For defense contractors, a Supplier Performance Risk System (SPRS) score is much more than a number—it’s a crucial indicator of your ability to secure and maintain Department of Defense (DoD) contracts. Every contractor handling Controlled Unclassified Information (CUI) must adhere to the stringent security controls of NIST SP 800-171, and your SPRS score reflects how well you’re doing. A high score not only showcases your compliance but also strengthens your competitive stance in the Defense Industrial Base. Conversely, a low score can signal significant risks to the DoD supply chain, potentially jeopardizing future contracts.

In this blog, we’ll dive into the essentials of SPRS scores, highlighting what they mean for your business and, most importantly, providing actionable insights on how to improve your score and protect your position in the marketplace.


SPRS scores hold critical importance for defense contractors for two key reasons:
 
First, DFARS 7020 mandates that prime contractors proactively verify the compliance of their subcontractors by ensuring they have a current SPRS score—no older than three years—on record. This score often becomes a deciding factor in subcontractor selection, with many primes setting specific SPRS score minimums as a requirement.
 
Second, the significance of SPRS scores is set to increase with the impending rollout of the Cybersecurity Maturity Model Certification (CMMC). As organizations handling Controlled Unclassified Information (CUI) prepare for CMMC Level 2 assessments, achieving a minimum of 88 out of 110 on the NIST 800-171 controls becomes essential. Thus, your SPRS score not only reflects your current compliance status but will also be a pivotal factor in the CMMC certification process.

The Department of Defense (DoD) uses a precise methodology for evaluating SPRS scores, assigning each of the 110 NIST SP 800-171 controls a weight of one, three, or five points. Scoring begins at a base of -203, the lowest possible score. As contractors meet each control fully—partial fulfillment does not earn any points—their score increases, potentially reaching up to +110.

SPRS Score range

It’s important to note that negative scores are possible, with the scoring range spanning from +110 down to -203, a total spread of 313 points. First-time assessments often result in negative scores due to unmet controls, but these scores generally improve significantly under the guidance of an experienced professional team.

With CMMC going into contracts in mid-2025, defense contractors seeking CMMC Level 2 compliance must meet a minimum threshold of 88 controls during their initial C3PAO-led assessment.

Critically, they must meet:

  • All CMMC Level 1 controls
  • All 3- and 5-point controls (except SC.L2-3.13.11, which, if partially met—encryption is employed but is not FIPS validated—reduces an SPRS score by 3 points instead of 5)
  • The following 1-point controls:
    • AC.L2-3.1.20 – External Connections (CUI Data)
    • AC.L2-3.1.22 – Control Public Information (CUI Data)
    • PE.L2-3.10.3 – Escort Visitors (CUI Data)
    • PE.L2-3.10.4 – Physical Access Logs (CUI Data)
    • PE.L2-3.10.5 – Manage Physical Access (CUI Data)

If a contractor is unable to meet any of the controls not in this list, they will need to create a Plan of Action and Milestones (POA&M) that describes their process for remediation. POA&Ms will be time-bound. Organizations given CMMC Level 2 Conditional Certification are responsible for correcting all deficiencies listed in their POA&Ms within 180 days from the time of their Final Findings briefing with their C3PAO. If an organization has deficiencies remaining after 180 days, its Level 2 Conditional Certification will be revoked.
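The scoring arithmetic and the conditional-certification gate described above can be written down as a small calculator. The following is an added example, not PreVeil's or the DoD's code: it starts at 110, subtracts the weight of every control that is not fully met, applies the SC.L2-3.13.11 partial-credit exception, and then checks the must-meet rules (score of at least 88, every 3- and 5-point control met, the five listed 1-point controls met, every Level 1 control met) and lists what is left for a POA&M. The `WEIGHTS` table is a constructed subset of the 110 controls; the weights of the controls the text does not mention (3.1.1, 3.1.5, 3.1.21) are assumptions to confirm against the DoD Assessment Methodology, controls missing from the table are treated as met, and the Level 1 control set is passed in because the text does not enumerate it.

```python
"""SPRS score arithmetic and the CMMC Level 2 gate described in the text.

Added example, not PreVeil's or the DoD's code. WEIGHTS is a constructed
subset of the 110 NIST SP 800-171 controls; weights of controls the text does
not mention are assumptions. Controls absent from WEIGHTS count as met.
"""

MAX_SCORE = 110          # every control fully met
MIN_SCORE = -203         # every control unmet (a 313-point spread)
CONTROL_COUNT = 110
CMMC_L2_THRESHOLD = 88   # minimum score for a conditional Level 2 certification

# Constructed subset of the weight table (1, 3 or 5 points per control).
WEIGHTS = {
    "AC.L2-3.1.1": 5,     # assumed weight
    "AC.L2-3.1.5": 3,     # assumed weight
    "AC.L2-3.1.20": 1,    # 1-point control named in the text
    "AC.L2-3.1.21": 1,    # assumed weight
    "AC.L2-3.1.22": 1,    # 1-point control named in the text
    "PE.L2-3.10.3": 1,    # 1-point control named in the text
    "PE.L2-3.10.4": 1,    # 1-point control named in the text
    "PE.L2-3.10.5": 1,    # 1-point control named in the text
    "SC.L2-3.13.11": 5,   # 5-point control named in the text
}

# The one control where partial implementation keeps some credit:
# encryption in place but not FIPS validated costs 3 points instead of 5.
PARTIAL_DEDUCTION = {"SC.L2-3.13.11": 3}

# 1-point controls that must nonetheless be fully met for conditional certification.
REQUIRED_ONE_POINT = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})

STATUSES = ("met", "partial", "not_met")


def deduction(control, status, weights=WEIGHTS):
    """Points lost for one control. Partial credit exists only for SC.L2-3.13.11;
    any other partially implemented control loses its full weight."""
    if status not in STATUSES:
        raise ValueError(f"{control}: unknown status {status!r}")
    if status == "met":
        return 0
    if status == "partial" and control in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[control]
    return weights[control]


def sprs_score(assessment, weights=WEIGHTS):
    """Start at 110 and subtract the weight of every control not fully met.
    `assessment` maps control id -> status; unlisted controls count as met."""
    unknown = set(assessment) - set(weights)
    if unknown:
        raise KeyError(f"controls not in weight table: {sorted(unknown)}")
    lost = sum(deduction(c, s, weights) for c, s in assessment.items())
    return MAX_SCORE - lost


def blocking_reason(control, status, weights=WEIGHTS, level1_controls=frozenset()):
    """Why an unmet control blocks conditional certification, or None if it
    may be deferred to a POA&M. The SC.L2-3.13.11 partial case never blocks."""
    if status == "met" or (status == "partial" and control in PARTIAL_DEDUCTION):
        return None
    weight = weights[control]
    if weight >= 3:
        return f"{control} ({weight} pts) must be fully met"
    if control in REQUIRED_ONE_POINT:
        return f"{control} is a required 1-point control"
    if control in level1_controls:
        return f"{control} is a CMMC Level 1 control"
    return None


def cmmc_l2_gate(assessment, weights=WEIGHTS, level1_controls=frozenset()):
    """Return (passes, reasons) for the conditional Level 2 minimum."""
    reasons = []
    score = sprs_score(assessment, weights)
    if score < CMMC_L2_THRESHOLD:
        reasons.append(f"score {score} is below {CMMC_L2_THRESHOLD}")
    for control, status in sorted(assessment.items()):
        reason = blocking_reason(control, status, weights, level1_controls)
        if reason:
            reasons.append(reason)
    return not reasons, reasons


def poam_items(assessment, weights=WEIGHTS, level1_controls=frozenset()):
    """Controls that cost points but do not block certification; these go on
    the POA&M and must be closed within 180 days of the final findings briefing."""
    return [
        c for c, s in sorted(assessment.items())
        if deduction(c, s, weights) > 0
        and blocking_reason(c, s, weights, level1_controls) is None
    ]


def weight_table_is_complete(weights):
    """A full DoD table has 110 controls whose weights sum to the 313-point
    spread between +110 and -203; the constructed subset above does not."""
    return len(weights) == CONTROL_COUNT and sum(weights.values()) == MAX_SCORE - MIN_SCORE


if __name__ == "__main__":
    # Constructed first-assessment findings.
    findings = {
        "SC.L2-3.13.11": "partial",   # encryption present, not FIPS validated: -3
        "PE.L2-3.10.4": "not_met",    # required 1-point control: blocks certification
        "AC.L2-3.1.21": "not_met",    # ordinary 1-point control: POA&M eligible
    }
    print("SPRS score:", sprs_score(findings))
    print("gate:", cmmc_l2_gate(findings))
    print("POA&M:", poam_items(findings))
```

With the constructed findings the score is 105 (three points for the non-FIPS encryption, one each for the two unmet 1-point controls), yet certification is still blocked, because PE.L2-3.10.4 is one of the five 1-point controls that cannot be deferred; only AC.L2-3.1.21 and the remaining SC.L2-3.13.11 gap belong on the POA&M. Swapping `WEIGHTS` for the full DoD table, which `weight_table_is_complete` checks by count and by the 313-point spread, turns this into a real score calculator.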

If you don’t meet these requirements in your first assessment, you’ll need to start the entire assessment process over – including paying for a new assessment. 

Here’s what your organization needs to do to calculate and submit an SPRS score:

  • Develop a System Security Plan (SSP): Your SSP details the policies and procedures your organization has in place to comply with NIST SP 800-171. The SSP is foundational for any self-assessment as well as consideration for any DoD contract.
  • Conduct a self-assessment: Assess your organization according to the DoD’s NIST SP 800-171 Assessment Methodology.
  • Submit your self-assessment score: Contractors must submit their self-assessment score to the DoD’s Supplier Performance Risk System (SPRS) by the time of contract award. The self-assessment must have been completed within the last three years and be maintained for the duration of the contract.
  • Create your POA&Ms: If your organization’s SPRS score falls below 110, create a Plan of Action & Milestones (POA&M) for security controls not met, and indicate by what date those security gaps will be remediated and a score of 110 will be achieved.

If your organization hasn’t yet submitted an SPRS score to the DoD, now is the time to move on getting that done. Alternatively, you may have an SPRS score on file that doesn’t accurately reflect your cybersecurity levels. If that’s the case, it’s time to update your score. Fraudulent scores—intentional or not—could result in serious consequences ranging from fines to cancellation of your contract.
 

How to calculate your SPRS score

Your organization’s SPRS score is based on the results of an assessment of compliance with NIST SP 800-171, which was created specifically to protect CUI. The more you can improve your cybersecurity and protect CUI, the higher your SPRS score will go.
 
PreVeil suggests a three-step roadmap to raise your SPRS score:

  1. Adopt a platform that securely stores, processes and transmits CUI.
     
    File sharing and email are how CUI is most frequently transmitted. You’ll need to assess platforms and choose one that enables compliance with NIST SP 800-171. Know that the responsibility for choosing a compliant platform rests squarely on the shoulders of defense contractors. Don’t simply accept a provider’s self-attestation that they support NIST SP 800-171 standards. Ask for documented evidence.
     
    Over a dozen PreVeil customers have achieved CMMC compliance, validated by a perfect 110 score on their C3PAO or DoD assessment.
  2. Use prepared documentation to show compliance and save time and money.
     
    Defense contractors have to do more than implement technology and policies to comply with NIST SP 800-171. They also need detailed, evidence-based documentation to prove it. This can be a daunting, time-consuming and costly task.
     
    PreVeil offers its customers a compliance documentation package that gives them a huge head start on this essential documentation. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; POA&M templates; and more. (Note that your SSP will be the first document that your C3PAO will ask for when you kick off your C3PAO Level 2 assessment).
  3. Identify certified consultants that are familiar with your technology.
     
    It’s understandable that many organizations lack the internal security expertise to conduct their NIST SP 800-171 self-assessment accurately and cost effectively. If you get stuck and need help, outside partners can save you time and money.
     
    To facilitate connections to the specialized help many small to midsize businesses need, PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs and other consultants and organizations—all with expert knowledge of DFARS, NIST, CMMC and PreVeil. The partners’ expert knowledge of PreVeil significantly streamlines your engagement because no time is spent learning how PreVeil supports compliance with NIST SP 800-171. This efficiency accelerates your path to a higher SPRS score.

PreVeil is trusted by more than 1,200 small and midsize defense contractors and has enabled numerous organizations to achieve a perfect 110 score on their SPRS. These organizations have been successful in their compliance efforts because they relied on:

  • PreVeil’s Email and Drive Platform: Enables organizations to quickly secure their CUI data and support 102/110 controls
  • Compliance Accelerator: A proven toolkit with C3PAO-validated videos, prefilled documentation (Standard Operating Procedure, System Security Plan, etc.) and 1×1 support from our compliance experts if you get stuck
  • Preferred Partner Network: Support through your entire compliance journey – from prep to assessment – through our network of CMMC consultants & auditors.

Learn more about how PreVeil can help you raise your SPRS score and achieve CMMC Level 2 certification faster and more affordably:


  • Sign up for a free 15-minute consultation with our compliance team
  • Check out our case study on Kokosing Construction Company to learn how they used PreVeil to achieve a perfect 110/110 score.