Your SPRS score is already on file with the Department of Defense. If you handle Controlled Unclassified Information (CUI) on any DoD contract, you’ve been required to submit one since November 2020. The question isn’t whether you have a score — it’s whether that score is accurate. And if you’re preparing for CMMC Level 2, the answer to that question determines everything that comes next.

This isn’t a beginner’s guide to SPRS. If you’re here, you already know your SPRS score exists. What you need to understand is how SPRS and CMMC interact, why self-assessed scores are consistently wrong, and what your score actually signals to a C3PAO walking into your assessment.

What SPRS Actually Is (The Operational Definition)

The Supplier Performance Risk System (SPRS) is a DoD enterprise system that stores contractor performance data, including NIST SP 800-171 self-assessment scores submitted under DFARS 252.204-7019 and 252.204-7020.

Your SPRS score is a numerical value representing your self-assessed implementation status against the 110 security practices in NIST SP 800-171 Rev 2. The score ranges from -203 (0 controls implemented) to +110 (all 110 controls fully implemented).

That range tells you something important: the scoring system is subtractive, not additive. You don't earn points for controls you've implemented; you start at 110 and lose points for each control you haven't implemented, and the deduction is weighted by the DoD's assessment of that control's criticality. Under the DoD Assessment Methodology every practice carries a weight of 5, 3 or 1 points, which is how 110 practices can cost far more than 110 points.

High-weight controls (5 points deducted when not met) are the requirements the DoD treats as most critical to protecting CUI. Two of them, multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), are the only practices with a partial-credit tier: an incomplete implementation costs 3 points instead of 5.

Medium-weight controls cost 3 points when not met.

Low-weight controls cost 1 point when not met; these are typically documentation, notice and marking requirements.

The Scoring Methodology — How SPRS Is Calculated

Under DFARS 252.204-7019 and the DoD NIST SP 800-171 Assessment Methodology, the self-assessment is a Basic (contractor-conducted) assessment, and each of the 110 practices is recorded as one of:

Met: fully implemented on every in-scope system and account type, with evidence.

Not Met: not implemented, or implemented only partially (partial implementation is Not Met, except that 3.5.3 and 3.13.11 carry a 3-point partial tier).

Not Applicable: the requirement does not apply to your environment (for example, no wireless networking), with a written justification in the System Security Plan; N/A practices carry no deduction.

Calculation: start at +110. For each Not Met practice, subtract the DoD-assigned point value (5, 3 or 1) for that practice. The result is your SPRS score, which you submit together with the date by which you expect all 110 requirements to be implemented.

Controls in a Plan of Action & Milestones (POA&M), meaning not yet implemented but with a documented remediation plan, are still Not Met for scoring purposes until implementation is complete and verified. A POA&M entry earns no points.
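The calculation above is simple enough to audit by hand, but the weighting is where MSP-prepared scores go wrong, so here is a worked scorer. This is an added example written for this article, not DoD, SPRS or CMMC First code. It applies the rules just described (start at 110, deduct the weight of each Not Met practice, POA&M counts as Not Met, N/A carries no deduction, partial credit only for 3.5.3 and 3.13.11). The WEIGHTS table is an assumed eight-practice subset with illustrative values; the real per-practice weights come from Annex A of the DoD NIST SP 800-171 Assessment Methodology, and the sample assessment is constructed, not real contractor data. It also shows why a score does not translate directly into a count of missing controls.

```python
"""Worked SPRS score calculation (added example, not DoD or CMMC First code)."""
from math import ceil

MAX_SCORE = 110   # all 110 practices Met
MIN_SCORE = -203  # published floor of the DoD methodology

# Partial-credit tiers the methodology defines for exactly these two practices.
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# ASSUMPTION: illustrative subset of practices and weights for the demo only.
# Take real values from Annex A of the DoD assessment methodology.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users, processes, devices
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.1.9": 1,    # privacy and security notices
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.8.4": 1,    # mark media with CUI markings
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
}

VALID_STATUSES = {"met", "not_met", "partial", "poam", "na"}


def deduction(practice: str, status: str, weights: dict[str, int] = WEIGHTS) -> int:
    """Points deducted for one practice given its assessed status."""
    if practice not in weights:
        raise KeyError(f"unknown practice {practice}")
    status = status.lower()
    if status not in VALID_STATUSES:
        raise ValueError(f"{practice}: bad status {status!r}")
    if status in ("met", "na"):  # N/A needs a written justification; no deduction
        return 0
    if status == "partial" and practice in PARTIAL_CREDIT_DEDUCTION:
        return PARTIAL_CREDIT_DEDUCTION[practice]
    # not_met, poam, and partial on any other practice all cost the full weight
    return weights[practice]


def sprs_score(assessment: dict[str, str], weights: dict[str, int] = WEIGHTS) -> int:
    """Score an assessment that rates every practice in `weights`.

    Returns 110 minus total deductions. With the demo subset this is the score
    you would get if the other 102 practices were all Met.
    """
    missing = sorted(set(weights) - set(assessment))
    if missing:
        raise ValueError(f"unrated practices: {missing}")
    extra = sorted(set(assessment) - set(weights))
    if extra:
        raise ValueError(f"practices not in weight table: {extra}")
    score = MAX_SCORE - sum(deduction(p, s, weights) for p, s in assessment.items())
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def not_met_control_bounds(score: int) -> tuple[int, int]:
    """How many Not Met practices can a given score represent?

    Points lost = 110 - score. Each Not Met practice costs 1, 3 or 5 points, so
    the count lies between ceil(lost / 5) and lost. A score of 39 therefore
    means 71 points lost, which is anywhere from 15 to 71 practices.
    """
    if score > MAX_SCORE or score < MIN_SCORE:
        raise ValueError("score outside the SPRS range")
    lost = MAX_SCORE - score
    return ceil(lost / 5), lost


# Constructed sample assessment (not real contractor data).
SAMPLE_ASSESSMENT = {
    "3.1.1": "met",
    "3.1.2": "met",
    "3.1.8": "not_met",    # -1
    "3.1.9": "met",
    "3.3.1": "poam",       # -5: a POA&M entry earns nothing until verified
    "3.5.3": "partial",    # -3: MFA for remote/privileged only, partial tier applies
    "3.8.4": "partial",    # -1: no partial tier here, so the full weight
    "3.13.11": "not_met",  # -5
}

if __name__ == "__main__":
    print("subset score:", sprs_score(SAMPLE_ASSESSMENT))
    low, high = not_met_control_bounds(39)
    print(f"a score of 39 means between {low} and {high} practices Not Met")
```

Run it against your own SSP by replacing WEIGHTS with the full Annex A table and the sample with your 110 ratings; any practice your MSP marked Met that the scorer would only accept as "partial" is a point you will lose in front of a C3PAO.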

Why Your Current SPRS Score Is Probably Wrong

This is the part that matters before your CMMC assessment.

CyberSheath’s 2023 DIB compliance survey found that among defense contractors who had submitted SPRS self-assessment scores, the average score was approximately 39. Translation: the average contractor assessed themselves as 71 points short of 110, and because deductions are weighted 5, 3 or 1, that is anywhere from 15 to 71 of the 110 controls Not Met.

But when those same contractors underwent professional gap assessments, the actual scores were significantly lower. The gap between self-assessed SPRS scores and practitioner-assessed scores is consistently in the range of 20–50 points — meaning contractors routinely over-credit themselves on control implementation.

Why self-assessment scores are systematically inflated:

1. “Partially implemented” is scored as “Met” by the contractor

MFA deployed for email but not VPN? Many contractors score this as Met. The DoD Assessment Methodology requires implementation across every in-scope system and account type before a practice counts as Met. MFA (3.5.3) is one of only two practices with a partial-credit tier: 3 points are deducted when MFA covers remote and privileged access but not general users, and the full 5 when it covers less than that. For every other practice, partial implementation = Not Met.

2. Policy existence ≠ policy compliance

A written Acceptable Use Policy exists. Contractors mark that control Met. But the policy hasn’t been communicated to all users, isn’t acknowledged via signature, and isn’t enforced. Policy controls require evidence of implementation and enforcement — not just document existence.

3. Scope confusion

Contractors with a well-secured office environment often exclude home offices, remote workers’ endpoints, and mobile devices from their assessment scope. If those systems touch CUI or the CUI enclave, they’re in scope.

4. Vendor-managed controls overclaimed

Your MSP manages your endpoints. You mark the configuration management controls as Met because “the MSP handles it.” The NIST SP 800-171 assessment requires evidence that the MSP is actually implementing the control to DoD standards — their contract with you saying they’ll do it isn’t evidence of implementation.

5. Assessment Methodology misapplication

The DoD NIST SP 800-171 Assessment Methodology defines three assessment levels, Basic, Medium and High, with increasing validation rigor. The Basic level is the contractor's self-assessment; Medium and High assessments are conducted by DoD (DCMA's DIBCAC), not by the contractor, and a High assessment examines evidence and tests implementation rather than reading documents. The common error is self-assessing at document-review rigor when the score will be judged against the evidence standard of a High assessment or of a C3PAO, both of which apply the NIST SP 800-171A assessment objectives. Self-assessments conducted at that lower rigor produce scores that don't survive assessment-grade evaluation.

What SPRS Score Thresholds Mean for CMMC

There’s no official “passing SPRS score” for CMMC Level 2; the C3PAO assessment is what determines certification. The one hard number worth knowing is 88: under the CMMC program rule (32 CFR Part 170), a Level 2 assessment scored below 88 (80 percent of 110) cannot be certified even conditionally, and a score of 88 or above with only 1-point items outstanding (the rule enumerates a few exceptions) earns a conditional status that requires closing the POA&M within 180 days. Your SPRS score signals your starting posture and has direct implications for your timeline:

SPRS score range | Interpretation | Typical CMMC timeline
+90 to +110 | Strong posture; few gaps, mostly documentation cleanup | 3 to 6 months to C3PAO-ready
+50 to +89 | Solid foundation; targeted remediation needed | 6 to 9 months to C3PAO-ready
+1 to +49 | Moderate gaps; meaningful remediation investment required | 9 to 14 months to C3PAO-ready
-50 to 0 | Significant gaps; prioritized remediation required | 14 to 18 months to C3PAO-ready
Below -50 | Severe gaps; full security program buildout likely required | 18 to 24+ months, or scope reduction

These ranges assume active, funded remediation starting immediately. They also assume you’re working from an accurate SPRS score, which is why gap assessment comes before timeline planning.

SPRS vs. CMMC Assessment: Key Differences

Contractors often ask: if I submitted a SPRS self-assessment, why do I need a CMMC C3PAO assessment?

The SPRS self-assessment (required under DFARS 252.204-7019/7020) is not CMMC Level 2 certification. They are distinct requirements:

Dimension | SPRS self-assessment | CMMC Level 2 assessment
Who conducts it | The contractor (self) | Authorized C3PAO
Regulatory basis | DFARS 252.204-7019/7020 | 32 CFR Part 170 (the CMMC program rule), enforced through DFARS 252.204-7021
Validity | Score must be current (not more than 3 years old under 7019, or less if the solicitation says so); resubmit whenever your posture changes | 3-year certification with an annual affirmation
DoD reliance | Risk indicator; not certification | Certification of compliance
Evidence standard | Self-attested | Third-party verified against the NIST SP 800-171A assessment objectives
Score inflation risk | High (systematic overcrediting) | Low (assessors apply the DoD methodology)

Your SPRS score is a starting-point signal. Your CMMC Level 2 certificate is what actually protects contract eligibility as DFARS 252.204-7021 is phased into solicitations.

The SPRS Score Accuracy Problem: What C3PAOs Actually See

When a C3PAO team begins your Level 2 assessment, they review your submitted SPRS score as part of initial preparation. A contractor who submitted +75 but actually implemented 60 of 110 controls correctly is going to have a difficult assessment.

Assessment findings that contradict your SPRS self-assessment don’t just affect your CMMC outcome. The score is a representation to the government that DoD relies on in awarding contracts: DFARS 252.204-7019 requires a current assessment, and a score you know overstates implementation is a false statement of the kind the Department of Justice’s Civil Cyber-Fraud Initiative has pursued under the False Claims Act.

The practical risk: an inflated SPRS self-assessment followed by a CMMC assessment that finds materially more gaps is an adverse finding in its own right. Getting this right before your assessment isn’t just about preparation; it’s about avoiding liability on the self-assessment itself.

How to Get an Accurate SPRS Score Before Your CMMC Assessment

The only way to get a defensible SPRS score is to conduct a rigorous gap assessment against the full NIST SP 800-171 Rev 2 control set using the DoD NIST SP 800-171 Assessment Methodology. In practice that means:

Scoping first: define the CUI boundary, including every endpoint, cloud service, home office and MSP-managed system that stores, processes or transmits CUI, before any control is rated.

Rating every assessment objective, not just every practice: NIST SP 800-171A breaks the 110 practices into 320 assessment objectives, and a practice is Met only when all of its objectives are satisfied.

Using examine, interview and test methods rather than document review alone: the policy is examined, the people who follow it are interviewed, and the technical control is tested on in-scope systems.

Keeping evidence per objective (configuration exports, screenshots, logs, signed acknowledgments) so the same artifacts can be handed to the C3PAO.

The Connection Between SPRS and Your Gap Assessment

Your SPRS score and a professional gap assessment should produce the same result when the self-assessment is conducted correctly. In practice, they rarely do.

A professional gap assessment from a qualified CMMC practitioner applies the same NIST SP 800-171A objectives and evidence standard a C3PAO will, rates partial and vendor-managed controls the way the methodology does rather than the way the contractor hopes, and produces a corrected score alongside a point-weighted, prioritized remediation list.

This is why gap assessment is the logical first step in any CMMC program — not because it’s a revenue-generating service for consultants, but because you cannot make accurate decisions about remediation investment, timeline, or C3PAO scheduling without knowing your true starting posture.

Get Your SPRS Score Reviewed

If you submitted a SPRS self-assessment and you’re not confident it was calculated correctly — or if your score seems optimistic compared to what your IT team has told you about your security environment — a professional review before your CMMC assessment is the highest-value action you can take.

CMMC First’s free readiness assessment includes a preliminary review of your SPRS posture. We’ll identify the most common scoring errors for your environment type and give you an honest assessment of whether your current SPRS submission is defensible before a C3PAO walks in.

Schedule your free CMMC readiness assessment →

Frequently Asked Questions

What is a good SPRS score for CMMC?

There is no official minimum SPRS score for CMMC Level 2 certification; the C3PAO assessment is the certification event, not the SPRS score. The nearest thing to a threshold is 88, the minimum score at which the CMMC program rule allows a conditional Level 2 status with a POA&M for remaining low-weight items. A practitioner-verified score above +88 indicates strong posture and typically correlates with a shorter, lower-cost path to certification. Most contractors in the 10–200 employee range with active IT management score between +30 and +75 on honest self-assessment.

Do I need to update my SPRS score before a CMMC assessment?

DFARS 252.204-7019/7020 requires your SPRS self-assessment to be current (not more than three years old, or less if the solicitation says so), and you may resubmit at any time. Before a C3PAO assessment, your SPRS submission should reflect your current actual posture, not your aspirational posture. A SPRS score that is materially higher than what the C3PAO finds creates compliance risk independent of the CMMC outcome.

What happens if my SPRS score is negative?

A negative SPRS score means more than 110 control-points are not implemented — which is possible because the point-deduction system is weighted and some controls are worth more than 1 point. A negative score indicates significant security program gaps. It does not disqualify you from CMMC pursuit, but it does mean remediation will be a substantial investment. A contractor with a score of -60 can still achieve CMMC Level 2 — the question is timeline and budget.

Can my MSP or IT provider submit my SPRS score for me?

Your MSP or IT provider can assist with the assessment, but DFARS 252.204-7019/7020 requires the contractor (your company) to make the representation in SPRS. You own the accuracy and liability for the submission. If your MSP is conducting the self-assessment, you should be reviewing and challenging their methodology before you submit.

How often does my SPRS score need to be updated?

DFARS 252.204-7019/7020 requires a current NIST SP 800-171 self-assessment score in SPRS, meaning not more than three years old unless the solicitation specifies a shorter period, for contracts that include the clause. You should resubmit whenever your posture materially changes, and in practice most contractors refresh the score at least annually as remediation closes gaps. Under the CMMC program rule, Level 2 certification runs on a three-year cycle with an annual affirmation, and your C3PAO assessment results are recorded in CMMC eMASS, which feeds your SPRS record.

This content is for informational purposes only and does not constitute legal, compliance, or cybersecurity advice. Consult qualified professionals for guidance specific to your organization.