Why Your Supplier Performance Risk System Score Deserves Immediate Attention
If you hold or pursue Department of Defense contracts, your Supplier Performance Risk System score is one of the most consequential numbers in your business. It signals to contracting officers how seriously your organization takes cybersecurity, and an inaccurate score — whether inflated or deflated — carries real contractual and legal consequences. Yet errors in SPRS submissions are far more common than most contractors realize, and the correction process is not always intuitive.
In my work with defense contractors across the country, I consistently find that organizations either overstate their compliance posture out of optimism or understate it due to misunderstanding the scoring methodology. Both scenarios create problems. An inflated score exposes you to False Claims Act liability. An understated score unnecessarily damages your competitive standing. Neither outcome is acceptable when contracts — and your company's reputation — are on the line.
This post is a practical guide for compliance managers and executives who need to understand how SPRS score errors happen, how to detect them, and how to correct the record accurately and defensibly.
What the Supplier Performance Risk System Score Actually Measures
Before diagnosing errors, it helps to understand exactly what the SPRS cybersecurity score represents. Under DFARS 252.204-7019 and 252.204-7020, defense contractors are required to conduct a self-assessment against the 110 security requirements in NIST SP 800-171 and report the resulting score in SPRS.
The scoring methodology assigns a maximum score of 110 points, with each of the 110 controls carrying a weighted value. When a control is not met, points are deducted based on that control's assigned weight. Scores can go negative. The methodology is defined in the DoD Assessment Methodology document, and deviations from that document — intentional or not — produce inaccurate submissions.
For a deeper breakdown of how scoring works and what your number communicates to acquisition officials, read our post on calculating your SPRS score correctly.
The Most Common Sources of SPRS Score Errors
Misapplying the DoD Assessment Methodology
The DoD Assessment Methodology is a specific document — not a general NIST scoring guide — and it assigns point values differently than some contractors assume. A common mistake is treating all 110 controls as equal when they carry different weights. Misreading the weighting table results in a score that is mathematically incorrect from the start.
Claiming Credit for Partially Implemented Controls
The methodology provides no partial credit. A control is either fully implemented or it is not. Contractors who document a control as "in progress" or "substantially met" and then claim full credit are producing an inflated score. This is one of the most frequently observed errors — and one of the most legally dangerous. Our blog post on self-assessment errors that inflate SPRS scores covers this issue in detail.
Scoping the Assessment Incorrectly
NIST SP 800-171 applies to systems that process, store, or transmit Controlled Unclassified Information. If your assessment scope excludes systems that legitimately fall within the CUI boundary, your score reflects an incomplete picture of your actual security posture. Conversely, including systems clearly out of scope wastes assessment resources and can distort results in other ways. Understanding what qualifies as CUI is foundational to getting the scope — and therefore the score — right.
Failure to Update the Score After System Changes
An SPRS submission has an assessment date attached to it. If you have made significant changes to your environment — added cloud services, onboarded new personnel, changed network architecture — and have not updated your assessment, the score on file no longer reflects current reality. Under the DoD methodology, assessments should be current. Stale submissions create a gap between what DoD sees and what actually exists.
Errors in the SPRS Portal Entry
Transposition errors, selecting the wrong contract number, entering the wrong assessment date, or submitting under an incorrect CAGE code are administrative errors that create a mismatch between your documented assessment and what is visible to contracting officers. These are correctable but require action.
Missing or Inadequate Supporting Documentation
The score itself is only as defensible as the documentation behind it. A System Security Plan and a Plan of Action and Milestones are required artifacts that substantiate the self-assessment. If those documents are missing, incomplete, or inconsistent with the submitted score, the submission is vulnerable to challenge. Our post on SSP and POA&M as critical compliance components explains what these documents must contain.
How to Identify Whether Your Current Score Contains Errors
Detection starts with a structured internal review. Here is a practical sequence to follow:
- Pull your current SPRS submission and compare the score, assessment date, and CAGE code against your internal records.
- Obtain the DoD Assessment Methodology document and re-score each of the 110 controls independently, using only the point values specified in that document — not third-party interpretations.
- Review your System Security Plan and verify that each control marked as implemented is backed by documented evidence — configurations, screenshots, logs, policies, or procedures.
- Audit your CUI boundary definition to confirm that the systems assessed match the systems actually handling CUI in your environment.
- Check whether any system changes since the assessment date would materially affect the score, and flag those for reassessment.
- Compare your POA&M against the submitted score to ensure that every control listed as not implemented is reflected as a deduction — not accidentally counted as met.
If you discover a discrepancy at any point in this process, you have an obligation to address it before the score is relied upon in a source selection or contract award decision. For a comprehensive look at the self-assessment process, see our guide on conducting a defensible NIST 800-171 self-assessment.
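The following Python script is an added example, not part of the original post and not Cleared Systems' tooling. It re-scores a self-assessment the way the post describes (start at 110, deduct each unmet control's full weight, no partial credit, negative results allowed) and then runs the SSP and POA&M consistency checks from the list above against a submitted score. The control identifiers, weights, statuses, open POA&M items and the submitted score are constructed sample data; the real point values must be taken from the DoD Assessment Methodology document.

```python
"""Re-score a NIST SP 800-171 self-assessment and audit it against the SSP,
the POA&M and the score actually submitted to SPRS.

All control IDs, weights and statuses here are CONSTRUCTED sample data for
illustration; real weights come from the DoD Assessment Methodology.
"""

MAX_SCORE = 110          # maximum SPRS score stated in the post
CREDITABLE = {"implemented"}  # only a fully implemented control earns credit

# Constructed weight table: control id -> points deducted when not met.
# Placeholder values, not the official weights.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.3.1": 5, "3.5.3": 5,
    "3.7.1": 3, "3.11.2": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}


def score_assessment(weights, statuses):
    """Return (score, deductions).

    Starts at MAX_SCORE and subtracts the full weight of every control whose
    status is not 'implemented'. Controls absent from `statuses` are treated
    as not met. Controls absent from `weights` are assumed implemented, which
    is what lets a subset of the 110 controls be scored in this example.
    The result can go below zero when deductions exceed 110.
    """
    deductions = {}
    for control, weight in weights.items():
        if statuses.get(control, "not_implemented") not in CREDITABLE:
            deductions[control] = weight
    return MAX_SCORE - sum(deductions.values()), deductions


def reconcile_statuses(ssp_status, poam_open):
    """Treat any control with an open POA&M item as not implemented,
    whatever the SSP narrative says (the POA&M check from the post)."""
    return {c: ("not_implemented" if c in poam_open else s)
            for c, s in ssp_status.items()}


def audit_submission(weights, ssp_status, poam_open, submitted_score):
    """Flag the error patterns described in the post and recompute the score.

    Findings:
      ("ssp_poam_conflict", control) - SSP says implemented, POA&M still open
      ("no_partial_credit", control) - a partial status that scores zero
      ("score_inflated", delta) / ("score_understated", delta)
    """
    findings = []
    for control in weights:
        status = ssp_status.get(control, "not_implemented")
        if status == "implemented" and control in poam_open:
            findings.append(("ssp_poam_conflict", control))
        elif status != "not_implemented" and status not in CREDITABLE:
            findings.append(("no_partial_credit", control))
    effective = reconcile_statuses(ssp_status, poam_open)
    recomputed, deductions = score_assessment(weights, effective)
    if submitted_score > recomputed:
        findings.append(("score_inflated", submitted_score - recomputed))
    elif submitted_score < recomputed:
        findings.append(("score_understated", recomputed - submitted_score))
    return {"recomputed": recomputed, "deductions": deductions,
            "findings": findings}


# Constructed SSP statuses: two controls marked as partial, one not met.
SAMPLE_SSP = {c: "implemented" for c in SAMPLE_WEIGHTS}
SAMPLE_SSP.update({"3.1.3": "not_implemented",
                   "3.5.3": "in_progress",
                   "3.13.11": "partially_implemented"})
# Constructed POA&M: 3.7.1 is still open even though the SSP calls it done.
SAMPLE_POAM_OPEN = {"3.1.3", "3.5.3", "3.7.1", "3.13.11"}
# Constructed submitted score: 109 is what you get by claiming full credit
# for the two partial controls and trusting the SSP over the POA&M.
SAMPLE_SUBMITTED = 109


def run_sample():
    """Audit the constructed sample; returns the audit result."""
    return audit_submission(SAMPLE_WEIGHTS, SAMPLE_SSP,
                            SAMPLE_POAM_OPEN, SAMPLE_SUBMITTED)


if __name__ == "__main__":
    result = run_sample()
    print("recomputed score:", result["recomputed"])
    print("deductions:", result["deductions"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Running the sample recomputes the score as 96 (deductions of 1 + 5 + 3 + 5) against a submitted 109, and reports the 13-point inflation, the two partial-status controls that earn no credit, and the SSP/POA&M conflict on 3.7.1. Each finding maps to one of the detection steps above, which is the record you want in hand before correcting the submission.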
How to Correct an Inaccurate SPRS Submission
Document the Error Before You Correct It
Before touching anything in the SPRS portal, create a written record of what the error is, how it was discovered, and what the corrected value should be. This documentation protects you if the change is ever questioned and demonstrates good faith in the correction process.
Conduct a Fresh Assessment
Do not simply edit the old score. Perform a complete reassessment against all 110 NIST SP 800-171 controls using the current DoD Assessment Methodology. This produces a defensible basis for the new submission and ensures the corrected score reflects your actual current posture rather than a patch on a flawed original.
Update Your SSP and POA&M Simultaneously
The corrected score must align with updated versions of your System Security Plan and Plan of Action and Milestones. A score correction submitted without corresponding documentation updates is internally inconsistent and will not hold up under scrutiny.
Submit the Corrected Score to SPRS
Log in to the SPRS portal and submit a new assessment record. The system maintains historical submissions, so the original entry remains visible. This is appropriate — it shows the trajectory of your compliance program, not an attempt to obscure a prior submission.
Notify Your Contracting Officer If a Score Was Relied Upon
If the erroneous score was submitted in connection with an active contract or a recent source selection, consult legal counsel and consider whether proactive notification to your contracting officer is warranted. This situation requires careful handling, but transparency tends to serve contractors better than silence when errors surface later.
When a Third-Party Assessment Is the Right Answer
If your organization lacks internal expertise to conduct a technically rigorous self-assessment, or if prior assessments have been questioned by a contracting officer, engaging experienced outside support is the most defensible path forward. Our CMMC, CUI, and DFARS compliance services are specifically designed to help defense contractors establish accurate, documentable compliance postures — not paper scores that collapse under review.
Organizations operating under CMMC Level 2 requirements should also be aware that a third-party assessment by a C3PAO will eventually replace or supplement the self-assessment for many contractors. The habits you build around accurate self-assessment today directly affect how prepared you are for that formal evaluation. Our post on understanding the SPRS cybersecurity assessment provides additional context on where the self-assessment process fits within the broader DoD compliance framework.
Contractors in the aerospace and defense sectors face particularly intense scrutiny of their cybersecurity posture. If your organization operates in this space, our Federal and Defense industry page outlines the specific compliance landscape you are navigating.
The Relationship Between Score Accuracy and Contract Eligibility
Contracting officers have access to your SPRS score during source selection. A score that does not reflect your actual security posture — in either direction — creates friction. An inflated score can trigger False Claims Act exposure if misrepresentation is later established. A score that is genuinely lower than your actual posture may unnecessarily remove you from competitive consideration.
Accuracy is not just an ethical obligation. It is a business imperative. The contractors who manage this process rigorously — maintaining current assessments, aligning scores with documented evidence, and correcting errors promptly — are the ones who build durable relationships with DoD customers. For a deeper look at how contracting officers actually use this data, see our post on how DoD contracting officers use your Supplier Performance Risk System score in source selection.
Take Action Before an Error Becomes a Liability
Supplier Performance Risk System score errors rarely improve on their own. Whether you have discovered an inaccuracy in an existing submission, are uncertain whether your scoring methodology was applied correctly, or are preparing for an upcoming contract competition that will put your score under scrutiny, the time to act is now. Cleared Systems helps defense contractors and federal suppliers conduct technically rigorous NIST SP 800-171 assessments, correct prior submissions, and build the documentation infrastructure that makes those assessments defensible. Request a quote today to speak with our team about where your SPRS score stands and what it will take to get it right.
