What Is an SPRS Score? The Supplier Performance Risk System Explained
What’s New (Updated CMMC & SPRS Enforcement)
This blog reflects current CMMC enforcement following the publication of the DFARS acquisition rule in September 2025. The rule took effect on November 10, 2025. As a result, DoD contracting officials now actively review SPRS self-assessment scores during contract evaluations. Executive attestation also faces increased scrutiny under CMMC 2.0. We updated references to SPRS to reflect its role in active contract-award decisions. SPRS no longer functions as an advisory or preparatory tool.
Understanding SPRS in Today’s Compliance Environment
If your company directly or indirectly serves the Department of Defense (DoD) and stores, handles, or processes Controlled Unclassified Information (CUI), specific cybersecurity requirements apply.
Specifically, you must complete a security self-assessment against the 110 controls identified in NIST Special Publication 800-171. You also must calculate your compliance score using the DoD’s Assessment Methodology and upload that score to the DoD’s Supplier Performance Risk System (SPRS).
The DoD has increased scrutiny by requiring contracting officers to consult SPRS self-assessment results during supplier risk assessments when evaluating contract bids.
This blog explains the essential aspects of the SPRS self-assessment score and how it impacts your business. It also outlines its role in supplier risk evaluation and the changes driven by active CMMC 2.0 enforcement.
The Supplier Performance Risk System for DoD Contractors
What is a SPRS Score?
A SPRS score is a numerical rating that reflects how well a defense contractor has implemented the 110 cybersecurity controls in NIST SP 800-171. The Department of Defense uses the SPRS score in supplier risk evaluations. Defense Industrial Base organizations rely on it as well. The score helps determine contractor risk profiles and eligibility for contracts involving CUI. The score directly measures a contractor’s implementation of the cybersecurity controls mandated under DFARS cybersecurity requirements.
The Necessity of an Accurate Score
Under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7019, defense contractors handling CUI must submit an accurate SPRS self-assessment score. CUI consists of sensitive information requiring safeguarding or dissemination controls under US federal laws, regulations, or policies. CUI is not classified but is deemed crucial for national security or federal agency functioning.
Contractors must calculate this score using the DoD Assessment Methodology, and the score must be no more than three years old. For this reason, SPRS accuracy is critical. DFARS clause 252.204-7020 authorizes the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to audit and validate submitted scores.
The Significance of the SPRS Self-Assessment Score
The SPRS score is a standardized measure of the security risk a contractor poses. The DoD and prime contractors consider SPRS scores when awarding contracts and forming bid teams, with higher scores providing a competitive advantage. Failure to maintain a current and accurate SPRS score can sideline companies from active and future contract awards. Inaccurate scores leave companies and their executives vulnerable to penalties, including False Claims Act exposure, if scores are misrepresented.
Calculating and Submitting Your SPRS Score
To calculate your SPRS score, conduct a self-assessment for compliance with NIST 800-171 using the DoD’s Assessment Methodology. The SPRS score ranges from a minimum of -203, for a complete failure to implement the controls, to a maximum of 110 points. Importantly, the SPRS score can be negative because of how the DoD calculates it. Each unmet NIST SP 800-171 control deducts points from a starting score of 110. High-risk controls deduct up to five points, while lower-impact controls deduct one point.
Your business should develop a System Security Plan (SSP) and Plans of Action and Milestones (POA&Ms) to meet DoD compliance requirements and indicate how you plan to address any controls that are unmet. In all cases, an accurate SPRS score should be submitted to the DoD’s Supplier Performance Risk System. It is essential to maintain an up-to-date and accurate SPRS score.
What Is a System Security Plan?
A system security plan is a formal document that describes how an organization implements and manages the security controls required by NIST SP 800-171. The SSP outlines the systems in scope, the controls in place, and any gaps that need to be addressed.
What Is a Plan of Action and Milestones?
A plan of action and milestones details the specific steps an organization will take to address any gaps or deficiencies identified during the NIST SP 800-171 assessment. The POA&M lists each unmet control, the actions required to remediate it, responsible parties, and target completion dates.
