October 30, 2025
Travis Good

What is an SPRS Score? Everything You Need to Know

Learn about Supplier Performance Risk System (SPRS) scores, including how to calculate and improve yours.

If you work with the U.S. Department of Defense (DoD) and handle Controlled Unclassified Information (CUI), your SPRS score could be the difference between winning and losing defense contracts.

The Supplier Performance Risk System (SPRS) is a procurement risk measure for the DoD. It measures your organization’s cybersecurity posture and how well you’ve implemented controls found in NIST SP 800-171. Here’s everything you need to know about SPRS and why it matters for defense contractors.

What is an SPRS Score?

The Supplier Performance Risk System (SPRS) score measures your compliance with the cybersecurity controls found in NIST SP 800-171. An SPRS score is a numerical grade ranging from -203 to 110, and it gives the DoD a way to measure the risk a contractor poses to its supply chain when handling sensitive government information.

The DoD can use a contractor’s SPRS score to get an instant, at-a-glance report card on that contractor’s security posture. This requirement is mandated under specific defense regulations, known as DFARS (Defense Federal Acquisition Regulation Supplement) clauses 252.204-7019 and 252.204-7020. If you want to work with the DoD, you need to perform a self-assessment and report your score. The requirement was put in place to ensure

Why SPRS Matters for DoD Contractors

The SPRS score is a key checkpoint in DoD procurement. The DoD uses the score to gauge a supplier's cybersecurity maturity: a higher score signals a lower risk, making you a more attractive partner. Without an SPRS score, your proposal may not even be read by the people awarding the contract.

If you’re a prime contractor, an SPRS score is essential and will also play a key role in Cybersecurity Maturity Model Certification (CMMC) requirements. Beginning November 10, 2025, DoD will phase CMMC requirements into contracts and contractors will need a current NIST SP 800-171 self-assessment posted in SPRS for award eligibility.

For sub-contractors, SPRS and CMMC requirements will also flow down to you. DFARS 7020 mandates that primes must ensure all sub-contractors meet DFARS/NIST 800-171 requirements (as CMMC phases in). So you’ll also need to be compliant and have an up-to-date SPRS score to be eligible to work with DoD prime contractors.

How the SPRS Score Is Calculated

The calculation for an SPRS score follows a specific methodology that can feel a bit counterintuitive at first. You start with a perfect score of 110 points. Then, for every unmet requirement, you lose points. There are three tiers of point deductions: -5 for significant risks, -3 for requirements with specific impacts, and -1 point for requirements with limited or indirect effects.

SPRS scores range from -203 to a perfect 110. A perfect score of 110 shows full compliance. First-time assessments can often result in negative scores due to unmet controls, but you can improve your score over time.

Contractors are also required to have a System Security Plan (SSP) and Plan of Action & Milestones (POA&M) fixing any gaps in your controls. This SSP details how your company meets (or plans to meet) every single one of the 110 controls. If you don't have an SSP, you can’t go through the SPRS assessment.

What’s a Good SPRS Score?

A perfect 110 is the end-state for NIST SP 800-171. For CMMC Level 2, DoD requires at least 88/110 to obtain Conditional status (with eligible POA&Ms), and you must close POA&Ms to reach Final status. Initial SPRS scores vary widely; there’s no official “normal” starting range.

How to Submit Your SPRS Score

1. Conduct Your Self-Assessment

Before you can get a score, you have to do the work. This involves going through each of the 110 controls in NIST SP 800-171 and determining whether each one is "implemented" or "not implemented." This assessment should be thorough and honest, as it forms the basis of your score.

2. Gather the Required Information

Once your assessment is complete and you've calculated your score, you'll need to gather a few key pieces of information for the submission itself:

  • Your final calculated score.
  • The date the self-assessment was completed.
  • A Plan of Action & Milestones (POA&M) completion date (the date by which you expect to have all controls implemented).
  • Your company's CAGE code.

3. Log into the PIEE Portal

The score is submitted through the DoD's Procurement Integrated Enterprise Environment (PIEE). You'll need to have an account with the correct roles (SPRS Cyber Vendor User) to access the SPRS application within PIEE.

4. Enter and Certify Your Score

Submit your score in the SPRS NIST 800-171 module and attest to its accuracy. This is a formal attestation, and submitting false information can have serious consequences under the False Claims Act.

5. Keep Your Score Updated

Your SPRS score isn't a one-and-done submission. An assessment is valid for three years, but it's a best practice to update it at least annually or whenever you make significant improvements to your security program. A new, higher score shows progress and commitment.

How to Improve Your SPRS Score

Prioritize High-Value Controls

Start with the controls that carry the highest point deductions (-5 and -3). Fixing a single -5 point control has the same impact on your score as fixing five -1 point controls. This is the fastest way to make meaningful progress.

Maintain Your Documentation

Your SSP is the rulebook for your security program. It's a living document that must detail how each of the 110 controls is met. Keeping it updated is a fundamental part of compliance.

As you implement new controls and close out items on your POA&M, be sure to update your self-assessment and submit a new, higher score to SPRS. This provides the DoD with an up-to-date view of your progress.

Engage External Expertise

Many organizations lack internal experience with NIST SP 800-171 and self-assessments. This is where a compliance partner like Workstreet can accelerate your progress. An outside expert brings a fresh perspective and proven methodologies to help you identify and close security gaps efficiently.

Workstreet can help your organization with expert-led implementation of CMMC, FedRAMP, NIST 800-171, and NIST 800-53 frameworks. Get certified faster with our automated-first services and dedicated public sector compliance specialists.

Travis Good

Architect of security and privacy programs for 1,000+ hypergrowth companies. Author of "Complete Cloud Compliance," HITRUST 3rd Party Council member, and recognized speaker on startup security.