The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

SPRS Score Guide: How to Calculate and Submit Your NIST 800-171 Score

The Defense Compliance Report Editorial TeamIndependent CMMC and DIB compliance research
Published: Last reviewed:
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This is educational reporting, not legal or compliance advice, and we are not affiliated with the Department of Defense, the Cyber AB, or any U.S. government agency.

Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.

This SPRS score guide gives you the bottom line first: your SPRS score starts at 110, and you subtract 5, 3, or 1 point for every NIST SP 800-171 requirement you have not fully implemented—no partial credit, except two specific controls—until you reach your final number, which can fall as low as −203. A score of 110 means all 110 requirements are met. You calculate the number yourself, outside the system, then post the summary inside the Supplier Performance Risk System (SPRS).

Here’s the part almost nobody explains, and the part quietly costing companies awards right now: there are two different scoresthat can live in your SPRS record—the legacy NIST 800-171 DoD Assessment score, and the newer CMMC Level 2 score that arrives bundled with a status, a unique ID, and an annual affirmation. Confusing them can knock you out of a contract, and overstating your score has already triggered a federal fraud settlement.

The fast answer

Your questionThe short answerWhat to do next
Does SPRS calculate the score for me?No. SPRS stores the result. You run the assessment first.Finish your assessment and SSP, then enter the summary.
Where does the number start?At 110. You subtract for each requirement not met.Use the scoring worksheet before you post.
Can it go negative?Yes. The published range is −203 to 110.Don’t hide a low score—document gaps in a POA&M.
Is this the same as CMMC certification?No. A NIST score and a CMMC status are different records.Check whether your contract needs a score, a status, or both.
How long is it good for?Generally three years, unless the solicitation says less.Re-score after real remediation or any scope change.

What is a SPRS score?

A SPRS score is the summary result of a NIST SP 800-171 assessment, stored in the Supplier Performance Risk System (SPRS)—the Department of Defense database contracting officers use to gauge supplier risk. It runs from −203 to 110 and reflects how completely a contractor has implemented the 110 security requirements in NIST SP 800-171 Revision 2, the federal standard for protecting Controlled Unclassified Information. It is a self-generated score unless DoD assessors produce it.

Let’s define the moving parts once, then use them freely.

According to the official SPRS guidance, the NIST module stores a specific, finite set of fields: your assessment date, your score, your scope, your plan-of-action completion date, the CAGE code(s) covered, your SSP name, SSP version, SSP date, and a confidence level. SPRS is a filing cabinet for results—it does not run the assessment, and the same guidance is explicit that the Basic Assessment cannot be performed inside SPRS.

A SPRS score is not a certificate, not a guarantee, and not something the system works out on your behalf.

Do you even need a SPRS score?

You generally need a current NIST 800-171 score in SPRS when your offer or contract requires you to implement NIST SP 800-171—which happens when DFARS 252.204-7012 (the Safeguarding clause) applies because you will handle CUI. If you only handle FCI and never touch CUI, this score isn’t your obligation; that world is governed by lighter requirements, and you may need only a CMMC Level 1 self-assessment.

Everyone else—primes bidding on CUI work, and subcontractors receiving CUI flow-down—should keep reading.


How is the SPRS score calculated?

You calculate a SPRS score by starting at 110 and subtracting the assigned point value for every NIST SP 800-171 Revision 2 requirement you have not fully implemented. Each requirement is weighted at 5, 3, or 1 point based on its security impact, there is no partial credit except for two specific controls, and unmet requirements can push the score below zero—to a floor of −203.

The formula is genuinely this simple:

SPRS score = 110 − (the point values of every requirement you haven’t fully met)

The weighting is where it gets real. We pulled the exact distribution from 32 CFR 170.24, the controlling CMMC scoring methodology. Of the 110 requirements:

The two partial-credit controls (memorize these)

These are common gaps and the rule spells out the math precisely:

ControlDeducts 5 points if…Deducts 3 points if…
IA.L2-3.5.3 — Multi-factor authenticationMFA isn’t implemented for any usersMFA covers remote and privileged users, but not general users
SC.L2-3.13.11 — FIPS-validated encryptionEncryption isn’t employedEncryption is employed but is not FIPS-validated

Everywhere else, it’s binary. A control is Met or Not Met—there is no “70% of the way there” credit. One useful nuance: an objective marked N/A is treated the same as Met (no deduction). Honest scoping matters as much as honest implementation.

