SPRS Score Guide: How to Calculate and Submit Your NIST 800-171 Score
This SPRS score guide gives you the bottom line first: your SPRS score starts at 110, and you subtract 5, 3, or 1 point for every NIST SP 800-171 requirement you have not fully implemented—no partial credit, except two specific controls—until you reach your final number, which can fall as low as −203. A score of 110 means all 110 requirements are met. You calculate the number yourself, outside the system, then post the summary inside the Supplier Performance Risk System (SPRS).
Here’s the part almost nobody explains, and the part quietly costing companies awards right now: there are two different scoresthat can live in your SPRS record—the legacy NIST 800-171 DoD Assessment score, and the newer CMMC Level 2 score that arrives bundled with a status, a unique ID, and an annual affirmation. Confusing them can knock you out of a contract, and overstating your score has already triggered a federal fraud settlement.
The fast answer
| Your question | The short answer | What to do next |
|---|---|---|
| Does SPRS calculate the score for me? | No. SPRS stores the result. You run the assessment first. | Finish your assessment and SSP, then enter the summary. |
| Where does the number start? | At 110. You subtract for each requirement not met. | Use the scoring worksheet before you post. |
| Can it go negative? | Yes. The published range is −203 to 110. | Don’t hide a low score—document gaps in a POA&M. |
| Is this the same as CMMC certification? | No. A NIST score and a CMMC status are different records. | Check whether your contract needs a score, a status, or both. |
| How long is it good for? | Generally three years, unless the solicitation says less. | Re-score after real remediation or any scope change. |
What is a SPRS score?
A SPRS score is the summary result of a NIST SP 800-171 assessment, stored in the Supplier Performance Risk System (SPRS)—the Department of Defense database contracting officers use to gauge supplier risk. It runs from −203 to 110 and reflects how completely a contractor has implemented the 110 security requirements in NIST SP 800-171 Revision 2, the federal standard for protecting Controlled Unclassified Information. It is a self-generated score unless DoD assessors produce it.
Let’s define the moving parts once, then use them freely.
- SPRS—the Supplier Performance Risk System, the DoD system of record for supplier risk and performance data.
- NIST SP 800-171—the National Institute of Standards and Technology publication listing 110 security requirements, organized into 14 control families, for protecting CUI on non-federal systems. See our NIST 800-171 requirements checklist for a full breakdown of all 110 controls.
- CUI (Controlled Unclassified Information)—sensitive but unclassified government information that requires safeguarding. If your contract involves CUI, the cybersecurity obligations attach.
- FCI (Federal Contract Information)—non-public information provided or generated under a contract; it carries lighter requirements than CUI.
- CAGE code—your Commercial and Government Entity code, the identifier that ties your score to your company.
- SSP (System Security Plan)—the document describing your system boundary and how each control is implemented. No SSP, no score.
According to the official SPRS guidance, the NIST module stores a specific, finite set of fields: your assessment date, your score, your scope, your plan-of-action completion date, the CAGE code(s) covered, your SSP name, SSP version, SSP date, and a confidence level. SPRS is a filing cabinet for results—it does not run the assessment, and the same guidance is explicit that the Basic Assessment cannot be performed inside SPRS.
A SPRS score is not a certificate, not a guarantee, and not something the system works out on your behalf.
Do you even need a SPRS score?
You generally need a current NIST 800-171 score in SPRS when your offer or contract requires you to implement NIST SP 800-171—which happens when DFARS 252.204-7012 (the Safeguarding clause) applies because you will handle CUI. If you only handle FCI and never touch CUI, this score isn’t your obligation; that world is governed by lighter requirements, and you may need only a CMMC Level 1 self-assessment.
Everyone else—primes bidding on CUI work, and subcontractors receiving CUI flow-down—should keep reading.
How is the SPRS score calculated?
You calculate a SPRS score by starting at 110 and subtracting the assigned point value for every NIST SP 800-171 Revision 2 requirement you have not fully implemented. Each requirement is weighted at 5, 3, or 1 point based on its security impact, there is no partial credit except for two specific controls, and unmet requirements can push the score below zero—to a floor of −203.
