
Average SPRS Score: What Your Prime Sees and How to Fix It

Josef Kamara · 12 min read · Updated May 20, 2026

The short answer: Your SPRS (Supplier Performance Risk System) score is a number between -203 and +110 that grades how well your company protects controlled government information. Defense primes can see it before they pick a subcontractor. DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) has publicly indicated that the average SPRS score across the defense industrial base skews significantly below zero. The good news: most small contractors can make meaningful progress without hiring a vendor. This article explains what the score means, why it matters for your bids, and what areas to address first.

What SPRS Is and Why Your Prime Sees Your Score

SPRS stands for Supplier Performance Risk System. It is a Department of Defense (DoD) database that stores your self-assessed cybersecurity score under NIST Special Publication 800-171, the federal standard for protecting Controlled Unclassified Information (CUI). CUI is any sensitive government data that is not classified but still requires protection: contract drawings, technical specs, export-controlled designs, and similar materials.

DFARS 252.204-7020 requires every contractor handling CUI to complete a self-assessment against NIST SP 800-171 and submit the resulting score to SPRS. That clause took effect in November 2020 and was updated in November 2023. If you have a defense contract with a CUI requirement and no score in SPRS, you are out of compliance today.

Here is the key point for your bids: contracting officers and large primes can pull your SPRS score before awarding a subcontract. A deeply negative score signals unmanaged cyber risk. A score near or above zero signals a contractor who has done the work. As CMMC (Cybersecurity Maturity Model Certification) Phase 2 requirements take effect on November 10, 2026, DoD will increasingly use SPRS scores as an early filter. Primes who face their own CMMC obligations have every reason to screen out subs with poor scores before those subs become a liability.

Sources: SPRS NIST Assessment page | DFARS 252.204-7020

How the -203 to +110 Scale Works

Think of SPRS scoring as a deduction model, not a point-accumulation model. Points are not earned upward from nothing. You begin with a maximum of 110 points and lose points for every cybersecurity requirement you have not implemented.

NIST SP 800-171 Revision 2 contains 110 security requirements across 14 families, covering areas from access control and audit logging to system protection and physical security. The DoD Assessment Methodology assigns each requirement a point value based on how much risk the gap creates. The highest-risk gaps carry more weight than lower-risk ones. Implement all 110 requirements fully and your score is +110. Leave significant gaps unaddressed and you can go well below zero. The floor is -203 because some requirements have multiple sub-parts, each of which can reduce the score.

What this means practically: a score of zero does not mean you have done nothing. It means your implemented controls and your gaps roughly offset each other. A score well below zero means significant gaps remain. A score above zero means your implemented controls outweigh your gaps. No score on file at all is its own red flag to primes and contracting officers.

Source: NIST SP 800-171 Rev. 2 | DoD Assessment Methodology v1.2.1 (June 24, 2020) via Defense Pricing and Contracting

What the Average SPRS Score Looks Like Across the Industry

DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts high-confidence assessments of defense contractors and reports findings to program offices. Based on what DIBCAC has shared with industry groups, scores across the defense industrial base skew significantly below zero. Most contractors who have gone through a DIBCAC assessment score far lower than their own self-assessments suggested.

That gap matters for two reasons. First, primes and contracting officers see your submitted score. A low score puts you at a disadvantage before the proposal conversation starts. Second, CMMC Level 2 certification will require either a confirmed self-assessment or a third-party assessment, depending on what the solicitation specifies. A score built on gaps will not survive either review.

The practical takeaway: if you have not assessed your cybersecurity posture against NIST SP 800-171, your score is almost certainly lower than you think. The eight areas below are where most small contractors have the largest gaps and the most room to improve quickly.

Source: DCMA DIBCAC

The 8 Areas That Move Most Small Contractor Scores

These are the eight areas where small defense contractors most commonly have gaps. Addressing them will not require you to become a cybersecurity expert. Each area below explains what the requirement is, why it matters to your score and your bids, and what your IT resource or IT support firm needs to do. The technical specifics of implementation belong in your System Security Plan (SSP) and with whoever manages your IT environment.

1. Multi-Factor Authentication (MFA) for Accounts That Access CUI

This requirement covers every account with access to systems that store, process, or transmit CUI. That includes administrators, IT staff, and anyone who can log in to those systems with elevated access.

Why it matters for your score: MFA is one of the highest-weighted requirements in the DoD Assessment Methodology. Failing it reduces your score significantly. It is also one of the most visible gaps a prime or assessor checks first.

What needs to happen: your IT resource enables multi-factor authentication through your identity platform. Users verify their identity with a second method (an app or a hardware token) in addition to their password. Document the policy in writing: who requires MFA, what method is approved, and who verifies compliance.

2. Encrypted Transmission of CUI

Any CUI moving across a network must use cryptographic protection that meets federal standards (FIPS 140-2 or 140-3 validated). This covers email, file transfers, and remote access connections to CUI systems.

Why it matters for your score: this is another high-weighted requirement. Unencrypted CUI transmission is a significant gap that carries a meaningful point deduction.

What needs to happen: your IT resource confirms that remote access, email, and file transfer systems use current, federally validated encryption protocols. Older encryption versions are not acceptable. Your IT support can verify whether your current tools meet this standard and upgrade what does not.

3. Audit Logs on Systems That Touch CUI

Your systems need to generate records of logins, privileged actions, file access, and configuration changes. Then someone needs to review those records regularly.

Why it matters for your score: the DoD methodology assigns points for both generating logs and reviewing them. Two separate requirements, two separate point values. Many small contractors have logging enabled by default but no review process. The review gap alone costs points.

What needs to happen: confirm log collection is active on CUI systems and set retention to at least 90 days. Designate someone to review logs on a regular schedule, even briefly. Document every review with a date and the name of the reviewer. The written procedure is as important as the technical setup.

4. Configuration Baselines and Change Logs

A configuration baseline is a written record of what each CUI-handling system is supposed to look like: operating system version, installed software, enabled services, firewall rules, and authorized user accounts. When anything changes, log it.

Why it matters for your score: this requirement demonstrates that you control your own environment. Without a baseline, you cannot show an assessor what the intended state is or detect when it changes.

What needs to happen: document the baseline for each system, store it somewhere version-controlled, and record every change with who made it, when, and why. A shared document works for a small business. The requirement is discipline, not a specific tool.

5. Vulnerability Scanning and Remediation

You need to periodically scan CUI systems for known security weaknesses and fix what you find.

Why it matters for your score: this is a direct requirement under NIST SP 800-171. Assessors will ask to see scan outputs and evidence of remediation. No scan history means no evidence.

What needs to happen: run a vulnerability scan against CUI systems, document the findings, fix critical and high-severity issues first, and keep a record of what was remediated and when. This record also forms the foundation of your Plan of Action and Milestones (POA&M). Several tools suitable for small businesses are available at low or no cost; your IT support can identify the right one for your environment.

6. Personnel Screening Before CUI Access

Verify the background of employees and contractors before they can access CUI. Document the screening process and keep the records.

Why it matters for your score: this requirement is often missed because it looks like an HR function rather than a cybersecurity function. It is both. The gap costs points and can surprise contractors during an assessment.

What needs to happen: run a background check before onboarding anyone who will touch defense information. Write a brief policy covering who requires screening, what check is performed, who reviews results, and what disqualifies someone from CUI access. If you already run background checks for HR purposes, extend that documentation explicitly to CUI access decisions.

7. Physical Access Controls for CUI Locations

Control and log physical access to any space or device where CUI is stored or processed. Lock the room, cabinet, or workstation area and keep a record of who enters.

Why it matters for your score: physical security requirements are frequently overlooked on small business self-assessments. They carry real point values. An assessor will ask about the physical boundary of your CUI environment.

What needs to happen: identify which spaces contain CUI, control access to those spaces with a lock or badge system, and maintain a log of access. For a small office or home-based contractor, a key log and a locked room are acceptable. Write down the boundary, how access is controlled, and how access is logged.

8. Incident Response Plan, Tested at Least Annually

Write a plan that documents what your business does when a cybersecurity incident occurs. Test it at least once per year and document the test.

Why it matters for your score: DFARS 252.204-7012(c) requires you to report certain cyber incidents to DoD within 72 hours of discovery. Without a plan, you will not be ready when something happens. The plan also demonstrates compliance maturity during assessments.

What needs to happen: write a plan covering who gets notified first, how you contain the problem, what you report to DoD and how, and how you recover. Four to six pages is sufficient for most small businesses. Testing means walking your team through a scenario, confirming everyone knows their role, and recording that the exercise happened with a date. Keep that record.

Your Next Steps: From Score to Submission

Before you address any of the eight areas above, take this step first: complete a formal self-assessment against all 110 NIST SP 800-171 requirements using the DoD Assessment Methodology. Download the scoring spreadsheet from the NIST website. Work through each control and mark it implemented, partially implemented, or not implemented. Calculate your starting score. Submit it to SPRS.

You cannot improve a score you have not measured. The baseline also creates your POA&M (Plan of Action and Milestones), which documents what remains unimplemented and by when you plan to address it. DoD requires a POA&M alongside your score. A clear POA&M with realistic dates signals compliance maturity even when your score is still negative.

Once you have a baseline score, work through the eight areas in order. Address the highest-weighted gaps first. As you implement each control, update your self-assessment and resubmit your score to SPRS at sprs.csd.disa.mil. Your score is not a one-time filing. It reflects your current posture and should be updated as your posture improves.

For a small business with one IT resource or a motivated owner-operator, getting from a significantly negative score to a positive or near-positive score with a documented POA&M is achievable in 60 to 90 days. The documentation-heavy requirements (configuration baselines, incident response plan, personnel screening policy) take time but not technical expertise. The technical controls (MFA, encryption, logging) require IT support but are not exotic implementations for a small environment.
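As an added illustration of the deduction model described under "How the -203 to +110 Scale Works" and of the self-assessment-to-POA&M workflow just described (example code written for this article, not a DoD tool), here is a small scorer: it starts at 110, subtracts each gap by its 1/3/5 weight, applies the reduced deduction the methodology allows for a partially implemented MFA or FIPS-cryptography requirement, and lists the remaining gaps largest first for the POA&M. The nine-requirement subset, its weights and the sample statuses are constructed assumptions; check the weights against the current methodology table before relying on them.

```python
from dataclasses import dataclass

MAX_SCORE = 110  # every NIST SP 800-171 Rev. 2 requirement fully implemented


@dataclass(frozen=True)
class Requirement:
    rid: str                 # NIST SP 800-171 identifier, e.g. "3.5.3"
    name: str
    weight: int              # DoD Assessment Methodology value: 1, 3 or 5
    partial_credit: int = 0  # reduced deduction if partially implemented (0 = none)

# Constructed subset covering the eight areas in this article; weights and the two
# partial-credit cases are my reading of the methodology (assumption: verify them).
SAMPLE_REQUIREMENTS = [
    Requirement("3.5.3", "MFA for local, network and privileged access", 5, 3),
    Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, 3),
    Requirement("3.3.1", "Create and retain audit logs", 5),
    Requirement("3.3.3", "Review and update logged events", 1),
    Requirement("3.4.1", "Configuration baselines", 5),
    Requirement("3.11.2", "Vulnerability scanning", 5),
    Requirement("3.9.1", "Personnel screening before CUI access", 3),
    Requirement("3.10.1", "Physical access controls", 5),
    Requirement("3.6.1", "Incident handling capability", 5),
]

def deduction(req: Requirement, status: str) -> int:
    """Points lost for one requirement under the deduction model."""
    if status not in ("implemented", "partial", "not_implemented"):
        raise ValueError(f"{req.rid}: unknown status {status!r}")
    if status == "implemented":
        return 0
    if status == "partial" and req.partial_credit:
        return req.partial_credit
    return req.weight  # "partial" with no partial-credit rule counts as a full gap

def sprs_score(reqs, statuses: dict) -> int:
    """110 minus every gap; an unanswered requirement is treated as not implemented.
    Run over all 110 requirements for a real score; a subset only shows the mechanics."""
    return MAX_SCORE - sum(deduction(r, statuses.get(r.rid, "not_implemented")) for r in reqs)

def poam_items(reqs, statuses: dict):
    """Gaps for the POA&M, largest point value first: the order to fix them in."""
    gaps = [(r.rid, r.name, deduction(r, statuses.get(r.rid, "not_implemented")))
            for r in reqs if statuses.get(r.rid) != "implemented"]
    return sorted(gaps, key=lambda g: (-g[2], g[0]))

# Constructed self-assessment of a contractor partway through the eight areas: MFA on
# for admins only, logs collected but never reviewed, one ad-hoc scan with no record.
SAMPLE_STATUSES = {
    "3.5.3": "partial", "3.13.11": "not_implemented", "3.3.1": "implemented",
    "3.3.3": "not_implemented", "3.4.1": "not_implemented", "3.11.2": "partial",
    "3.9.1": "not_implemented", "3.10.1": "implemented", "3.6.1": "not_implemented",
}
```

Re-running `sprs_score` after each control is closed is the "update your self-assessment and resubmit" loop described above, with `poam_items` giving the ordered list of what still goes in the POA&M.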

When You Still Need a C3PAO Assessment

Self-assessment under DFARS 252.204-7020 is where you start, and it is the right place for most small contractors right now. It is not a substitute for third-party assessment when your specific contract requires one.

CMMC Level 2 covers most contractors handling CUI. Under DFARS 252.204-7021, some Level 2 contracts permit a self-assessment pathway while others require an assessment by a C3PAO (Certified Third-Party Assessment Organization). The contracting officer specifies which pathway applies in the solicitation. A C3PAO is an independent firm accredited by the Cyber AB to perform official CMMC assessments. If the solicitation specifies CMMC Level 2 (C3PAO), a self-assessment does not satisfy the requirement.

The eight areas in this article prepare you for a C3PAO assessment. A contractor who arrives with MFA deployed, logs running, a current POA&M, and documented policies completes a third-party assessment faster and at lower cost than one starting from scratch. Think of the eight areas as your pre-assessment foundation.

For more on what CMMC Level 2 requires and what third-party assessment costs, read CMMC Certification for Small Businesses. If you are new to federal contracting and need the full compliance picture, the FAR compliance guide for small business contractors covers the foundational requirements before DFARS-specific rules layer on top.

Frequently Asked Questions

What is a good SPRS score for a defense contractor?

Any positive score means your implemented controls outweigh your gaps. A score above zero, combined with a documented POA&M showing a credible completion plan for remaining items, is the practical threshold most primes and contracting officers look for. The higher your score, the more clearly you signal compliance maturity to primes who check before awarding subcontracts.

How do I submit my SPRS score?

Complete your self-assessment using the DoD Assessment Methodology spreadsheet, calculate your score, then log in to the SPRS portal at sprs.csd.disa.mil with a CAC, PIV credential, or SPRS system account. Enter your score, assessment date, and plan of action completion date. Keep a copy of your assessment worksheet as your documentation record. For a Basic Assessment, DFARS 252.204-7020 also permits submission via encrypted email to the Navy’s SPRS posting address.

Can a prime contractor see my SPRS score without my permission?

Yes. SPRS is a DoD acquisition database. Authorized contracting officers and prime contractors with a SPRS account can view supplier scores as part of acquisition and subcontracting decisions. You receive no notification when someone pulls your score.

What is a POA&M and do I need one?

A Plan of Action and Milestones (POA&M) documents every NIST SP 800-171 requirement not yet fully implemented, with a target date and responsible party for each item. DoD requires a POA&M alongside your SPRS score submission. A score with no POA&M for identified gaps is an incomplete submission. A clear POA&M with realistic dates signals compliance maturity even when your score is still negative.

How often do I need to update my SPRS score?

DFARS 252.204-7020 requires an annual affirmation of continuous compliance. Update your score any time you make significant changes to your environment or controls. If a C3PAO conducts an official CMMC assessment, the assessed score replaces your self-assessed score in SPRS for the period the assessment covers.

Does NIST SP 800-171 Rev. 3 change my SPRS score?

Not yet. NIST published SP 800-171 Revision 3 in May 2024, which reorganized the requirements. DoD is currently assessing against Revision 2 for SPRS scoring purposes. Until DoD updates the Assessment Methodology to reflect Rev. 3, contractors should assess against Rev. 2. Watch for DoD guidance on any transition timeline.

An SPRS score is one of the first things a prime checks before starting a subcontracting conversation. A positive score with a documented POA&M tells them you take cybersecurity seriously. A deeply negative score, or no score at all, raises questions you will have to answer before any conversation about work gets started.

Complete your self-assessment, submit your score, and start working through the eight areas above. For the broader CMMC picture, read CMMC Certification for Small Businesses.

Written by Josef Kamara

CPA, CISSP, CISA. Former Big Four auditor (KPMG, BDO). Specializing in government contracting compliance, cybersecurity, and audit readiness.