A worked example (how fast the number falls)

Start at 110. Now apply a set of common, real-world gaps:

That’s a company that “felt compliant” sitting in the low 60s—already well under the score CMMC Level 2 needs. A first honest self-assessment often comes in low—sometimes deep in the negatives—and that is not a reason to inflate it. The goal is an accurate, supportable number with a credible plan to improve it.

The SSP gate (the one that stops the assessment cold)

The System Security Plan (CA.L2-3.12.4) is not a small deduction—it’s a prerequisite. Section 170.24 states that without a current SSP, the assessment “could not be completed due to incomplete information and noncompliance with 48 CFR 252.204-7012.” Start there.

Run your number before you write it down.

The SPRS NIST SP 800-171 Quick Entry Guide (official DoD) walks every field you’ll need and the source document each one comes from—so you walk in prepared.


Which NIST 800-171 requirements move your score the most?

The biggest score swings come from the 42 requirements weighted at 5 points each—concentrated in Access Control, Configuration Management, System and Communications Protection, and System and Information Integrity. Missing a few of these does more damage than missing dozens of 1-point items, which is why remediation should sequence the heaviest-weighted controls first.

This maps every 5-point and 3-point requirement to its control family, built from 32 CFR 170.24. The remaining requirements in each family each deduct 1 point; the SSP requirement (CA.L2-3.12.4) acts as a gate with no point value.

Control family5-pt req.3-pt req.What the heavy controls protect
Access Control (3.1)72Limiting access to authorized users; securing remote, wireless, and external connections
Configuration Management (3.4)60Baseline configurations, change control, least functionality, controlling software and ports
System & Communications Protection (3.13)51Boundary protection, separating public-facing systems, controlling traffic at boundaries (plus FIPS encryption, 3.13.11, scored 5/3)
System & Information Integrity (3.14)52Flaw remediation, malicious-code protection, monitoring and alerts
Identification & Authentication (3.5)30Identifying and authenticating users and devices (plus MFA, 3.5.3, scored 5/3)
Audit & Accountability (3.3)21Creating, retaining, and reviewing audit logs
Awareness & Training (3.2)20Security awareness and role-based training
Incident Response (3.6)20An incident-handling capability; tracking and reporting
Maintenance (3.7)22Controlled maintenance; multifactor for nonlocal maintenance
Media Protection (3.8)23Sanitizing media; controlling removable media
Physical Protection (3.10)20Limiting and protecting physical access to systems
Security Assessment (3.12)21Periodically assessing controls; ongoing monitoring (SSP, 3.12.4, is the gate)
Personnel Security (3.9)11Screening; protecting CUI during personnel actions
Risk Assessment (3.11)11Scanning for and remediating vulnerabilities

Use this as a prioritizationtool, not a permission slip to ignore the rest. A 1-point control can still be mission-critical and assessment-critical—in fact, the six controls you can never defer (coming up) are all low-point items. But if you’re triaging the next 30 days, Access Control and Configuration Management are where a dollar of effort buys back the most score.

The uncomfortable corollary: “we’re close” is often a mirage. Four missing 5-point controls (−20) sink a score faster than twenty minor documentation gaps. Look at the weightof what’s open, not the count.


Are the SPRS score and the CMMC Level 2 score the same thing?

No—and this is the distinction that trips up almost everyone. They use the same 110-point, 5/3/1 math, but they are two different records under two different rules. The legacy “Basic Assessment” score has been required under DFARS 252.204-7019 and -7020 since November 30, 2020. The CMMC Level 2 self-assessment score is scored under 32 CFR 170.24, became enforceable under the DFARS rule effective November 10, 2025, and comes bundled with a CMMC status, a CMMC unique ID, and a mandatory affirmation.

We built this side-by-side because no single official page lays it out, and the blur is where companies post the wrong thing.