The formula is genuinely this simple:
The weighting is where it gets real. We pulled the exact distribution from 32 CFR 170.24, the controlling CMMC scoring methodology. Of the 110 requirements:
- 42 requirements deduct 5 points each—the high-impact controls that, if missing, could lead to significant exploitation of your network or exfiltration of CUI.
- 14 requirements deduct 3 points each—controls with a specific, confined effect on security.
- 2 requirements deduct 5 or 3 points, depending on how far you’ve gotten: multi-factor authentication (IA.L2-3.5.3) and FIPS-validated encryption (SC.L2-3.13.11). These are the only two with built-in partial credit.
- The remaining 51 requirements deduct 1 point each—controls with a limited or indirect effect.
- One requirement stands apart: the System Security Plan (CA.L2-3.12.4). It carries no routine point value. Under §170.24, without an up-to-date SSP the assessment cannot be completed at all—treat it as a hard gate, not a line item.
The two partial-credit controls (memorize these)
These are common gaps and the rule spells out the math precisely:
| Control | Deducts 5 points if… | Deducts 3 points if… |
|---|---|---|
| IA.L2-3.5.3 — Multi-factor authentication | MFA isn’t implemented for any users | MFA covers remote and privileged users, but not general users |
| SC.L2-3.13.11 — FIPS-validated encryption | Encryption isn’t employed | Encryption is employed but is not FIPS-validated |
Everywhere else, it’s binary. A control is Met or Not Met—there is no “70% of the way there” credit. One useful nuance: an objective marked N/A is treated the same as Met (no deduction). Honest scoping matters as much as honest implementation.
A worked example (how fast the number falls)
Start at 110. Now apply a set of common, real-world gaps:
- No MFA anywhere
- Encryption in use but not FIPS-validated
- No centralized audit logging, no alerting on audit-process failures (two 5-point controls)
- No security-control assessment process, weak continuous monitoring (a 5 and a 3)
- Scattered 1- and 3-point configuration and documentation gaps
That’s a company that “felt compliant” sitting in the low 60s—already well under the score CMMC Level 2 needs. A first honest self-assessment often comes in low—sometimes deep in the negatives—and that is not a reason to inflate it. The goal is an accurate, supportable number with a credible plan to improve it.
The SSP gate (the one that stops the assessment cold)
The System Security Plan (CA.L2-3.12.4) is not a small deduction—it’s a prerequisite. Section 170.24 states that without a current SSP, the assessment “could not be completed due to incomplete information and noncompliance with 48 CFR 252.204-7012.” Start there.
Run your number before you write it down.
The SPRS NIST SP 800-171 Quick Entry Guide (official DoD) walks every field you’ll need and the source document each one comes from—so you walk in prepared.
Which NIST 800-171 requirements move your score the most?
The biggest score swings come from the 42 requirements weighted at 5 points each—concentrated in Access Control, Configuration Management, System and Communications Protection, and System and Information Integrity. Missing a few of these does more damage than missing dozens of 1-point items, which is why remediation should sequence the heaviest-weighted controls first.
This maps every 5-point and 3-point requirement to its control family, built from 32 CFR 170.24. The remaining requirements in each family each deduct 1 point; the SSP requirement (CA.L2-3.12.4) acts as a gate with no point value.
