SPRS Score
Also known as: NIST 800-171 Assessment Score
An SPRS score is a numerical NIST SP 800-171 self-assessment score, ranging from a maximum of +110 down to a possible -203, calculated using the DoD Assessment Methodology by subtracting weighted point values for unimplemented controls. SPRS scores are required at CMMC Level 2 and above — Level 1 is binary MET/NOT MET with no numerical score.
Related terms
- NIST SP 800-171
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2 — but is not used at Level 1, which is based on the 15 safeguarding requirements in FAR 52.204-21.
- Supplier Performance Risk System
The Supplier Performance Risk System (SPRS) is the Department of Defense system of record where contractors post their NIST SP 800-171 assessment scores and CMMC affirmations. Contracting officers verify SPRS entries before award on solicitations that include DFARS 252.204-7019, -7020, or -7021.
- DFARS 252.204-7019
DFARS 252.204-7019 requires offerors on DoD solicitations involving CUI to post a current NIST SP 800-171 self-assessment score in the Supplier Performance Risk System (SPRS) before they are eligible for award. The score must not be more than three years old at the time of the offer.