Your SPRS score starts at 110 — one point for each fully implemented NIST SP 800-171 control — and you subtract the weighted value of every control you have not met. High-impact controls cost 5 points, mid-tier ones cost 3, and minor ones cost 1, which is how a score can fall all the way to a floor around -203. The number you submit to the Supplier Performance Risk System is what a prime or contracting officer sees before they decide whether to trust you with CUI.
The first time most contractors run their SPRS number, it comes back negative and they assume they've done something wrong. They usually haven't. A negative score just means the math is doing its job — you started at 110, and the controls you haven't stood up yet got subtracted. Once you understand how those deductions are weighted, the whole scale stops being scary and starts being a to-do list ranked by value.
This is the number the Department of Defense uses to gauge, at a glance, how close a supplier is to meeting the 110 controls in NIST 800-171. It's generated from a self-assessment you perform against the DoD Assessment Methodology, and it gets posted in SPRS with an assessment date and an affirmation. Let me walk you through exactly how the scale works, why one missed control can cost five points, what a negative number signals to the prime reading it, and the fastest honest way to raise it.
Start with the ceiling. There are 110 security requirements in NIST SP 800-171, spread across 14 control families — things like Access Control, Audit & Accountability, Identification & Authentication, System & Communications Protection, and so on. A perfect score of 110 means every one of those 110 controls is fully in place, documented, and provable. That's the top of the mountain.
You don't earn your way up to 110, though. You start there and lose points. The DoD Assessment Methodology takes your perfect 110 and subtracts a set value for each control you have not fully implemented. Get everything right, you keep the whole 110. Miss things, and the deductions stack up until you land wherever your real posture puts you — which for a shop that hasn't started is often a long way below zero.
That's the part that catches people off guard: the scale is not 0 to 110. It runs from 110 at the top down to roughly -203 at the bottom. The negative range exists because some controls are weighted heavily enough that missing enough of them pulls you well past zero. A score of -40 doesn't mean you have "negative security." It means the weighted deductions from your open gaps add up to 150 points off a starting 110.
Not every control is worth the same, and that's the single most important thing to understand about this score. The methodology assigns each of the 110 requirements a point value based on how much risk it carries if it's missing. There are three tiers:
| Weight | What it means | Examples of what lives here |
|---|---|---|
| -5 | Highest-impact controls. The safeguards an attacker defeats first, or that protect the data directly. | Multifactor authentication, FIPS-validated encryption of CUI, boundary protection. |
| -3 | Mid-tier controls. Important, but a partial or compensating measure blunts some of the risk. | Session controls, certain audit and configuration requirements. |
| -1 | Lower-impact controls. Still required, but the risk of a single gap is smaller. | Many administrative, documentation, and awareness requirements. |
So when a 5-point control isn't implemented, you subtract the full 5. Skip multifactor authentication and encryption, and you've given up 10 points before you've touched anything else. String together six or seven unmet 5-pointers and you've already erased 30-plus points from your 110 — that's how shops end up staring at a deeply negative number after what feels like just a handful of gaps.
A few controls have a partial-credit wrinkle. For a small number of high-weight requirements — multifactor authentication and FIPS-validated cryptography are the usual examples — the methodology lets you take a smaller deduction if you've implemented part of the requirement rather than none of it. It's a narrow allowance, not a general rule, so don't count on partial credit to save a score. The reliable path is closing the control outright.
Here's why the number matters beyond your own paperwork. Your SPRS score isn't private. It sits in the Supplier Performance Risk System where contracting officers and — increasingly — prime contractors can pull it when they're deciding who to put on a team. When a prime is choosing between two subs to flow CUI down to, the one with the healthier score is the safer bet, and they know it.
A deep negative tells that reader one thing plainly: you have real, unclosed gaps and haven't finished your NIST 800-171 work. That's not a moral judgment — it's a risk signal, and primes are getting more disciplined about acting on it. A low score can quietly cost you a spot on a bid before anyone ever calls you, because you got filtered out on the number alone.
But the number is only half the story, and this is the part worth internalizing. A less-than-perfect score paired with a dated Plan of Action & Milestones (POA&M) — a document that lists each open control and when you'll close it — reads very differently than a low score with nothing behind it. One says "we know exactly where we stand and here's the plan." The other says "we haven't looked." Given the choice, a prime will take the honest, in-progress supplier over the silent one every time.
Raising the number isn't complicated once you accept the ranking. You attack the heaviest gaps first, you implement them for real, and you document them well enough to survive scrutiny. Here's the order that actually moves the score.
You don't have to hand-calculate 110 weighted deductions on a spreadsheet to know where you stand. Our free SPRS score calculator walks you through the controls, applies the correct point weights, and hands you an estimated score plus the gaps dragging it down — in about two minutes, no email required. It's the fastest way to turn "I think we're behind" into an actual number and a ranked list.
Once you have that number, the next question is what it costs to close the gap. Our breakdown of CMMC compliance cost for small business lays out the real line items, and if your contract raises the question of who has to assess you, C3PAO vs self-assessment explains exactly which path your contract requires.
Knowing your SPRS number is step one. Raising it means implementing controls and — the part that actually holds up — documenting them. The CMMC Level 2 DIY Compliance Kit is the System Security Plan, the 20 required policies, a POA&M template, and a per-control SPRS scorer, all editable and built for a small shop doing this itself.
The highest possible SPRS score is 110, which means every NIST SP 800-171 control is fully implemented. There is no official passing threshold — a prime or contracting officer simply sees the number you submitted. Practically, the closer you are to 110 the more credible you look, and a score in the double-negative range signals that most of your security program is still missing.
The DoD Assessment Methodology weights each of the 110 controls by risk. High-impact controls — the ones an attacker exploits first, like multifactor authentication or FIPS-validated encryption — are worth 5 points, mid-tier controls are worth 3, and lower-impact ones are worth 1. If a 5-point control is not implemented, you subtract the full 5. That is why a handful of gaps can drag your score deeply negative.
The floor is roughly -203. If you started at 110 and had not implemented a single one of the 110 controls, the weighted deductions total to that bottom number. A negative score is normal for a shop that has not started remediation yet, but it is not a number you want visible to a prime when award decisions are being made.
It tells them you have real, unclosed gaps in your NIST 800-171 implementation and that flowing CUI down to you carries risk. Primes increasingly filter subcontractors by SPRS score, so a deep negative can quietly cost you a spot on a team before anyone calls you. A positive score with a dated POA&M is a far better story than a low number with no plan.
Prioritize the 5-point controls first, because each one you close is worth five times a 1-point item. Implement the control for real, document it in your System Security Plan, gather the evidence, then update your score in SPRS. Attack the highest-weighted gaps in order and your number climbs fast — a few 5-point fixes often move you from negative into positive territory.
Yes. A Level 2 self-assessment is exactly that — you score yourself against the 110 controls using the DoD Assessment Methodology, then enter the result in the Supplier Performance Risk System with an assessment date and a senior official's affirmation. A C3PAO is only involved when your contract requires third-party certification rather than a self-assessment.