Home / Guides / SPRS Score Explained

SPRS Score Explained: How the 110 to -203 Scale Works

Focus: sprs score Veteran-run · practitioner guide Updated Jul 2026 ~9 min read
The short answer

Your SPRS score starts at 110 — one point for each fully implemented NIST SP 800-171 control — and you subtract the weighted value of every control you have not met. High-impact controls cost 5 points, mid-tier ones cost 3, and minor ones cost 1, which is how a score can fall all the way to a floor around -203. The number you submit to the Supplier Performance Risk System is what a prime or contracting officer sees before they decide whether to trust you with CUI.

The first time most contractors run their SPRS number, it comes back negative and they assume they've done something wrong. They usually haven't. A negative score just means the math is doing its job — you started at 110, and the controls you haven't stood up yet got subtracted. Once you understand how those deductions are weighted, the whole scale stops being scary and starts being a to-do list ranked by value.

This is the number the Department of Defense uses to gauge, at a glance, how close a supplier is to meeting the 110 controls in NIST 800-171. It's generated from a self-assessment you perform against the DoD Assessment Methodology, and it gets posted in SPRS with an assessment date and an affirmation. Let me walk you through exactly how the scale works, why one missed control can cost five points, what a negative number signals to the prime reading it, and the fastest honest way to raise it.

How the 110-point scale works

Start with the ceiling. There are 110 security requirements in NIST SP 800-171, spread across 14 control families — things like Access Control, Audit & Accountability, Identification & Authentication, System & Communications Protection, and so on. A perfect score of 110 means every one of those 110 controls is fully in place, documented, and provable. That's the top of the mountain.

You don't earn your way up to 110, though. You start there and lose points. The DoD Assessment Methodology takes your perfect 110 and subtracts a set value for each control you have not fully implemented. Get everything right, you keep the whole 110. Miss things, and the deductions stack up until you land wherever your real posture puts you — which for a shop that hasn't started is often a long way below zero.

That's the part that catches people off guard: the scale is not 0 to 110. It runs from 110 at the top down to roughly -203 at the bottom. The negative range exists because some controls are weighted heavily enough that missing enough of them pulls you well past zero. A score of -40 doesn't mean you have "negative security." It means the weighted deductions from your open gaps add up to 150 points off a starting 110.

The mental model Think of it as a bank account that opens with a balance of 110. Every control you haven't implemented is a withdrawal — 5, 3, or 1 point depending on how much risk it carries. Your SPRS score is just the balance after all the withdrawals clear. You raise it by making deposits: closing gaps, one weighted control at a time.

Why one control can cost 5 points

Not every control is worth the same, and that's the single most important thing to understand about this score. The methodology assigns each of the 110 requirements a point value based on how much risk it carries if it's missing. There are three tiers:

WeightWhat it meansExamples of what lives here
-5Highest-impact controls. The safeguards an attacker defeats first, or that protect the data directly.Multifactor authentication, FIPS-validated encryption of CUI, boundary protection.
-3Mid-tier controls. Important, but a partial or compensating measure blunts some of the risk.Session controls, certain audit and configuration requirements.
-1Lower-impact controls. Still required, but the risk of a single gap is smaller.Many administrative, documentation, and awareness requirements.

So when a 5-point control isn't implemented, you subtract the full 5. Skip multifactor authentication and encryption, and you've given up 10 points before you've touched anything else. String together six or seven unmet 5-pointers and you've already erased 30-plus points from your 110 — that's how shops end up staring at a deeply negative number after what feels like just a handful of gaps.

A few controls have a partial-credit wrinkle. For a small number of high-weight requirements — multifactor authentication and FIPS-validated cryptography are the usual examples — the methodology lets you take a smaller deduction if you've implemented part of the requirement rather than none of it. It's a narrow allowance, not a general rule, so don't count on partial credit to save a score. The reliable path is closing the control outright.

The trap Don't chase the 1-point controls first because they're easy. Ten of them fully closed only buys back 10 points. A single 5-point control does half that work in one move. Rank your open gaps by weight, not by how quick they look, or you'll spend a week of effort to move the needle a couple of points.

What a negative score signals to a prime

Here's why the number matters beyond your own paperwork. Your SPRS score isn't private. It sits in the Supplier Performance Risk System where contracting officers and — increasingly — prime contractors can pull it when they're deciding who to put on a team. When a prime is choosing between two subs to flow CUI down to, the one with the healthier score is the safer bet, and they know it.

A deep negative tells that reader one thing plainly: you have real, unclosed gaps and haven't finished your NIST 800-171 work. That's not a moral judgment — it's a risk signal, and primes are getting more disciplined about acting on it. A low score can quietly cost you a spot on a bid before anyone ever calls you, because you got filtered out on the number alone.

