Compliance · 4 min read

SPRS Scoring: Calculating and Improving Your NIST 800-171 Posture

How SPRS scoring works under DFARS 7019/7020. The scoring methodology, common deductions, posting cadence, and what CMMC changes about it.

Overview

The Supplier Performance Risk System (SPRS) score is the number the Department of Defense uses to judge how far a contractor has implemented NIST SP 800-171. Under DFARS 252.204-7019 and 252.204-7020, contractors that handle covered defense information must assess themselves against the 110 requirements, calculate a score using the NIST SP 800-171 DoD Assessment Methodology, and post the result to SPRS. Since the interim rule took effect in November 2020, contracting officers must confirm a current score is on file before award, so the score functions as a gate for new DoD contracts.

The Scoring Methodology

The DoD Assessment Methodology assigns each NIST 800-171 requirement a weight of 1, 3, or 5 points reflecting its relative criticality (one requirement, 3.12.4, carries no weight; see below). Scoring starts at 110 and subtracts the weight of every requirement that is not implemented. The maximum score is 110; the minimum is -203, the result when every weighted requirement is unimplemented.

Three scoring outcomes exist:

  • IMPLEMENTED: The requirement fully meets all assessment objectives; no deduction.
  • NOT IMPLEMENTED: The requirement is absent, or partially implemented without meeting every objective; the full weight is deducted. For 107 of the 109 weighted requirements there is no middle ground.
  • Partial credit: Exactly two requirements allow a reduced deduction of 3 points instead of 5. Under 3.5.3 (Identification and Authentication family), MFA that covers privileged and remote users but not general users costs 3 points rather than 5. Under 3.13.11 (System and Communications Protection family), encryption that protects CUI but is not FIPS-validated costs 3 points rather than 5.

Five-point requirements that commonly drive deductions include multi-factor authentication (3.5.3), the basic access-control requirements (3.1.1, 3.1.2), FIPS-validated cryptography (3.13.11), and MFA for nonlocal maintenance sessions (3.7.5).

Common Control Deduction Patterns

3.5.3 (5 points) — Multi-factor authentication

The largest single source of point deductions across DIB engagements. Common failures: MFA enforced on cloud sign-in but not on VPN or other remote access paths; legacy authentication protocols (which bypass MFA) not blocked; service and shared accounts excluded without documented compensating controls; and a partial rollout that leaves general users without MFA, which still costs 3 points. Assessors also scrutinize phishable factors such as SMS one-time codes.

3.13.11 (5 points) — FIPS-validated cryptography

Frequently misinterpreted. The requirement reads “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.” The test is not whether encryption is on, but whether the cryptographic module in use holds a CMVP validation certificate; encryption that is present but not FIPS-validated still costs 3 points. For Microsoft 365 commercial, GCC, and GCC High environments, the underlying cryptographic modules carry FIPS 140-2/140-3 validations with public CMVP certificate listings. For on-premises file shares, BitLocker satisfies the requirement when Windows runs in FIPS mode (the Group Policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”). Remember that the requirement applies everywhere CUI confidentiality depends on cryptography, including TLS for data in transit and encryption on portable media, not only to disk encryption.

3.4.1 / 3.4.2 (5 points each) — Configuration baselines

Heavily weighted and frequently unimplemented. 3.4.1 requires an established and maintained baseline configuration and inventory of systems in scope; 3.4.2 requires established and enforced security configuration settings. Intune security baselines and configuration profiles satisfy both when they are documented, version-controlled, enforced on every in-scope device, and deviations are tracked.

3.6.1 / 3.6.2 (5 points each) — Incident response

3.6.1 requires an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response; 3.6.2 requires incidents to be tracked, documented, and reported to designated officials. DFARS 7012’s 72-hour reporting obligation to DoD is the contractual reporting path that 3.6.2’s procedures must accommodate. An established, tested IR plan with a documented reporting workflow is necessary; tabletop exercise records serve as evidence of testing (3.6.3, 1 point).

3.11.1 (3 points) / 3.11.2 (5 points) — Risk assessment

3.11.1 requires periodic risk assessment of organizational systems and the CUI they process, store, or transmit; an annual cadence with a documented methodology is typical. 3.11.2 requires periodic vulnerability scanning of systems and applications, including when new vulnerabilities are identified, and is the heavier of the two. Scan results feed the risk assessment and the remediation requirement (3.11.3, 1 point).

3.12.1 / 3.12.3 (5 points each) / 3.12.4 (no point value) — Security assessment

Periodic control assessment (3.12.1) and ongoing control monitoring (3.12.3) are each worth 5 points. The System Security Plan (3.12.4) is the one requirement with no weight: the methodology treats the absence of an SSP as a condition under which the assessment cannot be completed, so without one there is no score to post. The SSP, POA&M (3.12.2, 3 points), and assessment program artifacts provide the evidence.

Calculating the Score

The process involves:

  1. Confirm a System Security Plan exists (3.12.4). Without one the assessment cannot be completed and no score can be produced.
  2. Evaluate the remaining 109 requirements against actual implementation; mark each IMPLEMENTED or NOT IMPLEMENTED. A requirement that meets some but not all assessment objectives is NOT IMPLEMENTED.
  3. For 3.5.3 and 3.13.11 only, record the 3-point partial state where it applies (MFA missing for general users only; encryption present but not FIPS-validated).
  4. Subtract the weight (1, 3, or 5) of every NOT IMPLEMENTED requirement, and 3 points for each requirement in the partial state, from 110. The result is the SPRS score.

Three confidence levels exist: Basic (a contractor self-assessment), Medium (a DoD review of the contractor’s SSP and implementation descriptions, conducted by DCMA’s DIBCAC), and High (an on-site or virtual DIBCAC assessment that verifies evidence). Most contractors post Basic self-assessment scores; a Medium or High result carries more weight with contracting officers because the score has been checked by the government rather than asserted by the contractor.

Posting and Renewal

Under DFARS 7019, contractors must have a current assessment on SPRS, not more than three years old, to be eligible for new DoD awards. Required data fields include:

  • Confidence level (Basic, Medium, or High) and who conducted the assessment.
  • Score.
  • Assessment date.
  • Plan-of-action completion date: the date by which every open requirement is expected to be implemented and the score reaches 110.
  • Covered CAGE codes, and the name of the SSP assessed.

Posting requires a Procurement Integrated Enterprise Environment (PIEE) account holding the SPRS Cyber Vendor User role. The first posting typically takes a week or more because of account provisioning, hierarchy verification, and CAGE-code association, so start before a proposal deadline. PIEE accounts deactivate after inactivity; keep the role active and recheck access well ahead of any re-posting.

CMMC’s Impact on SPRS

Where a contract requires CMMC Level 2 certification, a third-party assessment by a C3PAO displaces the SPRS self-attestation as the award gate. SPRS posting remains mandatory under DFARS 7019/7020, but the contractual gate shifts to holding the required CMMC status rather than to the self-assessed score alone.

Notably, SPRS scores and CMMC assessment outcomes can diverge. Under 32 CFR part 170, a Level 2 assessment may close with a conditional certification only if the score is at least 88 (80 percent of 110) and every open requirement is POA&M-eligible, with the POA&M closed out within 180 days. Only 1-point requirements may be deferred to a POA&M (plus 3.13.11 in its 3-point partial state), and specific 1-point requirements, such as 3.1.20 and 3.1.22, are excluded outright. So a contractor scoring 92 passes if its open items are all POA&M-eligible 1-point requirements, while another contractor with the same 92 fails if even one open item is a 3- or 5-point requirement or an excluded 1-point requirement.

Remediation Priority Order

For contractors significantly below 110, remediation leverage varies. An effective priority sequence:

  1. Close 5-point gaps first (MFA, FIPS cryptography, other 5-point requirements). Maximum score impact per requirement, and each one blocks a conditional CMMC certification.
  2. Address POA&M-excluded 1-point gaps next (for example 3.1.20 external connections, 3.1.22 public CUI). Low score impact, but they block CMMC certification regardless of score.
  3. Work 3-point requirements by score impact. Apart from 3.13.11’s partial state, these also cannot be deferred to a POA&M.
  4. Address the remaining 1-point requirements.
  5. Re-assess and re-post the SPRS score as gaps close rather than waiting for complete remediation. An improving posting history signals commitment to contracting officers.

Checklist

  • Retrieve the current SPRS posting and verify the score, assessment date, and POA&M completion date are accurate.
  • Map every deduction to an underlying NOT IMPLEMENTED requirement; confirm any partial credit is claimed only for 3.5.3 or 3.13.11 and matches the methodology’s conditions.
  • Sequence remediation by point value, prioritizing requirements that are not POA&M-eligible for CMMC readiness.
  • Re-post as gaps close (quarterly during active remediation); contracting officers can see the posting history.
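The scoring steps, the CMMC POA&M-eligibility rule, and the remediation ordering above are mechanical enough to put in code. The following is an added worked example, not code from the original post or from DoD. The point values it uses are the Annex A weights from the DoD Assessment Methodology for the handful of requirements it touches; a real assessment needs the full 110-row table. The POA&M exclusion list is deliberately abbreviated to the requirements discussed on this page (an assumption: verify it against 32 CFR 170.21 before relying on it), and both assessments it scores are constructed, not real data.

```python
"""SPRS score, CMMC Level 2 POA&M eligibility and remediation ordering.

Added example; not code from the original post. Point values are the Annex A
values from the NIST SP 800-171 DoD Assessment Methodology for the handful of
requirements used here (a real assessment needs the full 110-row table). The
POA&M rules follow 32 CFR 170.21, but POAM_EXCLUDED is an abbreviated list
(assumption: verify it against the regulation before relying on it).
"""

IMPLEMENTED, NOT_IMPLEMENTED, PARTIAL = "IMPLEMENTED", "NOT_IMPLEMENTED", "PARTIAL"

# Subset of the Annex A weight table: only the requirements this example touches.
WEIGHTS = {c: 5 for c in ("3.4.1", "3.4.2", "3.5.3", "3.6.1", "3.6.2", "3.7.5",
                          "3.11.2", "3.12.1", "3.12.3", "3.13.11")}
WEIGHTS.update({c: 3 for c in ("3.11.1", "3.12.2")})
WEIGHTS.update({c: 1 for c in ("3.1.8", "3.1.9", "3.1.10", "3.1.11", "3.1.20",
                               "3.1.22", "3.3.3", "3.3.4", "3.4.3", "3.4.4",
                               "3.5.7", "3.5.8", "3.6.3", "3.8.9", "3.11.3",
                               "3.13.7", "3.13.16")})
WEIGHTS["3.12.4"] = None  # SSP: no point value; its absence voids the assessment

# The only two requirements with partial credit: deduction drops from 5 to 3 when
# MFA covers remote and privileged users but not general users (3.5.3), or when
# CUI is encrypted but not with FIPS-validated modules (3.13.11).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Never POA&M-eligible at Level 2 regardless of weight (abbreviated; see docstring).
POAM_EXCLUDED = {"3.1.20", "3.1.22", "3.12.4"}


def assessment_possible(gaps):
    """Without an SSP (3.12.4) the methodology says no score can be produced."""
    return gaps.get("3.12.4", IMPLEMENTED) == IMPLEMENTED


def deduction(control, status, weights=WEIGHTS):
    """Points subtracted for one requirement in the given status."""
    if control not in weights:
        raise KeyError(f"{control} is not in the weight table")
    if status == IMPLEMENTED:
        return 0
    if weights[control] is None:
        raise ValueError("no SSP: assessment cannot be completed")
    if status == PARTIAL:
        if control not in PARTIAL_DEDUCTION:
            raise ValueError(f"{control} has no partial credit; score it NOT_IMPLEMENTED")
        return PARTIAL_DEDUCTION[control]
    if status == NOT_IMPLEMENTED:
        return weights[control]
    raise ValueError(f"unknown status {status!r}")


def open_items(gaps, weights=WEIGHTS):
    """(control, status, points) for every requirement still costing points."""
    items = [(c, s, deduction(c, s, weights)) for c, s in gaps.items()]
    return [i for i in items if i[2] > 0]


def sprs_score(gaps, weights=WEIGHTS):
    """110 minus all deductions. `gaps` maps control -> status for anything not
    fully implemented; requirements not listed count as IMPLEMENTED."""
    if not assessment_possible(gaps):
        raise ValueError("no SSP: assessment cannot be completed")
    return 110 - sum(pts for _, _, pts in open_items(gaps, weights))


def poam_blockers(gaps, weights=WEIGHTS):
    """Open items that cannot be deferred to a POA&M: anything worth more than
    1 point (except 3.13.11 at its 3-point partial state) or on the exclusion list."""
    return sorted(c for c, s, pts in open_items(gaps, weights)
                  if c in POAM_EXCLUDED
                  or (pts > 1 and not (c == "3.13.11" and s == PARTIAL)))


def cmmc_conditional_ok(gaps, weights=WEIGHTS):
    """Conditional Level 2: score at least 88 (80% of 110) and no blockers."""
    return sprs_score(gaps, weights) >= 88 and not poam_blockers(gaps, weights)


def remediation_order(gaps, weights=WEIGHTS):
    """The page's sequence: 5-point gaps, then POA&M-excluded 1-point gaps,
    then 3-point gaps, then the remaining 1-point gaps."""
    def tier(c, pts):
        if pts >= 5:
            return 0
        if pts == 1 and c in POAM_EXCLUDED:
            return 1
        return 2 if pts == 3 else 3
    return [c for c, _, pts in sorted(open_items(gaps, weights),
                                      key=lambda i: (tier(i[0], i[2]), -i[2], i[0]))]


# Constructed assessments (not real data). Both score 92; only B can be
# conditionally certified, because every open item in B is POA&M-eligible.
GAPS_A = {"3.4.1": NOT_IMPLEMENTED, "3.5.3": PARTIAL, "3.13.11": PARTIAL,
          "3.11.1": NOT_IMPLEMENTED, "3.12.2": NOT_IMPLEMENTED, "3.1.20": NOT_IMPLEMENTED}
GAPS_B = {"3.13.11": PARTIAL, **{c: NOT_IMPLEMENTED for c in (
    "3.1.8", "3.1.9", "3.1.10", "3.1.11", "3.3.3", "3.3.4", "3.4.3", "3.4.4",
    "3.5.7", "3.5.8", "3.6.3", "3.8.9", "3.11.3", "3.13.7", "3.13.16")}}

if __name__ == "__main__":
    for name, gaps in (("A", GAPS_A), ("B", GAPS_B)):
        print(name, sprs_score(gaps), cmmc_conditional_ok(gaps),
              poam_blockers(gaps), remediation_order(gaps))
```

Running it shows the divergence the CMMC section describes: assessments A and B both score 92, but A has five blockers (a 5-point gap, three 3-point gaps, and the excluded 3.1.20) and cannot be conditionally certified, while B, whose only gaps are 1-point requirements plus 3.13.11 in its partial state, can. The remediation order for A puts 3.4.1 first and 3.1.20 second, ahead of the 3-point items, exactly as the priority list above prescribes.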