If you're a defense contractor handling Controlled Unclassified Information (CUI), you're required to self-assess against NIST SP 800-171 and report a score to the Department of War's Supplier Performance Risk System (SPRS). This guide explains exactly how that score is calculated, in plain English — no jargon, no sales pitch.
What is an SPRS score?
Your SPRS score is a single number that represents how completely you've implemented the 110 security requirements of NIST SP 800-171 Revision 2. It ranges from −203 (nothing in place) to +110 (everything fully implemented). A perfect score means all 110 requirements are met; a negative score simply means a lot of the core protections aren't in place yet — which is where many small contractors honestly start.
The scoring math
The score is calculated using the NIST SP 800-171 DoD Assessment Methodology. The logic is straightforward:
- You start at 110 (as if everything were implemented).
- For every requirement you have not fully implemented, you subtract that requirement's point weight.
- Each requirement is weighted 5, 3, or 1 point based on its security impact.
| Point weight | What it means |
|---|---|
| 5 points | Highest-impact controls (e.g., MFA, FIPS-validated encryption, boundary protection). Missing these costs the most. |
| 3 points | Moderate-impact controls. |
| 1 point | Lower-impact controls — still required, but each one moves your score the least. |
So if you've implemented everything except a single 5-point requirement, your score is 105. Implement nothing, and you bottom out at −203 (the sum of all 313 deduction points subtracted from 110).
The one requirement that isn't about points: your SSP
Requirement 3.12.4 — the System Security Plan (SSP) — carries no point value, but it's a hard prerequisite. Without a current SSP describing your system and how you meet each requirement, an assessment cannot be completed at all, and you can't legitimately submit a score. If you don't have an SSP yet, that's priority zero — ahead of chasing points.
How to actually do it (step by step)
- Define your scope. Identify the system(s) that store, process, or transmit CUI. That's your assessment boundary.
- Go requirement by requirement. For each of the 110 requirements, decide honestly: is it fully implemented and documented, or not? The methodology gives partial credit in exactly two places, 3.5.3 (MFA) and 3.13.11 (FIPS-validated encryption), where a partial implementation costs 3 points instead of 5. Everywhere else it is all-or-nothing: a requirement only counts if it's fully in place.
- Subtract the weights of everything that isn't implemented from 110.
- Prioritize the 5-pointers. They move your number fastest and represent the protections the Department of War weighs most heavily.
- Document everything in your SSP, and submit your score to SPRS at sprs.csd.disa.mil. The submission is more than the number: it also records the assessment date, the scope (your SSP name, version and date), and the date by which your POA&M says you will reach 110.
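To make the arithmetic concrete, here is an added Python example; it is not the page's calculator and not a DoD tool. The weight table is a short excerpt written for illustration (the authoritative 110-row table is Annex A of the DoD Assessment Methodology, and you should score against that), the two partial-credit rules it encodes (3 points instead of 5 for 3.5.3 when MFA covers privileged and remote access but not general users, and for 3.13.11 when CUI is encrypted but not with FIPS 140-validated modules) are the only ones the methodology defines, and the checklist text is constructed. It also refuses to produce a score when 3.12.4 is not met, which is the SSP prerequisite described above.

```python
from dataclasses import dataclass

MAX_SCORE = 110

# Illustrative EXCERPT of the Annex A weight table, assumed here for the example.
# The real table has 110 rows; take the authoritative weights from the
# methodology document. 3.12.4 (the SSP) is listed with weight 0 because it is
# unscored but gates the whole assessment.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.4": 1, "3.1.12": 5, "3.1.13": 5,
    "3.4.1": 5, "3.4.2": 5, "3.5.3": 5, "3.6.3": 1, "3.8.1": 3,
    "3.12.1": 5, "3.12.2": 3, "3.12.3": 5, "3.12.4": 0, "3.13.11": 5,
}

# The only two requirements the methodology gives partial credit for.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for privileged and remote access, but not general users
    "3.13.11": 3,  # CUI is encrypted, but not with FIPS 140-validated modules
}

VALID = {"implemented", "partial", "not_implemented"}


class MissingSSP(ValueError):
    """3.12.4 not met: the assessment cannot be completed, so there is no score."""


@dataclass
class Result:
    score: int
    gaps: list  # (requirement, points lost), biggest first


def parse_checklist(text):
    """Parse constructed lines like '3.5.3 partial' into {requirement: status}."""
    status = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        req, state = line.split()
        if state not in VALID:
            raise ValueError(f"{req}: unknown status {state!r}")
        status[req] = state
    return status


def score_assessment(status, weights=WEIGHTS):
    """Start at 110 and subtract the weight of every requirement not fully met.

    Requirements missing from `status` are treated as not implemented: work
    that is not documented earns no credit."""
    if status.get("3.12.4") != "implemented":
        raise MissingSSP("no current System Security Plan; assessment cannot be completed")
    gaps = []
    for req, weight in weights.items():
        if weight == 0:
            continue  # the SSP itself is gating, not scored
        state = status.get(req, "not_implemented")
        if state == "implemented":
            continue
        if state == "partial" and req in PARTIAL_CREDIT:
            gaps.append((req, PARTIAL_CREDIT[req]))
        else:
            gaps.append((req, weight))  # everywhere else, partial == not implemented
    gaps.sort(key=lambda g: (-g[1], g[0]))  # highest-impact gaps first
    return Result(MAX_SCORE - sum(points for _, points in gaps), gaps)


# Constructed sample: a small contractor with MFA only on admin and remote
# access, a half-done baseline, no POA&M, no CUI flow control and no FIPS modules.
SAMPLE = """
3.12.4 implemented
3.1.1 implemented
3.1.2 implemented
3.1.3 not_implemented
3.1.4 implemented
3.1.12 implemented
3.1.13 implemented
3.4.1 partial          # partial on a non-exception: full 5-point deduction
3.4.2 implemented
3.5.3 partial          # exception: 3 points instead of 5
3.6.3 implemented
3.8.1 implemented
3.12.1 implemented
3.12.2 not_implemented
3.12.3 implemented
3.13.11 not_implemented
"""

if __name__ == "__main__":
    result = score_assessment(parse_checklist(SAMPLE))
    print("score:", result.score)
    for req, points in result.gaps:
        print(f"  -{points}  {req}")
```

Because the table is an excerpt, the sample scores relative to those 16 rows only; with the full Annex A table a checklist with nothing implemented bottoms out at 110 minus 313, the −203 floor quoted above.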
Skip the spreadsheet — score yourself in 10 minutes
Our free SPRS Score Calculator walks you through all 110 requirements, applies the exact DoD weights, and ranks your highest-impact gaps automatically.
Calculate your SPRS score →
The gaps that cost most contractors the most
Across small defense contractors, a handful of 5-point requirements come up missing again and again:
- 3.5.3 — Multifactor authentication for local and network access to privileged accounts, and network access to all other accounts. Often the single biggest, most achievable jump. If MFA already covers privileged and remote access but not general users, the deduction drops from 5 points to 3.
- 3.13.11 — FIPS-validated cryptography for protecting CUI (not just "encrypted": the modules must be FIPS 140-validated). Encryption that isn't FIPS-validated earns partial credit, costing 3 points instead of 5.
- 3.4.1 / 3.4.2 — Asset inventory and secure baselines.
- 3.1.12 / 3.1.13 — Monitoring and encrypting remote access.
A few things worth knowing in 2026
- SPRS scoring still runs on NIST SP 800-171 Revision 2 — the Department of War has not moved SPRS or CMMC to Revision 3 for scoring.
- DFARS 252.204-7019 was deleted and 252.204-7020 renumbered as of February 1, 2026 (the FAR Overhaul); self-assessment score submission now flows through CMMC under DFARS 252.204-7021.
Next step: turn your score into a System Security Plan
Knowing your score is half the job. The other half is documenting it. Once you've scored yourself, our free SSP Section Generator turns those same requirements into assessor-ready System Security Plan narrative, plus draft POA&M entries for your gaps.