Legacy: NIST 800-171 “Basic Assessment” scoreCMMC Level 2 self-assessment record
Governing authorityDFARS 252.204-7019 and -7020; DoD Assessment Methodology v1.2.132 CFR Part 170 (§170.16, .21, .22, .24); DFARS 252.204-7021 and -7025
In effect sinceNovember 30, 2020November 10, 2025 (DFARS rule); CMMC program rule December 16, 2024
The mathStart at 110, subtract 1/3/5 per unmet requirementThe same math, codified in 32 CFR 170.24
Assessed againstNIST SP 800-171 Rev. 2NIST SP 800-171 Rev. 2, using the NIST SP 800-171A (June 2018) objectives
“Passing”?No pass/fail. You need a current, accurate score (no more than 3 years old).110 = Final Level 2 (Self). ≥ 88 with an eligible POA&M = Conditional.
AffirmationNot a separate annual affirmation under this mechanicRequired—an Affirming Official affirms after each assessment, after POA&M closeout, and annually (§170.22). See our CMMC annual affirmation guide.
Identifier createdA DoD UID (10 characters; first two letters denote confidence level)A CMMC UID (10 alphanumeric characters per assessment, per system)
Cost of getting it wrongFalse Claims Act exposureFalse Claims Act exposure plus loss of CMMC status and award eligibility under DFARS 252.204-7025

The plain-English decision rule:

Watch the identifiers especially: the DoD UID that SPRS generates when you post a legacy Basic Assessment is not the CMMC UID issued for a CMMC assessment. Same length, different animal. If you take one thing from this guide, take that.


What counts as a “passing” SPRS score?

Under the legacy DFARS 252.204-7019/-7020 regime, there is no minimum passing score—you simply need a current, accurate score posted, no more than three years old. Under CMMC Level 2, a 110 is a full “Final” pass; a score of at least 88 (80%) can earn a “Conditional” status if every remaining gap is POA&M-eligible—and six specific controls can never be deferred.

Legacy Basic Assessment

There’s no threshold. A 70, a 40, even a negative number can satisfy DFARS 252.204-7019 as long as it’s current, honest, and you have a Plan of Action and Milestones (POA&M) with an expected date to reach 110. The clause cares that a real, current score is posted—not that it’s high.

CMMC Level 2 thresholds

CMMC Level 2 is stricter, and the rules are precise and public (32 CFR 170.21 and 170.24):

One clarification that prevents a real misunderstanding: a Level 2 self-assessment does not produce a C3PAO certificate. It produces a self-assessment CMMC status in SPRS. Third-party certification is a separate path, conducted by an accredited assessor. See our CMMC self-assessment vs. C3PAO guide for how the two paths compare.

The six controls you can never put on a POA&M

These requirements must be fully Metat assessment time—they cannot be deferred for a Conditional status, no exceptions. Transcribed straight from 32 CFR 170.21(a)(2)(iii):

ControlRequirementPointsWhy it can’t wait
AC.L2-3.1.20External Connections (CUI Data)1Controlling external system connections keeps CUI inside your boundary
AC.L2-3.1.22Control Public Information (CUI Data)1Stops CUI from landing on publicly accessible systems
CA.L2-3.12.4System Security PlanGate (no point value)Without a current SSP, the assessment can’t be completed at all
PE.L2-3.10.3Escort Visitors (CUI Data)1Physical-access control over visitors in CUI areas
PE.L2-3.10.4Physical Access Logs (CUI Data)1Maintaining audit logs of physical access
PE.L2-3.10.5Manage Physical Access (CUI Data)1Managing physical access devices and controls

Note the trap: five of these are worth only 1 point, so it’s tempting to leave them open and assume you can defer them. You can’t. Any unmet 3- or 5-point control (other than the encryption exception), or any of these six, means there is no Conditional path. It has to be fixed before you assess.

Not at 88 yet—or staring at hard 5-point gaps?

That’s a readiness problem, not a paperwork problem. See what a CMMC Level 2 readiness program actually involves and compare provider categories before you commit. Readiness and formal assessment are separate disciplines.

Disclosure: The Defense Compliance Report may earn a referral fee for qualified introductions. This does not control our analysis.


What do you need before you calculate or submit the score?

Before you post anything, you should have a System Security Plan, a defined assessment scope, the correct CAGE code(s), your assessment date, the scoring worksheet that supports your number, and a POA&M with an expected completion date if gaps remain. SPRS is where the summary result goes—not where you invent it.

The official SPRS Quick Entry Guide is clear that you complete the assessment methodology and the SSP before entering summary results.

