What is your Supplier Performance Risk System (SPRS) score right now? Not the score you submitted. The score your environment would produce today, measured against the 110 requirements of NIST SP 800-171 Rev 2 with every unimplemented requirement deducted at its assigned weight. Most contractors know the score on file. Far fewer know the score that DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) would produce if it scheduled a Medium or High assessment next quarter.
The gap between those two numbers is not just an internal concern. Under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7020, DIBCAC has explicit authority to conduct Medium and High assessments that verify whether the score in SPRS reflects your actual posture. A score inflated by planned or aspirational controls rather than verified implementation is not a compliance position; submitted with a senior official’s affirmation attached, it is False Claims Act territory under 31 U.S.C. §3729. Department of Defense (DoD) contracting officers pull SPRS scores before award decisions. Industry guidance commonly cites 88 as a scrutiny threshold below which contracting officers may request additional justification before award. No DFARS clause sets a numerical award threshold; the figure comes from the CMMC rule, where 32 CFR §170.21 allows a Level 2 POA&M (and therefore conditional status) only when the score is at least 0.8 of the 110 total, which is 88.
The SPRS scoring methodology is deterministic: the score starts at 110 and each unimplemented requirement subtracts its assigned weight of 1, 3, or 5 points, so the floor is -203. For contractors preparing for a CMMC Level 2 assessment, the SPRS score is the quantitative foundation that Certified Third-Party Assessment Organization (C3PAO) assessors will validate. Understanding how the math works, which controls cost the most, and where the fastest legitimate gains sit turns SPRS improvement from a guessing exercise into a precision remediation campaign.
Calculate your SPRS score by assessing all 110 NIST SP 800-171 Rev 2 requirements and subtracting the weighted value (1, 3, or 5 points, taken from Annex A of the NIST SP 800-171 DoD Assessment Methodology) of each unimplemented requirement from 110. The 5-point tier spans most families and includes foundational items such as 3.1.1 and 3.1.2 (access authorization), 3.3.1 (audit logging), 3.4.1 (configuration baselines), 3.5.3 (MFA), and 3.13.11 (FIPS-validated cryptography). Enter the result in SPRS, which contractors reach through the Procurement Integrated Enterprise Environment (PIEE). For a CMMC Level 2 self-assessment, a senior company official must affirm under 32 CFR §170.22 that the score reflects actual implementation, not planned state. Inaccurate submissions carry False Claims Act liability under 31 U.S.C. §3729.
How the SPRS Score Calculation Works
The SPRS score calculation follows the NIST SP 800-171 DoD Assessment Methodology. The starting point is 110. Each requirement in NIST SP 800-171 Rev 2 carries an assigned point value of 1, 3, or 5, weighted by the security risk the requirement addresses. An unimplemented requirement reduces the score by its assigned weight. A fully implemented requirement contributes nothing because its value is already embedded in the starting 110. One requirement, 3.12.4 (the System Security Plan), carries no point value at all: without an SSP the methodology says the assessment cannot be completed, so there is no score to post.
The floor of -203 is not a theoretical boundary. Subtract every weighted point from every control across all 14 domains and the result is -203. Real organizations rarely approach that floor, but scores in negative territory are not uncommon among contractors who have deferred security investment for years. Those organizations face a structural remediation problem, not a documentation problem.
Point Weight Distribution Across the 14 Domains
Not every gap costs the same. The weighting scheme reflects the DoD’s view of which control failures create the greatest risk to Controlled Unclassified Information (CUI). Access control (3.1.x) has 22 requirements, several of which carry 5-point weights, and is the heaviest family in aggregate. Identification and authentication (3.5.x) contains 3.5.3 (multi-factor authentication), a 5-point requirement that assessors actively test. Configuration management (3.4.x) and audit and accountability (3.3.x) pair a few 5-point foundational requirements (3.4.1 and 3.4.2 for baselines and security settings, 3.3.1 for audit logging) with a larger number of 1-point supporting requirements. Every family mixes weights, so look up each requirement in Annex A rather than assuming a family-level tier.
The practical implication: a contractor with ten unimplemented controls in access control loses more points than a contractor with ten unimplemented controls spread across lower-weighted domains. Where the gaps live matters as much as how many gaps exist.
The POA&M Relationship to Score
A Plan of Action and Milestones (POA&M) documents unimplemented controls along with target completion dates, responsible parties, and interim mitigations. POA&M items still reduce the SPRS score because the controls are not implemented. What a POA&M does is demonstrate to the DoD that the contractor has identified the gaps and is working toward resolution. Contracting officers view both the score and the existence of a POA&M. A low score without a POA&M signals ignorance or indifference. A low score with a credible POA&M signals awareness and a remediation commitment.
POA&M items have time limits. The DoD Assessment Methodology requires any score below 110 to be accompanied by the date on which the contractor expects all requirements to be implemented, and the CMMC rule (32 CFR §170.21) caps a Level 2 POA&M at 180 days from the assessment date and bars requirements worth more than 1 point from it, with 3.13.11 the single exception when encryption is in place but not yet FIPS-validated. A requirement that misses its date is an open material weakness, not a plan. The score reflects reality at the time of assessment; the POA&M reflects the plan to close the delta.
The audit fix. Conduct a control-by-control gap assessment against all 110 NIST SP 800-171 Rev 2 requirements before touching the SPRS portal. For each requirement, assign one of three statuses: fully implemented with documented evidence, partially implemented requiring remediation, or not implemented. Map each requirement that is not fully implemented to its point weight using Annex A of the NIST SP 800-171 DoD Assessment Methodology; partial implementation takes the full deduction except for 3.5.3 and 3.13.11. Sum the deductions. That number, subtracted from 110, is your actual score. Do not submit until the number reflects verified status, not planned.
SPRS Score Calculation: A Step-by-Step Walkthrough
Walking through the calculation mechanics removes ambiguity about what the score represents and how to move it. The process has four steps: assess each control, record its implementation status, apply the weighted deduction for every unimplemented control, and sum the results against the 110 baseline.
Step 1: Assess Against the 110 Controls
Use the NIST SP 800-171A assessment objectives as the evaluation guide. For each control, the assessment objectives specify what “implemented” means in testable, observable terms. “MFA is deployed” is not sufficient. The objectives for 3.5.3 ask whether privileged accounts have been identified and whether MFA is enforced for local and network access to those accounts and for network access to non-privileged accounts, on every in-scope system. Granularity at this level is what separates a score that holds up under DIBCAC verification from one that does not.
Assess against the in-scope environment: the systems that process, store, or transmit CUI. Controls implemented only on out-of-scope systems do not count toward the assessment. A contractor running a dedicated CUI enclave that has MFA deployed only on general corporate systems has not satisfied 3.5.3 for the assessed boundary.
Step 2: Apply Weighted Deductions
For most controls, apply the full point deduction when the control has a status of “not implemented” or “partially implemented.” The DoD Assessment Methodology v1.2.1 (June 24, 2020) treats most controls as binary: either the control meets the assessment objective for the entire assessed boundary or it does not.
Two exceptions allow partial credit. 3.5.3 (multi-factor authentication) rewards staged rollout: an organization that has deployed MFA for privileged accounts and remote access but not for general users takes a 3-point deduction rather than the full 5. 3.13.11 (FIPS-validated cryptography) works the same way: no encryption of CUI costs 5 points, while encryption that is in place but not FIPS-validated costs 3. The methodology recognizes that MFA is typically rolled out to higher-risk user populations first and that replacing a non-validated cryptographic module with a validated one is a smaller step than introducing encryption at all [DoD Assessment Methodology v1.2.1, §3.5.3, §3.13.11].
Outside these exceptions, the methodology rewards complete implementation only. An organization that has deployed an access control requirement (3.1.x) on 80 percent of in-scope systems takes the full point deduction because the requirement is not fully implemented across the assessed boundary. Progress on most controls is not partial credit.
Step 3: Sum Deductions and Calculate the Score
Add all weighted deductions for unimplemented controls. Subtract the total from 110. The result is the current SPRS score. Run this calculation against a snapshot of current state, not the target state after remediation. The number submitted to SPRS must reflect actual implementation on the date of the self-assessment, attested to by a senior company official under 32 CFR §170.22. The attestation carries legal weight under the False Claims Act.
The audit fix. Build a scoring worksheet in a spreadsheet with four columns: control number, control description, point weight, and implementation status. Populate the point weight column from the NIST SP 800-171 DoD Assessment Methodology. For every row marked “not implemented,” auto-sum the deduction column. Subtract the total from 110. Lock the worksheet with a date-stamp before submission. That worksheet is your contemporaneous evidence of how the score was calculated and should be retained for at least three years.
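The worksheet logic described above, together with the two staged-credit rules and the POA&M eligibility limits from 32 CFR §170.21 discussed under “The POA&M Relationship to Score,” written out as an added Python example. This is not code from the page’s author or from DoD. The weights on the sample rows are a constructed subset for illustration; the real values must come from Annex A of the methodology, and the names `parse_worksheet`, `sprs_score`, `remediation_order` and `poam_blockers` are this example’s own. It also enforces two details a spreadsheet quietly gets wrong: a missing SSP (3.12.4) makes the worksheet unassessable rather than merely costly, and the staged statuses are only meaningful on 3.5.3 and 3.13.11.

```python
"""SPRS score worksheet logic per the NIST SP 800-171 DoD Assessment Methodology v1.2.1.

Added example, not code from the page's author or from DoD. Weights are read
from the worksheet; SAMPLE_WORKSHEET is a constructed subset with illustrative
weights and must be replaced with the full 110-row table from Annex A.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

START_SCORE = 110
FLOOR_SCORE = -203
POAM_MIN_SCORE = 88  # 0.8 x 110: CMMC Level 2 conditional-status minimum, 32 CFR 170.21

# "partial" takes the full deduction, exactly like "not_implemented", except for
# the two staged statuses, which are only meaningful on 3.5.3 and 3.13.11.
STATUSES = {"implemented", "partial", "not_implemented",
            "mfa_privileged_remote_only", "crypto_not_fips"}
STAGED_DEDUCTION = {
    ("3.5.3", "mfa_privileged_remote_only"): 3,  # MFA on privileged/remote, not general users
    ("3.13.11", "crypto_not_fips"): 3,           # encryption in use but not FIPS-validated
}


@dataclass(frozen=True)
class ControlRow:
    control: str
    weight: int | None  # None only for 3.12.4, which has no point value
    status: str


def parse_worksheet(text: str) -> list[ControlRow]:
    """Read a control,weight,status CSV and validate each row."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        control, status = rec["control"].strip(), rec["status"].strip()
        raw = rec["weight"].strip().upper()
        weight = None if raw == "NA" else int(raw)
        if status not in STATUSES:
            raise ValueError(f"{control}: unknown status {status!r}")
        if (weight is None) != (control == "3.12.4") or weight not in (None, 1, 3, 5):
            raise ValueError(f"{control}: weight must be 1, 3 or 5 (NA only for 3.12.4)")
        if status in ("mfa_privileged_remote_only", "crypto_not_fips") \
                and (control, status) not in STAGED_DEDUCTION:
            raise ValueError(f"{control}: staged status only valid for 3.5.3 / 3.13.11")
        rows.append(ControlRow(control, weight, status))
    return rows


def deduction(row: ControlRow) -> int:
    """Points lost for one row under the methodology's scoring rules."""
    if row.status == "implemented":
        return 0
    if row.control == "3.12.4":
        # No system security plan: the methodology says the assessment cannot be completed.
        raise ValueError("3.12.4 (system security plan) not in place; worksheet is not assessable")
    return STAGED_DEDUCTION.get((row.control, row.status), row.weight)


def sprs_score(rows: list[ControlRow]) -> int:
    score = START_SCORE - sum(deduction(r) for r in rows)
    if not FLOOR_SCORE <= score <= START_SCORE:
        raise ValueError("score outside [-203, 110]; check the weight column")
    return score


def _numeric(control: str) -> tuple[int, ...]:
    return tuple(int(part) for part in control.split("."))


def remediation_order(rows: list[ControlRow]) -> list[tuple[str, int]]:
    """Open items sorted by points recoverable, highest first (the sequencing the text recommends)."""
    open_items = [(r.control, deduction(r)) for r in rows if deduction(r)]
    return sorted(open_items, key=lambda item: (-item[1], _numeric(item[0])))


def poam_blockers(rows: list[ControlRow]) -> list[str]:
    """Reasons the open items could not sit on a CMMC Level 2 POA&M (32 CFR 170.21)."""
    reasons = []
    score = sprs_score(rows)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below the {POAM_MIN_SCORE} minimum for conditional status")
    for control, lost in remediation_order(rows):
        # Only 1-point items may be deferred; 3.13.11 at its 3-point staged state is the one exception.
        if lost > 1 and not (control == "3.13.11" and lost == 3):
            reasons.append(f"{control} is open at {lost} points and cannot be placed on a POA&M")
    return reasons


# Constructed sample: nine of the 110 rows, weights illustrative (replace from Annex A).
SAMPLE_WORKSHEET = """control,weight,status
3.1.1,5,implemented
3.1.2,5,implemented
3.1.5,3,not_implemented
3.3.1,5,not_implemented
3.4.1,5,implemented
3.5.3,5,mfa_privileged_remote_only
3.5.7,1,partial
3.12.4,NA,implemented
3.13.11,5,crypto_not_fips
"""

if __name__ == "__main__":
    rows = parse_worksheet(SAMPLE_WORKSHEET)
    print("score:", sprs_score(rows))  # 95 on the sample rows
    for control, lost in remediation_order(rows):
        print(f"  fix {control:8s} recovers {lost} points")
    for reason in poam_blockers(rows):
        print("POA&M blocker:", reason)
```

On the sample rows the open 3.5.3 and 3.1.5 items block a POA&M even though the score clears 88; only the 1-point 3.5.7 gap and the non-FIPS 3.13.11 state could be deferred. Swap in the full Annex A table and the same functions give the real score, the remediation sequence by weight, and an early warning of which open items must be closed before a self-assessment that relies on conditional status.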
| Domain | Control Family | Requirements | Examples of 5-Point Requirements |
|---|---|---|---|
| Access Control | 3.1.x | 22 | 3.1.1 (authorized access), 3.1.2 (authorized transactions and functions), 3.1.12 (remote access sessions) |
| Identification & Authentication | 3.5.x | 11 | 3.5.1 (identify users), 3.5.2 (authenticate users), 3.5.3 (MFA, staged-credit exception) |
| Configuration Management | 3.4.x | 9 | 3.4.1 (baseline configurations), 3.4.2 (security configuration settings) |
| Audit & Accountability | 3.3.x | 9 | 3.3.1 (audit logging) |
| Incident Response | 3.6.x | 3 | 3.6.1 (incident-handling capability), 3.6.2 (tracking and reporting) |
| Risk Assessment | 3.11.x | 3 | 3.11.2 (vulnerability scanning) |
| System & Comm. Protection | 3.13.x | 16 | 3.13.1 (boundary protection), 3.13.11 (FIPS-validated cryptography, staged-credit exception) |
| Media Protection | 3.8.x | 9 | 3.8.3 (media sanitization) |
Requirement counts are per family. The per-requirement weights live in Annex A of the DoD Assessment Methodology v1.2.1, and every family in this table contains both 1-point and 5-point requirements, so weight must be looked up per requirement and never inferred from the family.
Submitting Your SPRS Score: The Submission Process
Score submission occurs in the Supplier Performance Risk System at sprs.csd.disa.mil, which contractors reach through the Procurement Integrated Enterprise Environment (PIEE). Government personnel authenticate with a Common Access Card; a vendor needs a PIEE account holding the SPRS Cyber Vendor User role, approved by the company’s PIEE administrator (an ECA certificate is an option for certificate-based login, not a prerequisite). The entry records the assessment date, the score, the assessment scope (enterprise, enclave, or contract), the CAGE codes covered, the name, version and date of the System Security Plan assessed, and, for any score below 110, the date by which all requirements will be implemented.
The Current-Assessment Requirement
DFARS 252.204-7019 requires an offeror to have a current NIST SP 800-171 DoD Assessment (not more than three years old) posted in SPRS before the government considers it for award. Industry reporting suggests that a February 1, 2026 DFARS class deviation may suppress -7019 for new prime contracts and route the assessment-of-record requirement through DFARS 252.204-7021 (CMMC Requirements). As of May 2026 both -7019 and -7020 remain in the codified DFARS at acquisition.gov, and the deviation memo has not been confirmed at acq.osd.mil or in the Federal Register. Treat both clauses as live for assessment-of-record obligations until the memo is published.
Regardless of clause, the substance is unchanged: the score must be posted in SPRS before the offer is submitted, not after award. A contractor without a valid score in SPRS at the time of offeror evaluation is noncompliant, regardless of the organization’s actual security posture. Contractors also need to confirm that the DFARS 252.204-7012 operational requirements — cyber incident reporting, media preservation, cloud equivalency — are met alongside the SPRS submission. The attestation of the submitted score carries legal weight under 32 CFR §170.22 and the False Claims Act.
DIBCAC Verification Authority Under DFARS 252.204-7020
DoD Medium and High assessments are executed by DIBCAC, DCMA’s cyber-assessment unit (not the Defense Counterintelligence and Security Agency, which handles industrial security clearances). The authorizing clause is DFARS 252.204-7020 as codified at acquisition.gov. Industry reports of a renumbering to DFARS 252.240-7997 under the February 1, 2026 class deviation are not supported by primary source as of May 2026: no -7997 clause appears in DFARS Part 252, and there is no 252.240 series (the 252.24x clauses run 241 through 243). Anchor citations to -7020 until an OSD memo confirms any renumbering. A DIBCAC assessment goes beyond the score on file: assessors review the System Security Plan, interview personnel, and test controls against the 800-171A assessment objectives, and the score they produce may not match the one the contractor submitted.
When a DIBCAC assessment produces a lower score than the one the contractor submitted, DoD posts the Medium or High result to SPRS itself; under -7020 the contractor has 14 business days to provide additional information or rebut the findings before the summary-level score is posted, and the DoD-conducted result then stands as the authoritative record. A material discrepancy between the submitted and verified scores invites scrutiny from both the contracting officer and, potentially, the DoD Inspector General. The False Claims Act does not require specific intent to defraud; reckless disregard of whether the affirmation was true is enough.
SPRS scores are not private. Contracting officers see them before award decisions. Program managers with DoD access see them during performance. A low score does not automatically disqualify a contractor, but a score that cannot be substantiated by documented evidence does. Build the evidence file before the submission, not after DIBCAC calls.
The audit fix. Confirm SPRS access before the submission deadline. A vendor user needs a PIEE account with the SPRS Cyber Vendor User role, which the company’s PIEE administrator must approve; start that request early rather than the week the offer is due. Assign one senior official as the designated affirming official under 32 CFR §170.22. That individual must review the scoring worksheet, confirm the assessment date, and execute the SPRS entry personally. Retain the submission confirmation, the scoring worksheet, and all underlying evidence in a compliance file. Update the record if implementation status changes materially before the next contract cycle.
Improving Your SPRS Score: A Targeted Remediation Strategy
Score improvement is a prioritization problem before it is a technical problem. The highest-weight unimplemented controls produce the largest score gains per remediation dollar. Identifying those controls, sequencing their implementation by weight and implementation effort, and capturing evidence as each control reaches full implementation status is the discipline that moves scores systematically.
Prioritize by Weight, Not by Domain
Addressing access control first because it is the first domain alphabetically is not a strategy. Address the controls with the highest point weights that have the most direct implementation path first. A 5-point control that requires a configuration change in Active Directory delivers five times the score improvement of a 1-point control that requires the same two hours of effort. Map the backlog against point weight before sequencing any remediation work.
High-weight quick wins typically cluster in identification and authentication. Multi-factor authentication (3.5.3) carries a 5-point weight and, for organizations already on Microsoft 365 or Google Workspace, is a configuration change rather than a product procurement. The staged-credit rule means deploying MFA for privileged and remote users first recovers 2 of the 5 points immediately; extending authenticator enrollment to every user of an in-scope CUI system recovers the remaining 3. Two stages, five points, reachable in days rather than quarters. Build to full implementation for the full 5-point benefit.
Documentation as Score Preservation
Controls implemented without documentation are controls that cannot be verified during a DIBCAC assessment. The score calculation reflects what the organization has actually implemented and can demonstrate. An organization that deployed endpoint detection across all CUI systems but has no configuration records, no deployment evidence, and no policy tying the deployment to the specific control requirement will find that control marked as unverified during an external review.
For each control moving from unimplemented to fully implemented status, capture three artifacts: the policy or procedure authorizing the control, the technical configuration or implementation record, and a test or verification record confirming the control operates as intended. That three-artifact model holds for almost every requirement in NIST SP 800-171 Rev 2. Organizations evaluating the transition timeline should understand the differences between NIST 800-171 Rev 2 vs Rev 3; DoD still assesses against Rev 2 (DFARS class deviation 2024-O0013 holds -7012 at Rev 2), but the revision will change which requirements apply to future assessments. Build the habit at the control level, not at the audit cycle level.
Using POA&M Items Strategically
A POA&M is not a way to defer compliance indefinitely. It is a documented commitment that carries weight with contracting officers precisely because it demonstrates the contractor has identified the gap and is managing it. A contractor with a score of 72 and a credible POA&M covering the remaining deductions, with realistic timelines and interim mitigations documented, presents a materially different risk profile than one with the same score and no POA&M on file.
Interim mitigations matter. For controls not yet fully implemented, document what the organization is doing to reduce risk in the meantime. A firewall rule, an enhanced monitoring configuration, an additional access review cycle: these do not count toward the score, but they demonstrate that the organization is not simply waiting for the deadline. DIBCAC assessors and contracting officers distinguish between contractors managing toward compliance and those ignoring it.
The audit fix. Build your score improvement plan as a prioritized control list sorted by point weight descending. For each unimplemented control weighted 3 or 5 points, complete three tasks: identify the specific technical or procedural action required to reach full implementation, assign a responsible owner, and set a target date no more than 90 days out (well inside the 180-day POA&M window of 32 CFR §170.21, which in any case will not accept these higher-weight items). Document this as the POA&M. Submit the updated score to SPRS within 30 days of each control reaching fully implemented status. Do not wait for a contract renewal cycle to refresh the number. Real-time accuracy is the protection against False Claims Act exposure.
Common SPRS Scoring Errors That Reduce Scores and Invite Scrutiny
Several scoring errors recur across contractor populations. Each one either artificially inflates the submitted score, producing False Claims Act exposure, or artificially deflates it, costing points the organization has actually earned. Both categories are worth eliminating before submission.
Counting Planned Controls as Implemented
The most consequential scoring error is marking controls as implemented when they are in progress or planned. “We are deploying MFA this quarter” does not satisfy 3.5.3. The control is not implemented until MFA is operational on all in-scope CUI systems and the implementation is documented. Submitting a score based on a roadmap rather than verified current state is the factual basis for a False Claims Act claim. Contractors that certified inflated compliance and received awards have paid civil settlements that are public record. The Act does not require specific intent to defraud: “knowingly” covers actual knowledge, deliberate ignorance, and reckless disregard of the truth (31 U.S.C. §3729(b)(1)).
Ignoring Scope Boundary Precision
Controls implemented only outside the CUI boundary do not count toward the SPRS score for the assessed environment. A contractor with strong security on its general corporate network but minimal controls on the isolated environment where CUI is actually processed has a score that reflects the CUI environment, not the corporate network. Misidentifying the assessment boundary produces a score that cannot survive a DIBCAC verification review.
The flip side also applies. Contractors who scope the CUI environment too broadly, including systems with no CUI contact, create an unnecessarily large assessment surface. Every in-scope system requires full control coverage. Tight scoping through an enclave architecture, supported by an accurate data flow diagram, is both a score protection strategy and a cost control measure.
Not Updating the Score After Remediation
An SPRS score filed 18 months ago on a contract that has since added systems, changed architectures, or completed remediation work is not a current score. It is a historical record that no longer reflects the assessed environment. A contracting officer checking SPRS before an award decision sees the submission date. A score two years old with no updates signals an organization not actively managing its compliance posture.
Update the SPRS record whenever material changes occur: new systems added to the CUI boundary, controls moved from not implemented to fully implemented status, and changes in personnel or system architecture that affect the assessment. A consistent record of updates, each with a new assessment date and an improving or stable score, tells a more credible story than a single submission that was never revisited.
The audit fix. Set a recurring calendar reminder every six months to review your SPRS submission for currency. Confirm that the in-scope system boundary still matches the data flow diagram. Confirm that any controls implemented since the last submission are reflected in an updated score. If any new systems have been added to the CUI environment, run a targeted gap assessment on those systems before updating the score. Document the review date and findings in your compliance file even in periods when no score update is required.
The SPRS score is a legal attestation, not an internal metric. Every contractor who submits a score is certifying under penalty of federal law that the number reflects verified, documented implementation of the specific controls that number implies. The False Claims Act exposure from an inaccurate submission is not theoretical: DoD has pursued it, and the settlements are public record. Build the score from verified evidence, document every control against its assessment objective, and treat each score update as a formal attestation event under 32 CFR §170.22. A score that accurately reflects your posture, even if below what contracting officers prefer, is a defensible position. A score that overstates your posture is a liability.
Frequently Asked Questions
What is the SPRS score calculation method for NIST SP 800-171?
This SPRS score calculation guide follows the NIST SP 800-171 DoD Assessment Methodology: scores begin at 110 and subtract a weighted point value for each unimplemented NIST SP 800-171 Rev 2 control. Point weights are 1, 3, or 5, assigned by the DoD Assessment Methodology based on control risk level. A score of 110 means all 110 controls are fully implemented. The floor is -203 if every control is unimplemented.
What score triggers DoD scrutiny on SPRS?
Industry guidance commonly cites 88 as the threshold below which contracting officers may ask for additional justification before award. No DFARS clause sets a numerical threshold. The figure comes from the CMMC rule: 32 CFR §170.21 permits a Level 2 POA&M, and therefore conditional status, only when the score is at least 0.8 of the 110 total, which is 88. Scores below 88 do not automatically disqualify a contractor, but they typically draw requests for additional justification and evidence of active remediation.
Does a POA&M item improve the SPRS score?
No. A Plan of Action and Milestones documents the gap and the remediation plan, but the control is not implemented until the implementation is complete. The unimplemented control still reduces the score by its full point weight. A POA&M demonstrates remediation intent to contracting officers but does not change the calculation.
How often do I need to update my SPRS score?
Best practice is to update the score whenever material changes occur: new systems entering the CUI boundary, controls reaching full implementation status, or significant architecture changes. DFARS 252.204-7019 requires the assessment on record to be no more than three years old. Industry reporting suggests that a February 1, 2026 DFARS class deviation may route the requirement for new prime contracts through DFARS 252.204-7021 instead, but as of May 2026 that memo has not been confirmed by primary source, so treat the three-year currency requirement as live. Waiting between updates while the environment changes creates a gap between the submitted score and the verifiable posture.
Can DIBCAC override my self-assessed SPRS score?
Yes. DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts Medium and High assessments under DFARS 252.204-7020, and DoD posts the results in SPRS; the contractor has 14 business days to rebut the findings before the summary-level score is posted. Industry reporting of a renumbering to DFARS 252.240-7997 under the February 1, 2026 class deviation is not supported by primary source as of May 2026; anchor citations to -7020 pending OSD memo publication. A DoD-conducted score takes precedence over a self-assessed score, and a lower DIBCAC result becomes the record contracting officers see.
What is the False Claims Act exposure for an inaccurate SPRS score?
Submitting an SPRS score that materially overstates implementation status exposes the contractor to False Claims Act liability under 31 U.S.C. §3729. The affirmation by a senior official under 32 CFR §170.22 certifies that the score reflects actual implementation. A knowingly false affirmation that induced a contract award exposes the contractor to treble damages plus a per-claim civil penalty, and separately to suspension or debarment. Specific intent to defraud is not required; deliberate ignorance or reckless disregard of the truth satisfies the statute’s knowledge standard.
Does partial implementation earn partial SPRS score credit?
For most controls, no. The DoD Assessment Methodology v1.2.1 applies the full point deduction for any control that is not fully implemented across the assessed boundary. Two exceptions: 3.5.3 (MFA) deducts 3 points rather than 5 when MFA is in place for privileged and remote users but not yet for general users, and 3.13.11 (FIPS-validated cryptography) deducts 3 rather than 5 when CUI is encrypted but the cryptographic module is not FIPS-validated. Outside these two controls, full implementation means the control meets the NIST SP 800-171A assessment objectives for the entire assessed boundary [DoD Assessment Methodology v1.2.1, §3.5.3, §3.13.11].
Which NIST SP 800-171 domains carry the highest SPRS point weights?
Access control (3.1.x) carries the most aggregate scoring weight, combining 22 requirements with several 5-point items. Identification and authentication (3.5.x) is smaller but holds 5-point requirements for identifying and authenticating users (3.5.1, 3.5.2) and for MFA (3.5.3). System and communications protection (3.13.x) contains 16 requirements with weights ranging from 1 to 5. Audit and accountability (3.3.x) and incident response (3.6.x) each carry 5-point items despite small requirement counts, and every family also includes 1-point requirements.
Subscribe to The Authority Brief for next week’s analysis.