| Control family | 5-pt req. | 3-pt req. | What the heavy controls protect |
|---|---|---|---|
| Access Control (3.1) | 7 | 2 | Limiting access to authorized users; securing remote, wireless, and external connections |
| Configuration Management (3.4) | 6 | 0 | Baseline configurations, change control, least functionality, controlling software and ports |
| System & Communications Protection (3.13) | 5 | 1 | Boundary protection, separating public-facing systems, controlling traffic at boundaries (plus FIPS encryption, 3.13.11, scored 5/3) |
| System & Information Integrity (3.14) | 5 | 2 | Flaw remediation, malicious-code protection, monitoring and alerts |
| Identification & Authentication (3.5) | 3 | 0 | Identifying and authenticating users and devices (plus MFA, 3.5.3, scored 5/3) |
| Audit & Accountability (3.3) | 2 | 1 | Creating, retaining, and reviewing audit logs |
| Awareness & Training (3.2) | 2 | 0 | Security awareness and role-based training |
| Incident Response (3.6) | 2 | 0 | An incident-handling capability; tracking and reporting |
| Maintenance (3.7) | 2 | 2 | Controlled maintenance; multifactor for nonlocal maintenance |
| Media Protection (3.8) | 2 | 3 | Sanitizing media; controlling removable media |
| Physical Protection (3.10) | 2 | 0 | Limiting and protecting physical access to systems |
| Security Assessment (3.12) | 2 | 1 | Periodically assessing controls; ongoing monitoring (SSP, 3.12.4, is the gate) |
| Personnel Security (3.9) | 1 | 1 | Screening; protecting CUI during personnel actions |
| Risk Assessment (3.11) | 1 | 1 | Scanning for and remediating vulnerabilities |
Use this as a prioritizationtool, not a permission slip to ignore the rest. A 1-point control can still be mission-critical and assessment-critical—in fact, the six controls you can never defer (coming up) are all low-point items. But if you’re triaging the next 30 days, Access Control and Configuration Management are where a dollar of effort buys back the most score.
The uncomfortable corollary: “we’re close” is often a mirage. Four missing 5-point controls (−20) sink a score faster than twenty minor documentation gaps. Look at the weightof what’s open, not the count.
Are the SPRS score and the CMMC Level 2 score the same thing?
No—and this is the distinction that trips up almost everyone. They use the same 110-point, 5/3/1 math, but they are two different records under two different rules. The legacy “Basic Assessment” score has been required under DFARS 252.204-7019 and -7020 since November 30, 2020. The CMMC Level 2 self-assessment score is scored under 32 CFR 170.24, became enforceable under the DFARS rule effective November 10, 2025, and comes bundled with a CMMC status, a CMMC unique ID, and a mandatory affirmation.
We built this side-by-side because no single official page lays it out, and the blur is where companies post the wrong thing.
| Legacy: NIST 800-171 “Basic Assessment” score | CMMC Level 2 self-assessment record | |
|---|---|---|
| Governing authority | DFARS 252.204-7019 and -7020; DoD Assessment Methodology v1.2.1 | 32 CFR Part 170 (§170.16, .21, .22, .24); DFARS 252.204-7021 and -7025 |
| In effect since | November 30, 2020 | November 10, 2025 (DFARS rule); CMMC program rule December 16, 2024 |
| The math | Start at 110, subtract 1/3/5 per unmet requirement | The same math, codified in 32 CFR 170.24 |
| Assessed against | NIST SP 800-171 Rev. 2 | NIST SP 800-171 Rev. 2, using the NIST SP 800-171A (June 2018) objectives |
| “Passing”? | No pass/fail. You need a current, accurate score (no more than 3 years old). | 110 = Final Level 2 (Self). ≥ 88 with an eligible POA&M = Conditional. |
| Affirmation | Not a separate annual affirmation under this mechanic | Required—an Affirming Official affirms after each assessment, after POA&M closeout, and annually (§170.22). See our CMMC annual affirmation guide. |
| Identifier created | A DoD UID (10 characters; first two letters denote confidence level) | A CMMC UID (10 alphanumeric characters per assessment, per system) |
| Cost of getting it wrong | False Claims Act exposure | False Claims Act exposure plus loss of CMMC status and award eligibility under DFARS 252.204-7025 |
The plain-English decision rule:
- If your contract carries DFARS 252.204-7012, you already owe a current Basic Assessment score in SPRS—that obligation didn’t vanish when CMMC arrived.
- If a solicitation specifies a CMMC level (through DFARS 252.204-7025), you also owe that CMMC status and affirmation in SPRS before award.
- For now, a single contract can require both.
Watch the identifiers especially: the DoD UID that SPRS generates when you post a legacy Basic Assessment is not the CMMC UID issued for a CMMC assessment. Same length, different animal. If you take one thing from this guide, take that.
What counts as a “passing” SPRS score?
Under the legacy DFARS 252.204-7019/-7020 regime, there is no minimum passing score—you simply need a current, accurate score posted, no more than three years old. Under CMMC Level 2, a 110 is a full “Final” pass; a score of at least 88 (80%) can earn a “Conditional” status if every remaining gap is POA&M-eligible—and six specific controls can never be deferred.
