How DoD Contracting Officers Use Your Supplier Performance Risk System Score in Source Selection

Your SPRS Score Is Not Just a Number — It Is a Competitive Signal

If you are a defense contractor, your Supplier Performance Risk System score is visible to every DoD contracting officer evaluating your bid. Most contractors treat it as a compliance checkbox. The ones winning contracts understand it differently: as a real-time signal of cybersecurity posture that directly influences source selection decisions.

This post explains exactly how contracting officers use your SPRS score during the acquisition process, what scores are acceptable versus disqualifying, and what practical steps you can take to ensure your score reflects the program you have built — not the one you have been meaning to build.

What the Supplier Performance Risk System Score Actually Represents

The Supplier Performance Risk System score is a numerical value ranging from -203 to 110, derived from your self-assessment against the 110 security requirements in NIST SP 800-171 using the NIST SP 800-171 DoD Assessment Methodology. A score of 110 means every requirement is fully implemented. Each requirement that is not implemented subtracts a fixed weight of 5, 3, or 1 point from 110, depending on how much the methodology judges a gap in that requirement to expose CUI; partial implementation earns reduced credit for only a small number of requirements and otherwise counts as not implemented. A contractor with nothing implemented therefore lands at -203.

Contractors are required to have a current assessment (no more than three years old) posted in SPRS under DFARS clause 252.204-7019, with 252.204-7020 obligating them to provide the results and supporting access. The SPRS record itself holds the score, the assessment date, the scope (the name of the System Security Plan assessed), and the date by which you expect to have all requirements implemented, which is drawn from your Plan of Action and Milestones. The SSP and POA&M documents are not uploaded, but the record that summarizes them becomes part of your supplier history, accessible to DoD program offices and contracting officers before they ever read your technical proposal.

For a deeper breakdown of how scoring works and where contractors make calculation errors, read our post on calculating your SPRS score correctly.

How Contracting Officers Access and Interpret Your Score

Contracting officers access SPRS through the Procurement Integrated Enterprise Environment (PIEE). When evaluating offerors for contracts involving Controlled Unclassified Information, they review several data points at once:

  • Your current SPRS score and the date it was submitted
  • The age of your assessment; DFARS 252.204-7019 requires one no more than three years old, so an older score is not current and raises immediate questions
  • The POA&M completion date you entered, and whether it looks credible against the size of the gap between your score and 110
  • Prior DIBCAC assessment results, if your organization has been assessed by the Defense Industrial Base Cybersecurity Assessment Center; a DIBCAC Medium or High assessment is posted in SPRS alongside your self-assessment and carries more weight than it

Contracting officers are not cybersecurity experts, but they have been trained to treat low or negative scores as indicators of supply chain risk. A negative score does not automatically disqualify you, but it creates a burden of explanation that your competitors without that baggage do not face.

Where SPRS Scores Enter the Source Selection Process

Pre-Award Responsibility Determination

Before a contracting officer can award a contract, they must make an affirmative responsibility determination under FAR 9.104-1. Cybersecurity posture is increasingly integrated into this analysis. A contractor with a deeply negative SPRS score, no credible POA&M, and no documented SSP may be found non-responsible — which effectively removes them from competition regardless of their technical proposal quality.

Source Selection Evaluation Factors

On contracts where cybersecurity is listed as an evaluation factor — which is increasingly common in DoD acquisitions — your SPRS score can directly affect your technical rating. Program offices have discretion to weight cybersecurity posture as a significant factor, and in some cases, a minimum SPRS threshold is stated in the solicitation. If your score falls below that threshold, your proposal may not be evaluated further.

Oral Clarifications and Discussions

Even on contracts where SPRS is not an explicit evaluation factor, contracting officers frequently raise low scores during discussions or clarification requests. You may be asked to explain your score, describe remediation timelines, and demonstrate that your POA&M is realistic and funded. Contractors who cannot answer these questions credibly — or who are visibly surprised that the question was asked — signal poor compliance culture to the source selection team.

Past Performance and Risk Ratings

SPRS is a risk-informing system. In source selection, the overall risk rating assigned to your proposal can be elevated from Low to Medium or High based on cybersecurity posture data, even if your past performance record is otherwise strong. A high risk rating in any factor rarely survives the tradeoff analysis when a competitor carries a low risk profile.

What Scores Are Contracting Officers Looking For?

There is no single universal threshold, but the practical reality in source selection is as follows:

  • 110: Full implementation. Viewed favorably and raises no additional inquiry.
  • 80 to 109: Acceptable with a credible POA&M. Most experienced contracting officers will not flag this range if your remediation plan is documented and realistic.
  • Below 70: Begins drawing scrutiny, particularly for contracts with significant CUI scope.
  • Negative scores: Treated as a serious risk indicator. Contractors in negative territory should expect questions and may face disadvantage in competitive source selections.
  • No score on file: Treated as a compliance failure. An absent or expired score can be immediately disqualifying on contracts that require it as a condition of award.

Our team has worked with contractors who discovered their SPRS score was based on an outdated or inaccurate self-assessment only after a solicitation was already in progress. By then, options are limited. Our post on what your SPRS score actually means to a contracting officer goes deeper on these evaluation dynamics.

The Connection Between SPRS Scores and CMMC Certification

As CMMC 2.0 requirements flow into contracts, the relationship between your SPRS score and your certification status becomes more consequential. Under CMMC Level 2, contractors handling CUI must undergo either a Level 2 self-assessment or a third-party assessment by a C3PAO, depending on what the solicitation requires, and the DoD has indicated that most Level 2 contracts will require the C3PAO route. Until that assessment is on record, your self-assessed SPRS score remains the primary cybersecurity data point in the procurement system.

Contractors who have built genuine programs — not paper compliance — tend to score accurately and fare well in C3PAO audits. Contractors who inflated their SPRS scores to win contracts are increasingly exposed by DIBCAC assessments and face False Claims Act liability for material misrepresentation. Our CMMC, CUI, and DFARS compliance services are specifically structured to help contractors close the gap between their stated score and their actual security posture.

Common SPRS Score Weaknesses That Hurt Contractors in Source Selection

Based on our work supporting defense contractors through assessments and contract competitions, these are the most common issues we see:

  1. Scores calculated without a complete SSP in place. The DoD Assessment Methodology does not score the SSP requirement (3.12.4) at all; instead, the absence of an SSP means the assessment cannot be completed. A score submitted without a documented System Security Plan behind it lacks the foundation assessors expect and may be challenged outright.
  2. POA&M items with no completion dates or resource assignments. A POA&M that lists gaps without remediation timelines reads as a wish list, not a corrective action plan.
  3. Scores that have not been updated after significant infrastructure changes. Cloud migrations, mergers, and new CUI handling workflows all affect your assessment baseline.
  4. Misapplication of control scoring weights. Several NIST SP 800-171 controls carry disproportionately large score penalties. Contractors who do not understand the weighting methodology often underestimate how much a few gaps are costing them.
  5. No supporting evidence that controls are operational. Stating that a control is implemented without policies, configurations, or audit logs to support it creates audit exposure and can result in score adjustments during DIBCAC review.

Our post on self-assessment errors that inflate SPRS scores outlines the specific mistakes we see most frequently and how to correct them before they become a problem in source selection.

Improving Your SPRS Score Before the Next Solicitation

The window between contract opportunity identification and proposal submission is not the time to begin remediation. Contractors who want their SPRS score to serve as a competitive differentiator — rather than a liability — need to treat cybersecurity as an ongoing program, not a point-in-time exercise.

Practical steps include:

  • Conducting an honest gap assessment against all 110 NIST SP 800-171 controls before calculating your score
  • Prioritizing remediation of the highest-weighted controls first to maximize score improvement per dollar spent
  • Ensuring your SSP accurately reflects your current environment, including cloud services, remote work configurations, and third-party systems
  • Documenting your POA&M with specific completion dates, responsible owners, and interim mitigations
  • Scheduling periodic score reviews to catch drift before it affects a live competition
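The scoring rule described earlier (110 minus a 5, 3, or 1 point deduction per unimplemented requirement, with partial credit for a few) and the advice above to remediate the highest-weighted gaps first both come down to simple bookkeeping that is easy to get wrong by hand. The following calculator is an added example written for this post; it is not Cleared Systems' tooling and not a DoD-provided tool. The eleven requirements and their weights are a constructed subset chosen for illustration (the weight assignments are assumed), the two partial-credit cases follow the DoD Assessment Methodology's treatment of MFA (3.5.3) and FIPS-validated cryptography (3.13.11), and the sample self-assessment and remediation costs are invented. A real calculation must use the full published weight table for all 110 requirements.

```python
"""SPRS score calculation and remediation ranking (illustrative only).

Added example; not Cleared Systems' code and not a DoD tool. The
requirement subset, weights, status and costs below are constructed.
"""

MAX_SCORE = 110   # every requirement implemented
MIN_SCORE = -203  # every requirement unimplemented

# Constructed subset of the weight table: requirement -> points deducted
# when it is not implemented. The methodology uses three weight classes
# (5, 3, 1); which requirement gets which weight here is assumed.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.19": 3,   # encrypt CUI on mobile devices
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.8.3": 5,    # sanitize media before disposal or reuse
    "3.11.2": 5,   # scan for vulnerabilities
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.2": 5,   # malicious code protection
}

# Requirements that earn reduced credit when partly done: 3 points are
# deducted instead of 5 (MFA for remote/privileged users only; encryption
# in use but not FIPS-validated). Every other partial counts as a miss.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"


def deduction(req: str, status: str, weights=WEIGHTS) -> int:
    """Points currently lost on one requirement given its status."""
    if status == IMPLEMENTED:
        return 0
    if status == PARTIAL and req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req]
    return weights[req]  # not implemented, or a partial with no credit


def sprs_score(status: dict, weights=WEIGHTS, ssp_on_file: bool = True) -> int:
    """Score a self-assessment. Requirements absent from `status` count as
    not implemented, which is how an assessor treats an unanswered one."""
    if not ssp_on_file:
        # 3.12.4 (the SSP) is not scored; with no SSP there is no assessment.
        raise ValueError("no System Security Plan on file: assessment cannot be completed")
    lost = sum(deduction(r, status.get(r, NOT_IMPLEMENTED), weights) for r in weights)
    return MAX_SCORE - lost


def rank_remediation(status: dict, costs: dict, weights=WEIGHTS) -> list:
    """Rank open gaps by points recovered per dollar, highest first.
    Returns (requirement, points_recovered, cost, points_per_dollar)."""
    rows = []
    for req, cost in costs.items():
        gain = deduction(req, status.get(req, NOT_IMPLEMENTED), weights)
        if gain:
            rows.append((req, gain, cost, gain / cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def plan_within_budget(status: dict, costs: dict, budget: int, weights=WEIGHTS):
    """Greedy pick of ranked gaps that fit the budget; returns the chosen
    requirement ids and the score after those gaps are closed."""
    chosen, spent, gained = [], 0, 0
    for req, gain, cost, _ in rank_remediation(status, costs, weights):
        if spent + cost <= budget:
            chosen.append(req)
            spent += cost
            gained += gain
    return chosen, sprs_score(status, weights) + gained


# Constructed self-assessment for the subset above.
SAMPLE_STATUS = {
    "3.1.1": IMPLEMENTED, "3.1.2": IMPLEMENTED, "3.1.3": IMPLEMENTED,
    "3.3.1": IMPLEMENTED, "3.8.3": IMPLEMENTED, "3.14.2": IMPLEMENTED,
    "3.5.3": PARTIAL,      # MFA on VPN and admin accounts only
    "3.13.11": PARTIAL,    # TLS everywhere, but modules are not FIPS-validated
    "3.11.2": NOT_IMPLEMENTED,
    "3.1.20": NOT_IMPLEMENTED,
    "3.1.19": NOT_IMPLEMENTED,
}

# Constructed remediation cost estimates in dollars for the open gaps.
SAMPLE_COSTS = {
    "3.11.2": 8000, "3.1.20": 500, "3.1.19": 4000,
    "3.5.3": 12000, "3.13.11": 20000,
}

if __name__ == "__main__":
    print("current score:", sprs_score(SAMPLE_STATUS))
    for req, gain, cost, ppd in rank_remediation(SAMPLE_STATUS, SAMPLE_COSTS):
        print(f"{req:8} +{gain} pts  ${cost:>6}  {ppd * 1000:.2f} pts per $1k")
    print("within $15,000:", plan_within_budget(SAMPLE_STATUS, SAMPLE_COSTS, 15000))
```

On the constructed input the score is 95, and a $15,000 budget recovers 9 points (to 104) by closing 3.1.20, 3.1.19 and 3.11.2 first, while the two expensive partial-credit items are deferred. The greedy ordering is a quick heuristic rather than an exact budget optimization, and points per dollar is only one input: a 1-point requirement can still be the one a DIBCAC assessor or a C3PAO treats as a show-stopper, so the ranking informs the POA&M rather than replacing judgment.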

For contractors who need structured guidance through this process, our federal risk assessment services provide a defensible foundation for your self-assessment and help you understand exactly where your score stands before a contracting officer sees it.

Contractors who want to understand their obligations under NIST SP 800-171 in more depth will also find our beginner's guide to NIST SP 800-171 compliance a useful starting point before engaging in a full remediation effort.

The Strategic Reality for Defense Contractors

DoD acquisition has become more data-driven. Contracting officers now have access to supplier cybersecurity records that did not exist a decade ago. Your Supplier Performance Risk System score is one of the first things a source selection team sees when your company's name appears in a competitive field.

Contractors who treat SPRS as a compliance formality are competing with a self-imposed disadvantage. Contractors who have invested in building real security programs, documented them accurately, and submitted scores that reflect genuine posture are entering source selections with a credibility advantage that no proposal writing team can manufacture after the fact.

The defense industrial base is under sustained cybersecurity pressure, and the federal government has made clear that it intends to use procurement leverage to raise the baseline. Your SPRS score is one of the most visible expressions of where you stand.

Take the Next Step Toward a Defensible SPRS Score

At Cleared Systems, we work directly with defense contractors to assess, document, and improve their cybersecurity posture in ways that hold up under scrutiny — whether from a contracting officer reviewing your score in SPRS or a C3PAO auditor walking through your environment. If your current score does not reflect the program you have built, or if you are not confident your self-assessment methodology would survive a DIBCAC review, now is the time to act. Request a quote to speak with our team, or explore our engagement models to find the right level of support for your organization's size and contract pipeline.
