company's CAGE code
- Your calculated score
- The date of assessment and assessment level (Basic, Medium, or High)
Most defense contractors file at the Basic assessment level — which is the self-assessment pathway. Medium and High assessments involve government assessment teams.
Step 6: Update Your Score as You Improve
There is no set schedule for updating your SPRS score beyond the annual re-assessment requirement for self-attestation. Best practice: update it whenever you implement a significant control or close out a POA&M item. A rising score tells contracting officers you're actively improving your posture.
What Does Your SPRS Score Mean?
| Score Range | Posture | Implication |
|---|---|---|
| 90–110 | Strong | Fully or near-fully compliant; competitive for critical DoW programs |
| 70–89 | Manageable | Good foundation; targeted remediation needed; acceptable for many contracts |
| 40–69 | Elevated Risk | Significant gaps; flag for contracting officers; remediation program required |
| Below 40 | Critical Risk | Major deficiencies; likely to affect contract eligibility; immediate action required |
5 Common SPRS Score Mistakes
1. Scoring Requirements You Haven't Actually Implemented
The most dangerous mistake. "We plan to implement MFA" or "we have a policy that says we should do this" does not constitute implementation. MFA must be enabled. Audit logs must be configured. Controls must be operational.
2. Not Having Documentation to Support Your Score
Your SPRS score without an SSP is an assertion. Your score with a detailed SSP is a defensible record. C3PAOs and government auditors will ask for your SSP first. If it doesn't exist or doesn't match your reported score, you have a problem.
3. Forgetting to Update After Remediation
Many contractors file an initial score and never update it — even after closing POA&M items and implementing new controls. An outdated low score hurts you. Update PIEE every time you make meaningful progress.
4. Applying the Wrong Assessment Level
If your contract requires a Medium or High assessment (government-conducted), self-reporting a Basic level score does not satisfy the requirement. Check your contract clauses (DFARS 252.204-7019 and 252.204-7020) for the required assessment level.
5. Treating Scope Incorrectly
Your SPRS score applies to all systems that process, store, or transmit CUI — your "CUI enclave." Contractors sometimes inadvertently exclude systems from scope (reducing the apparent difficulty of compliance) or include systems that don't need to be in scope (inflating the control burden). Proper scoping is foundational.
How Dragonfli Group Can Help
Calculating your SPRS score accurately requires assessing all 110 NIST SP 800-171 requirements, applying the correct DoW methodology, documenting your SSP, and building POA&Ms for every gap. Most small-to-mid-size defense contractors don't have the internal expertise to do this correctly on the first try.
The Dragonfli Group CMMC Accelerator provides:
- Guided assessment across all 14 domains and 110 requirements
- Estimated SPRS score based on your responses
- Draft SSP and POA&M generated automatically
- Domain-by-domain gap analysis with remediation priorities
- Dragonfli-reviewed results from a CyberAB Registered Practitioner Organization
Know Your Score Before Your Contracting Officer Does
The free Pulse Check takes 10 minutes and gives you a readiness score across your 5 highest-risk CMMC domains.