NIST 800-171 Self-Assessment Scoring Guide: Calculating Your SPRS Score Correctly

Why Your SPRS Score Is More Than Just a Number

If your organization handles Controlled Unclassified Information under a Department of Defense contract, your Supplier Performance Risk System score is one of the most consequential numbers in your business. Contracting officers review it. Program managers flag low scores. And under DFARS 252.204-7019 and -7020, submitting an inaccurate score can expose your organization to False Claims Act liability.

Yet many defense contractors either guess at their score, copy a number from a peer, or rely on a consultant who applied the methodology inconsistently. This guide walks you through how the NIST 800-171 self-assessment scoring process actually works, where organizations commonly go wrong, and how to produce a defensible score that reflects your true security posture.

For broader context on what NIST SP 800-171 requires and how the regulation has evolved, see our post on NIST SP 800-171 Revision 3 and its impact on CUI security.

The Scoring Methodology: How NIST 800-171 Self-Assessment Points Work

The DoD assessment methodology, defined in the NIST SP 800-171 DoD Assessment Methodology document, assigns a maximum score of 110 points over the 110 security requirements, which span 14 control families. The scoring is not simply one point per requirement: each requirement carries a weight, and a requirement that is not implemented costs you the full weight as a deduction from the starting total, rather than simply earning zero.

Here is how the math works:

  1. Start at 110 points. Every organization begins with a perfect score of 110.
  2. Subtract points for each requirement not fully met. Requirements are evaluated as either fully implemented, partially implemented, or not implemented. Only full implementation retains the points for that requirement.
  3. Partial implementation does not earn partial credit. This is the most misunderstood aspect of the methodology. If a requirement is not fully satisfied, you lose the entire point value for that requirement. There is no partial scoring.
  4. Scores can go negative. Because you are subtracting from 110, and the weights of all 110 requirements add up to far more than 110 points (313 in total), final scores can range from negative 203 to positive 110.

For a detailed look at all 110 controls organized by priority, our NIST 800-171 compliance checklist is an essential companion resource.

Understanding Point Values Across Requirements

Not all 110 requirements are weighted equally. The DoD methodology assigns different point deductions to different requirements based on their security significance. Requirements are grouped into three value tiers:

  • 1-point deductions: The majority of requirements fall here. Failing to fully implement one of these costs you one point from your running total.
  • 3-point deductions: More critical requirements, particularly those tied to access control, incident response, and system and communications protection, carry higher weights.
  • 5-point deductions: The highest-weighted requirements often involve multi-factor authentication, cryptographic protections, and other controls that directly mitigate significant attack vectors.

The practical implication is significant: a contractor can fail a small number of high-value requirements and end up with a score well below zero, while another contractor can fail many low-value requirements and still post a positive score. Understanding the weight of each requirement before you conduct your assessment helps you prioritize remediation where it matters most to your score and to your actual security posture.

The Three Assessment Values: Met, Not Met, and Not Applicable

When conducting your NIST 800-171 self-assessment, each of the 110 requirements must be assigned one of three values:

  • MET: The requirement is fully implemented across all applicable systems and organizational processes. No deduction is applied.
  • NOT MET: The requirement is partially implemented or not implemented at all. The full point deduction for that requirement applies.
  • NOT APPLICABLE: The requirement genuinely does not apply to your environment based on your system boundary definition. No deduction is applied, but this designation requires documented justification in your System Security Plan.

The "Not Applicable" designation is frequently misused. Assigning it without documented justification is a red flag during a Defense Industrial Base Cybersecurity Assessment Center audit. If your SSP does not explain why a requirement falls outside your scope, expect the DIBCAC to treat it as Not Met. Our post on SSP and POA&M fundamentals covers how to document these determinations properly.
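The arithmetic described above (start at 110, deduct the full weight of every requirement that is not fully Met, give no partial credit) is easy to state but easy to get wrong once Not Applicable calls and partially covered controls enter the picture. The following scorer is an added example written for this post, not a Cleared Systems tool or an official DoD calculator. It encodes the rules from the scoring steps and the three assessment values, and also models two of the common mistakes discussed later: a Not Applicable entry with no SSP justification and a control that is implemented on some in-scope systems but not all. Both are scored as Not Met, as the DIBCAC would. The requirement identifiers are real NIST SP 800-171 numbers, but the point values in `SAMPLE_WEIGHTS` are a constructed sample; the authoritative weights are in Annex A of the DoD Assessment Methodology.

```python
"""Illustrative NIST SP 800-171 DoD Assessment Methodology scorer.

Added example for this post; not an official DoD or Cleared Systems tool.
The weight table is a constructed sample, not the Annex A table.
"""
from dataclasses import dataclass, field
from enum import Enum

MAX_SCORE = 110   # every assessment starts at a perfect 110
MIN_SCORE = -203  # lowest possible total when every requirement is Not Met


class Status(Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NOT_APPLICABLE = "NOT APPLICABLE"


@dataclass
class Finding:
    """One assessor determination for a single requirement."""
    status: Status
    justification: str = ""           # SSP text explaining a NOT APPLICABLE call
    all_systems_covered: bool = True  # False if any in-scope asset lacks the control


# CONSTRUCTED sample weights for illustration only; use Annex A for real values.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.20": 1,
    "3.5.3": 5, "3.6.1": 5, "3.13.11": 5, "3.14.2": 5,
}


@dataclass
class ScoreResult:
    score: int
    deductions: dict[str, int] = field(default_factory=dict)  # req_id -> points lost
    notes: list[str] = field(default_factory=list)            # why an entry was downgraded


def effective_status(req_id: str, finding: Finding, notes: list[str]) -> Status:
    """Apply the rules that turn an optimistic entry into NOT MET."""
    if finding.status is Status.NOT_APPLICABLE and not finding.justification.strip():
        notes.append(f"{req_id}: NOT APPLICABLE with no SSP justification; scored as NOT MET")
        return Status.NOT_MET
    if finding.status is Status.MET and not finding.all_systems_covered:
        notes.append(f"{req_id}: control missing on some in-scope systems; scored as NOT MET")
        return Status.NOT_MET
    return finding.status


def calculate_score(findings: dict[str, Finding], weights: dict[str, int]) -> ScoreResult:
    """Start at 110 and subtract the full weight of every requirement not fully met."""
    unknown = set(findings) - set(weights)
    if unknown:
        raise ValueError(f"findings for requirements not in the weight table: {sorted(unknown)}")

    result = ScoreResult(score=MAX_SCORE)
    for req_id, weight in weights.items():
        finding = findings.get(req_id)
        if finding is None:
            # Every requirement must carry a value; an unassessed one cannot be credited.
            result.notes.append(f"{req_id}: not assessed; scored as NOT MET")
            status = Status.NOT_MET
        else:
            status = effective_status(req_id, finding, result.notes)
        if status is Status.NOT_MET:
            result.deductions[req_id] = weight  # full weight, no partial credit
            result.score -= weight

    if not MIN_SCORE <= result.score <= MAX_SCORE:
        raise ValueError(f"score {result.score} outside {MIN_SCORE}..{MAX_SCORE}; check the weight table")
    return result


# Constructed sample assessment exercising each rule above.
SAMPLE_FINDINGS = {
    "3.1.1": Finding(Status.MET),
    "3.1.2": Finding(Status.MET),
    "3.1.3": Finding(Status.NOT_MET),  # POA&M item still open: stays Not Met
    "3.1.20": Finding(Status.NOT_APPLICABLE,
                      justification="SSP section 4.2: no external systems connect to the CUI enclave"),
    "3.5.3": Finding(Status.MET, all_systems_covered=False),  # MFA on servers, not on two CUI laptops
    "3.6.1": Finding(Status.MET),
    "3.13.11": Finding(Status.NOT_APPLICABLE),  # claimed N/A with nothing in the SSP
    # 3.14.2 deliberately left unassessed
}

if __name__ == "__main__":
    r = calculate_score(SAMPLE_FINDINGS, SAMPLE_WEIGHTS)
    print(f"Score: {r.score}  (deductions: {r.deductions})")
    for note in r.notes:
        print("  -", note)
```

Run as-is, the sample loses 16 points (1 + 5 + 5 + 5) and lands at 94, with the three downgrade reasons listed so they can be traced back to the SSP or POA&M. The optimistic self-assessment would have deducted only the single point for 3.1.3; the gap between 109 and 94 is exactly the kind of inflation that fails DIBCAC review.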

Common Scoring Mistakes That Inflate SPRS Scores

In our experience working with defense contractors across the federal and defense industrial base, the following errors appear repeatedly in self-assessments that later fail DIBCAC scrutiny:

  • Scoping the assessment too narrowly. Defining a minimal system boundary to exclude assets that actually process, store, or transmit CUI is a compliance risk, not a strategy. The boundary must reflect where CUI actually lives.
  • Crediting requirements met only for some systems. If a control is implemented on ten servers but not on two laptops that touch CUI, the requirement is not Met. It is Not Met.
  • Treating planned controls as implemented. A Plan of Action and Milestones entry documents your intent to implement a control. Until that remediation is complete, the requirement remains Not Met and must be scored accordingly.
  • Conflating policy with practice. Having a written policy satisfies the documentation component, but if the technical or operational practice does not match the policy, the requirement is not fully implemented.
  • Ignoring third-party service providers. Cloud services, managed service providers, and other external systems that handle CUI on your behalf must be assessed. If your provider is not FedRAMP Moderate authorized or equivalent, their contribution to your compliance posture needs to be evaluated.

For a more complete look at the self-assessment process and how to make it defensible, see our practical guide on conducting a NIST 800-171 self-assessment that holds up under scrutiny.

Submitting Your Score to SPRS

Once your assessment is complete, you are required to submit your score to the Supplier Performance Risk System. The submission must include:

  1. Your numerical score (which can be negative)
  2. The date of the assessment
  3. The date your System Security Plan was completed
  4. The name of the plan and the system boundary it covers

Scores must be updated whenever your security posture materially changes, when you complete POA&M items that affect your score, or when your DoD contract requires a reassessment. The DoD recommends reassessment at least annually. Under the current CMMC framework, your SPRS score is also a prerequisite for certain contract awards and may be reviewed as part of a medium or high-confidence assessment. Our SPRS cybersecurity assessment overview provides additional context on how contracting officers use this data.

SPRS Score, POA&M, and the Path to 110

A score below 110 does not automatically disqualify you from contract awards. The DoD recognizes that most organizations will have open POA&M items. What matters is that your score is accurate, your POA&M is credible, and you are actively remediating gaps rather than ignoring them.

Contractors with scores below a threshold set by individual contracting commands may be required to submit their POA&M for review before award. Some programs specify a minimum score. Knowing your accurate score before the contracting process begins gives you the leverage to address deficiencies proactively.

For organizations working toward CMMC Level 2 certification, the connection between your NIST 800-171 self-assessment and your eventual C3PAO audit is direct. The 110 CMMC Level 2 practices map one-to-one to the 110 NIST SP 800-171 requirements. Improving your SPRS score is, functionally, preparing for your CMMC assessment. Our guide on preparing for a CMMC audit addresses that connection in detail.

When You Need Expert Help

Self-assessments are permitted under current DFARS requirements, but they carry real legal and contractual risk when done incorrectly. Organizations that lack internal cybersecurity expertise or that are preparing for a DIBCAC audit benefit significantly from external guidance. Our CMMC, CUI, and DFARS compliance services are designed specifically for defense contractors navigating these requirements, from initial gap analysis through SPRS submission and POA&M management. For organizations that want ongoing expert oversight without a full-time hire, our Regulatory vCISO services provide embedded compliance leadership at the right scale.

Get Your SPRS Score Right the First Time

An inflated SPRS score is not a compliance shortcut — it is a liability. An underestimated score may cost you contract opportunities you actually qualify for. Either way, accuracy is not optional. If your organization needs help conducting a rigorous, documented NIST 800-171 self-assessment or preparing your SPRS submission, contact Cleared Systems today. Request a quote and let our team help you calculate, document, and defend your score with confidence.
