SPRS Score for CMMC: What Contractors Need to Know Before Award

Q: What is the SPRS score for CMMC?

The SPRS score is a Supplier Performance Risk System assessment result that represents a contractor's self-assessed implementation of NIST SP 800-171 Rev. 2 requirements. Scores range from -203 to 110, with 110 representing full implementation of all requirements. It is calculated using the DoD Assessment Methodology, which assigns point values to each of the 110 NIST SP 800-171 requirements based on their weight. A current SPRS score is required for contracts containing DFARS 252.204-7019/7020.

Q: What SPRS score do I need to win DoD contracts?

DFARS 252.204-7019 requires that offerors have a current SPRS score posted — it does not specify a minimum numerical score for basic eligibility. However, under CMMC, Conditional Level 2 status requires a minimum of 88 out of 110 (with all non-POA&M-eligible requirements fully implemented). For contracts requiring CMMC Level 2 C3PAO certification under DFARS 252.204-7025, award eligibility depends on having a Final Level 2 CMMC Status in SPRS — not just a score.

Q: How is the SPRS score calculated?

The SPRS score starts at 110 and decreases by point values assigned to each unimplemented NIST SP 800-171 requirement, as defined by the DoD Assessment Methodology. Not all requirements carry the same weight — some are worth 1 point, others 3 or 5 points. The maximum score is 110 (full implementation). Scores can go negative because the sum of all deductions exceeds 110.

Q: Does CMMC replace the SPRS score?

Not entirely. CMMC adds a CMMC Status to SPRS — either a Final or Conditional status at the applicable level — that coexists with the NIST SP 800-171 self-assessment score. For Level 2 C3PAO contracts, the C3PAO posts the Final status directly. The self-assessment score remains in SPRS for contracts that require it under DFARS 252.204-7019/7020, even after a CMMC Status is added.

Q: What do I do if my SPRS score is wrong?

If your self-assessment score is inaccurate, the appropriate fix is to re-evaluate your implementation, correct the score calculation, and have a senior official submit an updated affirmation in SPRS. Do not repost a higher score without correcting the underlying implementation gaps. Posting a materially false SPRS score can create False Claims Act liability.

The Defense Compliance Report Editorial TeamIndependent CMMC and DIB compliance research

Published: May 27, 2026Last reviewed: May 27, 2026

Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

The Supplier Performance Risk System (SPRS) score is a DoD-required posting that represents a defense contractor’s self-assessed compliance with NIST SP 800-171 Revision 2. Under DFARS 252.204-7019, offerors must have a current NIST SP 800-171 assessment score posted in SPRS before they can receive a DoD contract containing that clause. Under CMMC, SPRS also houses the contractor’s CMMC Status — the compliance result that gates award on applicable contracts starting Phase 2.

A missing, stale, or inaccurate SPRS posting can delay or block award. An inflated SPRS score can create False Claims Act exposure. This guide covers how scoring works, what each score level means, and what to do when your score needs to change.

What SPRS Is — and What It Isn’t

SPRS (Supplier Performance Risk System) is the DoD’s government-wide database for contractor assessment data, past performance, and compliance statuses. For CMMC and NIST SP 800-171 purposes, SPRS holds two related but separate data points for each contractor:

NIST SP 800-171 DoD Assessment score— a numerical score from −203 to 110 representing the contractor’s self-assessed implementation of the 110 NIST SP 800-171 Rev. 2 requirements, calculated using the DoD Assessment Methodology
CMMC Status — a Final or Conditional status at Level 1, 2, or 3, posted either by the contractor (self-assessment and Level 1) or by a C3PAO (Level 2 C3PAO path) or DIBCAC (Level 3)

SPRS is not a certification database and does not issue CMMC certifications. It is a reporting and verification system. Contracting officers check SPRS during award decisions to confirm that a required score or CMMC Status is current and posted.

How the SPRS Score Is Calculated

The SPRS score is calculated using the DoD Assessment Methodology for NIST SP 800-171 (v1.2.1). The methodology assigns a point value to each of the 110 NIST SP 800-171 requirements based on their risk weight. The score starts at 110 (full implementation) and decreases by the point value of each unimplemented requirement. Because the sum of all deductions exceeds 110, scores can go negative — as low as −203.

