If you're a defence contractor handling Controlled Unclassified Information, you have an SPRS score. You may have submitted it years ago. You may not remember what number you put in. You may have guessed.
That score is no longer a formality. Since November 2025, DoD contracting officers actively check SPRS scores before awarding contracts. If your score is missing, outdated, or inaccurate, you can lose work — or worse, face prosecution under the False Claims Act for misrepresenting your cybersecurity posture.
This article explains what the score means, how it's calculated, what "good" looks like, and what to do if yours is low.
What SPRS actually is
SPRS stands for Supplier Performance Risk System. It's a DoD platform that tracks contractor risk data, including cybersecurity compliance. The part that matters to you is the NIST SP 800-171 self-assessment score — a number between -203 and 110 that reflects how many of the 110 security controls you've fully implemented, weighted by their security impact.
The requirement to submit this score comes from DFARS clause 252.204-7019. If your contracts reference this clause (and most CUI-related contracts do), you must have a current score in SPRS before contract award.
How the score is calculated
The scoring is counterintuitive. You don't start at zero and earn points. You start at 110 — a perfect score — and lose points for every control you haven't fully implemented.
Each of the 110 NIST SP 800-171 controls is weighted at 1, 3, or 5 points based on security impact:
| Weight | Impact if not implemented | Examples |
|---|---|---|
| 5 points | Could lead to significant network exploitation or CUI theft | Multi-factor authentication, encryption of CUI, access enforcement |
| 3 points | Specific but limited security effect | Audit logging, session controls, configuration management |
| 1 point | Limited or indirect security impact | Policy documentation, role assignment |
If you haven't implemented any controls, you subtract all the weights from 110 and land at -203. That's the floor. In practice, most first-time assessments come in somewhere between -20 and 60.
No partial credit. A control is either fully implemented or it isn't. If you've done 80% of the work on multi-factor authentication but haven't finished rolling it out, you lose the full 5 points. This catches a lot of contractors off guard.
What the numbers mean
Here's how to read your score:
| Score range | What it means |
|---|---|
| 110 | All 110 controls fully implemented. This is the target for CMMC Level 2 certification. |
| 88–109 | Strong posture with minor gaps. An 88 is the minimum threshold for CMMC Level 2 "Conditional" certification — but only if all 5-point controls are met and POA&Ms address the rest within 180 days. |
| 50–87 | Significant gaps. You're missing controls that carry real security weight. A C3PAO assessment at this stage would not result in certification. |
| 0–49 | Major remediation needed. Many foundational controls are missing. You're likely exposed in areas like access control, audit logging, and encryption. |
| Below 0 | Critical. Most security controls are not implemented. This score signals systemic gaps across multiple control families. |
The 88 threshold — and why it matters
Under CMMC 2.0, a score of 88 is the minimum for conditional Level 2 certification. But there's a critical caveat that most summaries leave out:
All 5-point controls must be fully implemented. You cannot use a Plan of Action & Milestones (POA&M) for any 5-point control. POA&Ms are only permitted for 1-point and 3-point controls. If you're missing even one 5-point control, you fail the assessment regardless of your overall score.
This means a contractor with a score of 95 who hasn't implemented multi-factor authentication (a 5-point control) will not receive even conditional certification. The overall number is misleading without knowing which specific controls are missing.
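The scoring rule (start at 110, subtract the full weight of every control that is not fully implemented) and the 5-point caveat are easy to get wrong in a spreadsheet, so here is the calculation as an added Python example. It is not code from the article or from the DoD; the control names in the sample gap list are illustrative, and only the multi-factor authentication identifier (3.5.3) is a real NIST SP 800-171 control number. Because implemented controls cost nothing, the input is just the list of gaps.

```python
from dataclasses import dataclass, field

# Constants as described in the article (DoD NIST SP 800-171 Assessment Methodology).
PERFECT_SCORE = 110          # every control fully implemented
FLOOR_SCORE = -203           # every control unimplemented
ALLOWED_WEIGHTS = (1, 3, 5)
CONDITIONAL_THRESHOLD = 88   # minimum score for conditional CMMC Level 2


@dataclass(frozen=True)
class Gap:
    """A control that is NOT fully implemented. 80% done still counts as a gap."""
    name: str
    weight: int
    on_poam: bool = False    # True if the gap is tracked in a Plan of Action & Milestones


def sprs_score(gaps):
    """Start at 110 and subtract the full weight of every gap (no partial credit)."""
    for g in gaps:
        if g.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{g.name}: weight must be one of {ALLOWED_WEIGHTS}, got {g.weight}")
    score = PERFECT_SCORE - sum(g.weight for g in gaps)
    if score < FLOOR_SCORE:
        # More weight than the catalogue contains: the gap list has duplicates.
        raise ValueError("score below -203; check the gap list for duplicate controls")
    return score


@dataclass
class Eligibility:
    score: int
    eligible: bool
    reasons: list = field(default_factory=list)


def conditional_level2(gaps):
    """Apply the three conditions for conditional CMMC Level 2 described in the article:
    score >= 88, no 5-point control unmet, and every remaining gap tracked on a POA&M."""
    score = sprs_score(gaps)
    reasons = []
    if score < CONDITIONAL_THRESHOLD:
        reasons.append(f"score {score} is below the {CONDITIONAL_THRESHOLD} threshold")
    unmet_five = [g.name for g in gaps if g.weight == 5]
    if unmet_five:
        # A POA&M never covers a 5-point control, so these fail the assessment outright.
        reasons.append("5-point controls unmet: " + ", ".join(unmet_five))
    not_tracked = [g.name for g in gaps if g.weight != 5 and not g.on_poam]
    if not_tracked:
        reasons.append("1/3-point gaps with no POA&M entry: " + ", ".join(not_tracked))
    return Eligibility(score=score, eligible=not reasons, reasons=reasons)


# Constructed gap list reproducing the article's scenario: a 95 with MFA still missing.
SCORE_95_NO_MFA = [
    Gap("Multi-factor authentication (3.5.3)", 5),
    Gap("Session lock and termination (illustrative)", 3, on_poam=True),
    Gap("Configuration baseline (illustrative)", 3, on_poam=True),
    Gap("Access control policy document (illustrative)", 1, on_poam=True),
    Gap("Role assignment records (illustrative)", 1, on_poam=True),
    Gap("Awareness training records (illustrative)", 1, on_poam=True),
    Gap("Media handling procedure (illustrative)", 1, on_poam=True),
]

# The same contractor after finishing the MFA rollout: score 100, every gap on a POA&M.
MFA_FIXED = [g for g in SCORE_95_NO_MFA if g.weight != 5]


if __name__ == "__main__":
    for label, gaps in (("95, no MFA", SCORE_95_NO_MFA), ("MFA fixed", MFA_FIXED)):
        result = conditional_level2(gaps)
        print(f"{label}: score={result.score} eligible={result.eligible}")
        for reason in result.reasons:
            print("  -", reason)
```

Run stand-alone, the first scenario reports a score of 95 but is not eligible because 3.5.3 is unmet; the second reports 100 and is eligible. The `ValueError` on a weight outside 1/3/5 or on a score below -203 catches the two most common spreadsheet mistakes: a made-up weight and a control counted twice.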
Why your self-reported score might be wrong
When the DoD first required SPRS submissions in 2020, many contractors self-reported a score of 110 — claiming full compliance. When the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) started auditing these claims, they found that most perfect scores were inaccurate.
That discovery is what led to CMMC 2.0 and the shift to mandatory third-party assessments. The DoD no longer trusts self-reported scores alone.
Common reasons scores are wrong:
Template-based SSPs. Many contractors downloaded a System Security Plan template, filled in the blanks, and claimed compliance. But a template doesn't describe your actual environment — it describes a generic one. If your SSP doesn't match your real infrastructure, your score is based on fiction.
Partial implementations counted as complete. If you enabled MFA for admins but not all CUI users, that control is not met. No partial credit. Many contractors scored themselves as if "mostly done" counts.
Controls implemented but not documented. You might actually have the technical control in place — encrypted drives, audit logs enabled, access controls configured — but if it's not documented in your SSP with supporting evidence, an assessor will mark it as not met.
The environment changed. You scored yourself two years ago. Since then, you've migrated to a new cloud provider, added remote workers, or changed your email platform. Your score reflects an environment that no longer exists.
What to do if your score is low
Step 1: Get an honest assessment
Before you can fix anything, you need to know exactly where you stand. That means a proper gap assessment against all 110 NIST SP 800-171 controls — not a checklist exercise, but a technical evaluation of your actual environment.
The output should be a control-by-control breakdown: met, not met, and for each gap, what specifically needs to change.
Step 2: Fix the 5-point controls first
These are non-negotiable for CMMC Level 2. You cannot POA&M them. They include controls around multi-factor authentication, encryption of CUI at rest and in transit, access enforcement, and audit logging. If any of these are missing, no amount of documentation will get you past an assessment.
Step 3: Build a real SSP
Your System Security Plan is what the assessor follows like a map. It must describe your actual system boundary — which systems handle CUI, which don't, how data flows between them, and how each control is implemented in your specific environment.
A passing SSP is not a template with your company name swapped in. It's a technical document that an assessor can read, follow, and verify against your live systems.
Step 4: Create POA&Ms for the rest
For 1-point and 3-point controls you haven't fully implemented yet, document them in a Plan of Action & Milestones. Each POA&M entry should specify: what the gap is, what you're doing to close it, who is responsible, and when it will be complete.
If you achieve conditional certification with POA&Ms, you have exactly 180 days to close every single one. If any remain open after 180 days, your certification is revoked and you start the assessment process over — including paying for a new assessment.
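The POA&M rules in Steps 2 and 4 (every entry names the gap, the action, the owner and a completion date; no 5-point control may be deferred; everything closes within 180 days of conditional certification) can be checked mechanically. The following Python validator is an added example, not code from the article; the certification date, entries and control names are constructed for illustration, and the 180-day window is applied to the calendar date of conditional certification as an assumption about how the deadline is counted.

```python
from dataclasses import dataclass
from datetime import date, timedelta

POAM_CLOSURE_WINDOW = timedelta(days=180)   # every POA&M must close within 180 days
POAM_ALLOWED_WEIGHTS = (1, 3)               # 5-point controls may never sit on a POA&M


@dataclass(frozen=True)
class PoamEntry:
    control: str        # control name or NIST SP 800-171 identifier
    weight: int
    gap: str            # what is missing
    action: str         # what is being done to close it
    owner: str          # who is responsible
    due: date           # when it will be complete
    closed: bool = False


def closure_deadline(certified_on):
    """Last day by which every POA&M entry must be closed (assumed: 180 calendar days)."""
    return certified_on + POAM_CLOSURE_WINDOW


def validate_poam(entries, certified_on):
    """Return (control, problem) findings; an empty list means the POA&M is well-formed."""
    deadline = closure_deadline(certified_on)
    findings = []
    for e in entries:
        if e.weight not in POAM_ALLOWED_WEIGHTS:
            findings.append((e.control, f"{e.weight}-point control cannot be deferred to a POA&M"))
        for fld in ("gap", "action", "owner"):
            if not getattr(e, fld).strip():
                findings.append((e.control, f"missing required field: {fld}"))
        if e.due > deadline:
            findings.append((e.control, f"due {e.due.isoformat()} is after the deadline {deadline.isoformat()}"))
    return findings


def certification_revoked(entries, certified_on, today):
    """True once the 180-day window has passed with any entry still open."""
    if today <= closure_deadline(certified_on):
        return False
    return any(not e.closed for e in entries)


# Constructed sample: conditional certification granted on 2026-03-02, deadline 2026-08-29.
CERTIFIED_ON = date(2026, 3, 2)
SAMPLE_POAM = [
    PoamEntry("Session controls (illustrative)", 3, "No idle-session lock on CUI workstations",
              "Deploy screen-lock policy via endpoint management", "IT lead", date(2026, 6, 30)),
    PoamEntry("Configuration management (illustrative)", 3, "No approved baseline for servers",
              "Publish and enforce hardened baseline", "Infra lead", date(2026, 9, 15)),   # past deadline
    PoamEntry("Multi-factor authentication (3.5.3)", 5, "MFA not enforced for all CUI users",
              "Finish MFA rollout", "IT lead", date(2026, 5, 1)),                          # 5-point: not allowed
    PoamEntry("Policy documentation (illustrative)", 1, "Access control policy unsigned",
              "Obtain executive sign-off", "", date(2026, 4, 15)),                        # no owner
]


if __name__ == "__main__":
    for control, problem in validate_poam(SAMPLE_POAM, CERTIFIED_ON):
        print(f"{control}: {problem}")
    print("deadline:", closure_deadline(CERTIFIED_ON))
    print("revoked on 2026-09-01?", certification_revoked(SAMPLE_POAM, CERTIFIED_ON, date(2026, 9, 1)))
```

Run as-is, the validator flags the 5-point entry, the missing owner and the due date that falls after the deadline, and reports the certification as revoked once the window has passed with entries still open. Feeding it the live POA&M on a schedule is a cheap way to catch a drifting due date long before an assessor does.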
Step 5: Recalculate and resubmit
Once you've remediated controls, update your SSP, recalculate your score using the DoD Assessment Methodology, and submit the updated score to SPRS. Your score must be current — no older than three years, and ideally updated whenever your security posture changes.
Do not inflate your score. Submitting an inaccurate SPRS score is a violation of DFARS and can trigger False Claims Act liability. The penalties include contract suspension, debarment from future DoD work, and civil or criminal prosecution. If your score is 47, submit 47. An honest low score with a clear remediation plan is infinitely better than a fraudulent high score.
The timeline pressure
CMMC Phase 2 enforcement begins in November 2026. That's when third-party certification becomes mandatory for contracts involving CUI. If you're starting from a low score today, you need 6–12 months of remediation work before you'll be ready for an assessment.
The maths is straightforward: if you need to be assessment-ready by November 2026, you need to start remediation by Q1 2026 at the latest. If you haven't started yet, the window is closing.
The bottom line
Your SPRS score is not an administrative checkbox. It's a measure of whether you can protect the information the DoD trusts you with — and whether you're eligible to keep doing business with them.
If your score is below 88, you need a plan. If your score is above 88 but based on a template SSP or a two-year-old assessment, you need a reality check. And if you've never submitted a score at all, you need to act now.
The contractors who pass CMMC Level 2 will be the ones who treated the SPRS score as a starting point for real security work — not a number to game.