If you are a defense contractor and you have never heard of your SPRS score, you are already behind. The Supplier Performance Risk System score is the number that the Department of Defense uses to evaluate your cybersecurity posture before awarding contracts. It ranges from negative 203 to positive 110. Most small contractors, when they first assess themselves honestly, discover they are significantly in negative territory.
The good news: you can fix it. The first step is understanding what the score actually means and how it is calculated.
What's in This Guide
- What Is the SPRS Score?
- How the Point Values Work
- The Three Steps to Calculate Your Score
- What a Good Score Actually Looks Like
- The Fastest Way to Improve Your Score
What Is the SPRS Score?
SPRS stands for Supplier Performance Risk System. Your SPRS score is a numerical summary of how well your organization implements the 110 security requirements in NIST Special Publication 800-171, Revision 2, scored under the NIST SP 800-171 DoD Assessment Methodology. The score starts at 110. Every requirement carries a point value; each requirement you have not fully implemented subtracts its value from the score.
The maximum possible score is 110 — meaning you have fully implemented all 110 controls. The minimum score is negative 203 — meaning you have implemented nothing. The average score for a small defense contractor who has never formally assessed themselves tends to be somewhere between negative 50 and negative 120.
Key Insight
Zero is not the goal. 110 is the goal. But moving from negative 80 to positive 50 can be the difference between winning a contract and losing it.
How the Point Values Work
Not all 110 requirements are weighted equally. The DoD Assessment Methodology (not NIST itself) assigns each one a value of 1, 3 or 5 points according to how much its absence raises risk to CUI. The heaviest, five-point requirements include multi-factor authentication, basic access control, audit logging and incident response. Missing one of these is not just a compliance problem; it is a five-point hit each time. The table below covers the eight families where the heaviest requirements cluster; NIST SP 800-171 has 14 families in total.
| Control Family | # of Controls | Point Impact | Priority |
|---|---|---|---|
| Access Control (AC) | 22 | High | Critical -- tackle first |
| Identification & Authentication (IA) | 11 | Very High | Critical -- MFA lives here |
| Incident Response (IR) | 3 | High | High priority |
| Configuration Management (CM) | 9 | Medium | Important |
| Audit & Accountability (AU) | 9 | Medium | Important |
| Risk Assessment (RA) | 3 | Medium | Moderate |
| System & Comm Protection (SC) | 16 | High | Critical |
| System & Info Integrity (SI) | 7 | High | High priority |
The Three Steps to Calculate Your Score
Step 1: Inventory Your CUI Environment
Before you can assess your controls, you need to know what systems handle Controlled Unclassified Information. Every laptop, server, cloud service, and application that touches CUI is in scope for your assessment. Start by mapping your CUI flow — where does it come in, where does it live, where does it go out?
Step 2: Assess Each Control Honestly
For each of the 110 requirements, answer honestly: is it fully implemented, partially implemented, or not implemented? With two exceptions, partial implementation earns no partial credit: a requirement that is not fully implemented and documented is scored as not met and its full value is deducted. The exceptions are 3.5.3 (multi-factor authentication) and 3.13.11 (FIPS-validated cryptography), which deduct 3 points instead of 5 when they are partially implemented in the way the methodology describes.
This is where most contractors underestimate their gaps. It is not enough to be doing something. It has to be documented, consistent, and fully implemented. An assessor will not take your word for it. They will ask for evidence.
Step 3: Submit Your Score to SPRS
Once you have assessed all 110 requirements and calculated your score, DFARS 252.204-7019 requires you to post the results in SPRS (reached through the PIEE portal) before award: the score, the date of the assessment, the system security plan it covers, and the date by which you expect to reach 110. A Basic assessment is a self-attestation, must be no more than three years old, and carries the weight of a federal contract compliance statement. Make sure it is accurate.
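A worked calculator for the scoring rule behind the point values and the three steps above, added here as an example; it is not DynamoDefense code and not the official DoD tool. It starts at 110, deducts each unmet requirement's value, applies the two partial-credit exceptions, treats anything not documented as not met, and lists which gaps return the most points. The values for 3.5.3 and 3.13.11 follow the methodology; the other entries in the table, and the sample assessment, are assumed illustrative data covering only a subset of requirements, so the computed score is for that subset. Swap in the full 110-entry table from the methodology's Annex A to get a real score.

```python
"""Toy calculator for a NIST SP 800-171 DoD Assessment Methodology score.

Added example, not DynamoDefense code. Rule: start at 110 and subtract
each unmet requirement's point value (1, 3 or 5). Two requirements allow
partial credit: 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) deduct
3 instead of 5 when partially implemented.
"""

MAX_SCORE = 110

# Point values. 3.5.3 and 3.13.11 follow the published methodology; the
# other rows are ASSUMED sample weights for a subset of requirements.
# Use Annex A of the methodology for the real 110-entry table.
POINTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multi-factor authentication
    "3.6.1": 5,    # incident-handling capability
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report and correct system flaws
}

# Deduction when the requirement is only partially met (the two exceptions).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

STATUSES = ("met", "partial", "not_met")


def deduction(req: str, status: str) -> int:
    """Points subtracted for one requirement given its assessed status."""
    if req not in POINTS:
        raise ValueError(f"unknown requirement {req}")
    if status not in STATUSES:
        raise ValueError(f"bad status {status!r} for {req}")
    if status == "met":
        return 0
    if status == "partial" and req in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req]
    # Everything else, including 'partial' outside the two exceptions,
    # is scored as not met: the full value comes off.
    return POINTS[req]


def score(assessment: dict[str, str]) -> int:
    """110 minus the deductions. A requirement missing from the assessment
    is treated as not met (undocumented counts as not implemented)."""
    total = 0
    for req in POINTS:
        total += deduction(req, assessment.get(req, "not_met"))
    return MAX_SCORE - total


def min_score() -> int:
    """Lowest score possible with the loaded table (-203 with the full Annex A)."""
    return MAX_SCORE - sum(POINTS.values())


def prioritize(assessment: dict[str, str]) -> list[tuple[str, int]]:
    """Gaps sorted by points recoverable (highest first), then by requirement id."""
    def req_key(req: str) -> tuple[int, ...]:
        return tuple(int(part) for part in req.split("."))

    gaps = []
    for req in POINTS:
        pts = deduction(req, assessment.get(req, "not_met"))
        if pts:
            gaps.append((req, pts))
    return sorted(gaps, key=lambda g: (-g[1], req_key(g[0])))


# Constructed sample self-assessment, not real data.
SAMPLE_ASSESSMENT = {
    "3.1.1": "met",
    "3.1.2": "met",
    "3.1.5": "partial",    # no partial credit here: full 3 points deducted
    "3.1.22": "met",
    "3.3.1": "not_met",
    "3.5.3": "partial",    # MFA partially deployed: 3 deducted, not 5
    "3.6.1": "not_met",
    "3.13.11": "not_met",
    # 3.14.1 deliberately omitted: treated as not met
}

if __name__ == "__main__":
    print("score:", score(SAMPLE_ASSESSMENT))
    print("worst case with this table:", min_score())
    for req, pts in prioritize(SAMPLE_ASSESSMENT):
        print(f"  {req:<8} recover {pts} points")
```

The deliberately omitted 3.14.1 in the sample shows the conservative rule from Step 2 in action: if you cannot document a requirement, the calculator deducts its full value rather than guessing. The `prioritize` output is the same ordering a remediation plan should follow, five-point gaps first.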
What a Good Score Actually Looks Like
There is no universally required minimum SPRS score for all contracts — the requirements vary by contract. But in practice, a score below zero raises immediate red flags with contracting officers and prime contractors. A score above 80 puts you in a competitive position. A score of 110 demonstrates full implementation — which is what CMMC Level 2 certification ultimately verifies.
Real Contractor Result — From -120 to +87 in Four Months
Mike R., CEO of a defense manufacturing company, used DynamoDefense to:
- Identify his 23 most impactful control gaps in the first week
- Implement MFA across all CUI-handling systems in week two
- Generate a complete SSP and POA&M in week three
- Systematically close gaps over four months with Winston's guidance
Result: SPRS score improved from -120 to +87
"Winston walked me through every control like I had a consultant on staff, except it was available at 2 AM when I actually had time to work on it."
The Fastest Way to Improve Your Score
Not all controls are equal in terms of implementation effort versus score impact. The highest-leverage moves for small contractors are typically: implementing multi-factor authentication across all CUI-handling accounts, establishing a formal incident response plan, implementing access control policies that limit CUI access to authorized users only, and enabling audit logging on systems that handle CUI.
These four categories alone can move a score from deeply negative to competitive — and none of them require expensive infrastructure investments. They require process, documentation, and consistent implementation.
DynamoDefense's SPRS Score Simulator lets you model score improvements before you commit to implementation changes. See the impact before you invest the effort. Start with what moves the needle most.
Simulate Your SPRS Score Improvement — Free
See exactly where you stand and what moves the needle most. No credit card required.
Disclaimer: This article is for informational purposes only and does not constitute legal or professional cybersecurity advice. SPRS score calculations are based on the DoD Assessment Methodology and may vary based on specific contract requirements.