But the number is only half the story, and this is the part worth internalizing. A less-than-perfect score paired with a dated Plan of Action & Milestones (POA&M) — a document that lists each open control and when you'll close it — reads very differently than a low score with nothing behind it. One says "we know exactly where we stand and here's the plan." The other says "we haven't looked." Given the choice, a prime will take the honest, in-progress supplier over the silent one every time.

How to raise your SPRS score

Raising the number isn't complicated once you accept the ranking. You attack the heaviest gaps first, you implement them for real, and you document them well enough to survive scrutiny. Here's the order that actually moves the score.

  1. Score yourself honestly first.You can't fix what you haven't measured. Run the full 110 against the DoD Assessment Methodology and write down which controls are open and what each one is worth. This baseline is the map for everything after it.
  2. Sort every open gap by weight.Put all your unmet 5-point controls at the top of the list, then the 3s, then the 1s. This single sort tells you where every hour of remediation buys the most score.
  3. Close the 5-pointers, in order.Stand up multifactor authentication, get FIPS-validated encryption around your CUI, lock down the boundary. Each one you genuinely close adds 5 points back — a few of these often flip a negative score into positive territory on their own.
  4. Document as you go and update SPRS.An implemented control you can't prove doesn't count. Write it into your System Security Plan, capture the evidence, then update your score in SPRS with a current assessment date and affirmation. The number is only real when the paperwork backs it.
The deadline that makes this urgent November 10, 2026 starts Phase 2 of the CMMC rollout, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts. Self-assessment and SPRS affirmation language is already appearing in solicitations today. A healthy, documented score isn't a year-end project — it's what keeps you eligible for the work you're bidding right now.

Get your number in two minutes

You don't have to hand-calculate 110 weighted deductions on a spreadsheet to know where you stand. Our free SPRS score calculator walks you through the controls, applies the correct point weights, and hands you an estimated score plus the gaps dragging it down — in about two minutes, no email required. It's the fastest way to turn "I think we're behind" into an actual number and a ranked list.

Once you have that number, the next question is what it costs to close the gap. Our breakdown of CMMC compliance cost for small business lays out the real line items, and if your contract raises the question of who has to assess you, C3PAO vs self-assessment explains exactly which path your contract requires.

Know the score, then close it

The calculator shows the gap. This closes it.

Knowing your SPRS number is step one. Raising it means implementing controls and — the part that actually holds up — documenting them. The CMMC Level 2 DIY Compliance Kit is the System Security Plan, the 20 required policies, a POA&M template, and a per-control SPRS scorer, all editable and built for a small shop doing this itself.

$2,995
one-time · lifetime updates · a fraction of a consultant's retainer
Audit-ready preparation for a fraction of consultant fees — not a substitute for your C3PAO assessment. Not legal advice.

Frequently asked questions

What is a good SPRS score?

The highest possible SPRS score is 110, which means every NIST SP 800-171 control is fully implemented. There is no official passing threshold — a prime or contracting officer simply sees the number you submitted. Practically, the closer you are to 110 the more credible you look, and a score in the double-negative range signals that most of your security program is still missing.

Why does one missed control cost 5 points?

The DoD Assessment Methodology weights each of the 110 controls by risk. High-impact controls — the ones an attacker exploits first, like multifactor authentication or FIPS-validated encryption — are worth 5 points, mid-tier controls are worth 3, and lower-impact ones are worth 1. If a 5-point control is not implemented, you subtract the full 5. That is why a handful of gaps can drag your score deeply negative.

How low can an SPRS score go?

The floor is roughly -203. If you started at 110 and had not implemented a single one of the 110 controls, the weighted deductions total to that bottom number. A negative score is normal for a shop that has not started remediation yet, but it is not a number you want visible to a prime when award decisions are being made.

What does a negative SPRS score tell a prime contractor?

It tells them you have real, unclosed gaps in your NIST 800-171 implementation and that flowing CUI down to you carries risk. Primes increasingly filter subcontractors by SPRS score, so a deep negative can quietly cost you a spot on a team before anyone calls you. A positive score with a dated POA&M is a far better story than a low number with no plan.

How do I raise my SPRS score?

Prioritize the 5-point controls first, because each one you close is worth five times a 1-point item. Implement the control for real, document it in your System Security Plan, gather the evidence, then update your score in SPRS. Attack the highest-weighted gaps in order and your number climbs fast — a few 5-point fixes often move you from negative into positive territory.

Do I submit my SPRS score myself?

Yes. A Level 2 self-assessment is exactly that — you score yourself against the 110 controls using the DoD Assessment Methodology, then enter the result in the Supplier Performance Risk System with an assessment date and a senior official's affirmation. A C3PAO is only involved when your contract requires third-party certification rather than a self-assessment.