What SPRS will ask forWhere it should come fromThe common mistake
Assessment scoreYour scoring worksheet / assessment recordGuessing, or copying last cycle’s number
Assessment dateThe date you completed the assessmentEntering the submission date instead
Scope (Enterprise / Enclave / Contract)Your SSP and system boundarySelecting “Enterprise” when you only assessed an enclave
CAGE code(s)Your SAM.gov / CAGE hierarchyMissing subsidiaries, or the wrong CAGE
SSP name / version / dateYour current SSPNo SSP, or an SSP dated after the assessment
POA&M completion dateYour POA&MAn unrealistic “date to 110”

A note on scope, because it quietly changes everything: Enterprisecovers your company’s network across the listed CAGEs; Enclave is a carved-out, standalone environment; Contractis scoped to a specific SSP for specific work. Score the boundary you actually assessed—not the one you wish you’d assessed. Our CMMC scoping guide covers how to define that boundary correctly.

On evidence: a Basic Assessment doesn’t require you to upload all your proof into SPRS. But the score must be supportableby your SSP, your implementation, and your POA&M. “Supportable” is the word that keeps you out of trouble.


How do you submit your NIST 800-171 score in SPRS?

You submit through PIEE—the Procurement Integrated Enterprise Environment at piee.eb.mil. Obtain the “SPRS Cyber Vendor User” role, open the NIST SP 800-171 Assessments module, select your CAGE hierarchy, and add a new assessment with your score, scope, SSP details, and—if you’re under 110—your expected completion date. SPRS stores the summary you enter; it does not perform the assessment.

Access is the most common place people get stuck, so we’ve front-loaded it.

  1. Confirm your CAGE in SAM.gov.

    SPRS imports your company/CAGE hierarchy from SAM. If it's wrong, fix it in SAM first — updates typically flow to SPRS within about 48 hours.

  2. Register or log in at PIEE and request the "SPRS Cyber Vendor User" role.

    Request the role for the SPRS application at piee.eb.mil. Your company’s account administrator approves it. If you’re stuck, call the PIEE Help Desk at 866-618-5988, tell them you’re a defense contractor who needs to enter a NIST score, and they’ll activate you.

  3. Open SPRS, then Cyber Reports, and select the NIST SP 800-171 Assessments tab.

    If the table is blank or there’s no “Add” button, that’s almost always a role/permission issue — go back to step 2.

  4. Create your header / select the CAGE.

    Set the standard to NIST SP 800-171 Rev. 2 and the confidence level to Basic — the only level vendors can self-enter. Medium and High are produced by DoD assessors.

  5. Click "Add New Assessment" and enter the summary data.

    Enter the assessment date, score, scope, SSP name/version/date, and — if under 110 — the planned completion date. You enter summary results here, not all 110 control answers.

  6. Save.

    SPRS assigns a DoD Unique Identifier (UID) — a 10-character code whose first two letters denote the confidence level. Don’t confuse this with a CMMC UID; different processes, different identifiers.

The most important sentence in this section: SPRS does not calculate your score, run the methodology, or build your SSP for you. Do the work offline, then file the result. For help verifying your company’s current SPRS status, see our step-by-step verification guide.


Can you email a Basic Assessment instead of entering it in SPRS?

Yes—DFARS 252.204-7020 still describes a path for submitting Basic Assessment summary information by encrypted email. But the official SPRS guidance walks you through direct PIEE/SPRS entry, and direct entry is cleaner because it creates the visible record DoD actually checks. Prefer direct entry when you have proper access.

DFARS 252.204-7020 lays out the encrypted-email option, and the fields it requires map cleanly onto the SPRS entry screen:

What the DFARS 7020 email requiresThe matching SPRS entry fieldSource document
NIST SP 800-171 version assessedAssessment standard (Rev. 2)Your assessment record
Organization conducting the assessmentConfidence level (Basic = self)Your assessment record
CAGE code(s) for the system(s)Included CAGE(s)SAM.gov hierarchy
Brief SSP architecture descriptionSSP name / version / dateYour SSP
Summary scoreScoreYour scoring worksheet
Date a score of 110 is expectedPlan of action completion dateYour POA&M

When to use the email path: rarely. It makes sense only in edge cases—you can’t get access in time, your CAGE situation is tangled, or a contracting officer instructs you otherwise. If your company will do this more than once, fix the role and CAGE problem permanently.


How long is a SPRS score current, and when should you update it?

DFARS 252.204-7019 treats an assessment as current if it is not more than three years old, unless a solicitation specifies a shorter window. Re-score sooner if remediation has materially changed your implementation, your scope has changed, your CAGE relationships have changed, or you discover the posted score is wrong.

