The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

How to Improve SPRS Score: A Control-by-Control Plan for DoD Contractors

The Defense Compliance Report Editorial Team (independent CMMC and DIB compliance research)
Last reviewed: June 22, 2026

Independent educational research, not legal, contractual, or compliance advice. The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, SPRS, or any U.S. government agency.


To improve your SPRS score, you implement the NIST SP 800-171 requirements you haven’t met yet — there is no way to raise the number without raising your actual security. Your score starts at 110 and drops by 5, 3, or 1 point for every unmet requirement, down to a floor of −203. The fastest gains come from the 44 controls worth 5 points each — and those are also the ones you usually cannot defer to a Plan of Action and Milestones (POA&M). What changes the plan: your scope, your current SSP, and whether you need a formal CMMC status or just an updated NIST score.

That’s the whole answer in five sentences. The rest of this page is the part nobody gives you for free: exactly which controls to fix first, what you’re allowed to postpone, why the “controls you can’t defer” list that circulates across most compliance blogs is wrong at the source, and how to update the number without walking into a False Claims Act problem. We built it by reading the actual rule text — and one of the most-repeated “facts” about SPRS scoring turns out to be incorrect.


Who this page is for — and who it isn’t

| This page is for you if… | Look elsewhere first if… |
|---|---|
| You have a low, stale, or negative SPRS score and don't know what to fix first. | You’re still trying to figure out whether you even handle CUI. (Start with a scoping guide.) |
| A prime or contracting officer just asked for your current score or CMMC status. | You only want a plain “what is SPRS” definition. |
| You're preparing for a CMMC Level 2 self-assessment or a third-party assessment. | You're fully remediated and ready to hire an assessor today. |
| You're an executive who has to sign or affirm a score and want to know what you're representing. | You need legal advice on contract interpretation or False Claims Act exposure (talk to counsel). |

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

What we actually verified for this page: Every point value below was cross-checked against the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 (Annex A). The POA&M rules — including the exact list of controls you cannot defer — were read directly from 32 CFR 170.21 on the eCFR. The contractual timing was confirmed against the DFARS acquisition rule (effective November 10, 2025), the CMMC Program rule at 32 CFR Part 170 (effective December 16, 2024), and the class deviation memo (2026-O0025, February 1, 2026). The enforcement figures come from Department of Justice releases.

If your problem is X, your first move is Y

Use this before you scroll. It’s the whole decision in one screen.

| If your situation is… | Your defensible first move is… | Why |
|---|---|---|
| Low or negative score | Sort your NOT MET items by point value (5, then 3, then 1) and fix the 5-pointers first | The score subtracts weighted points; a single 5-point control is worth five 1-pointers |
| Stale score (older than ~3 years) | Re-assess against your current, in-scope SSP, then update the right SPRS record | SPRS stores the assessment date and scope; an old score tied to an old environment isn't credible |
| No current System Security Plan | Stop and finish the SSP before you trust any number | Without a current SSP the assessment cannot be completed at all |
| A prime asked for your score | Confirm whether they need a NIST assessment score, a CMMC status/UID, or a questionnaire answer | A legacy score and a CMMC status are related but not the same thing |
| Aiming for "88" to get conditional certification | Check POA&M eligibility before assuming 88 is enough | Conditional Level 2 needs ≥88 and the right items on the POA&M |
| Ready for a formal assessment | Keep readiness help and the assessor separate | A firm that remediates your environment generally can't also assess it |

SPRS Score Recovery Calculator


The full control tables below serve as your static reference. Work top-down: fix Tier 1 (5-point) controls first, then Tier 2 (3-point), then the 51 one-pointers. That sequence is the calculator.

The right CMMC provider isn’t the same for every contractor

The category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Use Find My CMMC Path to map your situation to the right category — not a named provider. No CUI required.


How is an SPRS score calculated, and why can it go negative?

Your SPRS score is the NIST SP 800-171 DoD Assessment summary score: it begins at 110 and subtracts a weighted value — 5, 3, or 1 point — for each of the 110 security requirements you haven’t fully implemented. There is no partial credit except for two controls. Because the weighted values add up to 313, the lowest possible score is −203, and the highest is 110. A negative number isn’t a moral failing. It means several high-weight basics aren’t in place yet.

SPRS is the Supplier Performance Risk System — the Department of Defense’s system of record where contractors post their cybersecurity assessment results. NIST SP 800-171 is the catalog of 110 security requirements, organized into 14 families, that protects Controlled Unclassified Information (CUI) on contractor systems. The scoring rubric is the NIST SP 800-171 DoD Assessment Methodology (Version 1.2.1).

The weights aren’t evenly distributed, and the −203 floor isn’t arbitrary. We tallied Annex A of the methodology line by line:

| Point weight | Number of requirements | Most points it can remove |
|---|---|---|
| 5 points | 44 (42 fixed, plus MFA and FIPS encryption, which can also drop to 3) | 220 |
| 3 points | 14 | 42 |
| 1 point | 51 | 51 |
| System Security Plan (3.12.4) | 1 (a gate, not a normal deduction) | If you have no SSP, the assessment cannot be completed |
| Total | 110 | 313 → 110 − 313 = −203 |

Most contractors never get near the floor, but plenty post their first honest self-assessment in the negatives — and that is normal, not disqualifying.

The two controls that allow partial credit

The methodology is all-or-nothing on 108 of the 110 requirements. Two controls are the exception, and they happen to be two of the most expensive:

| Control | If it’s missing entirely | The partial state | The point swing |
|---|---|---|---|
| 3.5.3 — Multifactor authentication (MFA) | MFA for nobody | MFA for remote and privileged users, but not general users | −5 vs. −3 |
| 3.13.11 — FIPS-validated cryptography | No encryption of CUI | Encryption is used, but it isn’t FIPS-validated | −5 vs. −3 |

“FIPS-validated” is a specific bar: the cryptographic module was tested and validated under FIPS 140 — not merely that you turned on encryption. Plenty of contractors assume “we encrypt our email and drives” satisfies 3.13.11. It usually doesn’t.


Which controls move your SPRS score the most?

The biggest, fastest score gains come from the 44 controls worth 5 points each — multifactor authentication, boundary protection, audit logging, configuration baselines, patching, and the like. Fix those before the 3-point and 1-point items, because one 5-point control is worth five of the smallest gaps. Below is every point-weighted control with a plain-English description, a typical fix, and whether you’re allowed to defer it.

One strategic point first: under the CMMC rules, almost none of these high-point controls can sit on a POA&M. The 5-point and 3-point controls are simultaneously your biggest score-gainers and the ones you can’t postpone. That’s not bad news — it’s clarity. It tells you exactly where the real work is.

Tier 1 — the 44 controls worth 5 points (fix first; you generally cannot defer these)

| Control | What it requires (plain English) | Typical fix | Deferrable? |
|---|---|---|---|
| 3.1.1 | Limit system access to authorized users, processes, and devices | Unique accounts, no shared logins | No |
| 3.1.2 | Limit users to the transactions and functions they're allowed | Role-based access control | No |
| 3.1.12 | Monitor and control remote access sessions | Logged, monitored VPN (or document that remote access isn't permitted) | No |
| 3.1.13 | Encrypt remote access sessions | Encrypted VPN/TLS | No |
| 3.1.16 | Authorize wireless access before allowing it | Wireless authorization policy + approved access points (or N/A) | No |
| 3.1.17 | Protect wireless with authentication and encryption | WPA2/WPA3-Enterprise (or N/A) | No |
| 3.1.18 | Control how mobile devices connect | Mobile device management / conditional access (or N/A) | No |
| 3.2.1 | Make staff aware of security risks and policies | Annual security awareness training | No |
| 3.2.2 | Train staff for their specific security duties | Role-based training with completion records | No |
| 3.3.1 | Create and keep audit logs | Centralized logging / SIEM capturing required events | No |
| 3.3.5 | Correlate audit records to investigate activity | Log correlation and alerting | No |
| 3.4.1 | Maintain configuration baselines and an asset inventory | Documented baselines + hardware/software inventory | No |
| 3.4.2 | Enforce secure configuration settings | Hardening to a benchmark (CIS / DISA STIG) | No |
| 3.4.5 | Control access around system changes | Change management with access controls | No |
| 3.4.6 | Provide only essential capabilities (least functionality) | Disable unneeded services and features | No |
| 3.4.7 | Restrict nonessential ports, protocols, and services | Firewall rules; close unused ports | No |
| 3.4.8 | Allow-list or deny-list software | Application allow-listing (or deny-by-exception) | No |
| 3.5.1 | Identify users, processes, and devices | Unique IDs for users and devices | No |
| 3.5.2 | Authenticate identities before granting access | Enforce authentication as a prerequisite | No |
| 3.5.3 ★ | Multifactor authentication | MFA for privileged and network access | No (−5, or −3 partial) |
| 3.5.10 | Store and transmit only protected passwords | Hash/encrypt credentials | No |
| 3.6.1 | Maintain an incident-handling capability | Documented incident response plan | No |
| 3.6.2 | Track, document, and report incidents | Incident tracking + reporting (incl. to DoD per 7012) | No |
| 3.7.2 | Control maintenance tools and personnel | Controlled maintenance procedures | No |
| 3.7.5 | Require MFA for remote (nonlocal) maintenance | MFA on remote maintenance sessions | No |
| 3.8.3 | Sanitize or destroy media before reuse/disposal | Media sanitization/destruction procedure | No |
| 3.8.7 | Control removable media | USB/removable-media policy + technical control | No |
| 3.9.2 | Protect systems during personnel changes | Prompt offboarding access revocation | No |
| 3.10.1 | Limit physical access | Locked facility, badge access | No |
| 3.10.2 | Protect and monitor the physical facility | Monitoring of physical infrastructure | No |
| 3.11.2 | Scan for vulnerabilities | Recurring vulnerability scanning | No |
| 3.12.1 | Periodically assess your security controls | A documented control-assessment process | No |
| 3.12.3 | Monitor controls on an ongoing basis | Continuous monitoring | No |
| 3.13.1 | Protect communications at the boundary | Firewalls at the perimeter and key internal boundaries | No |
| 3.13.2 | Use secure architecture and engineering | Documented secure-design principles | No |
| 3.13.5 | Separate public-facing components (DMZ) | A demilitarized zone for public systems | No |
| 3.13.6 | Deny network traffic by default | Default-deny firewall posture | No |
| 3.13.11 ★ | FIPS-validated cryptography for CUI | FIPS 140-validated modules | Special case (−5, or −3 if encrypted but not FIPS) |
| 3.13.15 | Protect the authenticity of sessions | TLS / session-authenticity controls | No |
| 3.14.1 | Identify, report, and fix flaws (patch) | Timely patch management | No |
| 3.14.2 | Protect against malicious code | Endpoint anti-malware at key points | No |
| 3.14.3 | Act on security alerts and advisories | A process to triage and respond | No |
| 3.14.4 | Keep malicious-code protection updated | Current AV/EDR signatures | No |
| 3.14.6 | Monitor inbound and outbound traffic | Network monitoring / intrusion detection | No |

Don’t take a 5-point hit you don’t owe. For 3.1.12, 3.1.13, 3.1.16, 3.1.17, and 3.1.18 — the remote-access, wireless, and mobile-device controls — the methodology says to subtract zero points if you genuinely don’t permit that capability, as long as you have a policy and configuration preventing it from being switched on by accident. If you don’t allow wireless, say so in the SSP and lock it down. Free points that a lot of contractors leave on the table.

Tier 2 — the 14 controls worth 3 points

| Control | What it requires (plain English) | Typical fix |
|---|---|---|
| 3.1.5 | Least privilege | Restrict privileged accounts and functions |
| 3.1.19 | Encrypt CUI on mobile devices | Mobile device encryption |
| 3.3.2 | Trace actions to individual users | Individual accountability in logs |
| 3.7.1 | Perform controlled maintenance | A maintenance program |
| 3.7.4 | Check diagnostic/test media for malware | Scan media before use |
| 3.8.1 | Protect media (paper and digital) | Physically secure media |
| 3.8.2 | Limit access to CUI on media | Restrict media access |
| 3.8.8 | Prohibit portable storage with no owner | Ban unidentified USB devices |
| 3.9.1 | Screen people before CUI access | Background screening |
| 3.11.1 | Periodically assess risk | A recurring risk assessment |
| 3.12.2 | Maintain plans of action | An ongoing remediation tracker |
| 3.13.8 | Encrypt CUI in transit | Encrypt transmission (carrier-provided MPLS can substitute, per the DoD methodology) |
| 3.14.5 | Run periodic and real-time scans | Scheduled + on-access scanning |
| 3.14.7 | Detect unauthorized system use | Monitoring for unauthorized use |

Everything else — once you set aside the SSP (3.12.4), which is a gate rather than a normal deduction — is a 1-point control, and there are 51 of them. They’re not worthless; they’re the difference between a good score and a perfect one. But if your score is negative or low, you start at the top of Tier 1 and work down. Chasing 1-pointers while a 5-point gap sits open is the single most common mistake we see in low-score remediation.


Can a POA&M improve your SPRS score? (And the six controls almost everyone gets wrong.)

A POA&M — a Plan of Action and Milestones — documents how and when you’ll fix a gap, but it does not make an unmet requirement “met,” and it does not raise your score on its own. Under the CMMC rules, a POA&M can only carry you to a Conditional Level 2 status, you must already score at least 88 out of 110, and only 1-point requirements are eligible — with one narrow exception. Six specific controls are barred from a POA&M entirely, and the list that circulates across most compliance blogs gets them wrong. We caught it by reading the regulation instead of repeating it.

The CMMC Final Rule introduced the Operational Plan of Action (OPA) as the artifact for tracking temporary deficiencies and vulnerabilities on an ongoing basis. Today, the word POA&M is used more specifically: it’s the list of NOT MET items produced by a CMMC assessment — the artifact that triggers a 180-day clock and a conditional status. If a page is using “POA&M” loosely to mean any remediation backlog, it’s working from pre-2025 language.

Here’s what the rule actually allows, taken from 32 CFR 170.21:

  • You must already be at 88. To earn Conditional Level 2, your assessment score divided by 110 must be 0.8 or higher — that’s a minimum of 88. A POA&M is for the last mile, not the marathon.
  • Only 1-point items qualify. No requirement worth more than 1 point can sit on the POA&M. The lone exception: 3.13.11 (CUI encryption) can be deferred only if you’re already encrypting CUI but haven’t moved to a FIPS-validated module yet — the 3-point condition.
  • Level 1 allows no POA&M at all. If you’re a Level 1 (FCI-only) contractor, every one of the 15 basic safeguards has to be met. Full stop.
  • The clock is 180 days. From your Conditional CMMC Status Date, you have 180 days to close every POA&M item and pass a closeout assessment, or the conditional status expires and you start over.

The correction worth bookmarking

Several widely shared guides — including some from CMMC-focused vendors — list the “controls you can’t put on a POA&M” as 3.12.1, 3.10.6, and 3.14.7. That list is wrong, and 3.10.6 is the tell. Here’s the precise breakdown:

  • 3.12.1 (worth 5 points) and 3.14.7 (worth 3 points) genuinely can’t be on a Level 2 POA&M — but only because they exceed 1 point, which the rule already covers. They aren’t on the special barred list at all.
  • 3.10.6 — “Enforce safeguarding measures for CUI at alternate work sites” — is a 1-point control, and it is not on the barred list. That means 3.10.6 is actually POA&M-eligible. Labeling it non-deferrable is simply incorrect.

We pulled the actual enumerated list from 32 CFR 170.21(a)(2)(iii). Here are the six controls the rule specifically names — every one a 1-point control that would otherwise be eligible:

| Control | Name in the rule |
|---|---|
| AC.L2-3.1.20 | External Connections (CUI Data) |
| AC.L2-3.1.22 | Control Public Information (CUI Data) |
| CA.L2-3.12.4 | System Security Plan |
| PE.L2-3.10.3 | Escort Visitors (CUI Data) |
| PE.L2-3.10.4 | Physical Access Logs (CUI Data) |
| PE.L2-3.10.5 | Manage Physical Access (CUI Data) |

Of the 51 one-point controls, 46 are POA&M-eligible — including 3.10.6. The five named above are not; the SSP at 3.12.4 is separately barred and is also a gate; and 3.13.11 is eligible only under its non-FIPS condition. The takeaway is blunt: the POA&M is a small safety net for low-value items. The points that hurt your score are the points you can’t postpone.
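The scoring rules from the “How is an SPRS score calculated” section and the POA&M tests from 32 CFR 170.21 above, worked through in code. This is an added example, not The Defense Compliance Report’s calculator or any DoD tool: the 5- and 3-point sets are copied from the Tier 1 and Tier 2 tables, every other requirement is treated as a 1-pointer, any control absent from the input counts as MET (so a real run must pass all 110 requirement IDs), N/A is accepted only for the five remote-access, wireless and mobile controls the page names, and the sample statuses are constructed, not taken from any real assessment.

```python
# SPRS summary-score calculator: Annex A weights plus the 32 CFR 170.21 POA&M tests.
# Added example, not The Defense Compliance Report's calculator or any DoD tool.
from typing import Dict, List, Tuple

MAX_SCORE = 110
CONDITIONAL_FLOOR = 88  # 0.8 x 110, the Conditional Level 2 threshold

# The 44 five-point requirements (Tier 1 on the page).
FIVE_POINT = {
    "3.1.1", "3.1.2", "3.1.12", "3.1.13", "3.1.16", "3.1.17", "3.1.18",
    "3.2.1", "3.2.2", "3.3.1", "3.3.5", "3.4.1", "3.4.2", "3.4.5", "3.4.6",
    "3.4.7", "3.4.8", "3.5.1", "3.5.2", "3.5.3", "3.5.10", "3.6.1", "3.6.2",
    "3.7.2", "3.7.5", "3.8.3", "3.8.7", "3.9.2", "3.10.1", "3.10.2", "3.11.2",
    "3.12.1", "3.12.3", "3.13.1", "3.13.2", "3.13.5", "3.13.6", "3.13.11",
    "3.13.15", "3.14.1", "3.14.2", "3.14.3", "3.14.4", "3.14.6",
}
# The 14 three-point requirements (Tier 2 on the page); everything else is 1 point.
THREE_POINT = {
    "3.1.5", "3.1.19", "3.3.2", "3.7.1", "3.7.4", "3.8.1", "3.8.2", "3.8.8",
    "3.9.1", "3.11.1", "3.12.2", "3.13.8", "3.14.5", "3.14.7",
}
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}  # the PARTIAL state costs 3 instead of 5
# Remote-access, wireless and mobile controls the page names as zero-deduction when
# the capability is not permitted and policy/configuration keep it switched off.
NA_ALLOWED = {"3.1.12", "3.1.13", "3.1.16", "3.1.17", "3.1.18"}
SSP_GATE = "3.12.4"  # no SSP: the assessment cannot be completed at all
# 32 CFR 170.21(a)(2)(iii): one-point controls barred from a Level 2 POA&M.
POAM_BARRED = {"3.1.20", "3.1.22", "3.12.4", "3.10.3", "3.10.4", "3.10.5"}


def weight(control: str) -> int:
    """Full point value of a requirement."""
    if control in FIVE_POINT:
        return 5
    return 3 if control in THREE_POINT else 1


def deduction(control: str, status: str) -> int:
    """Points subtracted for one requirement in state MET, NOT_MET, PARTIAL or NA."""
    if status == "MET" or (status == "NA" and control in NA_ALLOWED):
        return 0
    if status == "PARTIAL" and control in PARTIAL_CREDIT:
        return 3
    if status != "NOT_MET":
        raise ValueError(f"{control}: status {status!r} is not valid for this control")
    return weight(control)


def score(statuses: Dict[str, str]) -> int:
    """110 minus the weighted deductions; a missing SSP is a gate, not a deduction."""
    if statuses.get(SSP_GATE) == "NOT_MET":
        raise ValueError("No System Security Plan: assessment cannot be completed")
    return MAX_SCORE - sum(deduction(c, s) for c, s in statuses.items())


def prioritized_fixes(statuses: Dict[str, str]) -> List[Tuple[str, int]]:
    """Open gaps and the points each recovers: Tier 1, then Tier 2, then 1-pointers."""
    gaps = [(c, deduction(c, s)) for c, s in statuses.items() if deduction(c, s) > 0]
    # Sort by points descending, then by numeric requirement ID.
    return sorted(gaps, key=lambda g: (-g[1], [int(p) for p in g[0].split(".")]))


def is_deferrable(control: str, status: str) -> bool:
    """Only 1-point items off the barred list may sit on a Level 2 POA&M, plus 3.13.11
    when CUI is encrypted but not yet with a FIPS-validated module (its PARTIAL state)."""
    if control == "3.13.11" and status == "PARTIAL":
        return True
    return weight(control) == 1 and control not in POAM_BARRED


def conditional_level2(statuses: Dict[str, str]) -> Dict[str, object]:
    """Score, whether it clears 88, and which open gaps could ride on a POA&M."""
    s = score(statuses)
    gaps = [c for c, _ in prioritized_fixes(statuses)]
    must_fix = [c for c in gaps if not is_deferrable(c, statuses[c])]
    return {"score": s, "meets_88": s >= CONDITIONAL_FLOOR,
            "deferrable": [c for c in gaps if c not in must_fix], "must_fix": must_fix,
            # Both conditions must hold; Final Level 2 still needs every control met.
            "conditional_eligible": s >= CONDITIONAL_FLOOR and not must_fix}


# Constructed sample self-assessment (not a real contractor); unlisted controls are MET.
SAMPLE = {
    "3.1.1": "NOT_MET", "3.3.1": "NOT_MET",          # two 5-point basics open
    "3.5.3": "PARTIAL", "3.13.11": "PARTIAL",        # MFA and encryption partial
    "3.1.16": "NA", "3.1.17": "NA", "3.1.18": "NA",  # wireless/mobile not permitted
    "3.1.5": "NOT_MET",                              # one 3-point gap
    "3.1.20": "NOT_MET", "3.10.3": "NOT_MET", "3.10.6": "NOT_MET",  # 1-point gaps
    SSP_GATE: "MET",
}

if __name__ == "__main__":
    print(conditional_level2(SAMPLE))
    print("fix order:", prioritized_fixes(SAMPLE))
```

The sample scores exactly 88 yet is not Conditional-eligible, because two 5-pointers, two 3-point states and two barred 1-pointers sit among its gaps; only 3.13.11 (partial) and 3.10.6 could be deferred.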


The one hard truth: you can’t shortcut the number — and the contractors who tried are public record

A higher SPRS score is not always the right first goal. If your scope is wrong or your SSP is incomplete, raising the number doesn’t make you safer — it makes the representation harder to defend, and that exact fact pattern is what produced several of the most closely watched cybersecurity False Claims Act settlements on record.

The risk isn’t having a low number. The risk is posting a number your evidence can’t support. Three settlements — all public, all sourced to Department of Justice releases — show what that looks like. For the full enforcement picture, see our DOJ civil cyber fraud guide.

MORSECORP — $4.6 million (March 2025)

The Massachusetts defense contractor submitted a SPRS score of 104. A third-party gap analysis found the company had implemented only about 22% of NIST SP 800-171 controls and that its real score was −142. The company didn’t correct the score until three months after the government served a subpoena. The whistleblower — the company’s own head of security — received $851,000. The lesson: the gap between the posted number and the assessed number is the liability.

Georgia Tech Research Corporation — $875,000 (September 2025)

The government alleged that a campus reported a summary score of 98 built on a “fictitious” or “virtual” environment — a construct that “did not apply to any actual covered contracting system” that would process or store CUI. The score was high, the contracts were real, and the environment it described didn’t exist.

LOGZONE — $507,144 (2026)

The Alabama contractor resolved False Claims Act liability tied to cybersecurity violations. DCMA’s DIBCAC assessed the company’s NIST SP 800-171 implementation at −170. When a government assessor checks your self-score, “−170” is the kind of delta that turns a low number into a legal problem.

The Georgia Tech and LOGZONE matters resolved allegations; settlements included no determination of liability. None of these outcomes is typical — they’re enforcement actions cited as cautionary primary-source examples.

That’s exactly why the sequence we gave you starts with scope and the SSP — not with a remediation point. Get the boundary right, get the plan right, then improve the controls inside it. If you suspect your current scope or SSP doesn’t match your real environment, that’s the thing to fix before anything else. For the consequences side of this, see our deeper piece on what happens if you lie on your SPRS score.


Which SPRS, DFARS, or CMMC record are you actually trying to improve?

“SPRS score” can mean several different things in 2026: a NIST SP 800-171 self-assessment score, a government-led DIBCAC assessment result, or a CMMC status and annual affirmation — all recorded in SPRS but governed by different rules. The remediation work behind the number is the same; the contractual vehicle and who performs the assessment are not.

There are three records people call an “SPRS score”:

  1. The legacy NIST SP 800-171 self-assessment score. The number you calculate yourself and post in SPRS. Historically required by DFARS 252.204-7019 and 252.204-7020.
  2. A government Medium or High assessment. Performed by DCMA DIBCAC using NIST SP 800-171A, with results posted to SPRS. Higher confidence, not self-generated.
  3. A CMMC status and affirmation. Under the CMMC Program rule (32 CFR Part 170, effective December 16, 2024) and the DFARS clause 252.204-7021 (effective November 10, 2025), covered contracts now require a current CMMC status in SPRS plus an annual affirmation of continuous compliance by a designated “affirming official.”

The clause shuffle most pages missed (and why your solicitation is the source of truth)

On February 1, 2026, the Department issued class deviations under the Revolutionary FAR Overhaul (class deviation memo 2026-O0025). For solicitations that use the deviation path:

  • DFARS 252.204-7019 — the provision that required posting a Basic self-assessment score — drops out of the package for new prime contracts under the deviation.
  • DFARS 252.204-7020 is renumbered to DFARS 252.240-7997 and now describes only government-led Medium and High assessments.
  • FAR 52.204-21 (the Level 1 / FCI safeguards clause) is renumbered to FAR 52.240-93, with the same requirements.
  • No change to DFARS 252.204-7012 (safeguarding and 72-hour incident reporting), 252.204-7008, 252.204-7021, or 252.204-7025.

This is a class deviation, not codified rulemaking — Acquisition.gov and the eCFR still show the legacy 7019/7020 numbers, and older or non-deviation solicitations may still carry them. None of this eliminates CMMC Level 2 self-assessments, SPRS score posting, or affirmations.

| Record / concept | Where it lives | Who performs it | What to do |
|---|---|---|---|
| NIST SP 800-171 self-assessment score | SPRS (NIST module) | You (self-assessment) | Improve implementation, then update the summary record |
| Government Medium / High assessment | SPRS, after a DCMA DIBCAC review | Government assessors | Prepare evidence; you get a rebuttal window |
| CMMC Level 2 (Self) status | SPRS / CMMC record (CMMC UID) | Your organization | Self-assess, post, and affirm |
| CMMC Level 2 (C3PAO) status | eMASS → SPRS | An authorized C3PAO | Reach readiness first, then schedule the assessment |
| Annual affirmation | SPRS | Your affirming official | Make sure leadership understands the scope and evidence before affirming |

What’s a “good” SPRS score — and do you really need 110?

The only score that produces a Final CMMC Level 2 status is a perfect 110. A score of 88 (80% of 110) earns a Conditional Level 2 status if your remaining gaps are POA&M-eligible. There’s no universal “passing” number for the older self-assessment requirement — DoD and primes treat the score as a risk signal, and a higher score backed by an honest SSP wins work. Aim for 88 to be conditionally eligible, and 110 to be done.

Two numbers do real work here. 88 is the floor for Conditional Level 2 — and remember, 88 only helps you if every gap below it is a 1-point control you’re allowed to defer. 110 means all applicable requirements are met or properly marked not applicable for your assessed scope; it’s the only number that yields Final Level 2 and the cleanest position for executive sign-off, prime confidence, and assessment readiness.

The defensible move is to post the current score your evidence actually supports — and keep your “expected date to reach 110” accurate — rather than withholding or inflating the number until you hit a perfect mark. Transparency with a credible plan beats a number that won’t survive scrutiny.


How do you update or resubmit your SPRS score after you remediate?

SPRS stores your result; it doesn’t perform the assessment. After you’ve implemented controls and updated your SSP, recalculate your score using the DoD methodology, then enter the new self-assessment in SPRS through the PIEE portal using the “SPRS Cyber Vendor User” role. The risk isn’t raising the score, it’s raising it without the evidence to back it.

You reach SPRS through PIEE (the Procurement Integrated Enterprise Environment, at piee.eb.mil), and editing the NIST self-assessment record requires the SPRS Cyber Vendor User role for your organization. The record you post or update carries specific fields — the score, the assessment date, the scope, the included CAGE codes, your SSP name, version, and date, the POA&M completion date, and the confidence level. A mismatched SSP version or scope is exactly the kind of inconsistency that undermines an otherwise honest number.

One precision point on “currency”: the three-year rule applies to legacy NIST self-assessment records and to a Final Level 2 status. A Conditional status runs on a different clock — the 180-day POA&M closeout window — and your CMMC affirmation has to be renewed annually regardless.

Before you update SPRS, confirm:

  • the correct organization and CAGE hierarchy;
  • the correct SSP name, version, and date;
  • the correct scope and assessment date;
  • the new summary score;
  • the POA&M completion (or expected-110) date;
  • the correct confidence level;
  • that your evidence is retained internally; and
  • that the person signing or affirming actually understands what’s being represented.

Safety note: Do not submit CUI, drawings, export-controlled technical data, system diagrams, vulnerability details, or sensitive contract specifics. Improving a score never requires exposing the very data you’re trying to protect.


How long does it take — and how much does it cost — to improve an SPRS score?

It depends heavily on your starting maturity, your scope, how many high-point controls are open, your cloud architecture, and whether you need a full CMMC status or just a current NIST score. Documentation-only cleanup can move a negative score within weeks, while full NIST SP 800-171 implementation commonly runs many months to over a year. And the hard deadline: any POA&M item must be closed within 180 days of a Conditional status, or it expires.

The quick, cheap gains are usually documentation and policy controls plus an MFA rollout and disabling unused services. The long, expensive poles are architectural: boundary protection and a DMZ, FIPS-validated cryptography, centralized logging with real monitoring, and a defensible continuous-monitoring program. Sequencing by point-impact-versus-effort matters — you want every early dollar buying the most points and the most risk reduction. We keep a running breakdown on our CMMC Level 2 cost page.

| Your situation | The likely reality |
|---|---|
| Score is stale but your evidence is strong | Re-assessment and a SPRS update may be most of the work |
| SSP is missing or wrong | Scope and documentation become the first project |
| Score is low from genuine technical gaps | MSP/MSSP implementation will drive the timeline |
| CUI is spread across your whole company | A CUI enclave or scope-reduction strategy may be the highest-ROI first move |
| A Level 2 C3PAO assessment is required soon | Readiness and assessor scheduling have to be sequenced separately |

Which provider category actually helps you improve an SPRS score?

Most contractors with a low or stale score need readiness and implementation help before any formal assessment. A C3PAO is the right call only when your contract requires a Level 2 C3PAO assessment and you’re already assessment-ready — it is not the default first stop for remediation, and the firm that fixes your environment generally can’t also be the one that assesses it. Match the category to your actual gap, not to whoever markets hardest.

| Provider category | Use it when… | Don’t use it for… | What to verify before hiring |
|---|---|---|---|
| RPO / RP (Registered Provider Organization / Registered Practitioner) | You need scoping, the SSP, the POA&M, gap interpretation, and a readiness plan | Running every technical control day to day, unless they also offer managed services | Registered status, CUI experience, methodology |
| CMMC-focused MSP (Managed Service Provider) | You need controls implemented — identity, endpoint, network, tenant, backup, configuration | The formal C3PAO assessment | CUI-environment experience, shared-responsibility clarity, evidence output |
| MSSP (Managed Security Service Provider) | You need monitoring, logging, alerting, and incident-response support | Writing your entire SSP for you | Logging coverage, response commitments, exportable evidence |
| GRC platform | You need evidence management, SSP/POA&M workflows, and an audit trail | Actually implementing missing controls — software alone never satisfies CMMC | Control mapping, exportability, who owns the evidence |
| CUI enclave | You need to shrink or isolate where CUI lives | Erasing your remaining obligations | Boundary clarity, FedRAMP/FIPS posture, the customer responsibility matrix |
| C3PAO | You're ready for a formal Level 2 assessment | Remediation work before that same assessment (independence rules) | Cyber AB Marketplace status, independence, scope, timing, fees |

One independence rule is worth spelling out: under the CMMC Assessment Process (CAP) and ISO/IEC 17020 impartiality requirements that govern C3PAOs, a C3PAO that has consulted on or remediated your environment generally can’t turn around and assess it. Line up your readiness help and your assessor as two separate engagements. See our CMMC self-assessment vs. C3PAO guide for more on this distinction.

This routing logic is part of The CMMC Path Framework — our method for mapping your required level, FCI vs. CUI handling, assessment type, environment, and timeline to a provider category. It routes to a category, never a named provider, and it is not a score, a ranking, or compliance advice. When a provider claims a certification, a perfect-score track record, or market leadership, treat it as company-stated until you verify it yourself — check the Cyber AB Marketplace for regulated roles.


Is NIST SP 800-171 Revision 2 or Revision 3 used for SPRS and CMMC scoring?

For CMMC Level 2 under the active rule, the controlling baseline is NIST SP 800-171 Revision 2, with assessment procedures from NIST SP 800-171A (June 2018). NIST has since published Revision 3 and lists Revision 2 as superseded in its own publication stream — but that does not change what CMMC assesses. Don’t self-substitute Revision 3 for a CMMC score unless DoD amends the rule, the clause, or your specific contract requires it.

The CMMC Program rule at 32 CFR Part 170 still incorporates Revision 2 and NIST SP 800-171A (June 2018) for Level 2 — and DoD has used class deviations to keep contract requirements aligned to Revision 2 rather than forcing a jump to Revision 3. Even where a newer revision looks like it should apply, confirm the version your contract and any applicable deviation actually require before you re-score against it. NIST publication versions and DoD contractual baselines don’t always move in lockstep.


What should a small subcontractor do when a prime asks for its SPRS score?

First, clarify what the prime is actually asking for: a NIST assessment score, a CMMC status and UID, an annual affirmation, or a supplier-questionnaire answer. Then confirm the flow-down basis and whether you’ll process, store, or transmit FCI or CUI — before sharing anything sensitive. CMMC requirements flow down through the supply chain at every tier when a subcontractor handles FCI or CUI, but the specific ask varies.

Under 32 CFR Part 170, a CUI-handling subcontractor needs at least CMMC Level 2 (Self), and Level 2 (C3PAO) when the associated prime contract requires it. Before you respond, pin down: What clause or flow-down language is being invoked? Will you actually handle FCI or CUI on your systems? Is the prime asking for a score, a status, a UID, an affirmation, or a screenshot? Is this contractual or part of the prime’s own supplier risk management? Sharing a raw score with a prime who only needed a yes/no on CMMC status can create more questions than it answers. See our guide on what to do when a prime asks for your SPRS score and SSP.


Frequently asked questions about how to improve SPRS score

How do I improve my SPRS score quickly?

Fix real NOT MET NIST SP 800-171 requirements in priority order: confirm your scope, finish your SSP, then close 5-point gaps, resolve the MFA and FIPS-encryption partial-credit controls, handle 3-point gaps, and clean up 1-pointers. Recalculate and only then update SPRS. There is no way to raise the number without implementing controls.

Can a POA&M improve my SPRS score?

Not by itself. A POA&M documents planned remediation; it doesn't make a requirement met. For CMMC Conditional Level 2 you must already score at least 88, only 1-point items are eligible (plus the non-FIPS condition of control 3.13.11), six specific 1-point controls are barred, and everything must close within 180 days.

Is 88 a good SPRS score?

88 out of 110 is the 80% threshold for CMMC Conditional Level 2 — meaningful, but not a universal safe harbor. It only helps if your remaining gaps are POA&M-eligible 1-point controls. Only a perfect 110 yields Final Level 2 status.

Can my SPRS score be negative?

Yes. The range runs from −203 to 110, because each unmet requirement subtracts 1, 3, or 5 points from a starting 110 and the weights total 313. A negative score usually means several 5-point basics — like MFA, boundary protection, or audit logging — aren't implemented yet. In one Department of Justice case, a contractor that reported 104 actually scored −142.
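A small calculator, added here as an illustration and not part of the original article or of any DoD or SPRS tool, that encodes the scoring and POA&M rules stated in the two answers above: 110 start, 5/3/1 deductions across 44/14/51 controls (313 total, −203 floor), the 88 threshold, 1-point-only POA&M items plus the non-FIPS case of 3.13.11, a barred set, and 180-day closure. The 3-point partial-credit deduction for the MFA and non-FIPS cases is taken from the DoD Assessment Methodology rather than this page; the six barred controls are left as a placeholder to fill from 32 CFR 170.21; any control ids and weights you feed in are inputs to be checked against Annex A, not values this page vouches for.

```python
"""SPRS score and CMMC Conditional Level 2 eligibility, per the rules this page states."""
from dataclasses import dataclass

MAX_SCORE = 110
CONDITIONAL_THRESHOLD = 88          # 80% of 110
POAM_CLOSURE_DAYS = 180             # every POA&M item must close within this window
WEIGHT_COUNTS = {5: 44, 3: 14, 1: 51}  # Annex A: 44 five-point, 14 three-point, 51 one-point (313 total)
PARTIAL_CREDIT_DEDUCTION = 3        # assumption from the DoD methodology: MFA / non-FIPS cases lose 3, not 5
FIPS_CONTROL = "3.13.11"            # the non-FIPS condition of this control is POA&M-eligible
# Placeholder: the six barred 1-point controls are not listed on this page; fill from 32 CFR 170.21.
BARRED_ONE_POINT = frozenset()


@dataclass(frozen=True)
class Finding:
    control: str           # NIST SP 800-171 R2 requirement id, e.g. "3.13.11"
    weight: int            # Annex A weight: 5, 3 or 1 (verify each against Annex A)
    partial: bool = False  # partial-credit case: MFA scope gap, or encryption in use but not FIPS-validated


def score_floor() -> int:
    """Lowest possible score, reached when every weighted requirement is NOT MET."""
    return MAX_SCORE - sum(w * n for w, n in WEIGHT_COUNTS.items())


def deduction(f: Finding) -> int:
    if f.weight not in WEIGHT_COUNTS:
        raise ValueError(f"{f.control}: weight must be 1, 3 or 5, got {f.weight}")
    return PARTIAL_CREDIT_DEDUCTION if f.partial else f.weight


def sprs_score(findings: list[Finding]) -> int:
    """Start at 110 and subtract the deduction for each NOT MET or partial-credit requirement."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_eligible(f: Finding, barred: frozenset = BARRED_ONE_POINT) -> bool:
    """Only 1-point items may sit on a POA&M, except the non-FIPS case of 3.13.11."""
    if f.control == FIPS_CONTROL and f.partial:
        return True
    return f.weight == 1 and f.control not in barred


def conditional_level2(findings: list[Finding], barred: frozenset = BARRED_ONE_POINT) -> tuple[bool, list[str]]:
    """Eligible for Conditional Level 2 only if the score is at least 88 and every open
    item is POA&M-eligible; the caller still has to close those items within POAM_CLOSURE_DAYS."""
    reasons = []
    score = sprs_score(findings)
    if score < CONDITIONAL_THRESHOLD:
        reasons.append(f"score {score} is below {CONDITIONAL_THRESHOLD}")
    reasons += [f"{f.control} ({deduction(f)} pts) is not POA&M-eligible"
                for f in findings if not poam_eligible(f, barred)]
    return (not reasons, reasons)
```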

How do I update my SPRS score after remediation?

Complete a current assessment, update your SSP and evidence, recalculate the score, and enter or edit the record in SPRS through the PIEE portal using the SPRS Cyber Vendor User role. SPRS stores the result; it does not perform the assessment.

Does buying a tool improve my score?

No, not on its own. A GRC platform, a secure cloud, or a CUI enclave can help you implement, organize, monitor, or evidence controls — but the score only moves when a requirement is genuinely implemented and supported in your assessed scope. Software alone never satisfies CMMC.

Do I need a C3PAO to improve my SPRS score?

Usually not for remediation. A C3PAO performs the formal Level 2 certification assessment when a contract requires it. Most contractors need readiness and implementation help first, and independence rules generally prevent the firm that remediates your environment from also assessing it.

Is NIST SP 800-171 Revision 2 or Revision 3 used for CMMC?

For CMMC Level 2 under the active rule, Revision 2 is the controlling baseline, with assessment procedures from NIST SP 800-171A (June 2018). Don't assume Revision 3 applies unless DoD amends the rule or your contract specifically requires it.


Why trust this page

We did the thing most pages skip: we read the primary sources and tallied them ourselves. The 44 / 14 / 51 point breakdown and the −203 floor come from Annex A of the DoD Assessment Methodology, counted line by line. The POA&M rules — including the 3.10.6 detail that most of the internet gets wrong — come straight from the text of 32 CFR 170.21. The clause shuffle comes from the February 2026 class deviation memo. The enforcement figures come from Department of Justice releases, quoted to the dollar. If we removed every link to our matching tool, this would still be the clearest free explanation of how to improve an SPRS score we could write. That’s the standard.

Primary sources we read

  • NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 (Annex A — scoring weights): acq.osd.mil
  • NIST SP 800-171 Revision 2 and NIST SP 800-171A (the 110 requirements and 320 assessment objectives): csrc.nist.gov
  • 32 CFR Part 170 — CMMC Program Rule, esp. §170.9, §170.21, §170.24, §170.17, §170.22: ecfr.gov
  • DFARS 252.204-7012 / 7019 / 7020 / 7021 / 7025: acquisition.gov
  • Revolutionary FAR Overhaul Class Deviation 2026-O0025 (DFARS 252.240-7997; FAR 52.240-93): acq.osd.mil/dpap/dars
  • CMMC Assessment Process (CAP) and ISO/IEC 17020 impartiality requirements: Cyber AB
  • SPRS record fields, access, Cyber Vendor User role: sprs.csd.disa.mil and piee.eb.mil
  • Enforcement: U.S. Department of Justice press releases — MORSECORP Inc.; Georgia Tech Research Corporation; LOGZONE Inc. settlement

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This article is educational research, not legal, contractual, or compliance advice. The contract clause and your CUI handling set your required level, not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you act. See our editorial standards and corrections policy.


Need help deciding what type of CMMC provider you need?


Tell us your level, scope, and timeline. We’ll match you with source-checked CMMC provider options.
Do not submit CUI, drawings, export-controlled technical data, contract-sensitive details, system diagrams, vulnerability details, or customer-specific information.

Find My CMMC Path →

Your situation changes the answer


The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →