It almost always happens the same way. A prime contractor — Lockheed, Raytheon, General Dynamics, a Tier-2 sub of one of them, or somebody's purchasing department running a generic cybersecurity supplier questionnaire — emails you a PDF with a question that looks like this:
“Please provide your most recent SPRS NIST SP 800-171 assessment score. Score must be 88 or above for award.”
And if you're a Level 1 contractor — the small machine shop, the IT services firm, the electrical contractor with three federal contracts — the honest answer is that you don't have one of those scores. Not because you forgot. Because the regulation doesn't generate one for your tier.
This post is how to say that without losing the contract.
TL;DR — the 30-second answer
- The 0–110 SPRS score is the NIST SP 800-171 Basic Assessment score required by DFARS 252.204-7019/-7020 for Level 2 contractors.
- As a Level 1 contractor under FAR 52.204-21, you don't generate that score — you instead post an annual Level 1 affirmation in SPRS that's binary (MET / NOT MET).
- Most primes accept the Level 1 affirmation as the correct equivalent the moment you explain it in writing with the regulation cited.
- Do not compute a number to make the form happy. That's the path to a False Claims Act problem.
Why your prime is asking
Primes are not trying to trip you up. They're running the same questionnaire on 200 suppliers because their compliance team wrote it for the worst case — the Level 2 sub with CUI sitting on their network. The question got copied onto every supplier's onboarding packet because that was easier than building two flows. When you push back with the correct answer, their compliance team almost always nods and moves on. They appreciate that you know the regulation.
There are two scoring systems. You're in the other one.
The federal cybersecurity regulation has two parallel regimes. They live in different parts of the FAR/DFARS and they produce different results.
- Level 1 / FAR 52.204-21 regime. Triggered by Federal Contract Information (FCI). 15 safeguarding requirements. Self-assessed annually. Senior-official affirmation posted in SPRS. Result: MET or NOT MET. No 0–110 number.
- Level 2 / DFARS 252.204-7012, -7019, -7020 regime. Triggered by Controlled Unclassified Information (CUI). 110 NIST SP 800-171 controls. Basic Assessment scored on a –203 to +110 scale; minimum 88 to be eligible. Result: numeric SPRS score.
Your prime's questionnaire is asking about the second regime. You are correctly affirming in the first. They are not contradictory; they are not the same.
The exact email to send back
Copy, paste, edit the bracketed bits, and send. Plain English. No need to apologize.
Three sentences you should never say
- “Our score is 110.” — You don't have a 0–110 score, and stating one is a false statement to the federal government once it gets passed up the chain.
- “We're working on getting a SPRS score.” — You aren't. There's nothing to work on. The score does not apply to your tier.
- “Just put zero.” — Zero is a real Level 2 outcome that means “none of the 110 controls implemented” and would torpedo any sub on a DFARS 7012 contract. Don't volunteer a number.
If the prime pushes back
If after your email the prime still insists on a 0–110 number, ask one question:
“Could you share which contract clause is being flowed down to us — FAR 52.204-21, or DFARS 252.204-7012? If 7012 is in the flow-down, we need to know so we can scope accordingly. If it's only 52.204-21, then our Level 1 affirmation is the regulatory match.”
One of two things happens:
- They confirm only FAR 52.204-21 flows down. You're Level 1. Your affirmation is the answer. The conversation ends.
- They confirm DFARS 252.204-7012 flows down. You actually are a Level 2 contractor. The 0–110 score is genuinely required. You need to either implement NIST SP 800-171 and post a real Basic Assessment score, or decline the work. (Read our L1 vs L2 guide for the next step.)
Either outcome is a win — you now know your real obligation in writing.
What to do this week
- Take the free SPRS readiness quiz (4 minutes) to confirm Level 1 actually applies to your contracts.
- If you haven't posted a Level 1 affirmation in SPRS this year, that's the work in front of you. The full sprint takes most small contractors 1–2 weeks of focused effort.
- Save the email template above into your prime-response folder. You'll use it again.
- Subscribe to the Monday Bid Digest — weekly federal opportunities curated for Level 1 contractors.
FAQ
Do Level 1 contractors have a SPRS score?
No. The 0–110 SPRS score is the NIST SP 800-171 Basic Assessment score required by DFARS 252.204-7019/-7020 for Level 2. Level 1 contractors post a binary affirmation (MET / NOT MET) in SPRS.
What do I send my prime instead?
Your most recent annual CMMC Level 1 affirmation: CAGE code, affirmation date, status (MET), and the name and title of the senior official who affirmed. Cite FAR 52.204-21 as your controlling clause.
What if the prime won't accept my Level 1 affirmation?
Ask which contract clause is flowing down. If only FAR 52.204-21, your Level 1 affirmation is regulatorily correct. If DFARS 252.204-7012, you may actually be Level 2 and need to plan accordingly.
Can I just compute a score to satisfy the form?
No. Submitting a fabricated number to SPRS or to a prime is a federal false statement under 18 U.S.C. § 1001 with False Claims Act exposure under 31 U.S.C. § 3729.
How long does a Level 1 affirmation last?
One year. It must be renewed annually by a senior company official under 32 CFR § 170.22.