Score Range	What It Signals	CMMC Implications
110	All 110 requirements fully implemented	Eligible for Final Level 2 (self) affirmation
88–109	Some requirements on POA&M; others fully met	Eligible for Conditional Level 2 status (with restrictions)
1–87	Significant gaps in implementation	Not eligible for Conditional status; below minimum threshold
0 or negative	Material cybersecurity gaps	No CMMC status available; significant award risk

Sources: DoD Assessment Methodology v1.2.1; 32 CFR Part 170 §§ 170.4, 170.14, 170.24. Conditional Level 2 status requires min. 88/110 AND full implementation of all non-POA&M-eligible requirements.

How CMMC and SPRS Interact

Under CMMC, the SPRS score does not go away — it coexists with the CMMC Status posted by the contractor or C3PAO. For contracts requiring Level 2 C3PAO certification under DFARS 252.204-7025, the C3PAO posts the CMMC Status (Final or Conditional) directly in SPRS after the assessment. The numerical self-assessment score may also be present for contracts requiring it under DFARS 252.204-7019/7020.

Contract Clause	What SPRS Must Show	Who Posts It
DFARS 252.204-7019	Current NIST SP 800-171 self-assessment score	Contractor (senior official affirmation)
DFARS 252.204-7020	Current NIST SP 800-171 score + medium/high assessment	Contractor; DoD for medium/high assessments
DFARS 252.204-7021 (L2 Self)	CMMC Level 2 self-assessment status	Contractor (senior official affirmation)
DFARS 252.204-7025 (L2 C3PAO)	CMMC Level 2 Final or Conditional status (C3PAO-issued)	C3PAO posts directly in SPRS

What to Do If Your SPRS Score Is Wrong

Contractors routinely over-score their self-assessments. The most common sources of error: applying controls without testing their operational effectiveness (as NIST SP 800-171A requires), incorrectly scoping the assessment boundary (excluding systems that process CUI), and misapplying partial credit to requirements that NIST SP 800-171A treats as binary (implemented or not).

If your SPRS score is inaccurate:

Do not re-post a higher score without correcting the gaps. Posting an inflated score with unresolved implementation failures creates False Claims Act exposure. The senior official who affirms is attesting under federal attestation requirements.
Engage an independent reviewer. An external readiness review from an RPO or qualified consultant can validate your current scoring methodology and identify errors before the next affirmation.
Correct the implementation, then update the score.Remediate the identified gaps, re-evaluate using NIST SP 800-171A methods, recalculate the score, and repost with an updated senior official affirmation.
Consult legal counsel on any prior inaccurate posting.If a materially inflated SPRS score has been posted under a DoD contract, consult federal-contracts counsel about voluntary disclosure and correction obligations before assuming the risk of inaction.

False Claims Act and SPRS

The False Claims Act (31 U.S.C. §§ 3729–3733) applies to knowing submission of false claims to the federal government. DoJ and several contracting officers have cited inflated SPRS postings in enforcement contexts. A senior official who affirms a materially false SPRS score is the attesting individual, not just the company. Internal controls and independent validation before affirmation reduce — but do not eliminate — this risk.

SPRS at Award: What Contracting Officers Check

Contracting officers use SPRS as part of their pre-award review. What they look for:

Score currency: DFARS 252.204-7019 and 7020 require a "current" score — typically interpreted as within the triennial assessment cycle with annual affirmation. Stale scores (no recent affirmation) can trigger questions or delays.
CMMC Status (when required): For DFARS 252.204-7025 contracts, the contracting officer checks SPRS for a Final or Conditional CMMC Status at the level specified in the clause. Missing status = award ineligibility.
Score reasonableness: Contracting officers are not required to audit scores, but very low or negative scores can affect source selection evaluation, especially under past-performance or technical evaluation factors.