Legacy Basic Assessment
There’s no threshold. A 70, a 40, even a negative number can satisfy DFARS 252.204-7019 as long as it’s current, honest, and you have a Plan of Action and Milestones (POA&M) with an expected date to reach 110. The clause cares that a real, current score is posted—not that it’s high.
CMMC Level 2 thresholds
CMMC Level 2 is stricter, and the rules are precise and public (32 CFR 170.21 and 170.24):
- Final Level 2 = a perfect 110. Everything met.
- Conditional Level 2is allowed only if your score ÷ 110 is at least 0.8—a score of 88 or higher—meaning you can be missing at most 22 points at assessment time.
- POA&M items may only be 1-point requirements—so at most 22 one-point gaps—with one narrow exception: CUI encryption (SC.L2-3.13.11) may go on a POA&M only if encryption is in use but not FIPS-validated (a 3-point condition).
- A Conditionalstatus must be cleared by closing the POA&M within 180 days, confirmed by a closeout assessment, or it expires.
One clarification that prevents a real misunderstanding: a Level 2 self-assessment does not produce a C3PAO certificate. It produces a self-assessment CMMC status in SPRS. Third-party certification is a separate path, conducted by an accredited assessor. See our CMMC self-assessment vs. C3PAO guide for how the two paths compare.
The six controls you can never put on a POA&M
These requirements must be fully Metat assessment time—they cannot be deferred for a Conditional status, no exceptions. Transcribed straight from 32 CFR 170.21(a)(2)(iii):
| Control | Requirement | Points | Why it can’t wait |
|---|---|---|---|
| AC.L2-3.1.20 | External Connections (CUI Data) | 1 | Controlling external system connections keeps CUI inside your boundary |
| AC.L2-3.1.22 | Control Public Information (CUI Data) | 1 | Stops CUI from landing on publicly accessible systems |
| CA.L2-3.12.4 | System Security Plan | Gate (no point value) | Without a current SSP, the assessment can’t be completed at all |
| PE.L2-3.10.3 | Escort Visitors (CUI Data) | 1 | Physical-access control over visitors in CUI areas |
| PE.L2-3.10.4 | Physical Access Logs (CUI Data) | 1 | Maintaining audit logs of physical access |
| PE.L2-3.10.5 | Manage Physical Access (CUI Data) | 1 | Managing physical access devices and controls |
Note the trap: five of these are worth only 1 point, so it’s tempting to leave them open and assume you can defer them. You can’t. Any unmet 3- or 5-point control (other than the encryption exception), or any of these six, means there is no Conditional path. It has to be fixed before you assess.
Not at 88 yet—or staring at hard 5-point gaps?
That’s a readiness problem, not a paperwork problem. See what a CMMC Level 2 readiness program actually involves and compare provider categories before you commit. Readiness and formal assessment are separate disciplines.
What do you need before you calculate or submit the score?
Before you post anything, you should have a System Security Plan, a defined assessment scope, the correct CAGE code(s), your assessment date, the scoring worksheet that supports your number, and a POA&M with an expected completion date if gaps remain. SPRS is where the summary result goes—not where you invent it.
The official SPRS Quick Entry Guide is clear that you complete the assessment methodology and the SSP before entering summary results.
| What SPRS will ask for | Where it should come from | The common mistake |
|---|---|---|
| Assessment score | Your scoring worksheet / assessment record | Guessing, or copying last cycle’s number |
| Assessment date | The date you completed the assessment | Entering the submission date instead |
| Scope (Enterprise / Enclave / Contract) | Your SSP and system boundary | Selecting “Enterprise” when you only assessed an enclave |
| CAGE code(s) | Your SAM.gov / CAGE hierarchy | Missing subsidiaries, or the wrong CAGE |
| SSP name / version / date | Your current SSP | No SSP, or an SSP dated after the assessment |
| POA&M completion date | Your POA&M | An unrealistic “date to 110” |
A note on scope, because it quietly changes everything: Enterprisecovers your company’s network across the listed CAGEs; Enclave is a carved-out, standalone environment; Contractis scoped to a specific SSP for specific work. Score the boundary you actually assessed—not the one you wish you’d assessed. Our CMMC scoping guide covers how to define that boundary correctly.
