The short answer: If your DoD contract or proposal mentions DFARS 252.204-7012, you are required to assess your cybersecurity posture against a federal standard called NIST SP 800-171 (110 security requirements), calculate a score, and post that score to a government database called SPRS before award. This article walks you through what that means in plain English, what the score actually measures, and exactly what you need to submit. You do not need an IT background to understand this. You do need to take it seriously.
Why You Are Reading This (and What Triggered the Requirement)
You received a DoD contract, an RFP, or a subcontract that includes language about DFARS 252.204-7012. Or a prime contractor told you that you need an SPRS score before they can award you a subcontract. Either way, you need a NIST 800-171 self-assessment checklist and plain English guidance on what to submit.
Start here. Three federal clauses work together to create this requirement:
- DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting): This clause appears in your contract when your work involves federal information called Controlled Unclassified Information (CUI). CUI is government data that is sensitive but not classified: think technical drawings for a defense system, certain research data, or personally identifiable information on federal employees. If this clause is in your contract, you must protect that data using NIST SP 800-171 and report any cyber incident to the DoD within 72 hours of discovery through the DIBNet portal (dibnet.dod.mil). Reporting through DIBNet requires a DoD-approved medium assurance certificate, which takes time to obtain, so get one before you need it.
- DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements): This is a solicitation provision, meaning it appears in the RFP or solicitation before award. It requires you to represent that you have a current NIST SP 800-171 assessment score posted in SPRS. “Current” means assessed within the last three years. No score in SPRS when the contracting officer checks: no award.
- DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements): This is the contract clause, meaning it flows through the life of the award and down to your subcontractors. It requires your SPRS score to be on record and requires that any subcontractor you hire also has a current assessment posted. The flow-down requirement is at subsection (g).
The rule that requires you to post your SPRS score lives in DFARS 252.204-7019 (solicitation) and DFARS 252.204-7020 (contract). DFARS 252.204-7012 is the clause that defines what you must protect and what to do if you are hacked. They are related but distinct. Confusing them is the single most common mistake small contractors make when reading DoD cybersecurity requirements.
The requirement flows down through the supply chain. If a prime contractor’s contract includes these clauses, they must pass them to any subcontractor whose work touches CUI, even if that subcontractor has no direct DoD relationship.
What Is CUI and Do You Have It?
Controlled Unclassified Information (CUI) is government data that is sensitive enough to need protection but not classified. The question of whether your work involves CUI determines whether NIST 800-171 applies to you at all.
Common examples of CUI in defense contracting: technical specifications and engineering drawings for defense systems, certain export-controlled research data, personally identifiable information about military personnel, and procurement-sensitive contract data.
The practical test: look at your contract. If DFARS 252.204-7012 is in it, treat your work as involving CUI until you confirm otherwise. The clause is prescribed for nearly every DoD contract except those solely for commercial off-the-shelf (COTS) items, so its presence does not by itself prove you handle CUI, but it does mean you are obligated to find out. If you are selling purely COTS products with no government-furnished technical data and no sensitive contract information, check with your contracting officer before assuming you are covered.
For a plain-language explanation of CUI categories and how to identify them, read our guide on what counts as Controlled Unclassified Information.
What NIST SP 800-171 Actually Is
NIST SP 800-171 is a federal security standard published by the National Institute of Standards and Technology (NIST), a U.S. government agency. The “SP” stands for Special Publication. “800-171” is the document number. The current version for DoD contracts is Rev 2, which contains 110 security requirements organized into 14 categories called families.
The standard tells you: “Here are the 110 things you need to have in place to protect CUI on your systems.” Each requirement covers a different area of security: controlling who has access, training your employees, keeping audit logs, protecting against malware, and so on. You do not need to implement all 110 to submit a score. You need to know which ones you have and which ones you do not, because your score is based on that gap.
NIST released a Rev 3 in 2024, but DoD has continued to use Rev 2 for contract requirements through a class deviation (DoD class deviation 2024-O0013). Check the specific clause in your contract to confirm which version applies before you start your assessment.
How Your SPRS Score Works
SPRS stands for Supplier Performance Risk System. It is a DoD database (sprs.csd.disa.mil) where you post your self-assessed score; you reach it through the Procurement Integrated Enterprise Environment (PIEE, piee.eb.mil), the same vendor portal DoD uses for invoicing. Contracting officers check it before awarding contracts. Think of it as your cybersecurity credit report for DoD work.
The scoring methodology is deductive. You start at 110 and lose points for every requirement you have not implemented:
- You start at a perfect score of 110.
- For each security requirement you have NOT implemented, you deduct the point value assigned to that requirement: 5, 3, or 1 points depending on how much its absence weakens protection of CUI. There is no partial credit, with two exceptions written into the DoD methodology: multi-factor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) lose 3 points instead of 5 when they are partly in place.
- A perfect score of 110 means all 110 requirements are fully in place.
- The lowest possible score is -203, which means every single requirement is unimplemented at its maximum deduction.
This is the most important thing to understand about the scoring: you start at 110 and deduct down, not at zero and build up. A contractor who starts at zero and adds points for what they have implemented will produce a wrong score that does not match what the DoD methodology computes.
Most small contractors land well below 110. That is normal, and scores well below 110 are common across the defense industrial base. DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts the government's own NIST SP 800-171 assessments of contractors, and what gets contractors in trouble is not a low score but a score that does not survive a DIBCAC check. A realistic score with a credible remediation plan is more defensible than an inflated score that does not reflect reality.
What you submit to SPRS: your numerical score, the date you completed the assessment, the scope (Enterprise, Enclave, or specific Contracts, meaning which of your systems were covered), the CAGE codes the assessment covers, the name, version and date of the System Security Plan you assessed against, and the date by which you expect every open POA&M item to be closed. You do not upload your SSP or your evidence. You keep those records yourself in case the government asks for them later.
The Four Questions a Scared Newcomer Actually Needs Answered
Question 1: What does my score mean for my ability to win contracts?
A missing score in SPRS can block contract award outright under DFARS 252.204-7019. A low score does not automatically disqualify you, but contracting officers can and do factor it in. A score of 88 with a documented remediation plan showing how you will close your gaps is generally treated more favorably than a suspiciously perfect 110 with no supporting evidence, or a missing score entirely.
The practical risk is not just award: DCMA’s DIBCAC can select any contractor for a medium or high assessment, where government assessors review your actual security posture against your submitted score. If your score says 95 and your systems show 60 worth of compliance, that gap is a problem. Accuracy matters more than a high number.
Question 2: What do I actually have to submit, and where?
You submit your score to SPRS (sprs.csd.disa.mil). Access is through the PIEE vendor portal (piee.eb.mil): your company needs an active SAM registration with a CAGE code, a PIEE account, and the SPRS Cyber Vendor User role, which your company's PIEE contractor administrator approves. If nobody at your company has a PIEE account, start the setup now, because registration, identity checks and role approval can take days.
What goes into the submission: your score (the number you calculated), the date the assessment was completed, the scope (Enterprise, Enclave, or Contracts) and the CAGE codes it covers, the name, version and date of the SSP you assessed against, and your planned POA&M completion date. The portal does not accept your evidence documents. Keep those on file.
Question 3: What if my score is low?
Build a Plan of Action and Milestones (POA&M). A POA&M is a document that lists every security requirement you have not yet implemented, explains the gap, and gives a realistic timeline for closing it. It shows the government that you know your gaps and have a plan. Two cautions. First, DFARS 252.204-7020 sets no separate remediation deadline, but DFARS 252.204-7012 required NIST SP 800-171 to be implemented by December 31, 2017, so a POA&M documents a shortfall you are already late on, not a grace period, and SPRS asks you for the date by which all items will be closed. Second, if CMMC Level 2 is coming, 32 CFR Part 170 only allows a conditional certification with open POA&M items when the score is at least 88, no requirement worth more than 1 point is on the POA&M (with a narrow exception for partially implemented 3.13.11), and every item is closed within 180 days.
Be honest with the timelines. A POA&M claiming every gap closes in 30 days is not credible. One with 90-day and 180-day timelines that reflect the actual cost and complexity of each fix is. DIBCAC has reviewed hundreds of these. They know what feasible looks like.
Question 4: Where do I get help?
Two free resources worth knowing:
- APEX Accelerators (apexaccelerators.us): A nationwide network of free technical assistance centers that help small businesses compete for federal contracts. Many APEX centers have staff who can walk you through SPRS registration and self-assessment basics at no charge.
- NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information): Published free at csrc.nist.gov, this is the official assessment procedure that lists, for each of the 110 requirements, the specific objectives an assessor checks. It tells you what Met means. The point values come from the DoD Assessment Methodology spreadsheet on the SPRS site; the two documents are used together.
If your environment is complex (multiple offices, cloud systems, IT subcontractors, or a DoD contract that will soon require full CMMC Level 2 certification), consider a paid consultant or a Registered Practitioner Organization (RPO) listed in the Cyber AB marketplace at cyberab.org. Paid help is not required for a basic self-assessment. It is worth it if the complexity exceeds what you can manage with free resources.
The 14 Families: Plain-Language Summary
The 110 requirements in NIST SP 800-171 Rev 2 are organized into 14 families (categories). Each family covers a different aspect of security. The table below gives you the family name, how many requirements are in it, and a plain-language description of what it asks for.
| Code | Family Name | Requirements | What It Covers in Plain English |
|---|---|---|---|
| AC | Access Control | 22 | Who can log in, what they can see, and how remote access is controlled |
| AT | Awareness and Training | 3 | Security training for everyone who touches your systems |
| AU | Audit and Accountability | 9 | Log files: what happened, when, and who did it |
| CM | Configuration Management | 9 | Approved system configurations and change control |
| IA | Identification and Authentication | 11 | Passwords, multi-factor login, and device verification |
| IR | Incident Response | 3 | Written plan for what to do when something goes wrong |
| MA | Maintenance | 6 | Controlling who fixes your systems and how remote maintenance is handled |
| MP | Media Protection | 9 | USB drives, hard drives, printed documents: marking, handling, and disposal |
| PE | Physical Protection | 6 | Physical access to the room or office where CUI systems live |
| PS | Personnel Security | 2 | Background checks before hire and account termination when people leave |
| RA | Risk Assessment | 3 | Periodic review of security risks and a process for scanning for vulnerabilities |
| CA | Security Assessment | 4 | Testing your controls, documenting gaps, and the System Security Plan |
| SC | System and Communications Protection | 16 | Network segmentation, encryption, and firewall controls |
| SI | System and Information Integrity | 7 | Antivirus, patching, and monitoring for threats |
The counts total 110 across all 14 families. Three families are most likely to produce large point deductions for small contractors with no dedicated IT staff: AC (Access Control, 22 requirements), SC (System and Communications Protection, 16 requirements), and IA (Identification and Authentication, 11 requirements). Between them they hold a large share of the 5-point requirements in the DoD scoring methodology, multi-factor authentication and FIPS-validated encryption among them, so gaps here cost the most.
The Most Common Gaps for Small Contractors (No IT Staff)
Shared passwords and admin accounts used for daily work (AC family). If two people share one login, or if the owner uses their administrator account to check email, those are failed requirements (3.1.1 limits access to authorized, individually identified users; 3.1.6 requires non-privileged accounts for non-security work). Fix: give every person their own unique login and create a separate account for administrative tasks that is used for nothing else.
No multi-factor authentication (MFA) (IA family, requirement 3.5.3). MFA means you need two things to log in: your password plus something else, like a code from an authenticator app. Rev 2 requires it for local and network access to privileged (administrator) accounts and for network access to everyone else, so "only on the VPN" does not fully meet it. The requirement is worth 5 points in the DoD scoring methodology: no MFA at all drops a 110 to 105, and MFA for remote and privileged users but not for ordinary office logins still costs 3.
No written Incident Response Plan (IR family). Three requirements in this family, all achievable in an afternoon. Write down: who gets called when something goes wrong, what to preserve (DFARS 252.204-7012(e) requires you to keep images of affected systems and the relevant logs for at least 90 days after you report), how to meet the 72-hour reporting requirement in 252.204-7012(c), and who holds the DoD-approved medium assurance certificate that DIBNet reporting needs. A two-page document qualifies for a small operation.
No System Security Plan (CA family). NIST SP 800-171 Rev 2 requirement 3.12.4 requires you to develop, document, and periodically update a System Security Plan (SSP). An SSP is a written document that describes your systems, the CUI they handle, and how each of the 110 requirements is addressed. You do not need to submit it to SPRS, but without it you cannot systematically score yourself, and DIBCAC will ask for it during any medium or high assessment. NIST provides a free SSP template at csrc.nist.gov.
Unencrypted USB drives and no disposal process (MP family). If CUI has ever been stored on a thumb drive, that drive needs encryption. If old computers have been thrown away or donated without a documented wipe, the Media Protection family has gaps. BitLocker (built into Windows) or an equivalent tool can satisfy the encryption requirement for portable media, with one caveat: requirement 3.13.11 wants FIPS-validated cryptography, so turn on the operating system's FIPS mode and record which validated module you rely on. Encryption that is in place but not FIPS-validated is scored as a separate 3-point gap.
What You Actually Have to Do: A Four-Step Overview
This does not have to be a multi-week project if you are a small contractor with a single-office environment and a handful of computers. A focused effort over a long weekend is realistic for the first pass. Here is the sequence:
Step 1: Write Your System Security Plan (Start Here)
Before you score anything, write down what your systems are and what CUI they handle. NIST provides a free SSP template (search “NIST 800-171 SSP template” or download directly from csrc.nist.gov). For each of the 110 requirements, write one to three sentences describing how you address it, or note that it is not yet implemented.
This document is your scoring worksheet. An accurate SSP with gaps is the foundation of a defensible program. An inflated SSP with false claims is fraud.
Step 2: Score Each Requirement
Use the DoD NIST SP 800-171 Assessment Methodology scoring spreadsheet, available on the SPRS website (sprs.csd.disa.mil, under the NIST SP 800-171 section). For each of the 110 requirements, mark it Met or Not Met against the assessment objectives in NIST SP 800-171A; a requirement that is 90 percent done is Not Met. The only partial credit the methodology allows is on 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), where a partial implementation costs 3 points instead of 5. For every Not Met requirement, subtract its point value from 110; the running total is your score. One special case: 3.12.4, the System Security Plan, carries no point value because without an SSP the assessment cannot be scored at all.
Step 3: Build Your POA&M
For every requirement you marked Not Met, create a row in your Plan of Action and Milestones. The row needs: what the gap is, who is responsible for fixing it, how you plan to fix it, when you expect it to be closed, and what resources (money, tools, outside help) it requires. Set realistic dates; SPRS asks for a single date by which every item will be closed, so take the latest milestone. A credible POA&M with gaps is more valuable than a falsely inflated score.
Step 4: Submit to SPRS
Log in to PIEE (piee.eb.mil) with an account that holds the SPRS Cyber Vendor User role and open SPRS. Under the NIST SP 800-171 assessment section, add a new assessment: enter the score, assessment date, scope, covered CAGE codes, the SSP name, version and date, and your planned POA&M completion date. Keep your SSP and evidence on file. You do not upload them to SPRS.
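As an added example that is not part of this article and not a DoD or NIST tool, here is a small Python helper that implements the deductive scoring described in "How Your SPRS Score Works" together with the POA&M rows from Step 3: start at 110, subtract the 5/3/1 point value for each unmet requirement, apply the two partial-credit cases the DoD methodology allows (3.5.3 and 3.13.11), refuse to score at all when 3.12.4 (the SSP) is missing, and never go below -203. The WEIGHTS table is a constructed subset for illustration: the requirement IDs are real Rev 2 identifiers, but every point value must be checked against the official spreadsheet, and check_table() flags a transcribed table that does not have 110 entries totalling 313 points. The sample findings, owners and dates are constructed.

```python
"""Deductive NIST SP 800-171 (Rev 2) self-scoring helper (illustrative)."""
from dataclasses import dataclass

MAX_SCORE = 110          # every requirement met
MIN_SCORE = -203         # every requirement unmet at full weight (110 - 313)
FULL_TABLE_SIZE = 110
FULL_TABLE_POINTS = 313  # sum of all point values in the official table

# Constructed subset. ASSUMPTION: verify each value against the DoD
# Assessment Methodology spreadsheet before trusting any score from this.
WEIGHTS = {
    "3.1.1": 5,    # authorized users, processes and devices only
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.5.3": 5,    # multifactor authentication
    "3.6.1": 5,    # incident handling capability
    "3.8.6": 1,    # cryptography on CUI media in transport
    "3.12.4": 0,   # SSP: not scored; its absence blocks scoring entirely
    "3.13.11": 5,  # FIPS-validated cryptography
}

# The methodology reduces the deduction for exactly two requirements.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for remote and privileged users but not general users
    "3.13.11": 3,  # encryption in place, but not FIPS-validated
}
SSP_REQUIREMENT = "3.12.4"


@dataclass(frozen=True)
class Finding:
    requirement: str
    status: str           # "met", "not_met" or "partial"
    owner: str = ""       # POA&M fields, used only for gaps
    fix: str = ""
    target_date: str = ""


class NoSystemSecurityPlan(Exception):
    """Without an SSP the DoD methodology says the assessment cannot be scored."""


def check_table(weights: dict[str, int]) -> list[str]:
    """Sanity-check a transcribed weight table; returns a list of problems."""
    problems = []
    if len(weights) != FULL_TABLE_SIZE:
        problems.append(f"expected {FULL_TABLE_SIZE} requirements, got {len(weights)}")
    if sum(weights.values()) != FULL_TABLE_POINTS:
        problems.append(f"expected {FULL_TABLE_POINTS} points, got {sum(weights.values())}")
    bad = [r for r, w in weights.items() if w not in (0, 1, 3, 5)]
    if bad:
        problems.append(f"non-standard point values on: {bad}")
    return problems


def deduction(finding: Finding, weights: dict[str, int]) -> int:
    """Points lost for one finding under the deductive methodology."""
    if finding.requirement not in weights:
        raise ValueError(f"unknown requirement {finding.requirement}")
    if finding.status == "met":
        return 0
    if finding.requirement == SSP_REQUIREMENT:
        raise NoSystemSecurityPlan("3.12.4 not met: write the SSP before scoring")
    if finding.status == "not_met":
        return weights[finding.requirement]
    if finding.status == "partial":
        if finding.requirement not in PARTIAL_CREDIT:
            raise ValueError(f"{finding.requirement} has no partial credit")
        return PARTIAL_CREDIT[finding.requirement]
    raise ValueError(f"bad status {finding.status!r}")


def score(findings: list[Finding], weights: dict[str, int] = WEIGHTS) -> int:
    """Start at 110, subtract for each gap, never go below -203.

    A requirement in the table with no finding is treated as not met:
    silence is a gap, not a pass.
    """
    by_req = {f.requirement: f for f in findings}
    total = 0
    for req in weights:
        total += deduction(by_req.get(req, Finding(req, "not_met")), weights)
    return max(MIN_SCORE, MAX_SCORE - total)


def poam_rows(findings: list[Finding], weights: dict[str, int] = WEIGHTS) -> list[dict]:
    """One POA&M row per gap, highest point value first."""
    rows = [
        {"requirement": f.requirement, "points_at_risk": deduction(f, weights),
         "status": f.status, "owner": f.owner, "fix": f.fix, "target_date": f.target_date}
        for f in findings if f.status != "met"
    ]
    return sorted(rows, key=lambda r: (-r["points_at_risk"], r["requirement"]))


# Constructed sample assessment for a small shop (not real findings).
SAMPLE = [
    Finding("3.1.1", "met"),
    Finding("3.1.2", "met"),
    Finding("3.1.3", "not_met", "owner", "add CUI mail-flow rule on the gateway", "2025-09-30"),
    Finding("3.5.3", "partial", "owner", "turn on MFA for all users, not just VPN", "2025-08-15"),
    Finding("3.6.1", "met"),
    Finding("3.8.6", "met"),
    Finding("3.12.4", "met"),
    Finding("3.13.11", "not_met", "IT vendor", "enable FIPS mode on BitLocker and VPN", "2025-10-31"),
]

if __name__ == "__main__":
    print("table problems:", check_table(WEIGHTS))
    print("score:", score(SAMPLE))
    for row in poam_rows(SAMPLE):
        print(row)
```

The design choice worth copying even if you score by hand: anything you have not explicitly marked Met is counted as Not Met, and a missing SSP stops the calculation instead of silently scoring 110. Sort the POA&M by points at risk so the 5-point items get the earliest milestones.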
Cloud Storage: A Common Trap
Many small contractors store work files on standard commercial cloud services: a regular Microsoft 365 subscription, Google Drive, or Dropbox. If any of those files contain CUI, that storage arrangement may not comply with DFARS 252.204-7012(b)(2)(ii)(D), which requires you to ensure that any external cloud service used for covered defense information meets security requirements equivalent to the FedRAMP Moderate baseline and that the provider complies with the clause's own paragraphs (c) through (g): incident reporting, malicious software handling, media preservation, and access for forensic analysis and damage assessment.
FedRAMP is the government's authorization program for cloud service providers. Do not assume a standard commercial subscription qualifies: check the provider's listing at marketplace.fedramp.gov, confirm the authorization covers the exact service you use, and get the provider's written commitment to the 7012(c) through (g) obligations. Microsoft 365 Government Community Cloud (GCC and GCC High) is the offering Microsoft positions for this kind of data, and export-controlled CUI (ITAR) generally pushes contractors to GCC High because of its US-persons support model. Confirm all of this before storing any CUI in the cloud.
What This NIST 800-171 Self-Assessment Checklist Is Not
- It is not CMMC Level 2 certification. The Cybersecurity Maturity Model Certification (CMMC) program, governed by 32 CFR Part 170, requires that certain DoD contracts be assessed by an accredited Certified Third-Party Assessment Organization (C3PAO), not just by the contractor themselves. A self-assessment satisfies DFARS 252.204-7020 and the SPRS posting requirement. It does not satisfy a CMMC Level 2 certification requirement. If your upcoming contract will require CMMC Level 2, read our companion guide on what CMMC certification costs and requires.
- It is not permanent. SPRS scores must be updated when your security posture changes materially. The DoD assessment validity window is three years per DFARS 252.204-7019. Treat this as a regular process, not a one-time event.
- It is not optional if DFARS 252.204-7012 is in your contract. A missing SPRS score can block contract award. A false score is fraud.
Frequently Asked Questions
Do I need to hire a consultant to complete a NIST 800-171 self-assessment?
No. The assessment instrument (NIST SP 800-171A) is published free at csrc.nist.gov. The DoD scoring spreadsheet is available at sprs.csd.disa.mil. A small business owner with basic IT literacy and a few days of focused work can complete a self-assessment without paid help. A consultant adds value when your environment is complex (multiple offices, cloud environments, IT subcontractors) or when you want an independent review before submission. APEX Accelerators (apexaccelerators.us) provide free guidance and can help you understand the process at no charge.
What happens if I submit a low score to SPRS?
A low score does not automatically disqualify you. Contracting officers have discretion in how they weigh SPRS data. A realistic score with a credible POA&M showing your remediation plan is generally treated more favorably than a missing score. A missing score, however, can block contract award outright under DFARS 252.204-7019. The real risk of a low score is being selected for a DIBCAC medium or high assessment, where government assessors verify that your actual security posture matches your submitted number.
How long do I have to fix gaps after submitting my score?
DFARS 252.204-7020 sets no separate remediation deadline, but DFARS 252.204-7012 required NIST SP 800-171 to be implemented by December 31, 2017, and SPRS asks you to enter the date by which all POA&M items will be closed, so your POA&M milestones are a commitment, not a wish list. If CMMC Level 2 is in your future, open items must be closed within 180 days of a conditional certification. The practical risk is that DCMA's DIBCAC may select your company for review, at which point they evaluate whether your actual posture matches your score. Set milestones that are ambitious enough to show progress but realistic enough that you can actually meet them.
Is NIST 800-171 the same as CMMC?
No, but they are tightly connected. NIST SP 800-171 is the set of 110 security requirements. CMMC is the government’s certification framework for verifying whether those requirements are implemented. CMMC Level 2 requires all 110 NIST SP 800-171 Rev 2 requirements to be met. For contracts that require CMMC Level 2 certification, a third-party C3PAO assessment is required, not a self-assessment. Completing a self-assessment is preparation for CMMC, not a substitute for it. See our guide on CMMC certification for small businesses for the full picture.
What is a System Security Plan and do I really need one?
A System Security Plan (SSP) is a written document that describes your information systems, the CUI they handle, and how each of the 110 security requirements is addressed. NIST SP 800-171 Rev 2 requirement 3.12.4 requires you to develop, document, and periodically update it. You need one. For a small contractor with a single office and a handful of computers, a credible SSP can be completed in a day using NIST’s free template. Without an SSP, you cannot systematically score yourself or demonstrate a real compliance program to DIBCAC if they audit you.
Does the CUI I handle determine whether NIST 800-171 applies to me?
Yes. NIST SP 800-171 applies to systems that process, store, or transmit CUI. If your contract work does not involve CUI, DFARS 7012 may not apply and the 800-171 requirement may not flow to you. Read the specific clauses in your contract. If DFARS 252.204-7012 is present, treat the requirement as applicable until you confirm otherwise with your contracting officer. For a plain-language explanation of what counts as CUI, see our guide on Controlled Unclassified Information.
Can I use standard commercial cloud storage for CUI?
Not without checking. DFARS 252.204-7012(b)(2)(ii)(D) requires that any external cloud service used for covered defense information meet security requirements equivalent to the FedRAMP Moderate baseline and that the provider comply with the clause's incident reporting, preservation and forensic-access obligations in paragraphs (c) through (g). Do not assume a standard commercial plan qualifies; Microsoft 365 Government Community Cloud (GCC and GCC High) is the Microsoft offering positioned for CUI, and export-controlled CUI generally calls for GCC High. Verify your provider's authorization status at marketplace.fedramp.gov, and its agreement to the 7012 obligations, before storing any covered data.
Your Next Step
If you have DFARS 252.204-7012 in your contract and no SPRS score on record, start with two things: download the free NIST SSP template from csrc.nist.gov and register for SPRS access through the PIEE vendor portal at piee.eb.mil (you will need the SPRS Cyber Vendor User role). Both are free. Both take less than an hour to initiate, though role approval can take days.
If you want free in-person guidance, find your nearest APEX Accelerator at apexaccelerators.us. These are government-funded assistance centers that help small businesses navigate exactly this kind of requirement at no charge.
If your environment is complex enough that a self-assessment feels out of reach, our CMMC guide covers what third-party assessment costs and what to expect from the process.