5 Self-Assessment Errors That Result in Inflated SPRS Scores and Contract Risk

Why Your SPRS Score May Be Lying to You

The Supplier Performance Risk System score is one of the most consequential numbers a defense contractor maintains. Submitted under DFARS 252.204-7019 and -7020, your SPRS score signals to the Department of Defense exactly how seriously your organization takes the protection of Controlled Unclassified Information. A score of 110 means you fully satisfy all 110 security requirements in NIST SP 800-171. A negative score means you have documented deficiencies. The problem is that far too many scores sitting in SPRS today do not reflect reality.

In our work supporting federal defense contractors through assessments and compliance engagements, we encounter the same patterns repeatedly: organizations that genuinely believe they have met the standard but have made scoring errors that inflate their numbers. When the Defense Contract Management Agency or a cognizant federal official comes in for a medium or high confidence assessment, those inflated scores become a liability — legally, financially, and reputationally.

This post covers the five most common errors we see during a NIST 800-171 self-assessment that produce scores contractors cannot defend. If any of these sound familiar, treat them as a warning sign.

Error 1: Awarding Full Credit for Partially Implemented Controls

The NIST 800-171 DoD Assessment Methodology is explicit: a practice is either fully implemented, partially implemented, or not implemented. A control that is partially implemented receives no credit in your score calculation: its full point value is deducted, exactly as if it were not implemented. There is no partial credit. Yet in practice, we regularly review System Security Plans where organizations have awarded themselves full point value for controls that apply to only a subset of systems, only some user populations, or only certain locations.

A common example is multi-factor authentication under the Identification and Authentication family. A contractor may have MFA deployed for remote access but not for privileged local accounts. That is not full implementation. Another example involves configuration management — having a baseline configuration documented for workstations but not for servers or network devices. Under the assessment methodology, partial implementation is scored the same as no implementation: it contributes negatively to your total.

The fix is disciplined scoping. Every control must be evaluated against every asset within your defined system boundary. If any asset is out of compliance, the control is not fully met. Our SPRS scoring guide walks through the methodology in detail and is worth reviewing before your next self-assessment cycle.

Error 2: Conflating Policy Documentation With Operational Practice

Writing a policy is not the same as implementing a control. This distinction is foundational to NIST SP 800-171, and it is one of the most common sources of score inflation we encounter. Organizations produce well-written security policies, reference them in their System Security Plan, and then award themselves credit — without verifying that the documented practices are actually being followed in day-to-day operations.

Incident response is a classic example. You may have an incident response plan that satisfies the letter of NIST 800-171 requirement 3.6.1. But if your staff has never been trained on it, if no tabletop exercise has been conducted, and if the contact list in the plan includes personnel who left the organization two years ago, the control is not operationally implemented. An assessor will ask for evidence of execution, not just documentation of intent.

The same disconnect appears frequently in audit log reviews, access recertification cycles, and media sanitization. The System Security Plan and POA&M should reflect what is actually happening in your environment — not what you aspire to. If there is a gap between your written procedures and operational reality, that gap belongs in the Plan of Action and Milestones, not hidden inside an inflated score.

Error 3: Scoping the Assessment Too Narrowly

Scope manipulation — whether intentional or inadvertent — is one of the riskiest errors a contractor can make. The assessment boundary must include all systems, components, and personnel that process, store, or transmit CUI. When organizations draw that boundary too tightly, they exclude assets that legitimately fall within scope and end up with a score that only describes a portion of their actual environment.

We see this frequently with cloud services, shared drives, collaboration platforms, and third-party IT systems. If your team uses a cloud file sharing service to exchange technical drawings with a prime contractor, that service is in scope. If your IT managed service provider has access to systems that touch CUI, their environment may carry shared responsibility for specific controls. Excluding these assets from the assessment boundary does not make them out of scope — it just makes your score inaccurate.

Understanding what constitutes CUI and where it lives across your organization is a prerequisite for drawing an accurate assessment boundary. Organizations in defense manufacturing and other sectors with complex operational technology environments are especially prone to scoping errors that leave shop floor systems, PLCs, or engineering workstations outside the boundary when they clearly belong inside it.

Error 4: Misapplying the Scoring Methodology for Practice Values

NIST SP 800-171 has 110 security requirements spread across 14 families. The DoD Assessment Methodology assigns a specific negative point value to each unimplemented practice — and those values are not uniform. Some practices carry a value of minus one, others minus three, and others minus five. Misunderstanding this weighting leads to arithmetic errors that overstate a score.

A particularly frequent mistake is treating the assessment as a simple count of satisfied controls out of 110, rather than working backward from 110 using the correct deduction values for each unmet requirement. If an organization has not implemented a high-weighted practice — such as those related to incident response planning, system and communications protection, or audit and accountability — and scores it as a minus one instead of a minus five, that single error can add four points to a reported score. Multiply that across several miscategorized controls and the cumulative distortion becomes significant.
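The arithmetic above, as an added illustration that is not from the original post or from Cleared Systems: the script works backward from 110 using each unmet practice's weight and contrasts that with the inflated "count of satisfied controls" approach. Only the gaps are listed (everything else is assumed fully implemented), and the requirement IDs, weights and statuses in the sample are constructed for illustration; confirm every weight against the official DoD Assessment Methodology worksheet.

```python
"""Work-back SPRS scoring under the rules described in the post.

Only gaps are listed; any practice not listed is assumed fully implemented.
The sample gaps below are constructed for illustration, and each weight must
be confirmed against the official DoD Assessment Methodology worksheet.
"""
MAX_SCORE = 110
VALID_WEIGHTS = {1, 3, 5}
STATUSES = {"implemented", "partial", "not_implemented"}


def sprs_score(gaps):
    """Correct method: start at 110 and deduct each gap's full weight.

    A 'partial' gap loses the whole weight, exactly like 'not_implemented'.
    """
    score = MAX_SCORE
    for req_id, weight, status in gaps:
        if weight not in VALID_WEIGHTS:
            raise ValueError(f"{req_id}: weight must be 1, 3 or 5, got {weight}")
        if status not in STATUSES:
            raise ValueError(f"{req_id}: unknown status {status!r}")
        if status != "implemented":
            score -= weight
    return score


def inflated_score(gaps):
    """Errors 1 and 4 combined: partials are treated as satisfied and every
    unmet practice is counted as a single point out of 110."""
    unmet = sum(1 for _, _, status in gaps if status == "not_implemented")
    return MAX_SCORE - unmet


def inflation(gaps):
    """Points the two errors add to the reported score."""
    return inflated_score(gaps) - sprs_score(gaps)


# Constructed sample: four gaps of the kinds described in the post.
SAMPLE_GAPS = [
    ("3.5.3", 5, "partial"),           # MFA for remote access only (Error 1)
    ("3.4.1", 5, "partial"),           # baselines for workstations, not servers
    ("3.6.1", 5, "not_implemented"),   # IR plan never trained on or exercised (Error 2)
    ("3.13.8", 3, "not_implemented"),  # TLS policy on paper, ciphers never verified
]

if __name__ == "__main__":
    print("defensible score:", sprs_score(SAMPLE_GAPS))     # 92
    print("inflated score:  ", inflated_score(SAMPLE_GAPS))  # 108
    print("inflation:       ", inflation(SAMPLE_GAPS))       # 16
```

With four gaps the naive count reports 108 while the defensible score is 92, a 16-point gap an assessor would find on the first pass through the SSP.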

Before submitting to SPRS, every organization should independently verify their calculation using the official DoD Assessment Methodology worksheet. Our post on understanding the SPRS cybersecurity assessment provides additional context on how DoD uses these scores in source selection and contract award decisions.

Error 5: Conducting the Assessment Without Sufficient Technical Expertise

The NIST 800-171 self-assessment is not a checkbox exercise that can be completed by a compliance manager working from a spreadsheet alone. It requires genuine technical knowledge of the systems being assessed — network architecture, authentication mechanisms, audit logging capabilities, encryption implementations, and endpoint security controls. When assessments are performed by individuals who lack the technical depth to validate what they are documenting, the result is almost always an inflated score.

This is not a criticism of compliance professionals. It is an acknowledgment that an accurate assessment requires collaboration between compliance, IT, and often external advisors who can probe beneath the surface of what a policy document says. For example, assessing requirement 3.13.8 — which requires the implementation of cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission — requires someone who can verify cipher suite configurations, not just confirm that a TLS policy exists on paper.

Organizations that lack in-house technical depth should consider working with a qualified partner for at minimum a gap assessment before finalizing their self-assessment score. Our federal risk assessment services are specifically structured to support contractors in producing defensible, accurate assessments. For organizations that want ongoing support, our Regulatory vCISO services provide the sustained technical oversight that keeps scores accurate between assessment cycles.

The Legal Stakes Have Changed

It is worth being direct about why all of this matters beyond contract performance. The Department of Justice Civil Cyber-Fraud Initiative, launched in 2021, has made it explicitly clear that knowingly submitting false SPRS scores can trigger liability under the False Claims Act. Contractors who certify compliance while knowingly failing to meet NIST SP 800-171 requirements face the prospect of treble damages, contract termination, and debarment. "We didn't know our score was wrong" is a harder defense to sustain when the errors described above are visible in the documentation.

With CMMC 2.0 enforcement now in motion, the self-assessment is also the foundation for CMMC Level 2 preparation. An inflated SPRS score that has never been stress-tested will not survive a third-party C3PAO assessment. Contractors who invest in accuracy now avoid far more painful corrections later. Our CMMC, CUI, and DFARS compliance services are designed to close that gap systematically.

What an Accurate Self-Assessment Actually Requires

An accurate NIST 800-171 self-assessment requires four things: a precisely defined and defensible system boundary that includes all CUI-touching assets; honest evaluation of each practice against operational evidence rather than documentation alone; correct application of the DoD Assessment Methodology point deductions; and sufficient technical expertise to validate implementation claims at the system level.

Organizations that are uncertain about any of these elements should treat that uncertainty as a risk. A score that cannot be defended is not a compliance asset — it is a liability waiting to be discovered.

If you want to understand where your current score stands and whether it would hold up under scrutiny, request a quote for a structured assessment review. Our team at Cleared Systems works with defense contractors across the industrial base to produce scores that are accurate, documented, and defensible — before a federal auditor makes that determination for you.