On evidence: a Basic Assessment doesn’t require you to upload all your proof into SPRS. But the score must be supportableby your SSP, your implementation, and your POA&M. “Supportable” is the word that keeps you out of trouble.
How do you submit your NIST 800-171 score in SPRS?
You submit through PIEE—the Procurement Integrated Enterprise Environment at piee.eb.mil. Obtain the “SPRS Cyber Vendor User” role, open the NIST SP 800-171 Assessments module, select your CAGE hierarchy, and add a new assessment with your score, scope, SSP details, and—if you’re under 110—your expected completion date. SPRS stores the summary you enter; it does not perform the assessment.
Access is the most common place people get stuck, so we’ve front-loaded it.
Confirm your CAGE in SAM.gov.
Register or log in at PIEE and request the "SPRS Cyber Vendor User" role.
Open SPRS, then Cyber Reports, and select the NIST SP 800-171 Assessments tab.
Create your header / select the CAGE.
Click "Add New Assessment" and enter the summary data.
Save.
The most important sentence in this section: SPRS does not calculate your score, run the methodology, or build your SSP for you. Do the work offline, then file the result. For help verifying your company’s current SPRS status, see our step-by-step verification guide.
Can you email a Basic Assessment instead of entering it in SPRS?
Yes—DFARS 252.204-7020 still describes a path for submitting Basic Assessment summary information by encrypted email. But the official SPRS guidance walks you through direct PIEE/SPRS entry, and direct entry is cleaner because it creates the visible record DoD actually checks. Prefer direct entry when you have proper access.
DFARS 252.204-7020 lays out the encrypted-email option, and the fields it requires map cleanly onto the SPRS entry screen:
| What the DFARS 7020 email requires | The matching SPRS entry field | Source document |
|---|---|---|
| NIST SP 800-171 version assessed | Assessment standard (Rev. 2) | Your assessment record |
| Organization conducting the assessment | Confidence level (Basic = self) | Your assessment record |
| CAGE code(s) for the system(s) | Included CAGE(s) | SAM.gov hierarchy |
| Brief SSP architecture description | SSP name / version / date | Your SSP |
| Summary score | Score | Your scoring worksheet |
| Date a score of 110 is expected | Plan of action completion date | Your POA&M |
When to use the email path: rarely. It makes sense only in edge cases—you can’t get access in time, your CAGE situation is tangled, or a contracting officer instructs you otherwise. If your company will do this more than once, fix the role and CAGE problem permanently.
How long is a SPRS score current, and when should you update it?
DFARS 252.204-7019 treats an assessment as current if it is not more than three years old, unless a solicitation specifies a shorter window. Re-score sooner if remediation has materially changed your implementation, your scope has changed, your CAGE relationships have changed, or you discover the posted score is wrong.
Three things worth internalizing:
- The three-year windowis the outer limit, not a target. In SPRS, an assessment that ages past three years turns red—a flag DoD and primes can see.
- “Not expired” is not the same as “still accurate.” If you’ve stood up MFA, deployed FIPS-validated encryption, or moved CUI into an enclave, your real score has moved. Update it.
- Update after material change, not on a whim. Re-score after genuine remediation, after a scope change, or after a CAGE/hierarchy change. The number should follow the implementation—never the other way around.
SPRS score vs. CMMC status, CMMC UID, and annual affirmation
A NIST 800-171 SPRS score is an assessment-score record. CMMC status, the CMMC UID, and the annual affirmation are separate CMMC records under DFARS 252.204-7021 and the solicitation provision DFARS 252.204-7025. Depending on the clause, level, and timing, you may need both a NIST assessment score and a current CMMC status with affirmation.
| Record | Tied to | Where it lives | The common mistake |
|---|---|---|---|
| NIST 800-171 SPRS score | DFARS 7019/7020 assessment | SPRS NIST assessment record | Treating it as a certification |
| CMMC status | DFARS 7021/7025, 32 CFR 170 | SPRS | Assuming a 110 score equals CMMC certified |
| CMMC UID | A CMMC assessment, per system | SPRS | Confusing it with the DoD UID |
| Annual affirmation | CMMC status maintenance | SPRS | Thinking the score alone is enough |
Why this matters right now: CMMC became real for contracting officers on November 10, 2025, and per 32 CFR 170.3(e) the requirements roll out in four phases. Phase 1 runs November 10, 2025 through November 9, 2026; Phase 2 begins November 10, 2026, when third-party (C3PAO) Level 2 assessments become standard for a wider set of contracts. During this window, the difference between “I posted a NIST score” and “I have a current CMMC status and affirmation” is the difference between eligible and ineligible. Don’t update the wrong record under deadline pressure.
