SPRS Scoring and CMMC Readiness: What Contractors Need to Know
If your organization handles Controlled Unclassified Information (CUI) under a DoD contract, you're required to submit a NIST SP 800-171 self-assessment score into the Supplier Performance Risk System (SPRS). SPRS scoring is one piece of the broader CMMC compliance picture; our complete CMMC compliance guide covers how scoring, certification levels, and the assessment process connect. That score, and the documentation behind it, is the foundation your CMMC readiness is built on. Get it wrong, and you're not just risking a failed assessment: under the False Claims Act, knowingly submitting an inflated score is a legal liability.
What SPRS Is and What It's For
SPRS is the DoD's centralized system for collecting contractor performance and risk data, including cybersecurity compliance. The regulatory hooks are DFARS 252.204-7019, which requires an offeror handling CUI to have a current NIST SP 800-171 self-assessment score posted in SPRS before it can be considered for award, and DFARS 252.204-7020, which sets out the assessment requirements, gives DoD access to conduct higher-level assessments, and flows the same obligations down to subcontractors.
Contracting officers pull SPRS scores when evaluating bids. A score of 110 indicates full implementation of all 110 NIST SP 800-171 Rev 2 requirements. A score of -203, the floor of the scale, means none of them is implemented. Most organizations fall somewhere in between. A low score doesn't automatically disqualify you, but it does invite scrutiny, and your submission must state the date by which you expect to reach full implementation, a date that should be backed by a Plan of Action and Milestones (POA&M) documenting how and when each gap will be closed.
How the Scoring Works
The methodology is defined in the DoD Assessment Methodology for NIST SP 800-171. You start at 110 and subtract points for each requirement that is not fully implemented. The deduction is fixed per requirement and is either 1, 3, or 5 points: 5 points for requirements whose absence exposes CUI directly (basic access control, authentication, audit logging, malware protection), 3 points for requirements with a more specific and confined effect, and 1 point for the rest. Many of the 5-point requirements sit in the Access Control (AC), Identification and Authentication (IA), Configuration Management (CM), and System and Communications Protection (SC) families, which is why gaps there move the score fastest.
A few things contractors frequently misunderstand:
- Partial credit almost never exists. A requirement is either implemented, partially implemented, or not implemented, and partial implementation takes the full deduction for that requirement. The methodology carves out exactly two exceptions: multifactor authentication (3.5.3) scores a 3-point rather than 5-point deduction when MFA covers remote and privileged access but not general users, and FIPS-validated cryptography (3.13.11) scores 3 rather than 5 when encryption is in place but the modules are not FIPS-validated. For every other requirement there is no sliding scale.
- Scope matters. Your score applies to the environment where CUI is stored, processed, or transmitted, your CUI boundary. Controls only need to be implemented within that scope, which is why defining and minimizing your CUI boundary before scoring is worth the effort. A narrower boundary means fewer systems to secure and document.
- A score of 110 doesn't mean you'll pass a CMMC assessment. Self-assessment and third-party assessment use different evidence standards. Controls you scored as implemented need to be demonstrably, consistently implemented with documentation that survives scrutiny from a C3PAO assessor.
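To make the arithmetic concrete, here is a small scorer that applies the rules above to an assessment worksheet: start at 110, subtract each requirement's fixed weight when it is not fully implemented, give the reduced deduction only to 3.5.3 and 3.13.11, and emit a POA&M entry for every deduction. This is an added example, not DoD's own tooling; the weight table and the worksheet in it are a constructed sample of a few requirements, so take the real per-requirement weights for all 110 rows from Annex A of the DoD Assessment Methodology before relying on any computed score.

```python
from __future__ import annotations

from dataclasses import dataclass

MAX_SCORE = 110   # all 110 requirements implemented
MIN_SCORE = -203  # the methodology's floor: nothing implemented

# Requirement -> points deducted when not implemented.
# CONSTRUCTED SAMPLE for illustration only. The authoritative table is
# Annex A of the DoD Assessment Methodology and covers all 110 requirements;
# any requirement absent from this dict contributes no deduction here.
WEIGHTS: dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.22": 1,
    "3.5.1": 5, "3.5.2": 5, "3.5.3": 5,
    "3.13.11": 5,
}

# The only two requirements that earn a reduced deduction when partially met:
# 3.5.3 (MFA for remote/privileged access but not all users) and
# 3.13.11 (encryption in use but not FIPS-validated) each lose 3 instead of 5.
PARTIAL_CREDIT: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = {"implemented", "partial", "not_implemented"}


@dataclass
class PoamEntry:
    requirement: str
    status: str
    points: int  # score recovered when this entry is closed


def deduction(requirement: str, status: str) -> int:
    """Points lost for one requirement under the methodology."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{requirement}: unknown status {status!r}")
    if status == "implemented":
        return 0
    full = WEIGHTS[requirement]
    if status == "partial":
        # Partial implementation takes the full deduction unless the
        # methodology explicitly lists a reduced value for that requirement.
        return PARTIAL_CREDIT.get(requirement, full)
    return full


def score(statuses: dict[str, str]) -> tuple[int, list[PoamEntry]]:
    """Return (SPRS score, POA&M entries) for a worksheet of statuses.

    Every requirement in WEIGHTS must be assessed: a requirement with no
    recorded status cannot honestly be reported as implemented, so it is
    an error rather than silently treated as a pass.
    """
    missing = WEIGHTS.keys() - statuses.keys()
    if missing:
        raise ValueError(f"unassessed requirements: {sorted(missing)}")
    total = MAX_SCORE
    poam: list[PoamEntry] = []
    for req in WEIGHTS:
        lost = deduction(req, statuses[req])
        total -= lost
        if lost:
            poam.append(PoamEntry(req, statuses[req], lost))
    return max(total, MIN_SCORE), poam


def affirmation_gap(claimed: int, computed: int) -> int:
    """How far a score posted to SPRS sits above what the evidence supports."""
    return claimed - computed


# Constructed worksheet for a hypothetical contractor (not real assessment data).
SAMPLE_WORKSHEET: dict[str, str] = {
    "3.1.1": "implemented", "3.1.2": "implemented",
    "3.1.3": "not_implemented",        # no enforced CUI flow controls
    "3.1.22": "implemented",
    "3.5.1": "implemented", "3.5.2": "implemented",
    "3.5.3": "partial",                # MFA on VPN and admin accounts only
    "3.13.11": "not_implemented",      # CUI crosses an internal link in the clear
}


def main() -> None:
    total, poam = score(SAMPLE_WORKSHEET)
    print(f"SPRS score: {total}")
    for entry in poam:
        print(f"POA&M  {entry.requirement:8} {entry.status:16} recovers {entry.points}")
    print(f"gap if 110 were claimed: {affirmation_gap(110, total)}")


if __name__ == "__main__":
    main()
```

Note that the worksheet with MFA only on remote and privileged accounts loses 3 points, not 5, while any other requirement marked "partial" loses its full weight, and a missing row is an error rather than a free pass, which is the behaviour you want from anything that feeds a score a senior official will affirm.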
The SPRS-to-CMMC Connection
CMMC Level 2 is built on the same 110 controls as NIST SP 800-171 Rev 2, the same controls your SPRS score is based on. The difference is verification: SPRS is self-reported, CMMC Level 2 (for most contractors) requires a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO).
Your SPRS score is effectively a preview of where you'll land when a C3PAO assessor walks in. A score in the 80s or 90s suggests meaningful gaps that will surface during assessment. A score of 110 with thin or missing documentation is also a problem, assessors aren't just looking at whether a control exists, they're looking for evidence that it's consistently implemented and that your team understands how it works.
CMMC also makes score accuracy an ongoing, personal obligation. The CMMC program rule (32 CFR Part 170) requires a senior company official to affirm in SPRS that the organization meets the requirements at the time of the assessment and annually thereafter, so the accuracy of what's submitted is tied to a named individual, not just to the company.
Required Documentation
Two documents are non-negotiable for both SPRS and CMMC readiness:
System Security Plan (SSP): The SSP describes your CUI environment, what systems are in scope, how each NIST SP 800-171 control is implemented (or why it's not), network architecture, user roles, and interconnections with external systems. It's both your primary self-assessment evidence and the document a C3PAO assessor uses to understand your environment before the assessment begins. An SSP that's sparse, outdated, or inconsistent with what your systems actually do is one of the most common assessment failures.
Plan of Action and Milestones (POA&M): Any control that isn't fully implemented requires a POA&M entry documenting the gap, the planned remediation, the responsible party, and the target completion date. The POA&M isn't an admission of failure, it's evidence that you've identified gaps and have a credible plan to close them. Submitting a score without a POA&M for unimplemented controls, or submitting a POA&M with no realistic timelines, undermines the credibility of the entire submission.
Additional documentation that supports both SPRS and CMMC includes incident response plans, configuration baselines, user training records, access control policies, and vulnerability scan reports. These don't need to be elaborate, but they need to exist and reflect current practice.
Where Contractors Go Wrong
Inflating the score. This is the highest-risk mistake. Submitting a score of 110 when controls aren't actually implemented, or aren't implemented consistently, creates False Claims Act exposure. In March 2025, MORSE Corp, a Massachusetts defense contractor, paid $4.6 million to settle DoJ allegations that it submitted a self-assessed SPRS score of 104 while its actual score, determined by a third-party consultant, was -142. Only 22% of controls were implemented. A whistleblower employee initiated the case and received $851,000 of the settlement. A defensible score that accurately reflects your current state is always better than an inflated score that doesn't hold up.
Scoring the wrong environment. If your CUI boundary is poorly defined, you may be scoring systems that aren't actually in scope, or, more dangerously, failing to score systems that are. CUI can exist in email, shared drives, collaboration tools, and endpoints, not just the server you designated as your "CUI system."
Treating the SSP as a one-time document. The SSP needs to reflect your current environment. If you migrated to a new cloud platform, added remote access capabilities, or changed your network architecture since the last update, your SSP is inaccurate, and an assessor will notice the discrepancy.
No POA&M for known gaps. Contractors sometimes omit POA&M entries for controls they've been meaning to address but haven't prioritized. The gap still exists; not documenting it doesn't make it go away. It just makes the submission less credible.
Waiting until a contract requires CMMC. CMMC assessments take time to prepare for and schedule. C3PAO capacity has been limited during the ramp-up period. Starting remediation six months before a contract deadline typically means not having enough runway to close meaningful gaps, remediate documentation, and book an assessment slot.
Improving Your Score Practically
Start with a gap assessment against all 110 NIST SP 800-171 Rev 2 controls mapped to your actual environment, not a generic questionnaire, but a technical review of what's implemented, what's partially implemented, and what's missing. This produces a prioritized remediation list.
Focus first on the high-weight controls. Access Control (AC), Identification and Authentication (IA), and System and Communications Protection (SC) carry the most scoring weight and draw the most assessor attention. MFA on all systems that can reach CUI, role-based access with documented justification, and network segmentation that isolates the CUI boundary are the most common gaps, and closing them recovers the most points per change.
Once gaps are remediated, update your SSP to reflect the changes, update your SPRS submission, and maintain the documentation that evidences the controls are working. CMMC assessors will ask to see logs, configuration screenshots, training records, and policy acknowledgment signatures, not just policy documents.
For a full picture of how SPRS scores connect to C3PAO assessment readiness and Phase 2 timelines, see our CMMC compliance guide for small defense contractors.
Reach out to Stratify IT to schedule a NIST SP 800-171 gap assessment, we'll evaluate your current controls against your CUI environment, identify scoring gaps, and build a remediation roadmap with realistic timelines ahead of your CMMC assessment.
Your SPRS score is the baseline a C3PAO starts from; how C3PAO assessments use that documentation is covered in our article on the CMMC ecosystem and the role of C3PAOs. For contractors trying to close scoring gaps without overextending their remediation budget, our article on reducing CMMC compliance costs covers how to sequence remediation to maximize score improvement per dollar spent.
Frequently Asked Questions
Technically, a low score with a solid POA&M shouldn't disqualify you outright, but contracting officers have discretion, and in competitive bids, a score well below zero is a real disadvantage. Some program offices set informal thresholds, and a score in the negative triple digits with vague remediation timelines will raise flags regardless of whether a POA&M exists. The quality and credibility of your POA&M matters as much as the score itself.
DFARS 252.204-7019 requires your posted score to be current, which the clause defines as not more than three years old, at the time of award, and it lets you post an updated score whenever you complete a new self-assessment. In practice you should resubmit whenever the score you've posted no longer reflects reality, whether because you implemented new controls or because you discovered gaps, since knowingly leaving an inaccurate score on file carries the same False Claims Act exposure as submitting one. Most compliance practitioners recommend reviewing the score at least annually, and definitely before a contract renewal or new award. A significant change to the environment, such as new systems, new CUI flows, or a vendor change, is also a trigger for reassessment, not just a calendar date.
The FCA allows the government to pursue treble damages, three times the loss it suffered, plus a civil penalty for each false claim. The 2022 Aerojet Rocketdyne settlement, in which the company paid $9 million to resolve allegations that it misrepresented its compliance with DoD cybersecurity requirements, is the clearest example of how this plays out. Intent matters legally, but 'we misunderstood the controls' is a difficult defense when assessors find systemic gaps. Documented good faith and a credible POA&M are your best protection, but they don't eliminate liability.
Subcontractors handling CUI need their own SPRS scores. The flowdown requirements under DFARS 252.204-7020 are explicit, primes are responsible for ensuring their subs comply, which means you can't umbrella a subcontractor under your own submission. If a sub is touching CUI and doesn't have a valid score on file, that's a compliance gap that sits with both parties. Primes increasingly ask subs to provide their CAGE code and SPRS score as part of subcontracting agreements.
Once a C3PAO completes a CMMC Level 2 assessment, that certified result effectively supersedes your self-assessed SPRS score for contracts requiring Level 2 certification. You'll still maintain a score in SPRS, but the weight shifts to the certified assessment outcome. The practical implication: if your self-assessed score was generous and the C3PAO finds significant gaps, you're looking at a failed certification and a suddenly credible FCA exposure window. Treat the gap between the two as your highest-priority risk.
Any system that processes, stores, or transmits CUI falls within scope, and that includes cloud environments. Microsoft 365 GCC High is built for DoD and CUI workloads, and Microsoft publishes a customer responsibility matrix for NIST SP 800-171 detailing which controls Microsoft handles versus which remain your responsibility. The mistake most contractors make is assuming a FedRAMP-authorized cloud service means those controls are simply checked off. You still need to configure the tenant correctly, document the shared responsibility split in your SSP, and verify that your tenant settings (conditional access policies, data loss prevention rules, audit log retention, external sharing limits) actually enforce the controls you're claiming.