It usually arrives on a Wednesday afternoon, in an email with the subject line “Cybersecurity self-assessment request.” Your prime contractor — Lockheed, RTX, Booz, GDIT, take your pick — needs your SPRS score by end of week, or your subcontract is at risk. You've never heard of SPRS. You're an engineering company, not a cybersecurity company.
This guide tells you exactly what SPRS is, what your score means, what to send your prime, and how to fix a low number fast.
What SPRS actually is
SPRS is the Supplier Performance Risk System — the Department of Defense's central database for tracking how risky a contractor is to do business with. It's run by the Naval Sea Systems Command (NAVSEA) and lives at sprs.csd.disa.mil. There are several scores in SPRS — price risk, item risk, supplier risk — but the one your prime cares about is your NIST SP 800-171 self-assessment score, sometimes called the “Basic Assessment” score or the “cyber score.”
Under DFARS 252.204-7019/7020, anyone handling Controlled Unclassified Information (CUI) on a DoD contract has to post a current NIST 800-171 score in SPRS. And under the new CMMC rule, anyone handling FCI has to also file a CMMC Level 1 affirmation. Most primes ask for both.
How the score is calculated
The NIST 800-171 score starts at +110. For every control you don't fully meet, points are subtracted. Some controls are worth 5 points, some are worth 3, some are worth 1. There are 110 controls and the worst possible score is -203 (negative two hundred three) because some controls have multiple components and weighted deductions.
| Score range | What it means | Prime's typical reaction |
|---|---|---|
| +110 | All NIST 800-171 controls implemented. Perfect score. | Pass-through. You're bid-eligible everywhere. |
| +88 to +109 | A handful of controls partial or missing. | Generally accepted; many primes require a POA&M. |
| +50 to +87 | Significant gaps. POA&M required. | Some primes will flow down work, some won't. |
| 0 to +49 | Major gaps. Most primes will require remediation before award. | You're losing the bid in this range. |
| Negative score | Most NIST controls not implemented. | Effectively non-affirming. Lose the contract. |
For CMMC Level 1, the math is simpler: you either implement all 15 safeguarding requirements and affirm, or you don't. The SPRS record shows either “Affirmed” with a date or it doesn't.
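As an added worked example (not from this guide or from Custodia), the scoring rule above in Python: start at +110, subtract each unmet control's weight, map the total onto the bands in the table, and list the unmet controls heaviest-first as a starting point for a POA&M. The control IDs, weights and statuses in the sample are constructed; real weights come from the DoD assessment methodology.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

START_SCORE = 110   # perfect score: every control fully implemented
SCORE_FLOOR = -203  # every control missed, per the guide

# Bands from the table above as (lower bound, label); checked top-down.
BANDS = [(110, "perfect"), (88, "minor gaps"), (50, "significant gaps"),
         (0, "major gaps"), (SCORE_FLOOR, "negative")]

@dataclass(frozen=True)
class ControlResult:
    control_id: str                  # NIST SP 800-171 requirement id
    weight: int                      # 5, 3 or 1 points
    status: str                      # "implemented", "partial", "not_implemented"
    partial_deduction: Optional[int] = None  # set only where the methodology grants partial credit

def deduction(r: ControlResult) -> int:
    """Points subtracted for one control. 'Partial' costs the full weight
    unless the methodology explicitly allows a reduced deduction for it."""
    if r.weight not in (1, 3, 5):
        raise ValueError(f"{r.control_id}: weight must be 1, 3 or 5")
    if r.status == "implemented":
        return 0
    if r.status == "partial" and r.partial_deduction is not None:
        return r.partial_deduction
    if r.status in ("partial", "not_implemented"):
        return r.weight
    raise ValueError(f"{r.control_id}: unknown status {r.status!r}")

def sprs_score(results: Iterable[ControlResult]) -> int:
    return START_SCORE - sum(deduction(r) for r in results)

def score_band(score: int) -> str:
    if not SCORE_FLOOR <= score <= START_SCORE:
        raise ValueError(f"score {score} outside {SCORE_FLOOR}..{START_SCORE}")
    return next(label for floor, label in BANDS if score >= floor)

def poam_order(results: Iterable[ControlResult]) -> list[tuple[str, int]]:
    """Unmet controls, heaviest deduction first: the order to remediate."""
    unmet = [(r.control_id, deduction(r)) for r in results if deduction(r)]
    return sorted(unmet, key=lambda item: -item[1])

# Constructed sample assessment (weights and statuses are illustrative only).
SAMPLE = [
    ControlResult("3.1.1", 5, "implemented"),
    ControlResult("3.5.2", 5, "not_implemented"),
    ControlResult("3.14.2", 5, "not_implemented"),
    ControlResult("3.3.2", 3, "partial"),           # no partial credit -> full 3
    ControlResult("3.1.20", 1, "not_implemented"),
]

if __name__ == "__main__":
    total = sprs_score(SAMPLE)
    print(total, score_band(total), poam_order(SAMPLE))
```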
Where to find your score
1. Log into SPRS using your PIEE (Procurement Integrated Enterprise Environment) credentials. (If you don't have PIEE access, you have to request it through SAM.gov first; that takes about 5 business days.)
2. Click NIST SP 800-171 Assessments in the left nav. Your most recent submitted score is at the top.
3. For CMMC Level 1, click CMMC Status — your affirmation date and the affirming senior official are listed there.
4. Hit Print/Export to get the PDF version your prime wants.
What to send when a prime asks
Primes don't want your SSP. They don't want your evidence ZIP. They want one PDF and a one-paragraph email. Here's the template that works:
The PDFs you attach: the SPRS export from step 4 above, plus your signed CMMC L1 affirmation memo. That's it. Don't volunteer the SSP unless they specifically ask — it's 30+ pages and creates more questions than it answers.
How to fix a low score in a week
If your prime just asked and your score is under 88 (or you have no CMMC L1 affirmation on file), you have roughly five business days to act. Here's the right order:
- Take the free SPRS quiz — the Custodia SPRS quiz scores you against all 15 CMMC L1 safeguarding requirements in 4 minutes and tells you exactly what's missing.
- Hit the high-leverage controls first. MFA (IA.L1-3.5.2), endpoint antivirus (SI.L1-3.14.2), and authorized-users roster (AC.L1-3.1.1) are typically the three biggest score movers. All three are configurable in M365 / Google Workspace in under an hour each.
- Build the artifact pack. Authorized users roster, role matrix, visitor log, media disposal log, patch log, antivirus inventory, network boundary inventory. Those seven CSVs cover ~80% of evidence.
- Draft your SSP. One paragraph per practice describing how it's implemented. Custodia auto-drafts these from your inputs.
- Sign and submit. Senior official signs the affirmation memo, you log into SPRS, you file the CMMC Level 1 affirmation. Done.
Most Custodia customers go from “prime just asked” to “affirmation filed” in 3–5 business days using the platform. The 7-day free trial covers the entire build — no credit card required.
False Claims Act exposure (read this)
The way to stay clear of it is simple and structural: don't inflate your score. If a control isn't fully implemented, mark it as such, write a Plan of Action & Milestones (POA&M), and remediate. The DOJ doesn't prosecute honest gaps with a remediation plan. It prosecutes inflated attestations.
FAQ
How long is a SPRS score valid?
NIST 800-171 self-assessments are valid for 3 years from submission. CMMC Level 1 affirmations are annual — you re-affirm every year.
Can I edit my score after submitting?
Yes. You can re-submit anytime. The most recent score in SPRS is what primes see.
What if I don't have CUI, just FCI?
You only need CMMC Level 1 (the 15-requirement affirmation), not the 110-control NIST 800-171 score. Here's the difference.
How do I get PIEE access?
Register at piee.eb.mil, request the SPRS role, get your supervisor to approve. Takes about 5 business days end-to-end.
“The contractors who lose work to SPRS aren't the ones with gaps. They're the ones who didn't answer the prime's email by Monday.” — The Custodia Compliance Team