Updated May 2026

SPRS Score: NIST 800-171 Scoring

The Supplier Performance Risk System (SPRS) score is a 110-point self-assessment of NIST SP 800-171 implementation status required by DFARS 252.204-7019. It interlocks with the CMMC 2.0 implementation timeline and continues to apply through and beyond the Phase 2 November 2026 deadline.

The 110-point scoring math

The NIST SP 800-171 DoD Assessment Methodology assigns a weight of 5, 3 or 1 to each of the 110 requirements. The score starts at 110 (every requirement fully implemented) and loses the full weight of each requirement that is not fully implemented. The weights total 313, so the floor is -203.

Weight   Deduction when not implemented   Example requirements (DAM v1.2.1 Annex A)
5        5 points                          3.5.3 MFA, 3.13.11 FIPS-validated cryptography, 3.3.1 audit logging
3        3 points                          3.1.5 least privilege, 3.11.1 risk assessment, 3.13.8 cryptography for CUI in transit
1        1 point                           3.5.7 password complexity, 3.1.10 session lock, 3.10.3 escort visitors

A requirement implemented on some assets or for some users is scored as unimplemented, with two exceptions the methodology names: 3.5.3 deducts 3 instead of 5 when MFA covers privileged and remote access but not general network access by non-privileged users, and 3.13.11 deducts 3 instead of 5 when CUI is encrypted but the cryptography is not FIPS-validated. 3.12.4 (the system security plan itself) carries no weight: without an SSP the assessment cannot be performed and no score is produced.

Reference: NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 (June 2020), published on the DoD CIO CMMC documentation page; Annex A lists the weight of every requirement.

What does 110 mean

110 is the maximum SPRS score and means every NIST SP 800-171 requirement was fully implemented on the date of the self-assessment. It does not attest to ongoing compliance, does not confer CMMC status, and does not substitute for the C3PAO assessment that Phase 2 requires from November 2026 for contracts that call for Level 2 certification.

DFARS 252.204-7019 itself sets no minimum score; it requires a current assessment (not more than three years old) to be posted in SPRS before award, and 252.204-7020 flows the same requirement down to subcontractors that handle CUI regardless of the prime's score. The minimum that matters comes from the CMMC rule: a Level 2 self-assessment earns Conditional status only with a score of at least 88 (0.8 x 110) and a POA&M that is closed within 180 days, and Final status only at 110. A contracting officer who finds no current score in SPRS, or a Conditional status that has lapsed, cannot award.

Common SPRS scoring errors

Partial implementation scored as implemented

A requirement implemented on some in-scope assets or for some users, but not all of them, is scored as unimplemented and deducts its full weight; listing the remaining assets on a POA&M does not change the score. The only partial credit the methodology allows is 3 instead of 5 points for 3.5.3 and 3.13.11, in the specific cases it names.

Missing the POA&M caveat

A POA&M does not restore points: a requirement that is not fully implemented deducts its full weight whether or not a POA&M exists. What the POA&M does is make a deficient score usable. Under 32 CFR 170.21 a Level 2 self-assessment can hold Conditional status with open items only if the score is at least 88, every open item is a 1-point requirement (3.13.11 may also stay open at its 3-point partial score), none of 3.1.20, 3.1.22, 3.10.3, 3.10.4 or 3.10.5 is open, and the POA&M closes within 180 days. The POA&M is the bridge, not the score.

Miscounting MFA on privileged accounts

3.5.3 is a 5-point requirement covering MFA for local and network access to privileged accounts and for network access to non-privileged accounts. It deducts 5 points when MFA is absent, and 3 when MFA covers privileged and remote access but not general network access by non-privileged users. Scoring an absent deployment at 3 points, or leaving either gap on a POA&M (the CMMC rule permits only 1-point items there), are the two errors that cost contractors the 88-point threshold.

Inherited-control miscounting

Controls inherited from a cloud service provider (CSP) must be documented in the SSP together with the provider's customer responsibility matrix (CRM), which states which part of each requirement the CSP covers and which remains with the contractor. Marking a CSP-provided control as fully implemented without that inheritance documentation, or without the FedRAMP Moderate (or equivalent) authorisation that DFARS 252.204-7012 requires for a cloud service that stores or processes CUI, is a common audit finding.

Stale score

DFARS 252.204-7019 requires a current assessment, meaning one not more than three years old, and CMMC adds an annual affirmation of continued compliance by a senior official. Refresh the score whenever an in-scope system or CUI flow materially changes (new system, new enclave, new CUI flow) and in any case at least annually. A contracting officer who finds no current score in SPRS during solicitation review cannot award until one is posted.

Confusion with the CMMC level score

SPRS records two different things: the 110-point NIST SP 800-171 score entered by the contractor, and the CMMC status (Level 1, 2 or 3, Conditional or Final), which is entered in SPRS for self-assessments and arrives from the CMMC instantiation of eMASS for C3PAO and DIBCAC assessments. The two are related but not interchangeable; a Level 2 contractor needs both on record during the transition to Phase 2.
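
The following Python is an added example, not from this page and not a DoD or SPRS tool. It encodes the scoring rules from the 110-point section above together with the checks behind the errors listed here: partial rollouts score as unimplemented, the two named partial-credit cases, the POA&M limits of 32 CFR 170.21 for Level 2 Conditional status, the 180-day closure clock, and the currency and annual-affirmation clocks. The seven weights are a constructed subset of DAM v1.2.1 Annex A (the real table has 110 rows), and the sample assessment, POA&M and dates are constructed; the status vocabulary and function names are the example's own.

```python
"""SPRS score calculator with the pre-submission checks a Level 2 self-assessor needs."""
from datetime import date, timedelta

MAX_SCORE = 110
MIN_SCORE = -203          # 110 minus the 313-point total of all 110 weights
CONDITIONAL_MIN = 88      # 0.8 x 110: minimum for CMMC Level 2 Conditional status
POAM_CLOSURE_DAYS = 180   # Conditional status lapses if the POA&M is still open
CURRENCY_DAYS = 3 * 365   # DFARS 252.204-7019 "current": not more than three years old

# Constructed sample of DAM v1.2.1 Annex A weights. The real table has 110 rows;
# load it from the annex rather than hand-typing it.
WEIGHTS = {
    "3.1.5": 3,     # least privilege
    "3.1.10": 1,    # session lock
    "3.3.1": 5,     # audit logging
    "3.5.3": 5,     # MFA for privileged access and network access
    "3.5.7": 1,     # password complexity
    "3.13.8": 3,    # cryptography for CUI in transit
    "3.13.11": 5,   # FIPS-validated cryptography
}
# Requirements that may never be left open on a Level 2 POA&M (32 CFR 170.21).
POAM_NEVER = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

# Status vocabulary for the assessment dict (example's own names).
IMPLEMENTED = "implemented"
PARTIAL = "partial"                            # on some assets or users only
NOT_IMPLEMENTED = "not_implemented"
MFA_PRIV_REMOTE_ONLY = "mfa_priv_remote_only"  # 3.5.3: privileged and remote covered, general users not
ENCRYPTED_NOT_FIPS = "encrypted_not_fips"      # 3.13.11: encrypted, but modules not FIPS-validated


def deduction(req, status, weights=WEIGHTS):
    """Points lost on one requirement under DAM v1.2.1."""
    if status == IMPLEMENTED:
        return 0
    # The only two partial-credit cases the methodology names.
    if req == "3.5.3" and status == MFA_PRIV_REMOTE_ONLY:
        return 3
    if req == "3.13.11" and status == ENCRYPTED_NOT_FIPS:
        return 3
    # Everything else that is not fully implemented, partial rollouts included,
    # costs the full weight whether or not a POA&M exists.
    return weights[req]


def sprs_score(assessment, weights=WEIGHTS):
    """assessment maps requirement id -> status for every requirement in weights."""
    missing = sorted(set(weights) - set(assessment))
    if missing:
        raise ValueError(f"no status recorded for {missing}")
    score = MAX_SCORE - sum(deduction(req, status, weights) for req, status in assessment.items())
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def poam_findings(assessment, poam, weights=WEIGHTS):
    """Reasons a proposed POA&M fails the Level 2 Conditional-status rules.

    poam is the set of requirement ids to be left open. An empty result means acceptable.
    """
    problems = []
    score = sprs_score(assessment, weights)
    if score < CONDITIONAL_MIN:
        problems.append(f"score {score} is below the {CONDITIONAL_MIN} conditional minimum")
    for req in sorted(poam):
        status = assessment[req]
        lost = deduction(req, status, weights)
        if req in POAM_NEVER:
            problems.append(f"{req} may never be deferred on a POA&M")
        elif lost > 1 and not (req == "3.13.11" and status == ENCRYPTED_NOT_FIPS):
            problems.append(f"{req} costs {lost} points; only 1-point gaps may be deferred")
    # A gap that is neither fixed nor on the POA&M has no path to closure.
    open_reqs = {req for req, status in assessment.items() if status != IMPLEMENTED}
    for req in sorted(open_reqs - set(poam)):
        problems.append(f"{req} is not implemented and not on the POA&M")
    return problems


def poam_deadline(conditional_date):
    """Last day the POA&M may stay open before Conditional status lapses."""
    return conditional_date + timedelta(days=POAM_CLOSURE_DAYS)


def currency_findings(assessment_date, today, last_affirmation=None):
    """Why a posted score is stale: DFARS 7019 currency and the CMMC annual affirmation."""
    problems = []
    if today - assessment_date > timedelta(days=CURRENCY_DAYS):
        problems.append("assessment is more than three years old: not current under DFARS 252.204-7019")
    if today - (last_affirmation or assessment_date) > timedelta(days=365):
        problems.append("annual CMMC affirmation is overdue")
    return problems


# Constructed sample: MFA covers privileged and remote users only, TLS uses
# non-validated modules, and session lock is deployed on laptops but not servers.
SAMPLE = {
    "3.1.5": IMPLEMENTED, "3.1.10": PARTIAL, "3.3.1": IMPLEMENTED,
    "3.5.3": MFA_PRIV_REMOTE_ONLY, "3.5.7": IMPLEMENTED,
    "3.13.8": IMPLEMENTED, "3.13.11": ENCRYPTED_NOT_FIPS,
}
SAMPLE_POAM = {"3.1.10", "3.5.3", "3.13.11"}

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE))  # 103: 1 + 3 + 3 points lost
    for line in poam_findings(SAMPLE, SAMPLE_POAM):
        print("POA&M:", line)
    print("POA&M must close by", poam_deadline(date(2026, 5, 11)))
    for line in currency_findings(date(2023, 1, 1), date(2026, 5, 11)):
        print("currency:", line)
```

Run against the sample, the score is 103 and the only POA&M finding is 3.5.3: a 3-point MFA gap cannot be deferred, so the contractor has to finish the MFA rollout before claiming Conditional status, while the 1-point session-lock gap and the 3-point non-FIPS encryption gap may stay open. Swapping in the full Annex A table is the only change needed to use the same functions on a real SSP.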

SPRS and the Phase 2 timeline

  • Phase 1 (from 10 November 2025) requires a Level 1 or Level 2 self-assessment, as the solicitation specifies, for new DoD contracts. The results are recorded in SPRS, alongside the NIST SP 800-171 score DFARS 252.204-7019 already requires.
  • Phase 2 (10 November 2026) adds Level 2 C3PAO certification where the solicitation calls for it. SPRS continues to hold Level 1 and Level 2 self-assessment results and serves as the interim record for Level 2 contractors awaiting their C3PAO assessment.
  • Phase 3 (November 2027) applies the certification requirements to option periods on existing contracts and adds Level 3 (DIBCAC) assessment requirements.
  • Phase 4 (November 2028) applies CMMC requirements to all applicable DoD solicitations and contracts.

Frequently asked questions

What is an SPRS score?
The Supplier Performance Risk System (SPRS) score is the result of a NIST SP 800-171 Basic (self-) assessment. The DoD scoring methodology starts at 110 (all 110 security requirements fully implemented) and deducts a weight of 5, 3 or 1 for each requirement that is not fully implemented. Negative scores are possible; the floor is exactly -203, reached when every requirement is unimplemented (the weights total 313). A contract carrying DFARS 252.204-7019 requires the contractor to have a current score, not more than three years old, on file in SPRS before award.
What is a good SPRS score?
110 is the only fully compliant score (every requirement implemented). Anything less indicates open gaps. DFARS 252.204-7019 sets no threshold of its own, but the CMMC Level 2 self-assessment does: at least 88 (0.8 x 110) with a compliant Plan of Action and Milestones (POA&M) for Conditional status, and 110 for Final status; below 88 there is no Conditional status to be had. As Phase 2 of CMMC 2.0 lands in November 2026, the C3PAO assessment supersedes self-assessed SPRS scores for Level 2 contractors whose contracts require certification, but the score continues to drive interim eligibility.
How is the SPRS score calculated?
The DoD Assessment Methodology assigns each of the 110 NIST SP 800-171 requirements a weight: high-impact requirements deduct 5 points each, medium-impact 3 points each, and low-impact 1 point each, whenever the requirement is not fully implemented. Multi-factor authentication (3.5.3), FIPS-validated cryptography (3.13.11) and audit logging (3.3.1) are examples of 5-point requirements; 3.5.3 and 3.13.11 are also the only two with a named partial-credit case, deducting 3 instead of 5. The sum of deductions is subtracted from 110. Without an SSP (3.12.4) no assessment can be performed and no score is produced.
What are common SPRS scoring errors?
Five patterns recur: scoring a requirement as implemented when only some assets are covered (a partial rollout scores as unimplemented, POA&M or no POA&M); treating a POA&M as if it restored points (it does not; under the CMMC rule it only keeps a score of 88 or more usable, for 1-point gaps, for up to 180 days); miscounting 3.5.3 (5 points when MFA is missing, 3 only when privileged and remote access are covered but general users are not); claiming cloud-inherited controls without the provider's customer responsibility matrix in the SSP; and stale scores not refreshed when in-scope systems change.
Who submits the SPRS score?
An authorised contractor representative submits via SPRS at https://www.sprs.csd.disa.mil, reached through the Procurement Integrated Enterprise Environment (PIEE) with the SPRS Cyber Vendor User role. The submission records the assessment date, the score, the assessment scope (enterprise, enclave or contract) and the CAGE codes it covers, the SSP name and date, and the date by which a score of 110 will be reached. Contractors should refresh the score when any in-scope system materially changes and at least annually; DFARS 252.204-7019 treats a score older than three years as not current.

Updated 2026-05-11