Not sure whether your contract needs a NIST score, a CMMC status, or both?
Tell us the clause you’re seeing, your CUI scope, your CAGE structure, and your deadline, and we’ll help you identify the right next step before you update the wrong record.
Get matched with source-checked provider options →What are Basic, Medium, and High NIST 800-171 assessments?
A Basic Assessment is your own self-assessment, based on your SSP, carrying a “Low” confidence level—it’s the one you enter in SPRS. Medium and High assessments are conducted by the government, with High involving on-site or virtual verification, examination, and demonstration of your controls. You post Basic; DoD posts Medium and High.
DFARS 252.204-7020 defines all three:
| Assessment | Who performs it | Confidence level | Who posts it |
|---|---|---|---|
| Basic | The contractor (self-assessment from the SSP) | Low | The contractor |
| Medium | The government | Medium | DoD |
| High | The government (often DIBCAC) | High | DoD |
The practical takeaway: when you self-score and submit, you’re producing a Basic assessment with Lowconfidence. That’s expected and fine. But the burden of accuracy is entirely on you—there’s no third party validating it before it goes in.
Which version applies—NIST SP 800-171 Rev. 2 or Rev. 3?
For CMMC and SPRS scoring today, use Revision 2—not Revision 3—even though NIST has marked Rev. 2 as withdrawn. NIST superseded Rev. 2 with Rev. 3 on its own site, but the CMMC program rule (32 CFR Part 170) currently incorporates Rev. 2, and DoD has signaled it will address any future NIST version through rulemaking. Don’t switch standards on your own initiative.
This is a live contradiction, and it’s a fair reason to be confused. On the NIST Computer Security Resource Center, SP 800-171 Rev. 2 now displays as withdrawn and superseded by Rev. 3. But the controlling CMMC text still points to Rev. 2, and the DoD Assessment Methodology and SPRS scoring were built for Rev. 2.
What to do: assess and score against Rev. 2until DoD amends the rule. What to watch: the NIST CSRC pages, the eCFR (32 CFR Part 170 and the DFARS clauses), and the Federal Register. When the controlling rule changes, the standard changes—not before. We re-verify this every quarter.
What if your SPRS score is low—or you already posted one that’s wrong?
A low score is not automatically a disaster; it’s a signal that gaps remain and need a documented POA&M. The dangerous move is inflating the score. Because a Basic Assessment is self-attested with no third-party check, the Department of Justice has used the False Claims Act to pursue contractors over false cybersecurity representations—including an inflated SPRS score.
Here’s the one hard truth, stated straight: a Basic Assessment has no referee.Nobody validates your number before it lands in SPRS. That feels like a loophole. It’s actually the trap—because the absence of a gatekeeper is exactly what makes a false score legally dangerous, and what makes an honest one your best protection.
That’s not theoretical. In March 2025, defense contractor MORSECORP agreed to pay $4.6 million to resolve False Claims Act allegations. According to the DOJ, MORSE had posted a SPRS score of 104—near the maximum—while its actual score, once a third party did the work, was −142. The company didn’t correct the posted score until after it received a subpoena. The case was brought by a whistleblower—the company’s own head of security—and sits within the DOJ’s Civil Cyber-Fraud Initiative, which has also produced settlements with Penn State for $1.25 million and Health Net/Centene for over $11 million.
The lesson isn’t “be afraid.” It’s the opposite: a low but defensible score is safer than a high but unsupported one. A modest, honest number with a credible POA&M creates business friction you can manage. An inflated number creates exposure you can’t.
