What is SPRS (Supplier Performance Risk System)?
SPRS is the Department of Defense's supplier performance risk evaluation system. It measures how well defense contractors implement cybersecurity controls, specifically the NIST 800-171 protection of controlled technical information (CTI). Your SPRS score is a quantitative measure of your organization's cybersecurity posture and risk to the DoD.
Unlike CMMC, which is a certification you pursue, SPRS is a risk score the DoD calculates on you. However, your SPRS score and CMMC certification are closely related: contractors with poor SPRS scores are flagged for closer scrutiny, while strong CMMC certification supports a higher SPRS score.
Key facts about SPRS:
- SPRS scores range from 0 to 110 points (higher is better)
- Contractors with controlled technical information (CTI) are automatically scored
- The DoD uses SPRS scores in contract evaluation and supplier risk assessment
- Your score is visible to contracting officers and can influence bid evaluations
- SPRS is automated—the DoD calculates it based on your CMMC certification, self-assessment, and other available data
How SPRS Scoring Works: The 110-Point System
SPRS uses a 110-point scale based on the 14 control families in NIST SP 800-171. Each control family can result in point deductions if not properly implemented. Your score starts at 110 and decreases based on gaps in your compliance.
The 14 Control Families and Deduction Points:
| Control Family | NIST 800-171 Area | Deduction if Non-Compliant | Risk If Missing |
|---|---|---|---|
| System & Communications Protection | SC (Boundary protection, cryptography) | -8 points | Unencrypted data in transit; no network segmentation |
| Access Control | AC (User access, privilege management) | -8 points | Shared accounts, weak password controls, over-privileged users |
| Identification & Authentication | IA (MFA, strong authentication) | -8 points | No multi-factor authentication; weak password enforcement |
| Audit & Accountability | AU (Logging, monitoring) | -8 points | No system logs; can't detect intrusions or unauthorized access |
| Configuration Management | CM (System baselines, change control) | -7 points | Unauthorized system changes; no baseline documentation |
| Incident Response | IR (Detection, response procedures) | -7 points | No incident response plan; delayed breach response |
| System & Information Integrity | SI (Malware protection, patching) | -8 points | Unpatched systems; no endpoint detection tools |
| Media Protection | MP (Data handling, disposal) | -7 points | USB drives not controlled; insecure data disposal |
| Physical & Environmental Protection | PE (Physical security, environmental) | -7 points | Unsecured server rooms; no access controls |
| Planning | PL (Security planning, risk assessment) | -6 points | No security plan; no risk assessments conducted |
| Personnel Security | PS (Background checks, training) | -6 points | No background checks; inadequate security training |
| Risk Assessment | RA (Ongoing risk evaluation) | -6 points | No regular risk assessments; unidentified vulnerabilities |
| Security Awareness & Training | AT (Staff training, phishing) | -6 points | Staff not trained on security; high phishing risk |
| Supplier Risk Management | SR (Third-party security) | -6 points | No vendor security assessments; subcontractor risks unknown |
Interactive SPRS Calculator
Check the boxes below for each control family your organization has fully implemented; your score calculates in real time, so start from where you are today and identify which controls will have the most impact. This calculator gives you a quick snapshot; a formal SPRS assessment by the DoD may result in a different score.
What Your SPRS Score Means
Your SPRS score tells contracting officers and the DoD how much cybersecurity risk you represent. Here's what different score ranges indicate:
| Score Range | Risk Level | What It Means | Contractor Impact |
|---|---|---|---|
| 100-110 | Low Risk | Strong CMMC certification (L2 or L3); all major controls implemented | Preferred supplier; favorable bid evaluation; contract priority |
| 80-99 | Moderate Risk | Partial CMMC implementation; most controls in place but some gaps | Competitive bidder; may need risk mitigation in contracts |
| 60-79 | Elevated Risk | Basic CMMC compliance (L1); significant gaps in advanced controls | Higher scrutiny in evaluations; may be passed over for higher-scored competitors |
| Below 60 | High Risk | Minimal compliance; critical control gaps; no CMMC cert or failed assessment | Unfavorable evaluation; may be ineligible for some contracts; at risk of bid exclusion |
SPRS Score Thresholds for Different Contract Types
Different contracts require different SPRS thresholds. While SPRS is not a hard pass/fail system, the DoD uses it to evaluate contractor risk. Meeting or exceeding these thresholds strengthens your position:
- Advanced Weapons / Phase 1 Contracts: Target 95+ SPRS (CMMC Level 2 or 3 required)
- Critical Systems / Phase 2 Contracts: Target 85+ SPRS (CMMC Level 2 required)
- Broad Industrial Base / Phase 3 Contracts: Target 75+ SPRS (CMMC Level 1 minimum)
- General Contracts / Phase 4: Target 65+ SPRS (CMMC Level 1 minimum; SPRS verification)
- Small Business / Subcontracts: Target 60+ SPRS (varying CMMC requirements)
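An offline version of the calculator described above, as an added example that is not the page's own widget and not the DoD's official SPRS methodology: it applies the page's per-family deductions, maps the result onto the page's risk bands, and produces a largest-deduction-first plan to reach a contract target (the same ordering the improvement strategies later on the page use). The family codes and the `phase1`/`small_business` keys are assumed labels.

```python
# Added example (not the page's own calculator, and not the DoD's official
# SPRS methodology): an offline estimator built from the page's per-family
# deduction table, its risk-band table and its contract-type targets.

DEDUCTIONS = {                      # points lost if a family is NOT fully implemented
    "SC": 8, "AC": 8, "IA": 8, "AU": 8, "SI": 8,
    "CM": 7, "IR": 7, "MP": 7, "PE": 7,
    "PL": 6, "PS": 6, "RA": 6, "AT": 6, "SR": 6,
}
MAX_SCORE = 110

# Lower bound of each band from the "What Your SPRS Score Means" table.
BANDS = [(100, "Low Risk"), (80, "Moderate Risk"), (60, "Elevated Risk"), (0, "High Risk")]

# Target scores from "SPRS Score Thresholds for Different Contract Types" (assumed keys).
CONTRACT_TARGETS = {"phase1": 95, "phase2": 85, "phase3": 75, "phase4": 65, "small_business": 60}


def sprs_score(implemented):
    """Start at 110 and subtract the deduction for every family not fully implemented.
    Partial implementation earns nothing: a family is either in `implemented` or it is a gap."""
    unknown = set(implemented) - set(DEDUCTIONS)
    if unknown:
        raise ValueError(f"unknown control family: {sorted(unknown)}")
    return MAX_SCORE - sum(pts for fam, pts in DEDUCTIONS.items() if fam not in implemented)


def risk_band(score):
    """Map a score onto the page's four risk bands."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "High Risk"


def gap_plan(implemented, contract):
    """Largest-deduction-first plan to reach a contract's target score.
    Returns (families to implement, in order; projected score once they are done)."""
    target = CONTRACT_TARGETS[contract]
    score = sprs_score(implemented)
    plan = []
    # Stable sort keeps the table order among families with equal deductions.
    for family in sorted((f for f in DEDUCTIONS if f not in implemented),
                         key=lambda f: -DEDUCTIONS[f]):
        if score >= target:
            break
        plan.append(family)
        score += DEDUCTIONS[family]
    return plan, score
```

Note that with the page's table the deductions total 98, so a posture with no family implemented still scores 12.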
How to Submit Your SPRS Score to the DoD SPRS Portal
After you obtain CMMC certification or complete a self-assessment, you can register your score in the DoD SPRS portal (SPRS.csd.disa.mil). This ensures contracting officers can access your official SPRS score.
Steps to register:
- Log in to the SPRS portal with your company's DoD credentials (Common Access Card or user ID)
- Navigate to "Register CMMC Assessment" or "Submit Self-Assessment"
- Enter your C3PAO assessment details, certificate number, and expiration date (if applicable)
- The system automatically calculates your SPRS score based on CMMC data
- Confirm the score and submit
- Your SPRS score is now visible to all contracting officers in real time
If you're pursuing CMMC, the C3PAO automatically registers your certificate in the CMMC portal, and the DoD pulls that data to update your SPRS score. You don't need to manually register CMMC assessments—it happens automatically.
SPRS Score Improvement Strategies
Your score improves when you implement controls. Here's how to prioritize for maximum impact:
Phase 1 Priority (Highest Impact, 8-Point Deductions Each):
- System & Communications Protection (SC) — encryption, network segmentation
- Access Control (AC) — user account management, privilege levels
- Identification & Authentication (IA) — multi-factor authentication
- Audit & Accountability (AU) — system logging, event tracking
- System & Information Integrity (SI) — malware protection, patching
Implementing these five controls alone moves your score from 60 to 110 points and removes your most critical vulnerabilities.
Phase 2 Priority (Mid-Impact, 7-Point Deductions Each):
- Configuration Management (CM) — change control, baselines
- Incident Response (IR) — detection, response procedures
- Media Protection (MP) — data handling, disposal
- Physical & Environmental Protection (PE) — facility security
Phase 3 Priority (Foundational, 6-Point Deductions Each):
- Planning, Personnel Security, Risk Assessment, Security Awareness, Supplier Risk Management
- These are essential but can often be implemented with policy and process changes
Common SPRS Scoring Mistakes
Many contractors misunderstand SPRS and leave points on the table. Avoid these mistakes:
- Confusing SPRS with CMMC: SPRS is a score; CMMC is a certification. You need CMMC cert, but your SPRS score is calculated automatically by the DoD.
- Not registering your CMMC cert: If you obtain CMMC certification but don't register it in the CMMC portal, the DoD won't include it in your SPRS calculation. Always register immediately after certification.
- Partial control implementation: SPRS is binary per control—you either meet it or you don't. Implementing 90% of a control still counts as a gap. Complete controls fully.
- Forgetting to include subcontractors: Your SPRS score includes your supply chain's security posture. If subs aren't secure, your score suffers.
- Letting certification lapse: CMMC certs are valid for 3 years. If yours expires, your SPRS score resets to your self-assessment (usually lower). Plan your re-assessment well in advance.
- Only pursuing Level 1: CMMC Level 1 is often not enough for Phase 1-2 contracts. Target Level 2 to stay competitive.
Frequently Asked Questions
Is SPRS the same as CMMC?
No. CMMC is a certification you pursue through a C3PAO assessment. SPRS is a score the DoD calculates on you. However, they're related: your CMMC certification drives your SPRS score. A strong CMMC cert results in a high SPRS score.
Can I improve my SPRS score without CMMC certification?
Yes. The DoD accepts self-assessments of NIST 800-171 compliance. You can submit a self-assessment and receive an SPRS score without formal CMMC certification. However, CMMC certification results in a higher, more credible score that gives you a competitive advantage.
How often is my SPRS score updated?
Your SPRS score updates when you submit new assessment data (CMMC cert, self-assessment update, etc.) to the SPRS portal. The DoD checks the CMMC registry daily for new certifications, so CMMC certs are reflected in SPRS within 24 hours of registration.
What if I disagree with my calculated SPRS score?
You can dispute your SPRS score by submitting evidence of control compliance to the SPRS portal. If the DoD does not agree with your own assessment of the score, an official CMMC assessment by a C3PAO is the most authoritative way to correct it; a formal CMMC cert overrides self-assessment data.
Do all contractors need an SPRS score?
Only contractors with controlled technical information (CTI) or federal contract information (FCI) are automatically scored in SPRS. If you don't handle CTI/FCI, you may not have an active SPRS score. Check with your contracting officer if CMMC/SPRS applies to you.
Can my SPRS score hurt me in contract bids?
Yes. Many contracting officers now use SPRS scores as an evaluation criterion. A low SPRS score can result in a downgrade in technical evaluation, loss of contract awards, or a requirement to implement risk mitigation measures. A strong SPRS score is a competitive advantage.