How to Improve Your SPRS Score

Improving your SPRS score means implementing the unmet NIST SP 800-171 requirements — not adjusting the score calculation. The path:

Start with a gap assessment to identify which requirements are unmet and by how much
Prioritize remediation by point weight — address high-value requirements first
Build your SSP and POA&M to document current state and remediation plans
After remediation, re-evaluate using NIST SP 800-171A methods for each requirement (interview, examine, test — not just documentation review)
Recalculate the score using the DoD Assessment Methodology
Have a senior official affirm the updated score in SPRS

The requirements with the highest point weights are not necessarily the hardest to implement — many high-weight gaps in small DIB companies are in Access Control (AC), Identification and Authentication (IA), and System and Information Integrity (SI). A gap assessment that prioritizes by DoD Assessment Methodology weighting, not alphabetical order, gives you the fastest path to a higher score.

Find your CMMC path before your next contract

Answer questions about your contract clauses, current SPRS status, and environment. Get a matched recommendation before any contact info is required.

Find your CMMC path →

Frequently Asked Questions

What is the SPRS score for CMMC?

The SPRS score is a numerical representation of a contractor’s self-assessed compliance with NIST SP 800-171 Rev. 2. It ranges from −203 to 110 and is calculated using the DoD Assessment Methodology. A score of 110 means all 110 requirements are fully implemented.

What SPRS score do I need to win DoD contracts?

DFARS 252.204-7019 requires that a current SPRS score be posted — it does not specify a minimum numerical score for basic eligibility. However, under CMMC, Conditional Level 2 status requires a minimum of 88 out of 110 (with all non-POA&M-eligible requirements fully implemented). For contracts requiring CMMC Level 2 C3PAO certification under DFARS 252.204-7025, award eligibility depends on having a Final Level 2 CMMC Status in SPRS — not just a score.

How is the SPRS score calculated?

The score starts at 110 and decreases by the point values assigned to each unimplemented NIST SP 800-171 requirement in the DoD Assessment Methodology. Not all requirements carry the same weight — some are worth 1 point, others 3 or 5. Scores can go negative because the total deduction potential exceeds 110.

Does CMMC replace the SPRS score?

Not entirely. CMMC adds a CMMC Status to SPRS — a Final or Conditional level status — that coexists with the NIST SP 800-171 self-assessment score. For Level 2 C3PAO contracts, the C3PAO posts the Final status directly. The self-assessment score remains for contracts that require it under DFARS 252.204-7019/7020.

Can a low SPRS score prevent contract award?

It depends on the solicitation, clause, and contracting officer. DFARS 252.204-7019 requires a current score to be posted but does not specify a floor. DFARS 252.204-7025 makes CMMC Status a solicitation-level award gate — a contractor without the required status cannot receive award. A very low score may also affect source selection evaluations.

What do I do if my SPRS score is wrong?

Correct the underlying implementation gaps, re-evaluate using NIST SP 800-171A methods, recalculate the score, and repost with an updated senior official affirmation. Do not repost a higher score without correcting the gaps. Consult federal-contracts legal counsel if a materially false score has been affirmed under an active DoD contract.

Start with a gap assessment to understand your current score

A professional gap assessment gives you a defensible preliminary SPRS score posture, identifies gaps by DoD Assessment Methodology weight, and builds the SSP/POA&M evidence you need before any affirmation.

CMMC Gap Assessment Guide →

Sources & Regulatory Citations

32 CFR Part 170 — CMMC Program Final Rule (effective Dec. 16, 2024)
DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7025 — Cybersecurity Maturity Model Certification Requirements (award gate)
NIST SP 800-171 Revision 2 — Protecting CUI in Nonfederal Systems
NIST SP 800-171A — Assessing Security Requirements for CUI
DoD Assessment Methodology for NIST SP 800-171 (Version 1.2.1)
SPRS User Guide — sprs.apps.mil
31 U.S.C. §§ 3729–3733 — False Claims Act
89 Fed. Reg. 66924 (Oct. 15, 2024) — CMMC Program Final Rule

Related Guides

Find your CMMC path before your next bid

Answer questions about your current SPRS status, contract requirements, and environment. Get a personalized recommendation before any contact info is required.

Find your CMMC path →

Or browse the provider directory to find verified CMMC providers.

Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.