So, practically:
- If your score is low: document the gaps, prioritize the heaviest-weighted controls first (use the family map above), remediate, and update the score when the implementation is real. Build an executive-ready memo—current score, scope, top deductions, POA&M, date to 110, and the risk owner—so leadership sees the path, not just the number.
- If you already posted a number that’s too high or unsupported: treat it as a compliance-risk issue, not a data-entry cleanup. Reconcile the score against your SSP, scope, CAGE, evidence, and assessment date before you change anything. If there was no SSP when you posted, that’s serious.
- If the wrong CAGE or scope was used: correct it deliberately, with the supporting documentation lined up.
If your posted score might not hold up, don’t treat it as a quick edit.
Tell us what changed—your score, SSP, scope, CAGE, or deadline—and we’ll help you figure out whether you need a gap assessment, remediation support, or counsel-led review before you touch a government-facing record.
Get matched →How should primes and subcontractors handle SPRS score requests?
Tie every SPRS score request back to the contract clause, the CUI scope, the system boundary, the CAGE, and the assessment date. A SPRS score is a government-facing cybersecurity assertion—so treat a request for it, especially a screenshot, with the same care you’d give any compliance attestation.
What a prime can reasonably ask a sub for: confirmation of a current score, the assessment date, the scope, the relevant CAGE, and—increasingly under CMMC—your status. What a subcontractor should verify before responding: which clause is driving the request, whether CUI actually flows to your system, where your boundary sits, and whether they’re asking for a NIST score or a CMMC status.
On screenshots: primes ask for them constantly, and they can create disclosure and interpretation risk. Provide only what’s necessary, through an approved channel, and avoid exposing control-level detail you don’t need to share. Under DFARS 252.204-7021, CMMC requirements flow down to subcontractors that will process, store, or transmit FCI or CUI, and the prime stays responsible for subcontractor compliance even without seeing the sub’s SPRS records directly.
When should you get outside help before submitting or updating your score?
Get help before you post if you don’t have an SSP, can’t define your scope, don’t know where your CUI lives, have a score that conflicts with your evidence, are juggling multiple CAGEs or enclaves, or face a near-term award deadline. The right kind of help depends on the problem—and readiness is a different discipline from formal assessment.
| If this is your problem… | The provider category that fits | What to verify before you hire |
|---|---|---|
| No SSP; unclear scope; very low score; scattered evidence | Readiness / remediation (RPO, CMMC-focused MSP/MSSP, vCISO) | Track record with your level and environment; who writes the SSP |
| CUI is everywhere; GCC High / cloud decisions unresolved | Secure enclave / managed cloud | Whether the enclave actually narrows your CUI boundary |
| Controls exist, but evidence and POA&M tracking are chaotic | GRC / compliance software (a supporting layer) | That it complements—not replaces—implementation |
| Implementation is done; you need formal Level 2 certification | C3PAO (third-party assessment) | Current authorization in the Cyber AB Marketplace; independence from your remediation |
| You already posted a score you’re no longer sure about | Gap assessment + possibly counsel | Independence from whoever produced the original number |
Two cautions worth stating plainly. First, software alone does not make you compliant—no tool satisfies CMMC by itself. Second, on independence: under the Cyber AB’s CMMC Assessment Process, a C3PAO must manage conflicts of interest and cannot offer remediation advice to an organization it assesses. Use a Registered Practitioner Organization (RPO) or RP for readiness, and a separate C3PAO for the assessment.
The honest disqualifier: if you can’t define your scope or support your score yet, you don’t need a C3PAO—you need readiness. Sending a remediation problem to an assessor wastes everyone’s time and money.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. No guesswork, no pressure—a clear next step toward the right category for your situation.