What Is a Good SPRS Score?
A “perfect” SPRS score is 110, indicating that your organization has implemented all NIST 800-171 controls. As a general rule, higher SPRS scores improve contract eligibility. Organizations closer to a score of 110 typically qualify for more opportunities. That doesn’t mean you must achieve a perfect score to be eligible. SPRS score thresholds vary depending on individual contract requirements, and the DoD and defense contractors consider many other criteria in addition to the SPRS score.
However, a higher SPRS score demonstrates a commitment to cybersecurity and compliance with federal standards, which can enhance your organization’s reputation and competitiveness. Organizations with scores above a certain threshold may find themselves at a competitive advantage when bidding for contracts because they can reassure potential partners and clients of their robust cybersecurity and lower supplier risk profile.
Improving and Maintaining Your Supplier Performance Risk Score
To strengthen your SPRS score, self-assess your organization against the 110 NIST 800-171 controls and identify any gaps in your security controls. This SPRS self-assessment helps you score your organization and understand its shortcomings. Next, create a System Security Plan (SSP) and POA&Ms to address those controls your company does not fully meet today. However, identifying gaps alone does not improve your score; instead, remediation of these gaps is necessary to improve your score and meet DoD compliance requirements.
It is crucial to address the POA&Ms before submitting your SPRS score, as it is mandatory to have an SSP, and remediation helps to improve your score. Remember that higher SPRS scores can make your organization more attractive for contract opportunities.
CMMC 2.0 and SPRS Scores
Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0), a cybersecurity certification framework developed by the DoD to better protect sensitive data throughout the Defense Industrial Base (DIB), requires many DIB contractors to obtain independent third-party assessments to verify compliance and the accuracy of SPRS scores. Therefore, accuracy matters because DFARS clause 252.204-7020 authorizes the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to conduct audits to verify and validate submitted scores.
Exostar® Can Help You Navigate DoD Compliance Requirements and Win DoD Contracts
Understanding and maintaining an accurate SPRS score is crucial for companies in the DoD supply chain that store, process, or handle CUI. Compliance with DFARS 252.204-7012, 7019, and 7020, along with CMMC 2.0, requires a strong focus on meeting the 110 NIST 800-171 controls and ensuring an up-to-date SPRS score. By improving your organization’s security and SPRS score, you can increase your chances of securing contracts and safeguarding your business’s future in the defense industry.
To streamline your compliance process, consider using Exostar’s CMMC Ready Suite™, which includes:
- Managed Microsoft 365™ is a cloud collaboration platform that fulfills the implementation of 85 of the 110 NIST 800-171 controls out of the box, accelerating the CMMC compliance journey.
- Certification Assistant™ guides you through the conduct of a SPRS self-assessment, calculates your SPRS score, and generates your SSP with just a click of a button. It also allows you to create POA&Ms for identified gaps.
- PolicyPro™ uses Machine Learning technology to evaluate and align your current policies against those required by the NIST 800-171 controls and the upcoming CMMC 2.0 requirements, or to create, review, and maintain compliant new policies from scratch.
By leveraging these powerful tools, you can jump-start your compliance efforts, improve your organization. Contact a defense industry compliance specialist to learn more about how Exostar streamlines compliance for the DIB.
If your organization is unsure whether its SPRS score accurately reflects current security practices under active CMMC enforcement, now is the time to reassess. Explore structured approaches that help defense contractors validate NIST SP 800-171 controls, improve SPRS accuracy, and prepare for Level 1 or Level 2 requirements.
What Should Happen Now
Given active enforcement, organizations should confirm that their SPRS score is current. The score must accurately reflect implemented NIST SP 800-171 controls and include supporting documentation. Review SSPs and POA&Ms to ensure alignment with reported scores, validate executive attestation accuracy, and determine whether contracts require self-assessment or third-party validation under DFARS 252.204-7021. Addressing SPRS accuracy now reduces risk during solicitation review and contract award.