Three things worth internalizing:


SPRS score vs. CMMC status, CMMC UID, and annual affirmation

A NIST 800-171 SPRS score is an assessment-score record. CMMC status, the CMMC UID, and the annual affirmation are separate CMMC records under DFARS 252.204-7021 and the solicitation provision DFARS 252.204-7025. Depending on the clause, level, and timing, you may need both a NIST assessment score and a current CMMC status with affirmation.

RecordTied toWhere it livesThe common mistake
NIST 800-171 SPRS scoreDFARS 7019/7020 assessmentSPRS NIST assessment recordTreating it as a certification
CMMC statusDFARS 7021/7025, 32 CFR 170SPRSAssuming a 110 score equals CMMC certified
CMMC UIDA CMMC assessment, per systemSPRSConfusing it with the DoD UID
Annual affirmationCMMC status maintenanceSPRSThinking the score alone is enough

Why this matters right now: CMMC became real for contracting officers on November 10, 2025, and per 32 CFR 170.3(e) the requirements roll out in four phases. Phase 1 runs November 10, 2025 through November 9, 2026; Phase 2 begins November 10, 2026, when third-party (C3PAO) Level 2 assessments become standard for a wider set of contracts. During this window, the difference between “I posted a NIST score” and “I have a current CMMC status and affirmation” is the difference between eligible and ineligible. Don’t update the wrong record under deadline pressure.

Not sure whether your contract needs a NIST score, a CMMC status, or both?

Tell us the clause you’re seeing, your CUI scope, your CAGE structure, and your deadline, and we’ll help you identify the right next step before you update the wrong record.

Provider matching is a free service for readers. Where DCR may receive compensation from a partner, that compensation does not influence our editorial analysis. See our Editorial & Advertising Policy.

Get matched with source-checked provider options →

What are Basic, Medium, and High NIST 800-171 assessments?

A Basic Assessment is your own self-assessment, based on your SSP, carrying a “Low” confidence level—it’s the one you enter in SPRS. Medium and High assessments are conducted by the government, with High involving on-site or virtual verification, examination, and demonstration of your controls. You post Basic; DoD posts Medium and High.

DFARS 252.204-7020 defines all three:

AssessmentWho performs itConfidence levelWho posts it
BasicThe contractor (self-assessment from the SSP)LowThe contractor
MediumThe governmentMediumDoD
HighThe government (often DIBCAC)HighDoD

The practical takeaway: when you self-score and submit, you’re producing a Basic assessment with Lowconfidence. That’s expected and fine. But the burden of accuracy is entirely on you—there’s no third party validating it before it goes in.


Which version applies—NIST SP 800-171 Rev. 2 or Rev. 3?

For CMMC and SPRS scoring today, use Revision 2—not Revision 3—even though NIST has marked Rev. 2 as withdrawn. NIST superseded Rev. 2 with Rev. 3 on its own site, but the CMMC program rule (32 CFR Part 170) currently incorporates Rev. 2, and DoD has signaled it will address any future NIST version through rulemaking. Don’t switch standards on your own initiative.

This is a live contradiction, and it’s a fair reason to be confused. On the NIST Computer Security Resource Center, SP 800-171 Rev. 2 now displays as withdrawn and superseded by Rev. 3. But the controlling CMMC text still points to Rev. 2, and the DoD Assessment Methodology and SPRS scoring were built for Rev. 2.

What to do: assess and score against Rev. 2until DoD amends the rule. What to watch: the NIST CSRC pages, the eCFR (32 CFR Part 170 and the DFARS clauses), and the Federal Register. When the controlling rule changes, the standard changes—not before. We re-verify this every quarter.


What if your SPRS score is low—or you already posted one that’s wrong?

A low score is not automatically a disaster; it’s a signal that gaps remain and need a documented POA&M. The dangerous move is inflating the score. Because a Basic Assessment is self-attested with no third-party check, the Department of Justice has used the False Claims Act to pursue contractors over false cybersecurity representations—including an inflated SPRS score.

Here’s the one hard truth, stated straight: a Basic Assessment has no referee.Nobody validates your number before it lands in SPRS. That feels like a loophole. It’s actually the trap—because the absence of a gatekeeper is exactly what makes a false score legally dangerous, and what makes an honest one your best protection.