Get matched →What we actually verified for this SPRS score guide
We don’t ask you to take our word for it. Here’s what we checked, against which primary source, and when—so you can re-verify any claim yourself.
| Source we read | What it confirms | Last verified | Refresh trigger |
|---|---|---|---|
| 32 CFR 170.24 | The 5/3/1 scoring, the two partial-credit controls, the SSP gate, the negative-score rule | eCFR amendment | |
| 32 CFR 170.21 | The 88-point threshold, the six non-deferrable controls, the 180-day closeout | eCFR amendment | |
| 32 CFR 170.3 | The four-phase rollout and Phase 1 / Phase 2 timing | eCFR amendment | |
| DFARS 252.204-7019 & -7020 | The current-assessment requirement, 3-year window, Basic/Medium/High, email path | DFARS update | |
| DFARS 252.204-7021& -7025 | CMMC status, UID, affirmation, and award-eligibility rules | CMMC implementation update | |
| Official SPRS NIST guidance + Quick Entry Guide | The PIEE access path, role required, entry fields, and that SPRS stores (not calculates) results | New SPRS guide / UI change | |
| NIST CSRC SP 800-171 Rev. 2 | Rev. 2 status vs. CMMC’s continued use of Rev. 2 | NIST or DoD rule change | |
| DOJ MORSECORP settlement (March 26, 2025) | The enforcement example and the cost of an inflated score | New DOJ case | |
| Cyber AB CMMC Assessment Process | The C3PAO conflict-of-interest and no-remediation-advice rules | New CAP version |
SPRS score guide: frequently asked questions
What is the highest SPRS score?
110. A score of 110 means all 110 NIST SP 800-171 Revision 2 requirements are fully implemented for the assessed scope.
What is the lowest SPRS score?
−203. The scoring methodology lets the score go negative, and the DOJ described the possible range as −203 to 110 in the MORSECORP matter.
What is a good SPRS score?
A higher score means fewer unimplemented requirements, but there is no single public “passing” SPRS score for every contract. Under the legacy DFARS 7019/7020 rule the score just needs to be current and accurate; under CMMC Level 2, you need 110 for a Final status or at least 88 for a Conditional one. The right score is current, accurate, supportable, and acceptable for your specific solicitation or CMMC level.
Can my SPRS score be negative?
Yes. A first honest self-assessment often comes in low — sometimes well into the negatives — because unmet 5-point controls add up fast. That's normal and fixable.
Does a score of 110 mean we're CMMC certified?
No. A 110 means your NIST 800-171 calculation has no deductions for that scope. It does not by itself create a CMMC status, a CMMC UID, or a C3PAO certification.
Do we upload all 110 control answers into SPRS?
No. SPRS stores summary information — the date, score, scope, CAGEs, SSP details, and POA&M completion date. You do the full 110-control assessment offline.
Do we need an SSP before submitting?
Yes, practically. The official SPRS Quick Entry Guide says the methodology and SSP should be completed first, and 32 CFR 170.24 states that without a current SSP the assessment can't be completed.
Can we edit our SPRS score after submission?
Yes. The official guidance allows you to update Basic Assessments as needed — and you should, after real remediation or a scope change.
Which NIST version should we use — Rev. 2 or Rev. 3?
Rev. 2, for CMMC and SPRS scoring, until DoD amends the rule. NIST has superseded Rev. 2 with Rev. 3, but the CMMC program still incorporates Rev. 2.
Who can see our SPRS score, and should I send a screenshot to a prime?
DoD personnel can view posted summary scores, and your own authorized representatives can view your scores in SPRS. A prime generally can't pull your score directly, which is why they ask you for it. Share only what the request and your contract require, through an approved channel — a confirmation of your current score, date, and scope is usually enough, without exposing control-level detail.
Is a SPRS score the same as the annual CMMC affirmation?
No. The annual affirmation is part of the CMMC status framework and is a separate act by a senior Affirming Official. Having a NIST score posted does not satisfy the affirmation requirement.
What if our CAGE hierarchy is wrong?
Fix it in SAM.gov first — SPRS imports the hierarchy from SAM, and updates usually appear within about 48 hours. A wrong hierarchy is also a frequent cause of missing assessment screens or access errors in SPRS.
All guides in this topic: SPRS scores & reporting
- How to Improve SPRS Score: Control-by-Control 2026 Plan
- How to Verify a Company's CMMC Status in SPRS (2026)
- How to Prove CMMC Compliance to a Prime (What to Send)
- False SPRS Score Risk: FCA, Criminal & Whistleblower
- DFARS 252.204-7019 and 7020 Explained (2026): SPRS & CMMC
- Penalty for Inaccurate SPRS Score: FCA Risk & Fix Steps
- Prime Asking for SPRS Score / SSP From Subcontractor? (2026)