If your SPRS score is in the red, the fastest way out isn't to grind through all 110 requirements in order — it's to attack the 5-point controls first. The Department of War's scoring methodology doesn't treat every requirement equally: each one carries a weight of 5, 3, or 1, and a single 5-point gap costs you as much as five 1-point gaps. Close the heavy ones and your number moves five times faster.
Why the weighting matters
Your SPRS score starts at 110 and the assessment subtracts the weight of every requirement you don't fully meet. The math runs all the way down to −203 if nothing is implemented. Of the 110 requirements, 42 are worth 5 points each — these are the controls the government considers highest-risk, the ones that "would allow for exploitation of the network and its information" if left open.
The lesson in one line: a 5-point control fixed is worth five 1-point controls fixed. If you have limited hours, spend them on the heavy items first — your score (and your real-world security) improves the fastest.
A few that score even when partly done
Two of the highest-value requirements give partial credit, which makes them especially worth your attention:
- 3.5.3 (multifactor authentication) — normally a 5-point loss, but only 3 points if you've enabled MFA for remote and privileged accounts but not yet for general users on the local network.
- 3.13.11 (FIPS-validated cryptography) — also scored partially: a 3-point loss (instead of 5) if you do encrypt CUI but the cryptography isn't FIPS 140-validated. It is also the #1 most commonly failed control the government's assessors (DIBCAC) cite.
Getting these to "fully implemented" turns a partial deduction into full credit — a quick swing in your favor.
The 5-point controls to tackle first
Below are high-impact, frequently-missed 5-point requirements, in plain English, each with the practical fix. (Requirement text is from NIST SP 800-171 Revision 2.)
3.5.3 — Multifactor authentication (5 pts)
"Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts."
Fix: Enforce MFA in your identity provider (Entra ID / Microsoft 365, Google, Okta) for every account: privileged accounts for any access, local or over the network, and every user for network access. Require it through policy (Conditional Access, security defaults, or the equivalent) rather than leaving it opt-in, and use an authenticator app or a FIDO2 key, not SMS. This is the single biggest, fastest score mover most small shops have.
3.13.11 — FIPS-validated cryptography (5 pts)
"Employ FIPS-validated cryptography when used to protect the confidentiality of CUI."
Fix: It's not enough to encrypt: the cryptographic module doing the encrypting must hold a FIPS 140 validation, so look up the vendor's CMVP certificate for the exact module and version you run. On Windows, enable BitLocker with the FIPS policy ("System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing") turned on; on macOS, FileVault relies on Apple's corecrypto modules, which carry their own validations, so check that your OS version is covered. Use TLS 1.2+ for data in transit, served by a validated module, and confirm your cloud platform's CUI environment (e.g., Microsoft 365 GCC High) uses validated modules. Encrypting with unvalidated cryptography still loses 3 points. This is the most commonly failed control in real assessments; don't assume "we encrypt" passes.
3.5.1 / 3.5.2 — Identify & authenticate (5 pts each)
"Identify system users, processes acting on behalf of users, and devices." · "Authenticate (or verify) the identities of users… as a prerequisite to allowing access."
Fix: Give every person and device a unique identity and kill shared/generic logins ("frontdesk", "admin"). Require authentication before any access. Two 5-point controls, one clean-up project.
3.1.1 / 3.1.2 — Authorized access & least function (5 pts each)
"Limit system access to authorized users…" · "Limit system access to the types of transactions and functions that authorized users are permitted to execute."
Fix: Maintain an approved-user list with a documented request/approval step, and use role-based access so people can only do what their job needs. Over-privileged users and undocumented access are among the most common findings.
3.1.12 / 3.1.13 — Remote access (5 pts each)
"Monitor and control remote access sessions." · "Employ cryptographic mechanisms to protect the confidentiality of remote access sessions."
Fix: Funnel remote work through a managed, logged path (VPN or a cloud identity gateway) with device-compliance and MFA checks, and make sure it's encrypted (TLS 1.2+ / IPsec). If you genuinely allow no remote access, you can mark these Not Applicable — but document that in your SSP.
3.5.10 — Protect passwords (5 pts)
"Store and transmit only cryptographically-protected passwords."
Fix: Never store or send passwords in plain text. A managed identity provider handles this (salted hashing at rest, TLS in transit) automatically — the risk is usually a homegrown app or spreadsheet holding credentials. Find and eliminate those.
3.1.16 / 3.1.17 / 3.1.18 — Wireless & mobile (5 pts each)
"Authorize wireless access prior to allowing such connections." · "Protect wireless access using authentication and encryption." · "Control connection of mobile devices."
Fix: Lock any Wi-Fi that can reach CUI to WPA2/WPA3-Enterprise (802.1X with per-user or per-device credentials, not a shared passphrase), approve wireless access before devices connect, and bring phones/tablets under MDM (Intune) before they touch CUI. If none of these touch CUI, each can be Not Applicable, with the justification documented in your SSP.
That's eleven 5-point requirements right there. There are 42 in total across all fourteen families — audit logging (3.3) and configuration management (3.4) carry several more heavy items, and they're also among the most commonly missed. The fastest way to see your 5-pointers is to run the calculator.
See your exact 5-point gaps — free
The SPRS calculator scores all 110 requirements and shows you precisely which heavy controls are costing you the most points right now.
Calculate your SPRS score →
How to work the list
- Score yourself first. Run the SPRS calculator so you know which 5-pointers are open and what your current number is.
- Sort by weight, then by effort. Knock out 5-point controls you can fix this week (MFA, killing shared accounts, Wi-Fi encryption) before touching 1-pointers.
- Document as you go. Every control you implement needs to be written into your System Security Plan, and every gap needs a POA&M with a target date. A POA&M doesn't restore points, but it is what makes the score you report defensible.
- Re-score and repeat. Watch the number climb as the heavy items close.
A 5-point control you've planned (with a POA&M) doesn't give you the points back yet — only full implementation does. But documenting the plan is required, and it's what lets you legitimately report your score and finish an assessment.
More on the SSP and POA&M →
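As an added example (not this site's calculator, and not code from the assessment methodology itself), here is the scoring rule described above and the "sort by weight, then by effort" ordering written out in JavaScript. The weight table covers only the requirements named on this page, all 5-point; the full 110-entry table comes from Annex A of the methodology and is assumed rather than reproduced, so the score returned is the one you would have if every requirement not in the table were fully implemented. The sample status map and effort estimates are constructed for illustration, and the status names ("implemented", "partial", "planned", "not_implemented", "na") are this example's own.

```javascript
// Added example: scores a self-assessment the way the DoD Assessment
// Methodology does (110 minus the weight of each unmet requirement) and
// orders the open gaps by weight, then by estimated effort.
// WEIGHTS covers only the requirements this page names; the full 110-entry
// table (Annex A of the methodology) is assumed, not reproduced.
const WEIGHTS = {
  "3.1.1": 5, "3.1.2": 5, "3.1.12": 5, "3.1.13": 5,
  "3.1.16": 5, "3.1.17": 5, "3.1.18": 5,
  "3.5.1": 5, "3.5.2": 5, "3.5.3": 5, "3.5.10": 5,
  "3.13.11": 5,
};

// The only two requirements the methodology scores partially: MFA in place
// for remote/privileged but not all users, and encryption in place but not
// FIPS-validated, each cost 3 instead of 5.
const PARTIAL_DEDUCTION = { "3.5.3": 3, "3.13.11": 3 };

const MAX_SCORE = 110;

// Deduction for one requirement given its status (status names are this
// example's own):
//   implemented     -> 0
//   na              -> 0            (must be justified in the SSP)
//   partial         -> 3            (only 3.5.3 and 3.13.11)
//   planned         -> full weight  (a POA&M does not restore points)
//   not_implemented -> full weight
function deductionFor(id, status, weight) {
  switch (status) {
    case "implemented":
    case "na":
      return 0;
    case "partial":
      if (!(id in PARTIAL_DEDUCTION)) {
        throw new Error(`${id} has no partial-credit rule; score it implemented or not`);
      }
      return PARTIAL_DEDUCTION[id];
    case "planned":
    case "not_implemented":
      return weight;
    default:
      throw new Error(`unknown status "${status}" for ${id}`);
  }
}

// status: { requirementId: status }; requirements missing from it count as
// not implemented. effortHours: optional { requirementId: hours }, used only
// to order gaps of equal weight. Returns { score, gaps }, gaps sorted
// heaviest first, then least effort, then by id.
function sprsScore(status, effortHours = {}, weights = WEIGHTS) {
  let deduction = 0;
  const gaps = [];
  for (const [id, weight] of Object.entries(weights)) {
    const s = status[id] === undefined ? "not_implemented" : status[id];
    const lost = deductionFor(id, s, weight);
    if (lost > 0) {
      gaps.push({ id, status: s, lost, effort: effortHours[id] ?? Infinity });
    }
    deduction += lost;
  }
  gaps.sort((a, b) => b.lost - a.lost || a.effort - b.effort || a.id.localeCompare(b.id));
  return { score: MAX_SCORE - deduction, gaps };
}

// Constructed sample assessment, not a real organisation's data.
const SAMPLE_STATUS = {
  "3.1.1": "implemented", "3.1.2": "not_implemented",
  "3.1.12": "na", "3.1.13": "na",               // no remote access at all
  "3.1.16": "implemented", "3.1.17": "planned", // POA&M exists, still -5
  "3.1.18": "implemented",
  "3.5.1": "implemented", "3.5.2": "implemented",
  "3.5.3": "partial",                           // MFA for admins/remote only
  "3.5.10": "implemented",
  "3.13.11": "partial",                         // encrypted, not FIPS-validated
};
const SAMPLE_EFFORT_HOURS = { "3.1.2": 16, "3.1.17": 4, "3.5.3": 8, "3.13.11": 12 };

if (typeof require !== "undefined" && require.main === module) {
  const { score, gaps } = sprsScore(SAMPLE_STATUS, SAMPLE_EFFORT_HOURS);
  console.log(`score: ${score}`);
  for (const g of gaps) console.log(`  ${g.id}  -${g.lost}  ${g.status}  ~${g.effort}h`);
}
```

Run it with node. For the sample above it reports 94 and lists 3.1.17 before 3.1.2 (same weight, less work), then the two 3-point partials; note that the "planned" item loses the full 5 even though it has a POA&M, and the two Not Applicable remote-access items cost nothing only because the SSP is assumed to justify them. Replace WEIGHTS with the complete Annex A table to get a real score.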
Start with your number
Don't guess which controls matter most — let the math tell you. Calculate your SPRS score to see your 5-point gaps in priority order, then document your plan as you close them. Both tools are free and run in your browser.