That’s not theoretical. In March 2025, defense contractor MORSECORP agreed to pay $4.6 million to resolve False Claims Act allegations. According to the DOJ, MORSE had posted a SPRS score of 104—near the maximum—while its actual score, once a third party did the work, was −142. The company didn’t correct the posted score until after it received a subpoena. The case was brought by a whistleblower—the company’s own head of security—and sits within the DOJ’s Civil Cyber-Fraud Initiative, which has also produced settlements with Penn State for $1.25 million and Health Net/Centene for over $11 million.

The lesson isn’t “be afraid.” It’s the opposite: a low but defensible score is safer than a high but unsupported one. A modest, honest number with a credible POA&M creates business friction you can manage. An inflated number creates exposure you can’t.

So, practically:

If your posted score might not hold up, don’t treat it as a quick edit.

Tell us what changed—your score, SSP, scope, CAGE, or deadline—and we’ll help you figure out whether you need a gap assessment, remediation support, or counsel-led review before you touch a government-facing record.

This is the call worth making before, not after. Provider matching is a free service for readers; compensation does not control our analysis.

Get matched →

How should primes and subcontractors handle SPRS score requests?

Tie every SPRS score request back to the contract clause, the CUI scope, the system boundary, the CAGE, and the assessment date. A SPRS score is a government-facing cybersecurity assertion—so treat a request for it, especially a screenshot, with the same care you’d give any compliance attestation.

What a prime can reasonably ask a sub for: confirmation of a current score, the assessment date, the scope, the relevant CAGE, and—increasingly under CMMC—your status. What a subcontractor should verify before responding: which clause is driving the request, whether CUI actually flows to your system, where your boundary sits, and whether they’re asking for a NIST score or a CMMC status.

On screenshots: primes ask for them constantly, and they can create disclosure and interpretation risk. Provide only what’s necessary, through an approved channel, and avoid exposing control-level detail you don’t need to share. Under DFARS 252.204-7021, CMMC requirements flow down to subcontractors that will process, store, or transmit FCI or CUI, and the prime stays responsible for subcontractor compliance even without seeing the sub’s SPRS records directly.


When should you get outside help before submitting or updating your score?

Get help before you post if you don’t have an SSP, can’t define your scope, don’t know where your CUI lives, have a score that conflicts with your evidence, are juggling multiple CAGEs or enclaves, or face a near-term award deadline. The right kind of help depends on the problem—and readiness is a different discipline from formal assessment.

If this is your problem…The provider category that fitsWhat to verify before you hire
No SSP; unclear scope; very low score; scattered evidenceReadiness / remediation (RPO, CMMC-focused MSP/MSSP, vCISO)Track record with your level and environment; who writes the SSP
CUI is everywhere; GCC High / cloud decisions unresolvedSecure enclave / managed cloudWhether the enclave actually narrows your CUI boundary
Controls exist, but evidence and POA&M tracking are chaoticGRC / compliance software (a supporting layer)That it complements—not replaces—implementation
Implementation is done; you need formal Level 2 certificationC3PAO (third-party assessment)Current authorization in the Cyber AB Marketplace; independence from your remediation
You already posted a score you’re no longer sure aboutGap assessment + possibly counselIndependence from whoever produced the original number

Two cautions worth stating plainly. First, software alone does not make you compliant—no tool satisfies CMMC by itself. Second, on independence: under the Cyber AB’s CMMC Assessment Process, a C3PAO must manage conflicts of interest and cannot offer remediation advice to an organization it assesses. Use a Registered Practitioner Organization (RPO) or RP for readiness, and a separate C3PAO for the assessment.

The honest disqualifier: if you can’t define your scope or support your score yet, you don’t need a C3PAO—you need readiness. Sending a remediation problem to an assessor wastes everyone’s time and money.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. No guesswork, no pressure—a clear next step toward the right category for your situation.

Disclosure: The Defense Compliance Report may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Get matched →

What we actually verified for this SPRS score guide

We don’t ask you to take our word for it. Here’s what we checked, against which primary source, and when—so you can re-verify any claim yourself.

