
Your SPRS Score: How DoD's NIST 800-171 Self-Assessment Actually Works

Before CMMC verifies anything, most DoD contractors already owe a NIST 800-171 self-assessment score posted in SPRS — and on covered contracts, a current score is a condition of award. Here's how the number is built and why it matters.

Brandon Hancock, J.D., CMMC-RP · Published June 8, 2026 · Updated June 8, 2026 · 6 min read

If you handle Controlled Unclassified Information on a Department of Defense contract, you have probably heard you need a "SPRS score" — and you may not be sure what it is, how it's calculated, or why a contracting officer keeps asking for it. The short version: the Supplier Performance Risk System (SPRS) is the DoD database where contractors post the results of their NIST SP 800-171 self-assessment, and under the DFARS, a current score is a precondition to winning covered work. It predates CMMC, runs alongside it, and is not going away.

The Two Clauses Behind the Score

Two DFARS clauses create the obligation, and they work as a pair:

  • DFARS 252.204-7019 tells offerors that to be eligible for award on a covered contract, they must have a current NIST SP 800-171 DoD Assessment — generally one performed within the last three years — posted in SPRS. No current score, no award.
  • DFARS 252.204-7020 sets out the NIST SP 800-171 DoD Assessment Requirements themselves: it requires contractors to provide the Government access for higher-level assessments, to keep the score current, and to flow the requirement down to subcontractors who will handle CUI.

Together they convert "implement NIST 800-171" (the substance, from DFARS 252.204-7012) into "prove it with a posted, current score" (the gate, from 7019/7020).

How the Number Is Calculated

The DoD Assessment Methodology produces a single score on a scale that tops out at 110 and can fall as low as -203. You start by assuming a perfect score of 110 — one point for each of the 110 requirements in NIST SP 800-171 Revision 2, the version DoD contracts still run on through a standing class deviation. Then, for every control you have *not* fully implemented, you subtract its assigned weight: 5 points for the controls with the greatest security impact, 3 points for moderate ones, and 1 point for the rest. Because the high-impact controls carry the heaviest penalty, a handful of gaps can pull the number well below zero.

A few practical consequences fall out of the math:

  • A negative score is normal for companies early in their journey — it simply reflects unimplemented high-weight controls, not failure.
  • Not every gap is equal. Closing a single 5-point control moves your score as much as closing five 1-point controls. Prioritize by weight.
  • A POA&M doesn't erase the deduction. Controls on a Plan of Action and Milestones still count against the score until they are actually implemented; the methodology gives credit for *done*, not *planned*.
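To make the arithmetic above concrete, here is a small Python scoring model. It is an added illustration, not code from the original post or from DoD, and it implements only the rule stated here: start at 110, subtract the weight (5, 3 or 1) of every control that is not fully implemented, with POA&M items still deducted. The control IDs `C001` through `C110`, their weights, and their statuses in `sample_assessment()` are constructed for illustration and do not reproduce the official DoD weight table.

```python
"""SPRS score model for the NIST SP 800-171 DoD Assessment Methodology rule
described above. Sample data is constructed; weights are not the official table."""

from dataclasses import dataclass
from enum import Enum

PERFECT_SCORE = 110          # one point per NIST SP 800-171 Rev 2 requirement
REQUIRED_CONTROLS = 110      # a Rev 2 assessment covers all 110 requirements
VALID_WEIGHTS = (5, 3, 1)    # high, moderate, and low security-impact weights


class Status(Enum):
    IMPLEMENTED = "implemented"
    POAM = "poam"                      # on a POA&M: planned, so still deducted
    NOT_IMPLEMENTED = "not_implemented"


@dataclass(frozen=True)
class Control:
    control_id: str   # sample ids below are constructed (e.g. "C001")
    weight: int       # 5, 3 or 1
    status: Status

    def __post_init__(self):
        if self.weight not in VALID_WEIGHTS:
            raise ValueError(
                f"{self.control_id}: weight must be 5, 3 or 1, got {self.weight}")


def validate_assessment(controls):
    """Reject duplicate ids and assessments that do not cover all 110 controls."""
    ids = [c.control_id for c in controls]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate control ids in assessment")
    if len(ids) != REQUIRED_CONTROLS:
        raise ValueError(
            f"a Rev 2 assessment covers {REQUIRED_CONTROLS} requirements, got {len(ids)}")


def open_gaps(controls):
    """Every control that is not fully implemented, POA&M items included."""
    return [c for c in controls if c.status is not Status.IMPLEMENTED]


def sprs_score(controls):
    """Start at 110 and subtract each open gap's weight; may go negative."""
    validate_assessment(controls)
    return PERFECT_SCORE - sum(c.weight for c in open_gaps(controls))


def remediation_order(controls):
    """Open gaps sorted heaviest first, then by id, for prioritising by weight."""
    return sorted(open_gaps(controls), key=lambda c: (-c.weight, c.control_id))


def score_after_closing(controls, control_ids):
    """What-if: the score once the named gaps are actually implemented."""
    closed = set(control_ids)
    updated = [
        Control(c.control_id, c.weight, Status.IMPLEMENTED)
        if c.control_id in closed else c
        for c in controls
    ]
    return sprs_score(updated)


def sample_assessment():
    """Constructed 110-control assessment for illustration only.
    Weights: C001-C040 = 5, C041-C055 = 3, C056-C110 = 1 (an assumption).
    Gaps: C001-C010 on a POA&M; C011-C030, C041-C050, C056-C070 not implemented."""
    controls = []
    for n in range(1, REQUIRED_CONTROLS + 1):
        weight = 5 if n <= 40 else 3 if n <= 55 else 1
        if n <= 10:
            status = Status.POAM
        elif 11 <= n <= 30 or 41 <= n <= 50 or 56 <= n <= 70:
            status = Status.NOT_IMPLEMENTED
        else:
            status = Status.IMPLEMENTED
        controls.append(Control(f"C{n:03d}", weight, status))
    return controls


if __name__ == "__main__":
    assessment = sample_assessment()
    print("SPRS score:", sprs_score(assessment))          # -85 for the sample
    print("Open gaps:", len(open_gaps(assessment)))
    for c in remediation_order(assessment)[:5]:
        print(f"  {c.control_id}  weight={c.weight}  {c.status.value}")
    print("After closing the POA&M items:",
          score_after_closing(assessment, [f"C{n:03d}" for n in range(1, 11)]))
```

With the constructed data, thirty 5-point gaps, ten 3-point gaps and fifteen 1-point gaps deduct 195 points, so the sample scores -85 even though only 55 of 110 controls are open; the what-if function shows that implementing the ten POA&M items (all 5-point) lifts it to -35, while closing one 5-point gap and closing five 1-point gaps each add the same 5 points.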

Three Assessment Levels

DFARS 252.204-7020 recognizes three assessment levels, distinguished by who performs them and how much confidence they carry:

  • Basic — a contractor self-assessment using the DoD methodology. This is what most companies post in SPRS, and it is what 7019 requires for eligibility.
  • Medium and High — assessments conducted by the Government (the Defense Contract Management Agency's DIBCAC), involving document review and, at the High level, an on-site or thorough examination. These carry more weight and are used for higher-risk programs.

The Basic self-assessment is honest self-reporting — but it is reported *to the Government*, which means an inflated score is not just an internal problem.

Why Accuracy Is Non-Negotiable

Your SPRS score is a representation to the Department of Defense. Posting a number you cannot support is exactly the kind of misstatement the DOJ's Civil Cyber-Fraud Initiative has pursued under the False Claims Act, where contractors have paid multimillion-dollar settlements for misrepresenting their cybersecurity posture. The discipline that protects you is the same discipline that improves the score: assess honestly against all 110 Rev 2 controls, document your evidence, fix the high-weight gaps first, and refresh the score as your environment changes. That work also positions you for CMMC, which verifies the very same controls.

Key Takeaways

  • SPRS is where DoD contractors post their NIST 800-171 self-assessment score, and under DFARS 252.204-7019 a current score (generally within three years) is a condition of award on covered contracts.
  • The score runs from 110 down to -203: start at 110 and subtract 5, 3, or 1 points per unimplemented control, weighted by security impact. POA&M items still count against you until implemented.
  • Basic = self-assessment; Medium/High = government (DIBCAC) assessment. Whichever applies, the score is a representation to DoD — accuracy carries real False Claims Act exposure.

See how SPRS fits the broader standards on Frameworks and the DoD rollout on the Defense industry page, review enforcement risk on Enforcement & Penalties, and confirm what applies to your contracts with Find My Requirements.


Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.
