What Is the Supplier Performance Risk System Score and Why It Affects Your Contract Eligibility

What the Supplier Performance Risk System Score Actually Is

If you are a defense contractor or subcontractor pursuing Department of Defense work, your Supplier Performance Risk System score is no longer just a compliance checkbox. It is a visible, quantified signal to contracting officers about the state of your cybersecurity program. A poor score can quietly eliminate you from contract consideration before a single conversation takes place.

The Supplier Performance Risk System, commonly called SPRS, is a DoD enterprise database used to assess supplier risk across multiple dimensions including past performance, financial health, and cybersecurity posture. The cybersecurity component of your SPRS score is derived directly from your self-assessment against NIST SP 800-171, the federal standard governing protection of Controlled Unclassified Information on contractor systems.

Understanding how this score is calculated, what it communicates, and how to improve it is essential for any organization operating in or entering the Defense Industrial Base.

How Your SPRS Score Is Calculated

The cybersecurity score within SPRS starts at a maximum of 110 points, representing full compliance with all 110 security requirements in NIST SP 800-171. From that maximum, points are subtracted based on the practices your organization has not yet implemented.

Each of the 110 requirements is assigned a point value based on its assessed impact:

  • 5-point requirements represent the highest-risk controls, such as multi-factor authentication and incident response.
  • 3-point requirements cover moderately critical controls.
  • 1-point requirements address foundational practices.

If a required control is not implemented, the corresponding point value is subtracted from 110. A contractor that has implemented none of the 110 requirements would score negative 203. Scores can and do go significantly below zero, which is an immediate red flag for any contracting officer reviewing your profile.

For a detailed walkthrough of how scoring works in practice, our post on calculating your SPRS score correctly provides step-by-step guidance.

Who Is Required to Submit a Score

Under DFARS clause 252.204-7019, contractors must conduct a NIST SP 800-171 self-assessment and post the resulting score to SPRS before being awarded a DoD contract. This requirement applies to any organization handling Controlled Unclassified Information on behalf of the Department of Defense.

This includes prime contractors and their subcontractors. If you are receiving or generating CUI in performance of a federal contract, you are expected to have a current score in the system. For organizations that are new to this requirement, our overview of DFARS 252.204-7012 provides important context on the underlying regulatory framework.

It is worth noting that submission is not the same as compliance. Posting a score — even a very low one — satisfies the submission requirement. However, a low or negative score signals to contracting officers that your cybersecurity posture is deficient, and many agencies now use SPRS scores as a formal evaluation factor in source selection.

Why Contracting Officers Pay Attention to Your Score

Contracting officers and program managers reviewing bids increasingly treat the Supplier Performance Risk System score as a proxy for overall security maturity. A score that has not been updated, sits at a very low value, or lacks an accompanying Plan of Action and Milestones (POA&M) raises serious questions about your organization's commitment to cybersecurity governance.

Several things your score communicates to a contracting officer include:

  • Whether you have conducted a formal self-assessment at all
  • How many of the 110 NIST SP 800-171 controls you have implemented
  • Whether your score has improved over time, suggesting active remediation
  • Whether your System Security Plan and POA&M are in place and current

Our post on what your SPRS score means to a DoD contracting officer goes deeper on how evaluators interpret specific score ranges and what they expect to see alongside your submission.

Common Mistakes That Damage Your Score

Self-assessments introduce significant room for error, and those errors carry real consequences. Inflated scores — where contractors claim credit for controls that are not actually implemented or are only partially in place — create False Claims Act exposure under the DoD Cyber Fraud Initiative. Deflated scores that result from misunderstanding how to apply the methodology leave capability on the table and may unfairly penalize compliant organizations.

The most common self-assessment errors we see in the field include:

  1. Claiming a control as implemented when only a policy document exists without technical enforcement
  2. Misapplying scope, failing to account for all systems that process or store CUI
  3. Not updating scores after remediation activities are completed
  4. Failing to document the basis for each scoring determination in a System Security Plan
  5. Treating inherited controls from cloud service providers as fully satisfied without verification

For a full breakdown of where self-assessments go wrong, see our post on self-assessment errors that result in inflated SPRS scores.

The Connection Between Your SPRS Score and CMMC

The SPRS self-assessment is not disappearing as the Cybersecurity Maturity Model Certification program matures. Under CMMC 2.0, Level 1 contractors continue to rely on annual self-assessments, and Level 2 contractors pursuing self-assessment pathways must still post scores to SPRS. Even organizations that pursue third-party C3PAO assessments will have their results reflected in SPRS.

In practical terms, your SPRS score and your CMMC readiness are deeply linked. Improving your NIST SP 800-171 implementation directly raises your score and advances your position toward CMMC certification. Organizations that treat these as separate tracks typically end up duplicating effort and missing the integrated nature of the requirements.

Our CMMC, CUI, and DFARS compliance services are structured around this integrated approach, helping contractors build a cybersecurity program that satisfies SPRS requirements while advancing toward formal certification.

How to Improve Your SPRS Score

Improving your Supplier Performance Risk System score requires a disciplined, prioritized remediation plan, not a frantic attempt to claim credit for partially implemented controls. The highest-impact improvements come from addressing the five-point requirements first, as these represent both the highest scoring weight and the highest actual security risk.

Practical steps to move your score in the right direction include:

  • Conducting or commissioning a thorough gap assessment against all 110 NIST SP 800-171 controls
  • Building a prioritized POA&M with realistic remediation timelines and resource assignments
  • Implementing technical controls in order of point value, starting with access control and identification and authentication requirements
  • Updating your System Security Plan to accurately document implemented controls
  • Resubmitting your SPRS score promptly after each substantive remediation milestone

For a structured path forward, our post on improving your SPRS score step by step provides actionable guidance organized by control domain. If your score is in negative territory, the SPRS score improvement roadmap addresses how to prioritize when the gap is significant.
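To make the scoring arithmetic and the "five-point requirements first" prioritisation concrete, here is a small calculator added as an example (it is not code from the original post or from Cleared Systems). The requirement IDs are real NIST SP 800-171 numbers, but the point values in `SAMPLE_WEIGHTS` are a constructed sample; a real submission must use the official DoD assessment methodology table.

```python
"""SPRS cybersecurity score calculator (illustrative example).

Weights below are a constructed sample, not the official DoD table.
"""

MAX_SCORE = 110          # every one of the 110 requirements implemented
VALID_WEIGHTS = {1, 3, 5}

# Constructed sample: requirement ID -> assumed point value.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.1.20": 1,   # control connections to external systems
    "3.3.1": 5,    # audit logging
    "3.5.3": 5,    # multi-factor authentication
    "3.6.1": 5,    # incident-handling capability
    "3.8.9": 1,    # protect backup CUI
    "3.11.2": 5,   # vulnerability scanning
    "3.12.2": 3,   # plans of action for deficiencies
    "3.14.1": 5,   # flaw remediation
}


def _sort_key(control_id):
    """Order IDs numerically so 3.1.20 sorts after 3.1.8, not before it."""
    return tuple(int(part) for part in control_id.split("."))


def sprs_score(weights, not_implemented):
    """Return 110 minus the point value of every unimplemented requirement."""
    unknown = set(not_implemented) - set(weights)
    if unknown:
        raise ValueError(f"unknown requirement IDs: {sorted(unknown)}")
    bad = {c: w for c, w in weights.items() if w not in VALID_WEIGHTS}
    if bad:
        raise ValueError(f"point values must be 1, 3 or 5: {bad}")
    return MAX_SCORE - sum(weights[c] for c in set(not_implemented))


def min_possible_score(weights):
    """Score with nothing implemented (-203 for the real 110-control table)."""
    return MAX_SCORE - sum(weights.values())


def remediation_plan(weights, not_implemented):
    """List gaps highest point value first, with the projected score after each fix."""
    ordered = sorted(set(not_implemented), key=lambda c: (-weights[c], _sort_key(c)))
    plan, score = [], sprs_score(weights, not_implemented)
    for control in ordered:
        score += weights[control]           # credit regained once the gap is closed
        plan.append((control, weights[control], score))
    return plan


if __name__ == "__main__":
    gaps = {"3.5.3", "3.1.8", "3.6.1", "3.8.9", "3.12.2"}   # constructed POA&M
    print("current score:", sprs_score(SAMPLE_WEIGHTS, gaps))
    for control, points, projected in remediation_plan(SAMPLE_WEIGHTS, gaps):
        print(f"fix {control:8} (+{points}) -> {projected}")
```

Feeding the calculator your own POA&M shows which remediation items move the score most, which is the ordering the section above recommends.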

The Role of a System Security Plan in Supporting Your Score

A credible SPRS submission is inseparable from a well-documented System Security Plan. The SSP is the primary artifact that supports your scoring determinations and demonstrates to assessors that your self-assessment was conducted with rigor. Without it, even an accurate score becomes difficult to defend under scrutiny.

Your SSP should document the scope of your CUI environment, describe how each implemented control is satisfied, identify responsible parties, and reference supporting policies and procedures. Our post on SSP and POA&M as critical components of a strong security program covers what these documents need to contain and how they interact.

Organizations that lack mature documentation often benefit from structured support. Our Federal and SLED risk assessment services include SSP development and review as part of a comprehensive compliance engagement.

What Happens If You Ignore Your Score

Failing to submit a score, submitting a score that is demonstrably inaccurate, or allowing a score to sit stale while your environment changes each carries distinct risk. Contracting officers can disqualify bids based on missing or low SPRS data. Program managers conducting assessments of existing contractors can use a poor or outdated score as grounds for additional oversight or contract remedies.

Beyond the immediate contract risk, the Department of Justice has pursued False Claims Act cases against contractors who knowingly misrepresented their cybersecurity posture. The Cyber Fraud Initiative treats inflated self-assessment scores as a potential basis for prosecution. This is not an abstract threat — it has resulted in settlements and judgments against defense contractors.

If you are uncertain about where your organization stands or whether your current score accurately reflects your security program, that uncertainty itself is a risk that warrants prompt attention.

Take Control of Your SPRS Score Before It Affects Your Next Opportunity

Your Supplier Performance Risk System score is one of the most consequential numbers in your compliance profile, and most organizations either do not know their current score or are not confident it is accurate. At Cleared Systems, we work with defense contractors, subcontractors, and regulated industry organizations to conduct defensible self-assessments, close control gaps, build credible System Security Plans, and submit accurate SPRS scores that hold up under DoD scrutiny. Whether you are starting from zero or working to recover from a low score, we can help you build a realistic path forward. Request a quote today and let us show you exactly where you stand and what it takes to get where you need to be.