Source we readWhat it confirmsLast verifiedRefresh trigger
32 CFR 170.24The 5/3/1 scoring, the two partial-credit controls, the SSP gate, the negative-score ruleeCFR amendment
32 CFR 170.21The 88-point threshold, the six non-deferrable controls, the 180-day closeouteCFR amendment
32 CFR 170.3The four-phase rollout and Phase 1 / Phase 2 timingeCFR amendment
DFARS 252.204-7019 & -7020The current-assessment requirement, 3-year window, Basic/Medium/High, email pathDFARS update
DFARS 252.204-7021& -7025CMMC status, UID, affirmation, and award-eligibility rulesCMMC implementation update
Official SPRS NIST guidance + Quick Entry GuideThe PIEE access path, role required, entry fields, and that SPRS stores (not calculates) resultsNew SPRS guide / UI change
NIST CSRC SP 800-171 Rev. 2Rev. 2 status vs. CMMC’s continued use of Rev. 2NIST or DoD rule change
DOJ MORSECORP settlement (March 26, 2025)The enforcement example and the cost of an inflated scoreNew DOJ case
Cyber AB CMMC Assessment ProcessThe C3PAO conflict-of-interest and no-remediation-advice rulesNew CAP version

This guide is general regulatory information from The Defense Compliance Report, an independent trade publication on CMMC 2.0 and DIB compliance. It is not legal, contractual, or compliance advice, and it is not a guarantee of award, certification, or assessment outcome. For potential false-certification exposure or contract interpretation, consult qualified counsel.


SPRS score guide: frequently asked questions

What is the highest SPRS score?

110. A score of 110 means all 110 NIST SP 800-171 Revision 2 requirements are fully implemented for the assessed scope.

What is the lowest SPRS score?

−203. The scoring methodology lets the score go negative, and the DOJ described the possible range as −203 to 110 in the MORSECORP matter.

What is a good SPRS score?

A higher score means fewer unimplemented requirements, but there is no single public “passing” SPRS score for every contract. Under the legacy DFARS 7019/7020 rule the score just needs to be current and accurate; under CMMC Level 2, you need 110 for a Final status or at least 88 for a Conditional one. The right score is current, accurate, supportable, and acceptable for your specific solicitation or CMMC level.

Can my SPRS score be negative?

Yes. A first honest self-assessment often comes in low — sometimes well into the negatives — because unmet 5-point controls add up fast. That's normal and fixable.

Does a score of 110 mean we're CMMC certified?

No. A 110 means your NIST 800-171 calculation has no deductions for that scope. It does not by itself create a CMMC status, a CMMC UID, or a C3PAO certification.

Do we upload all 110 control answers into SPRS?

No. SPRS stores summary information — the date, score, scope, CAGEs, SSP details, and POA&M completion date. You do the full 110-control assessment offline.

Do we need an SSP before submitting?

Yes, practically. The official SPRS Quick Entry Guide says the methodology and SSP should be completed first, and 32 CFR 170.24 states that without a current SSP the assessment can't be completed.

Can we edit our SPRS score after submission?

Yes. The official guidance allows you to update Basic Assessments as needed — and you should, after real remediation or a scope change.

Which NIST version should we use — Rev. 2 or Rev. 3?

Rev. 2, for CMMC and SPRS scoring, until DoD amends the rule. NIST has superseded Rev. 2 with Rev. 3, but the CMMC program still incorporates Rev. 2.

Who can see our SPRS score, and should I send a screenshot to a prime?

DoD personnel can view posted summary scores, and your own authorized representatives can view your scores in SPRS. A prime generally can't pull your score directly, which is why they ask you for it. Share only what the request and your contract require, through an approved channel — a confirmation of your current score, date, and scope is usually enough, without exposing control-level detail.

Is a SPRS score the same as the annual CMMC affirmation?

No. The annual affirmation is part of the CMMC status framework and is a separate act by a senior Affirming Official. Having a NIST score posted does not satisfy the affirmation requirement.

What if our CAGE hierarchy is wrong?

Fix it in SAM.gov first — SPRS imports the hierarchy from SAM, and updates usually appear within about 48 hours. A wrong hierarchy is also a frequent cause of missing assessment screens or access errors in SPRS.


Provider-matching forms on this site may generate referral or lead-routing compensation. This page does not currently contain named provider rankings, endorsements, or "best provider" awards. If named provider reviews are published later, sponsored, affiliate, partner, or referral relationships will be labeled on the relevant provider card or review. See our Methodology and Editorial & Advertising Policy for details.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

All guides in this topic: SPRS scores & reporting