
SPRS score explained: what the DoD sees when a prime asks for your cyber posture

April 11, 2026 | Gravity Networks | Compliance

If you work with Department of Defense primes or bid on federal contracts involving Controlled Unclassified Information (CUI), you've heard the acronym: SPRS. The Supplier Performance Risk System is the DoD-run database where your NIST SP 800-171 self-assessment score lives. Primes and contracting officers can look up your score, and increasingly they're gating contract awards on it. Here's how the number actually works.

Where the score comes from

The SPRS score is calculated from your NIST SP 800-171 Rev. 2 self-assessment. There are 110 security requirements in 800-171. Each requirement you haven't fully implemented subtracts points from a baseline of 110.

The catch: points aren't uniform. The DoD's NIST SP 800-171 Assessment Methodology weights requirements by criticality:

  • 5-point deductions for the most impactful controls — things like MFA on privileged accounts, encryption of CUI, and system audit logging.
  • 3-point deductions for moderate-impact controls.
  • 1-point deductions for lower-impact controls that contribute to the defensive posture but aren't front-line risk reducers.

Start at 110 and subtract. A company that hasn't implemented MFA on its admin accounts, doesn't encrypt CUI at rest, and has no audit logging is already down 15+ points before any of the other 107 controls get evaluated. Scores can and do go negative — the math allows it, and a deeply under-controlled environment can easily land at −40 or lower.

What "fully implemented" actually means

A common mistake: assuming a control is implemented because you've bought the product. MFA deployed across email but not your VPN is not "MFA fully implemented." Encryption enabled on the file share but not on engineering workstations that download CUI locally is not "encryption at rest for all CUI." The assessment methodology requires full coverage of in-scope systems — partial coverage scores zero for that control.
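As an added illustration (not code from the original post, and not a DoD tool), here is a small Python scorer that applies the rules described in the two sections above: weighted 5/3/1 deductions from a baseline of 110, partial coverage scored the same as not implemented, and no floor at zero. It also ranks open findings by points recoverable, which goes slightly beyond the text. The control names and the lower-tier weights in the sample list are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

BASELINE = 110            # all 110 NIST SP 800-171 requirements fully implemented
VALID_WEIGHTS = (1, 3, 5)  # deduction tiers in the DoD assessment methodology

class Status(Enum):
    IMPLEMENTED = "implemented"          # full coverage of every in-scope system
    PARTIAL = "partial"                  # deployed on some in-scope systems, not all
    NOT_IMPLEMENTED = "not_implemented"

@dataclass(frozen=True)
class Requirement:
    name: str
    weight: int          # 5, 3 or 1
    status: Status

def deduction(req: Requirement) -> int:
    # Points lost for one requirement. Partial coverage earns no credit,
    # so it is deducted exactly like "not implemented".
    if req.weight not in VALID_WEIGHTS:
        raise ValueError(f"{req.name}: weight must be one of {VALID_WEIGHTS}")
    return 0 if req.status is Status.IMPLEMENTED else req.weight

def sprs_score(reqs: list[Requirement]) -> int:
    # Start at 110 and subtract. No floor is applied, so the result may be negative.
    # Requirements omitted from `reqs` count as implemented (zero deduction).
    if len(reqs) > BASELINE:
        raise ValueError("more than 110 requirements supplied")
    return BASELINE - sum(deduction(r) for r in reqs)

def poam_priority(reqs: list[Requirement]) -> list[tuple[str, int]]:
    # Open findings ordered by points recoverable, so the POA&M closes 5-point items first.
    findings = [(r.name, deduction(r)) for r in reqs if deduction(r) > 0]
    return sorted(findings, key=lambda f: f[1], reverse=True)

# Constructed sample: the environment the post describes (no privileged MFA, CUI
# encrypted on the file share but not on engineering workstations, no audit logging)
# plus three lower-tier controls whose weights are chosen for illustration only.
SAMPLE = [
    Requirement("MFA on privileged accounts", 5, Status.NOT_IMPLEMENTED),
    Requirement("Encryption of CUI at rest", 5, Status.PARTIAL),
    Requirement("System audit logging", 5, Status.NOT_IMPLEMENTED),
    Requirement("Moderate-impact control (constructed)", 3, Status.PARTIAL),
    Requirement("Lower-impact control (constructed)", 1, Status.NOT_IMPLEMENTED),
    Requirement("Security awareness training", 1, Status.IMPLEMENTED),
]
```

Running `sprs_score(SAMPLE)` on this sample gives 91, and `poam_priority(SAMPLE)` lists the three 5-point findings first.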

Be honest in the self-assessment. An inflated SPRS score creates False Claims Act exposure if the DoD later finds out — which has happened. The 2023 Insight Global settlement (a $2.4M False Claims Act settlement for cybersecurity misrepresentation) told the industry how seriously this is being taken.

How primes and contracting officers use the score

A few patterns we see:

  • Minimum score gates. Some primes now require subcontractors to post a score of 80 or better (or sometimes 110) before issuing a purchase order for CUI-touching work. Score below the gate? The PO doesn't come.
  • Trend monitoring. Primes check SPRS before re-upping an annual subcontract. If your score dropped or didn't improve on a previously promised POA&M, that's a conversation.
  • Negotiation leverage. A strong SPRS score is becoming a differentiator in bids. Of two qualified subs with similar technical capability, the one with a posted 110 wins more often.

What goes into a defensible score

A credible self-assessment involves:

  1. A scoped environment with clear boundaries — you know what systems are "in scope" for NIST SP 800-171.
  2. Evidence files for each of the 110 requirements — policy documents, configuration screenshots, sample audit logs, training attestations.
  3. A System Security Plan (SSP) describing how each control is implemented.
  4. A Plan of Action and Milestones (POA&M) for anything not yet fully implemented — with owner and target date.
  5. A signed statement of the score by a senior official (not an IT contractor).

When to post, when to update

You post the score in SPRS when you first self-assess. You update it whenever your environment materially changes — big migration, new CUI-handling system, closed POA&M items that meaningfully improve the score. At minimum, re-evaluate annually. Primes checking SPRS see the date your score was posted or last updated — a score from 2023 looks dated in 2026.

Where CMMC 2.0 Level 2 fits

SPRS scores reflect a self-assessment. CMMC 2.0 Level 2 assessment is a formal evaluation by a certified third-party assessment organization (C3PAO). Most CUI-handling contracts will require CMMC 2.0 Level 2 assessment — your SPRS score is the self-assessed starting point, and the Level 2 assessment is the external verification. Expect both to be part of the workflow over the next 24 months.

Where we help

Gravity Networks walks Utah and Tennessee defense contractors through the NIST SP 800-171 gap assessment, builds the SSP and POA&M, stands up the control stack (EDR, SIEM, MFA, logging), and preps you for the C3PAO assessment when it's time. If you have a score posted that makes you uncomfortable or a prime asking questions you can't answer, start with a 30-minute scoping call.