Supplier Performance Risk System Score in 2026: New Expectations and Verification Trends

Why the Supplier Performance Risk System Score Is Under a Microscope in 2026

If you manage compliance for a defense contractor, the Supplier Performance Risk System score is no longer just an administrative checkbox. In 2026, it is a live indicator of your organization's cybersecurity posture that contracting officers actively review during source selection, and increasingly, during contract administration. The tolerance for inflated scores, incomplete submissions, and disconnected documentation has dropped to near zero.

Since the DFARS interim rule mandated SPRS reporting in late 2020, the system has accumulated years of contractor submissions—and DoD has spent that time learning how to use them. What was once a largely passive database is now an active procurement filter. Understanding what has changed, and what is coming next, is essential for any contractor holding or pursuing DoD work.

What the SPRS Score Actually Measures

Your Supplier Performance Risk System score reflects the results of your self-assessment against the 110 security requirements in NIST SP 800-171. The scoring methodology starts at 110 points and deducts value for each unmet or partially met control, with point values ranging from one to five depending on the criticality of the requirement. A perfect score of 110 indicates full compliance. Scores can go negative, and many contractors submitted scores well below zero in the early years of the program.

The score must be entered into the SPRS portal, accompanied by a date of assessment, the name of the assessing official, a plan of action and milestones, and an affirmation that a current System Security Plan exists. The SSP and POA&M are not uploaded to SPRS—they are held on-site for government review—but their existence is attested to in the submission itself.

For a deeper look at how scoring works and how to calculate your number accurately, our post on the NIST 800-171 self-assessment scoring guide walks through the methodology control by control.

New Expectations Shaping SPRS in 2026

CMMC 2.0 Is Now Enforced in Contracts

The most significant shift affecting the Supplier Performance Risk System score in 2026 is the enforcement of CMMC 2.0 requirements in DoD contracts. Under CMMC Level 2, contractors must now obtain a third-party assessment from an accredited C3PAO for contracts involving controlled unclassified information. That third-party assessment result is entered into SPRS alongside self-assessment data, and the two records do not always match.

When a C3PAO-assessed score diverges significantly from a contractor's prior self-assessment score, contracting officers take notice. A self-reported 104 followed by a third-party finding of 67 raises immediate questions about the integrity of the original submission—and potentially triggers False Claims Act scrutiny. Our CMMC, CUI and DFARS compliance services help contractors align their self-assessment practices with what a third-party assessor will actually find.

DoD Is Cross-Referencing SPRS Data

Contracting officers now routinely pull SPRS data as part of pre-award due diligence, and program offices are beginning to review scores during performance periods as well. The Defense Contract Management Agency and the Defense Industrial Base Cybersecurity Assessment Center have both expanded their audit activity, and contractors with suspicious score patterns—such as a score that has remained unchanged for multiple years—are increasingly flagged for review.

Understanding how DoD contracting officers use your Supplier Performance Risk System score in source selection helps compliance teams appreciate the operational stakes behind a number that once felt abstract.

Rev 3 of NIST SP 800-171 Is Reshaping the Control Landscape

NIST SP 800-171 Revision 3 introduced reorganized control families, new requirements around supply chain risk management, and expanded expectations for incident response and configuration management. While DoD has not yet mandated Rev 3 compliance universally, the trajectory is clear. Contractors who assessed against Rev 2 and have not revisited their scores against the updated framework face a growing gap between their reported posture and their actual one.

Contractors should be actively mapping their environments against the new requirements. Our post on what Rev 3 changes mean for your program outlines the specific areas that require re-evaluation.

Verification Trends That Compliance Teams Must Understand

DIBCAC Audits Are Expanding in Scope and Frequency

The Defense Industrial Base Cybersecurity Assessment Center has been steadily increasing both the volume and depth of its assessments. DIBCAC audits are no longer reserved for the largest primes. Mid-tier contractors and even some smaller subcontractors have received assessment notices, particularly those in sensitive program areas such as aerospace, electronics manufacturing, and advanced systems development.

During a DIBCAC engagement, assessors do not simply verify that a score was submitted. They examine the underlying evidence—configuration screenshots, access control logs, policy documentation, incident records, and training completions—against each claimed control. A score of 95 that cannot be supported with adequate evidence is treated as a score of something far lower. Contractors in the aerospace and defense sector are particularly advised to ensure their evidence repositories are current and organized before any assessment window opens.

False Claims Act Enforcement Is a Real Risk

The Department of Justice has made clear through multiple enforcement actions that submitting an inflated SPRS score can constitute a False Claims Act violation. The Civil Cyber-Fraud Initiative, launched in 2021, has resulted in settlements and ongoing investigations involving contractors who misrepresented their cybersecurity posture. In 2026, with more DoD contracts explicitly incorporating cybersecurity certifications as material contract terms, the legal exposure has grown.

Contractors should treat their SPRS score submission as a legal attestation, not an internal estimate. If your score does not accurately reflect your implemented controls, the correct path is remediation and honest reporting—not optimistic scoring. Our post on self-assessment errors that result in inflated SPRS scores identifies the most common places where contractors overclaim credit.

Subcontractor Score Visibility Is Increasing

Prime contractors face growing contractual pressure to verify the cybersecurity posture of their supply chains. Many primes now require subcontractors to provide their SPRS scores as part of teaming agreements and subcontract awards. Subcontractors who cannot produce a current, defensible score risk being cut from competitive bids regardless of their technical qualifications.

This dynamic makes the SPRS score a supply chain management issue, not just a regulatory one. If you are a subcontractor operating in the defense industrial base, your score is part of your business development profile.

How to Strengthen Your SPRS Position Before Your Next Assessment

Conduct a Defensible Gap Assessment

The starting point for any score improvement effort is an honest gap assessment—one that evaluates your implemented controls against the actual NIST SP 800-171 requirements, not a best-case interpretation of them. Our post on how to perform a NIST 800-171 gap assessment provides a practical framework for compliance and IT teams to work through systematically.

Update Your SSP and POA&M

Your System Security Plan must accurately describe your environment as it exists today, not as you plan for it to exist. If your SSP was last updated in 2022, it almost certainly does not reflect current configurations, personnel changes, or technology updates. Your Plan of Action and Milestones should document every gap with realistic remediation timelines and assigned owners. Assessors will ask for both documents, and discrepancies between your SSP and your actual environment are among the fastest paths to a failed assessment.

Prioritize High-Value Control Remediation

Not all 110 controls carry equal weight. Controls in access control, identification and authentication, incident response, and configuration management carry higher point values and are among the most frequently cited deficiencies in DIBCAC findings. Our step-by-step SPRS score improvement guide identifies where remediation investment produces the fastest score gains.
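To make the scoring rule described earlier (start at 110, deduct one to five points per unmet or partially met control, negative results allowed), the POA&M expectation (every gap has an owner and a realistic milestone), and the weight-based prioritization above concrete, here is a small Python scorer. It is an added example, not Cleared Systems' code and not an official DoD tool. The control ids are used only as labels; the point values, statuses, owners and dates are constructed sample data, and the rule that only some controls earn partial credit is an assumption of the example.

```python
"""Added example: an SPRS-style self-assessment scorer with POA&M checks.

Assumptions (not taken from the official DoD Assessment Methodology):
  - Point values, statuses, owners and dates below are constructed samples.
  - A "partial" status earns reduced credit only for controls that carry an
    explicit partial_points value; any other partial control counts as unmet.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_SCORE = 110  # every assessment starts at 110 points


@dataclass
class Control:
    cid: str                               # control id used as a label, e.g. "3.1.2"
    points: int                            # deduction when not implemented
    status: str                            # "implemented", "partial", "not_implemented"
    partial_points: Optional[int] = None   # reduced deduction when partially met


@dataclass
class PoamEntry:
    cid: str
    owner: str
    due: date


def deduction(c: Control) -> int:
    """Points lost for a single control under the stated scoring rule."""
    if c.status == "implemented":
        return 0
    if c.status == "partial" and c.partial_points is not None:
        return c.partial_points
    # "partial" on a control with no partial-credit rule is scored as unmet
    return c.points


def sprs_score(controls: list[Control]) -> int:
    """110 minus every deduction; the result is allowed to go negative."""
    return MAX_SCORE - sum(deduction(c) for c in controls)


def remediation_priority(controls: list[Control]) -> list[tuple[str, int]]:
    """Open gaps ordered by points recoverable (highest first, then by id)."""
    gaps = [(c.cid, deduction(c)) for c in controls if deduction(c) > 0]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def poam_gaps(controls: list[Control], poam: list[PoamEntry],
              today: date) -> dict[str, list[str]]:
    """Flag deducted controls lacking a POA&M entry, an owner, or a future milestone."""
    by_cid = {e.cid: e for e in poam}
    result: dict[str, list[str]] = {"missing": [], "overdue": [], "no_owner": []}
    for c in controls:
        if deduction(c) == 0:
            continue                        # implemented controls need no POA&M line
        entry = by_cid.get(c.cid)
        if entry is None:
            result["missing"].append(c.cid)
            continue
        if not entry.owner.strip():
            result["no_owner"].append(c.cid)
        if entry.due < today:
            result["overdue"].append(c.cid)
    return result


# Constructed sample assessment: six controls stand in for the full 110.
SAMPLE_CONTROLS = [
    Control("3.1.1", 5, "implemented"),
    Control("3.1.2", 5, "not_implemented"),
    Control("3.5.3", 5, "partial", partial_points=3),   # partial credit allowed (assumed)
    Control("3.8.1", 3, "partial"),                      # no partial rule: full deduction
    Control("3.12.4", 1, "not_implemented"),
    Control("3.13.11", 5, "implemented"),
]
SAMPLE_POAM = [
    PoamEntry("3.1.2", "IT Ops lead", date(2026, 9, 30)),
    PoamEntry("3.8.1", "", date(2026, 6, 30)),           # no owner assigned
    PoamEntry("3.12.4", "Compliance", date(2025, 1, 15)),  # milestone already past
]
SAMPLE_TODAY = date(2026, 3, 1)                          # constructed assessment date

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_CONTROLS))
    print("remediate first:", remediation_priority(SAMPLE_CONTROLS))
    print("POA&M problems:", poam_gaps(SAMPLE_CONTROLS, SAMPLE_POAM, SAMPLE_TODAY))
```

Run against the sample data, the scorer returns 98, lists the 5-point gap first, and reports one gap with no POA&M entry at all, one with no owner, and one whose milestone has already slipped: exactly the kinds of discrepancies an assessor will ask about when comparing the submitted score with the SSP and POA&M behind it.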

Align Your Score with Third-Party Reality

If your organization is subject to CMMC Level 2, your self-assessed score will eventually be compared against a C3PAO finding. Contractors who use our regulatory vCISO services benefit from ongoing expert oversight that keeps their compliance posture—and their SPRS score—aligned with what a third-party assessor will find. This approach eliminates the credibility gap that has created legal exposure for other contractors.

The Bottom Line for Defense Contractors in 2026

The Supplier Performance Risk System score has matured from a reporting formality into a consequential data point that affects contract awards, business development positioning, and legal standing. The verification environment in 2026 is more rigorous than at any prior point in the program's history, and that trajectory will continue as CMMC enforcement deepens and DoD's analytical use of SPRS data expands.

Contractors who treat their score as a genuine reflection of implemented security controls—and who invest in remediation where gaps exist—are far better positioned than those who manage the number for appearances. The former builds durable contract eligibility. The latter builds legal risk.

If your organization needs a clear-eyed assessment of where your Supplier Performance Risk System score stands and what it will take to defend it, request a quote from Cleared Systems today. Our team has helped defense contractors across the industrial base build compliant, defensible postures that hold up under the scrutiny that 2026 demands.
