How your NIST 800-171 self-assessment score impacts contract eligibility
Author: Leonard Esere | Senior Cybersecurity Engineer, CMMC Registered Practitioner
Credentials: DoD Secret Clearance | DoE Q Clearance | MITRE ATT&CK Practitioner | LANL Full ATO Lead
Date: April 2026
Organization: Aeolitech
Abstract
The Supplier Performance Risk System (SPRS) score is the Department of Defense's numerical measure of a contractor's NIST SP 800-171 compliance posture. Every defense contractor that processes, stores, or transmits Controlled Unclassified Information (CUI) under a DoD contract subject to DFARS 252.204-7012 has had to submit a self-assessment score to the SPRS portal. The score ranges from a maximum of 110—full implementation of all 110 security requirements—to a minimum of -203, representing zero controls implemented. The scoring methodology is subtractive: start at 110, deduct weighted points for each unimplemented control. High-impact controls cost 5 points, medium-impact controls cost 3 points, and standard controls cost 1 point. There are 42 five-point controls, 14 three-point controls, and 54 one-point controls. Contracting officers access SPRS scores during source selection, and a score significantly below 110 signals unmitigated risk to CUI—a business risk that translates directly to contract award decisions. This guide explains exactly how SPRS scoring works, how to maximize your score efficiently, how the POA&M interacts with your score, and how to submit through the official DoD process. Note that as of February 2026, DFARS 252.204-7020 was renumbered to 252.240-7997 and the basic self-assessment upload requirement was restructured under CMMC, but the underlying scoring methodology and SPRS system remain authoritative for CMMC Level 2 compliance.
Table of Contents
1. What Is SPRS and Why It Matters
2. The Scoring Methodology: How Points Are Calculated
3. Control Weight Distribution: 5-Point, 3-Point, and 1-Point Controls
4. Worked Scoring Scenario: A Mid-Tier Contractor
5. The POA&M's Role in Scoring
6. Strategies for Score Improvement: Highest ROI First
7. SPRS Submission Process Step by Step
8. How Contracting Officers Use SPRS Scores
9. Common Scoring Errors and How to Avoid Them
10. About the Author
11. References
1. What Is SPRS and Why It Matters
The Supplier Performance Risk System is a Department of Defense database managed by the Defense Information Systems Agency (DISA) that collects and stores contractor performance information—including NIST SP 800-171 self-assessment results. It is identified in DoD Instruction 5000.79 as "the authoritative source to retrieve supplier and product performance information assessments for the DoD acquisition community."
SPRS serves the DoD acquisition community by making contractor cybersecurity posture visible before contract award. A contracting officer can pull your SPRS score during source selection and use it as one data point in a best-value determination. A missing score, a stale score (more than three years old), or a very low score all send negative signals.
Why SPRS scores matter operationally:
| Score Range | Signal to Contracting Officer |
|---|---|
| 110 | Full NIST 800-171 compliance; no open gaps |
| 90–109 | Minor gaps; POA&M should show credible remediation timeline |
| 70–89 | Moderate gaps; increased scrutiny; POA&M required |
| 50–69 | Significant gaps; contracting officer may request explanation |
| Below 50 | Major systemic deficiencies; elevated risk of contract exclusion |
| Negative | Fundamental controls missing; potentially disqualifying for some contracts |
| Not submitted | Same as negative; indicates non-compliance with DFARS 7012 |
Regulatory context after February 2026: DFARS 252.204-7020 was renumbered to 252.240-7997 and the basic self-assessment requirement under DFARS 7019 was eliminated as a standalone requirement. However, CMMC Level 2 compliance—which applies to contractors handling CUI—still requires a self-assessment and SPRS submission as part of the CMMC affirmation process. The SPRS system at sprs.csd.disa.mil remains the official submission portal.
2. The Scoring Methodology: How Points Are Calculated
The SPRS scoring methodology is based on the DoD 800-171 Assessment Methodology (DoDAM), published by the Office of the Secretary of Defense. The mechanics are straightforward:
Starting score: 110
For each of the 110 NIST SP 800-171 requirements not fully implemented: subtract the weighted value (5, 3, or 1 point)
Minimum score: -203 (all 110 controls not implemented)
Mathematical derivation of the minimum score:
- 42 controls × 5 points = 210 deductions
- 14 controls × 3 points = 42 deductions
- 54 controls × 1 point = 54 deductions
- Total possible deductions = 306
- Maximum score (110) minus total possible deductions (306) = -196
Note: The published minimum of -203 reflects two controls (3.5.3 and 3.13.11) that have split scoring: they are worth 5 or 3 points depending on the degree of non-compliance. Full non-compliance with both at their maximum deduction, combined with all other controls, reaches -203.
Partial credit: The DoD Assessment Methodology generally does not award partial credit for partially implemented controls. A control is either fully implemented (no deduction) or not fully implemented (full weighted deduction). This is why SSP documentation is critical: you cannot claim a control as implemented without evidence that the implementation is complete.
Key exceptions:
- 3.5.3 (MFA): If MFA is used for privileged accounts but not for all network access to non-privileged accounts, the deduction is 3 points instead of 5.
- 3.13.11 (FIPS-validated cryptography): If encryption is employed but not FIPS-validated, the deduction is 3 points instead of 5.
3. Control Weight Distribution: 5-Point, 3-Point, and 1-Point Controls
5-Point Controls (42 Controls)
Five-point controls are those the DoD has determined have the greatest impact on network security and CUI protection. They include:
- The 17 basic safeguarding requirements from FAR 52.204-21 (required of all federal contractors handling FCI)
- Other controls identified as "would allow for exploitation of the network and its information" if not implemented
Selected 5-point controls by family:
| Family | Selected 5-Point Controls |
|---|---|
| 3.1 Access Control | 3.1.1 (Account management/access limits), 3.1.2 (Transaction type limits), 3.1.20 (External connections) |
| 3.3 Audit/Accountability | 3.3.1 (Create/retain audit logs), 3.3.2 (Trace to user) |
| 3.4 Config Management | 3.4.1 (Baseline configurations), 3.4.2 (Change control) |
| 3.5 Identification/Auth | 3.5.1 (Identify users/devices), 3.5.2 (Authenticate before access), 3.5.3 (MFA — up to 5) |
| 3.12 Security Assessment | 3.12.1 (Assess security controls), 3.12.3 (Monitor ongoing) |
| 3.13 System/Comm Protection | 3.13.1 (Monitor/control communications), 3.13.2 (Security engineering) |
| 3.14 System/Info Integrity | 3.14.1 (Flaw remediation), 3.14.2 (Malicious code protection), 3.14.6 (Monitor attacks) |
3-Point Controls (14 Controls)
Three-point controls have "a specific and confined effect on the security of the network and its data" if not implemented. They represent the medium tier of criticality.
Selected 3-point controls:
| Family | Selected 3-Point Controls |
|---|---|
| 3.1 Access Control | 3.1.3 (CUI flow control), 3.1.5 (Least privilege), 3.1.12 (Remote access monitoring) |
| 3.3 Audit/Accountability | 3.3.5 (Log correlation/review) |
| 3.5 Identification/Auth | 3.5.7 (Password complexity), 3.5.10 (Cryptographic password storage) |
| 3.13 System/Comm Protection | 3.13.8 (CUI encryption), 3.13.11 (FIPS cryptography — 3 if partial) |
1-Point Controls (54 Controls)
The remaining 54 controls each carry a 1-point deduction. While individually small, 54 unimplemented 1-point controls represent a 54-point deduction from your score. At scale, 1-point controls matter.
Selected 1-point controls by family:
| Family | Sample 1-Point Controls |
|---|---|
| 3.1 Access Control | 3.1.6 (Non-privileged account for non-privileged activity), 3.1.7 (Prevent privileged function on non-privileged), 3.1.8 (Unsuccessful logon limits), 3.1.9 (Privacy/security notices) |
| 3.2 Awareness/Training | 3.2.1, 3.2.2, 3.2.3 (all three AT controls) |
| 3.3 Audit/Accountability | 3.3.3 through 3.3.9 (most remaining AU controls) |
| 3.6 Incident Response | 3.6.1, 3.6.2, 3.6.3 (all IR controls) |
| 3.7 Maintenance | 3.7.1 through 3.7.6 (most MA controls) |
| 3.8 Media Protection | 3.8.1 through 3.8.9 (most MP controls) |
| 3.9 Personnel Security | 3.9.1, 3.9.2 (both PS controls) |
| 3.10 Physical Protection | 3.10.1 through 3.10.6 (most PE controls) |
4. Worked Scoring Scenario: A Mid-Tier Defense Contractor
Consider a 150-person defense engineering firm with an on-premises network, Microsoft 365 E3 (commercial—not GCC High), a mix of Windows 10/11 workstations, and no formal security program before beginning CMMC preparation. Their initial self-assessment reveals the following gaps:
| Control | Description | Weight | Gap Status |
|---|---|---|---|
| 3.5.3 | MFA not deployed for any accounts | 5 | Not implemented |
| 3.13.11 | Commercial TLS only, not FIPS-validated | 3 | Partial (-3) |
| 3.3.1 | No centralized audit logging | 5 | Not implemented |
| 3.14.2 | Defender enabled but signatures outdated by 48+ hrs | 5 | Not implemented |
| 3.4.1 | No documented baseline configurations | 5 | Not implemented |
| 3.12.4 | SSP exists but is 3 years out of date | 5 | Not implemented |
| 3.11.2 | No vulnerability scanning program | 5 | Not implemented |
| 3.5.7 | Password complexity not enforced (AD default) | 3 | Not implemented |
| 3.1.5 | Least privilege not enforced; most users are local admins | 5 | Not implemented |
| 3.8.3 | No documented media sanitization | 1 | Not implemented |
| 3.2.1–3.2.3 | No security awareness training program | 1 each | Not implemented (×3) |
| 3.9.1 | Background checks informal, not documented | 1 | Not implemented |
| 3.7.3 | No MFA for remote maintenance (TeamViewer uncontrolled) | 5 | Not implemented |
| 3.1.12 | No remote access monitoring | 3 | Not implemented |
| 3.6.3 | IR plan exists but never tested | 1 | Not implemented |
Calculation:
- Start: 110
- Deductions: 5+3+5+5+5+5+5+3+5+1+3+1+5+3+1 = 55 points (the 3.2.1–3.2.3 row contributes 3 of the 1-point deductions)
- Initial SPRS score: 110 - 55 = 55
A score of 55 would raise immediate concern in any source selection review. The firm's contracting officer would see a 50% compliance rate on a foundational standard. This is not uncommon for first-time self-assessments—most contractors discover their initial scores are well below expectations.
Post-remediation projection: After deploying MFA (Azure AD MFA via M365 E3), enabling Defender for Business with cloud-managed updates, establishing baseline configurations via Group Policy, implementing Log Analytics, and documenting an SSP, the score increases to approximately 90–95. The remaining gaps (media sanitization documentation, background check records, IR testing) are documented in a POA&M with completion dates.
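The subtractive scoring rule from section 2 and the gap table above, carried through in code as an added example (this is not code from the article or from DoD; the `Finding` type, the function names and the `has_ssp` flag are assumptions, while the control numbers, weights and statuses are those of the scenario table):

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

MAX_SCORE = 110
MIN_SCORE = -203  # published floor of the methodology

# The two split-scored controls: a partial implementation costs 3 instead of 5.
SPLIT_SCORED: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    """One row of an assessment worksheet (type name is an assumption)."""
    control: str   # requirement number, e.g. "3.5.3"
    weight: int    # 5, 3 or 1 from the DoDAM table
    status: str    # "implemented", "partial" or "not_implemented"


def deduction_for(finding: Finding) -> int:
    """Points deducted for one finding.

    Scoring is binary: anything short of full implementation costs the full
    weight, except that 3.5.3 and 3.13.11 cost 3 rather than 5 when partial.
    """
    if finding.weight not in (5, 3, 1):
        raise ValueError(f"{finding.control}: weight must be 5, 3 or 1")
    if finding.status == "implemented":
        return 0
    if finding.status == "partial" and finding.control in SPLIT_SCORED:
        return SPLIT_SCORED[finding.control]
    if finding.status in ("partial", "not_implemented"):
        return finding.weight
    raise ValueError(f"{finding.control}: unknown status {finding.status!r}")


def sprs_score(findings: Iterable[Finding], has_ssp: bool = True) -> Optional[int]:
    """Summary score: 110 minus all deductions. Without an SSP the methodology
    yields no valid score, which is returned here as None."""
    if not has_ssp:
        return None
    score = MAX_SCORE - sum(deduction_for(f) for f in findings)
    if score < MIN_SCORE:
        raise ValueError("deductions exceed the published minimum of -203")
    return score


def points_lost_by_weight(findings: Iterable[Finding]) -> Dict[int, int]:
    """Deductions grouped by control weight, which shows where remediation
    effort buys back the most points."""
    lost = {5: 0, 3: 0, 1: 0}
    for f in findings:
        lost[f.weight] += deduction_for(f)
    return lost


# Constructed from the scenario's gap table: same controls, weights and statuses.
# 3.13.11 is a 5-point control scored as partial (-3) because TLS is in use
# but is not FIPS-validated.
SCENARIO_GAPS = [
    Finding("3.5.3", 5, "not_implemented"),
    Finding("3.13.11", 5, "partial"),
    Finding("3.3.1", 5, "not_implemented"),
    Finding("3.14.2", 5, "not_implemented"),
    Finding("3.4.1", 5, "not_implemented"),
    Finding("3.12.4", 5, "not_implemented"),
    Finding("3.11.2", 5, "not_implemented"),
    Finding("3.5.7", 3, "not_implemented"),
    Finding("3.1.5", 5, "not_implemented"),
    Finding("3.8.3", 1, "not_implemented"),
    Finding("3.2.1", 1, "not_implemented"),
    Finding("3.2.2", 1, "not_implemented"),
    Finding("3.2.3", 1, "not_implemented"),
    Finding("3.9.1", 1, "not_implemented"),
    Finding("3.7.3", 5, "not_implemented"),
    Finding("3.1.12", 3, "not_implemented"),
    Finding("3.6.3", 1, "not_implemented"),
]

if __name__ == "__main__":
    print("score:", sprs_score(SCENARIO_GAPS))            # 55, as in the scenario
    print("lost by weight:", points_lost_by_weight(SCENARIO_GAPS))
```

Running it reproduces the scenario's 55 and shows that 43 of the 55 lost points sit in 5-point controls, which is the arithmetic behind the Tier 1 prioritization later in this guide. A `partial` status on any control other than 3.5.3 and 3.13.11 deliberately costs the full weight, matching the no-partial-credit rule; the `None` return models "no SSP = no valid score".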
5. The POA&M's Role in Scoring
The Plan of Action and Milestones is not a way to avoid scoring penalties—it is a way to demonstrate that you have a credible remediation path for genuine gaps. The SPRS score must reflect your current implementation state, not your planned state.
How POA&M interacts with scoring:
1. A control in the POA&M is counted as not implemented for scoring purposes until the corrective action is complete and validated.
2. Closing a POA&M item requires updating the SSP to reflect the completed implementation, gathering evidence, and updating the SPRS score.
3. POA&M items should be updated at minimum annually (or when significant changes occur), and the SPRS score must be refreshed correspondingly.
Required POA&M fields per control gap:
| Field | Description |
|---|---|
| Control ID | NIST 800-171 requirement number (e.g., 3.5.3) |
| Weakness description | Clear description of the gap |
| Responsible party | Name or role of owner |
| Planned remediation | Specific corrective action steps |
| Scheduled completion date | Realistic date based on resources available |
| Milestone schedule | Intermediate milestones for multi-phase remediations |
| Interim mitigations | Compensating controls in place while gap remains open |
| Resources required | Budget, personnel, tooling |
False Claims Act risk: Willful misrepresentation of your SPRS score—claiming controls are implemented when they are not—constitutes a potential False Claims Act violation. The DoJ has actively pursued FCA cases against defense contractors who overstated NIST 800-171 compliance. Accuracy is both a legal and ethical requirement.
6. Strategies for Score Improvement: Highest ROI First
Not all remediation actions are equal. The following prioritization framework maximizes SPRS score improvement for a given remediation budget:
Tier 1: Quick Wins with Maximum Score Impact (5-Point Controls)
| Remediation Action | Controls Addressed | Score Impact | Estimated Effort |
|---|---|---|---|
| Deploy Azure AD MFA (Conditional Access) | 3.5.3 | +5 | Low — 1–2 days |
| Enable + configure centralized audit logging (Log Analytics) | 3.3.1, 3.3.2 | +10 | Medium — 1 week |
| Update and enforce AV/EDR policy with cloud updates | 3.14.2, 3.14.4 | +10 | Low — 1 day |
| Document and enforce baseline configurations | 3.4.1 | +5 | Medium — 1–2 weeks |
| Write/update SSP (required prerequisite for any score) | 3.12.4 | +5 | Medium-High — 2–4 weeks |
| Implement vulnerability scanning (Tenable/Qualys) | 3.11.2 | +5 | Medium — 1 week |
| Enforce least privilege (remove local admin rights) | 3.1.5 | +5 | Medium — 1–2 weeks |
| Require MFA for all remote maintenance sessions | 3.7.3 | +5 | Low — 1–2 days |
Tier 2: Medium-Impact Remediations (3-Point Controls)
| Remediation Action | Controls Addressed | Score Impact | Estimated Effort |
|---|---|---|---|
| Enable FIPS-validated encryption (BitLocker, TLS 1.2+) | 3.13.11 | +3 to +5 | Medium — 1–2 weeks |
| Enforce password complexity via Group Policy / Entra | 3.5.7 | +3 | Low — 1 day |
| Implement cryptographic password storage | 3.5.10 | +3 | Low — config change |
| Configure remote access monitoring (conditional access logs) | 3.1.12 | +3 | Low-Medium |
| Implement DLP for CUI flow control | 3.1.3 | +3 | Medium |
Tier 3: Documentation-Driven Wins (1-Point Controls)
Many 1-point controls can be addressed primarily through policy documentation with minimal technical work:
- Security awareness training program (3.2.1–3.2.3): +3 points for deploying any LMS with documented completion records
- Background check policy documentation (3.9.1): +1 point
- Media sanitization procedures (3.8.3): +1 point
- Physical access logs (3.10.4): +1 point
- Visitor escort policy (3.10.3): +1 point
Score improvement by priority tier:
| Tier | Controls | Max Points Recoverable | Effort |
|---|---|---|---|
| Tier 1 (5-pt controls) | 8 controls | 40 points | 4–8 weeks |
| Tier 2 (3-pt controls) | 5 controls | 15 points | 2–4 weeks |
| Tier 3 (1-pt controls) | 15+ controls | 15+ points | 2–3 weeks |
| Combined | 28 controls | 70+ points | 2–3 months |
An organization starting at a score of 40 can realistically reach 90+ within 3 months by focusing on Tier 1 and Tier 2 items with a structured remediation plan.
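The "highest ROI first" ordering above can be made mechanical by ranking each remediation action by points recovered per engineer-day and scheduling greedily within an effort budget, with the SSP forced to the front because no score is valid without one. The following is an added Python example, not code from the article: the point values come from the Tier 1 and Tier 2 tables, but the effort midpoints, the starting score of 40 from the paragraph above, and the type and function names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

MAX_SCORE = 110


@dataclass(frozen=True)
class Action:
    name: str
    controls: Tuple[str, ...]
    points: int          # score impact from the tier tables
    effort_days: float   # assumed midpoint of the table's estimated effort


@dataclass(frozen=True)
class Step:
    action: Action
    cumulative_days: float
    score_after: int


# Constructed from the Tier 1 and Tier 2 tables. Point values are the tables';
# the effort midpoints (1-2 days -> 1.5, 1 week -> 5, 1-2 weeks -> 7.5,
# 2-4 weeks -> 15, "config change" -> 0.5, "Low-Medium" -> 2) are assumptions.
ACTIONS: List[Action] = [
    Action("Write/update SSP", ("3.12.4",), 5, 15),
    Action("Deploy MFA via Conditional Access", ("3.5.3",), 5, 1.5),
    Action("Centralized audit logging", ("3.3.1", "3.3.2"), 10, 5),
    Action("AV/EDR policy with cloud updates", ("3.14.2", "3.14.4"), 10, 1),
    Action("Baseline configurations", ("3.4.1",), 5, 7.5),
    Action("Vulnerability scanning", ("3.11.2",), 5, 5),
    Action("Least privilege (remove local admin)", ("3.1.5",), 5, 7.5),
    Action("MFA for remote maintenance", ("3.7.3",), 5, 1.5),
    Action("FIPS-validated encryption", ("3.13.11",), 3, 7.5),
    Action("Password complexity policy", ("3.5.7",), 3, 1),
    Action("Cryptographic password storage", ("3.5.10",), 3, 0.5),
    Action("Remote access monitoring", ("3.1.12",), 3, 2),
    Action("DLP for CUI flow control", ("3.1.3",), 3, 5),
]


def rank_by_density(actions: Sequence[Action]) -> List[Action]:
    """Highest points-per-day first; ties broken by larger point value, then name."""
    return sorted(actions, key=lambda a: (-a.points / a.effort_days, -a.points, a.name))


def plan(actions: Sequence[Action], start_score: int, budget_days: float,
         ssp_first: bool = True) -> List[Step]:
    """Greedy schedule within an effort budget.

    With ssp_first the SSP action is scheduled before anything else, since
    no score is valid without an SSP; if it does not fit the budget there is
    no point scoring at all, so that is an error. Every other action is taken
    in density order and skipped when it would overrun the budget.
    """
    ordered = rank_by_density(actions)
    if ssp_first:
        ssp = [a for a in ordered if "3.12.4" in a.controls]
        if ssp and ssp[0].effort_days > budget_days:
            raise ValueError("budget too small to produce an SSP; no valid score possible")
        ordered = ssp + [a for a in ordered if "3.12.4" not in a.controls]
    steps: List[Step] = []
    days, score = 0.0, start_score
    for action in ordered:
        if days + action.effort_days > budget_days:
            continue
        days += action.effort_days
        score += action.points
        if score > MAX_SCORE:
            raise ValueError(f"{action.name}: plan recovers more points than are open")
        steps.append(Step(action, days, score))
    return steps


if __name__ == "__main__":
    for step in plan(ACTIONS, start_score=40, budget_days=60):
        print(f"day {step.cumulative_days:5.1f}  score {step.score_after:3d}  {step.action.name}")
```

With a 60-day budget all thirteen actions fit and the constructed starting score of 40 reaches 105; with a 30-day budget the greedy order stops at 84 after the SSP, the two 10-point actions, both MFA items, password controls, audit logging and remote access monitoring, which is the Tier 1/Tier 2 path the paragraph above describes. The density ranking also makes the cost of the SSP visible: it is the lowest points-per-day item on the list, yet it has to come first.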
7. SPRS Submission Process Step by Step
The SPRS system is accessible via the Procurement Integrated Enterprise Environment (PIEE) at https://piee.eb.mil. The official SPRS NIST portal is at https://www.sprs.csd.disa.mil.
Prerequisites:
- Active CAGE code registered in SAM.gov (https://sam.gov)
- Completed NIST 800-171 self-assessment with documented score
- System Security Plan (required; no SSP = no valid score)
- POA&M for any gaps
Step 1: Register/Access PIEE
Navigate to https://piee.eb.mil. If your organization does not have a PIEE account, register and request the role of SPRS Cyber Vendor User. You will need your CAGE code during registration. The Electronic Business Point of Contact (EB POC) listed in SAM.gov must authorize the account. If the EB POC is unavailable, a Contractor Administrator (CAM) role can be requested as an intermediary.
Step 2: Access SPRS from PIEE
Once PIEE access is established, locate and click the SPRS icon from the PIEE landing page. Navigate to the Cyber Reports (NIST) section.
Step 3: Create a Header (First-Time Submission)
First-time submitters must create a "header" in the SPRS reporting interface before entering score data. This header links your CAGE code(s) to the assessment record.
Step 4: Enter Assessment Data
Submit the following information for each System Security Plan:
| Field | Description |
|---|---|
| System Security Plan Name | Name of the SSP |
| CAGE Code(s) | All CAGE codes covered by this SSP |
| SSP Architecture Description | Brief description (one paragraph) if multiple plans |
| Assessment Date | Date the self-assessment was completed |
| Total Score | Summary level score (e.g., 95 out of 110) |
| Projected 110 Date | Date full compliance (score of 110) is expected |
| Assessment Scope | Enterprise, Enclave, or Contract-specific |
Important: Enter the summary-level score, not individual control scores. SPRS stores the aggregate score and metadata, not the line-item assessment worksheet.
Step 5: CMMC Affirmation (for Level 2)
Under CMMC, Level 2 organizations must have a senior company official (the Affirming Official) affirm the accuracy of the assessment results when entering data into SPRS. This is not a notarial act—it is a digital affirmation within the SPRS interface—but it carries legal weight. The Affirming Official attests that the score accurately reflects the organization's current implementation state.
Alternative submission method: If PIEE access cannot be established, scores can be submitted via encrypted email to webptsmh@navy.mil. An External Certification Authority (ECA) certificate is required for this method. This pathway typically adds 30 days for DoD to post the score manually.
Step 6: Maintain Currency
SPRS scores must not be more than three years old. Scores must also be updated following significant security changes to the assessed environment. Establish a calendar reminder to reassess annually and update SPRS whenever POA&M items are closed (improving the score) or when new systems are added to scope.
8. How Contracting Officers Use SPRS Scores
Understanding how contracting officers (KOs) actually interpret SPRS data is essential for contextualizing the business stakes.
Source selection: DFARS 204.7603 states that contracting officers "shall consider price risk and supplier risk, if available in SPRS, as a part of the award decision." SPRS cybersecurity scores are one component of that supplier risk assessment.
Practical KO perspectives:
- A score of 110 means the contractor has self-attested to full compliance. KOs understand that self-attestation is subject to audit; they use it as a baseline risk indicator.
- A score significantly below 110 (e.g., below 70) may prompt a KO to request an explanation or evidence of a credible remediation plan.
- A negative score is a red flag that some KOs treat as a threshold disqualifier for sensitive programs.
- A missing score indicates non-compliance with DFARS 7012 reporting requirements—itself a potential contract violation.
- Once CMMC Level 2 becomes mandatory for a contract (Phase 2 begins November 2026), a C3PAO certification replaces self-attestation for most CUI-handling contractors. But the SPRS system continues as the record of assessment results.
Program Office use: Beyond KO source selection, program offices use SPRS to monitor the cybersecurity posture of their supplier base. A low score across multiple suppliers on a program signals systemic risk that program managers may escalate through the acquisition process.
9. Common Scoring Errors and How to Avoid Them
| Error | Description | Consequence | Prevention |
|---|---|---|---|
| Scoring without an SSP | Submitting a score before the SSP is complete | No valid score possible; assessment cannot be verified | Complete SSP before any scoring |
| Over-claiming partial implementations | Marking a control implemented when only partially done | Inflated score; FCA exposure; likely C3PAO finding | Apply full/not-implemented binary except for 3.5.3 and 3.13.11 |
| Ignoring cloud providers in scope | Not counting cloud systems in CUI boundary | Under-scoped assessment; C3PAO will find the gap | Map all systems touching CUI including SaaS/IaaS |
| Stale scores | Score not updated after significant changes | Score does not reflect current posture; contractual non-compliance | Annual reassessment calendar; update after POA&M closure |
| Missing POA&M dates | POA&M entries without projected completion dates | Assessors cannot evaluate remediation credibility | Every POA&M entry must have a realistic, resource-backed completion date |
| Score inflation by a third party | MSP or consultant inflates score to win business | FCA exposure for contractor; MSP liability | The contractor's senior official is responsible for accuracy |
| Not flowing down to subcontractors | Prime contractor fails to require SPRS from subs | DFARS 7020 violation; supply chain CUI risk | Include SPRS requirement in subcontract clauses |
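The Step 4 fields from the submission section and the error table above can be turned into a pre-submission check that a compliance lead runs before the Affirming Official signs off. This is an added Python example, not the article's or DoD's code: the field names follow the Step 4 table, but the record layout, the check messages, the CAGE code `1ABC2`, the dates and the sample entries are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

MAX_SCORE = 110
MIN_SCORE = -203
STALE_AFTER_DAYS = 3 * 365        # scores older than three years are stale
SPLIT_SCORED = {"3.5.3", "3.13.11"}
SCOPES = ("Enterprise", "Enclave", "Contract-specific")


@dataclass
class PoamItem:
    control: str
    weakness: str
    responsible_party: str
    planned_remediation: str
    scheduled_completion: Optional[date]


@dataclass
class SprsEntry:
    ssp_name: str
    cage_codes: List[str]
    assessment_date: date
    total_score: int
    projected_110_date: Optional[date]
    scope: str
    partial_credit_controls: List[str] = field(default_factory=list)
    poam: List[PoamItem] = field(default_factory=list)


def lint_entry(entry: SprsEntry, today: date) -> List[str]:
    """Return every problem found; an empty list means the entry is consistent."""
    problems: List[str] = []
    if not entry.ssp_name.strip():
        problems.append("no SSP named: no valid score can be submitted without an SSP")
    if not entry.cage_codes:
        problems.append("at least one CAGE code must be covered by the SSP")
    if not MIN_SCORE <= entry.total_score <= MAX_SCORE:
        problems.append(f"total score {entry.total_score} is outside -203..110")
    if entry.assessment_date > today:
        problems.append("assessment date is in the future")
    elif (today - entry.assessment_date).days > STALE_AFTER_DAYS:
        problems.append("assessment is more than three years old: stale score")
    if entry.scope not in SCOPES:
        problems.append(f"unknown assessment scope {entry.scope!r}")
    if entry.total_score < MAX_SCORE:
        if entry.projected_110_date is None:
            problems.append("score below 110 needs a projected 110 date")
        elif entry.projected_110_date < today:
            problems.append("projected 110 date is in the past")
        if not entry.poam:
            problems.append("score below 110 but no POA&M entries recorded")
    elif entry.poam:
        problems.append("score is 110 but the POA&M still has open items")
    for control in entry.partial_credit_controls:
        if control not in SPLIT_SCORED:
            problems.append(f"partial credit claimed for {control}; only 3.5.3 and 3.13.11 are split-scored")
    for item in entry.poam:
        if item.scheduled_completion is None:
            problems.append(f"POA&M item {item.control} has no scheduled completion date")
        elif entry.projected_110_date and item.scheduled_completion > entry.projected_110_date:
            problems.append(f"POA&M item {item.control} completes after the projected 110 date")
    return problems


# Constructed sample data: an entry that passes and one that trips five checks.
TODAY = date(2026, 4, 15)
GOOD_ENTRY = SprsEntry(
    ssp_name="Engineering Enclave SSP v3", cage_codes=["1ABC2"],
    assessment_date=date(2026, 3, 30), total_score=95,
    projected_110_date=date(2026, 12, 31), scope="Enclave",
    poam=[PoamItem("3.8.3", "No documented media sanitization", "IT Manager",
                   "Write and approve a sanitization SOP", date(2026, 6, 30))],
)
BAD_ENTRY = SprsEntry(
    ssp_name="", cage_codes=["1ABC2"],
    assessment_date=date(2022, 1, 10), total_score=78,
    projected_110_date=None, scope="Enclave",
    partial_credit_controls=["3.4.1"],
    poam=[PoamItem("3.5.3", "MFA not deployed", "Sysadmin", "Enable Conditional Access MFA", None)],
)

if __name__ == "__main__":
    for name, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(name, lint_entry(entry, TODAY) or "OK")
```

The bad entry reproduces four rows of the error table in one record: scoring without an SSP, a stale score, a missing POA&M date and partial credit claimed on a control that is not split-scored, plus the missing projected 110 date from Step 4. Each message names the control or field so the fix can be assigned to an owner before anything is entered in SPRS.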
10. About the Author
Leonard Esere is a senior cybersecurity engineer and CMMC Registered Practitioner with over a decade of experience securing defense and national laboratory environments. He holds a DoD Secret clearance and a Department of Energy Q clearance—the equivalent of Top Secret in the intelligence community—and has served as the lead systems engineer on a full Authority to Operate (ATO) engagement at Los Alamos National Laboratory (LANL), one of the most complex classified computing environments in the federal government. His work spans MITRE ATT&CK-based threat modeling, CMMC gap assessments for Defense Industrial Base (DIB) contractors, and cloud security architecture for Azure GCC High and AWS GovCloud environments. Leonard advises organizations from pre-assessment readiness through C3PAO engagement and remediation.
For a complimentary CMMC gap assessment and accurate SPRS score calculation, visit /services/cmmc-gap-assessment.
11. References
1. NIST SP 800-171 Rev 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations — https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
2. DoD 800-171 Assessment Methodology (DoDAM) Version 1.2.1 — https://www.acq.osd.mil/dpap/pdi/cyber/docs/NIST%20SP%20800-171%20Assessment%20Methodology%20Version%201.2%20%209.24.2020.pdf
3. DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting — https://www.acquisition.gov/dfars/252.204-7012
4. DFARS 252.204-7019 and 7020 (renumbered to 252.240-7997 as of Feb 2026) — https://www.acquisition.gov/dfars/part-252-solicitation-provisions-and-contract-clauses
5. 32 CFR Part 170, CMMC Final Rule (October 2024) — https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
6. SPRS Official Portal — https://www.sprs.csd.disa.mil/nistsp.htm
7. PIEE Registration for SPRS Access — https://piee.eb.mil
8. DoD SPRS NIST SP 800-171 Quick Entry Guide — https://www.sprs.csd.disa.mil/pdf/NISTSP800-171QuickEntryGuide.pdf
9. CMMC Toolkit Wiki, DoD Assessment Methodology — https://cmmcwiki.org/index.php/DoD_Assessment_Methodology
10. DoD Inspector General, Evaluation of DoD Contractors' Implementation of CMMC Practices — https://www.dodig.mil/Reports/Audit-Reports/Article/3223985/