SPRS Scoring and CMMC Readiness: What Contractors Need to Know

If your organization handles Controlled Unclassified Information (CUI) under a DoD contract, you're required to submit a NIST SP 800-171 self-assessment score into the Supplier Performance Risk System (SPRS). That score — and the documentation behind it — is the foundation your CMMC readiness is built on. Get it wrong, and you're not just risking a failed assessment. Under the False Claims Act, knowingly submitting an inflated score is a legal liability.

This article explains how SPRS scoring works, how it connects to CMMC, and what contractors most commonly get wrong.

What SPRS Is and What It's For

SPRS is the DoD's centralized system for collecting contractor performance data, including cybersecurity compliance. The relevant regulatory hook is DFARS 252.204-7019 and 252.204-7020, which require contractors handling CUI to conduct a NIST SP 800-171 self-assessment and submit the resulting score to SPRS before a contract can be awarded or renewed.

Contracting officers pull SPRS scores when evaluating bids. A score of 110 indicates full implementation of all 110 NIST SP 800-171 Rev 2 controls. A score of -203 indicates significant gaps across all control families. Most organizations fall somewhere in between, and a low score doesn't automatically disqualify you — but it does invite scrutiny, and it needs to be accompanied by a Plan of Action and Milestones (POA&M) documenting how and when gaps will be closed.

How the Scoring Works

The methodology is defined in the DoD Assessment Methodology for NIST SP 800-171. You start at 110 and subtract points for each unimplemented or partially implemented requirement. The deduction varies by control — some requirements carry a one-point penalty, others carry five. Controls in the Access Control (AC) and Identification and Authentication (IA) families tend to carry higher weights.

A few things contractors frequently misunderstand:

  • Partial credit doesn't exist in the same way people assume. A control is either implemented, partially implemented, or not implemented. Partial implementation still results in a deduction — the full deduction for that control. There's no sliding scale.
  • Scope matters. Your score applies to the environment where CUI is stored, processed, or transmitted — your CUI boundary. Controls only need to be implemented within that scope, which is why defining and minimizing your CUI boundary before scoring is worth the effort. A narrower boundary means fewer systems to secure and document.
  • A score of 110 doesn't mean you'll pass a CMMC assessment. Self-assessment and third-party assessment use different evidence standards. Controls you scored as implemented need to be demonstrably, consistently implemented with documentation that survives scrutiny from a C3PAO assessor.
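The scoring rules above, as an added worked example (not code from the article or from Stratify IT): start at 110, deduct each control's full weight unless it is fully implemented, treat partial implementation as a full deduction, order the gaps by weight for remediation, and flag any gap that lacks a POA&M entry. The control subset, the point weights, and the sample assessment are constructed placeholders; the authoritative per-control weights are published in the DoD Assessment Methodology for NIST SP 800-171.

```python
"""SPRS score calculator: added example, not from the article or Stratify IT."""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110   # all 110 NIST SP 800-171 Rev 2 requirements implemented
MIN_SCORE = -203  # every requirement unimplemented

class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partially implemented"
    NOT_IMPLEMENTED = "not implemented"

@dataclass(frozen=True)
class Control:
    cid: str
    family: str
    weight: int  # points deducted when the control is not fully implemented

# Constructed subset with illustrative weights (assumed, not the official values);
# the authoritative per-control weights are in the DoD Assessment Methodology.
SAMPLE_CONTROLS = [
    Control("3.1.1", "AC", 5), Control("3.1.2", "AC", 5), Control("3.5.1", "IA", 5),
    Control("3.5.3", "IA", 5), Control("3.13.1", "SC", 5), Control("3.2.1", "AT", 1),
    Control("3.9.2", "PS", 1), Control("3.14.1", "SI", 1),
]

def gaps(assessment, controls=SAMPLE_CONTROLS):
    """Controls not fully implemented, highest weight first (the remediation order
    the article recommends). A control absent from the assessment is a gap."""
    g = [c for c in controls
         if assessment.get(c.cid, Status.NOT_IMPLEMENTED) is not Status.IMPLEMENTED]
    return sorted(g, key=lambda c: (-c.weight, c.cid))

def sprs_score(assessment, controls=SAMPLE_CONTROLS):
    """Start at 110 and subtract the full weight of every gap. Partial
    implementation costs the same as none: there is no sliding scale."""
    total = MAX_SCORE - sum(c.weight for c in gaps(assessment, controls))
    assert MIN_SCORE <= total <= MAX_SCORE, "score outside the possible range"
    return total

def gaps_without_poam(assessment, poam_ids, controls=SAMPLE_CONTROLS):
    """Every gap needs a POA&M entry; these are the ones that would undermine a submission."""
    return [c.cid for c in gaps(assessment, controls) if c.cid not in poam_ids]

# Constructed assessment: MFA only partially rolled out, no CUI boundary segmentation,
# no security awareness training; everything else in the subset is implemented.
EXAMPLE = {"3.1.1": Status.IMPLEMENTED, "3.1.2": Status.IMPLEMENTED,
           "3.5.1": Status.IMPLEMENTED, "3.5.3": Status.PARTIAL,
           "3.13.1": Status.NOT_IMPLEMENTED, "3.2.1": Status.NOT_IMPLEMENTED,
           "3.9.2": Status.IMPLEMENTED, "3.14.1": Status.IMPLEMENTED}
```

Running `sprs_score(EXAMPLE)` gives 99 for this subset: the partially implemented MFA control loses the same five points as the missing segmentation control.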

The SPRS-to-CMMC Connection

CMMC Level 2 is built on the same 110 controls as NIST SP 800-171 Rev 2 — the same controls your SPRS score is based on. The difference is verification: SPRS is self-reported, while CMMC Level 2 (for most contractors) requires a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO).

Your SPRS score is effectively a preview of where you'll land when a C3PAO assessor walks in. A score in the 80s or 90s suggests meaningful gaps that will surface during assessment. A score of 110 with thin or missing documentation is also a problem — assessors aren't just looking at whether a control exists, they're looking for evidence that it's consistently implemented and that your team understands how it works.

CMMC also introduces the concept of SPRS score accuracy as an ongoing obligation. Under DFARS 252.204-7020, contractors must have their score affirmed by a senior company official, creating personal accountability for the accuracy of what's submitted.

Required Documentation

Two documents are non-negotiable for both SPRS and CMMC readiness:

System Security Plan (SSP): The SSP describes your CUI environment — what systems are in scope, how each NIST SP 800-171 control is implemented (or why it's not), network architecture, user roles, and interconnections with external systems. It's both your primary self-assessment evidence and the document a C3PAO assessor uses to understand your environment before the assessment begins. An SSP that's sparse, outdated, or inconsistent with what your systems actually do is one of the most common assessment failures.

Plan of Action and Milestones (POA&M): Any control that isn't fully implemented requires a POA&M entry documenting the gap, the planned remediation, the responsible party, and the target completion date. The POA&M isn't an admission of failure — it's evidence that you've identified gaps and have a credible plan to close them. Submitting a score without a POA&M for unimplemented controls, or submitting a POA&M with no realistic timelines, undermines the credibility of the entire submission.

Additional documentation that supports both SPRS and CMMC includes incident response plans, configuration baselines, user training records, access control policies, and vulnerability scan reports. These don't need to be elaborate, but they need to exist and reflect current practice.

Where Contractors Go Wrong

Inflating the score. This is the highest-risk mistake. Submitting a score of 110 when controls aren't actually implemented — or aren't implemented consistently — creates False Claims Act exposure. In March 2025, MORSE Corp, a Massachusetts defense contractor, paid $4.6 million to settle DoJ allegations that it submitted a self-assessed SPRS score of 104 while its actual score — determined by a third-party consultant — was -142. Only 22% of controls were implemented. A whistleblower employee initiated the case and received $851,000 of the settlement. A defensible score that accurately reflects your current state is always better than an inflated score that doesn't hold up.

Scoring the wrong environment. If your CUI boundary is poorly defined, you may be scoring systems that aren't actually in scope, or — more dangerously — failing to score systems that are. CUI can exist in email, shared drives, collaboration tools, and endpoints, not just the server you designated as your "CUI system."

Treating the SSP as a one-time document. The SSP needs to reflect your current environment. If you migrated to a new cloud platform, added remote access capabilities, or changed your network architecture since the last update, your SSP is inaccurate — and an assessor will notice the discrepancy.

No POA&M for known gaps. Contractors sometimes omit POA&M entries for controls they've been meaning to address but haven't prioritized. The gap still exists; not documenting it doesn't make it go away. It just makes the submission less credible.

Waiting until a contract requires CMMC. CMMC assessments take time to prepare for and schedule. C3PAO capacity has been limited during the ramp-up period. Organizations that start remediation six months before a contract deadline typically don't have enough runway to close meaningful gaps, remediate documentation, and book an assessment slot.

Improving Your Score Practically

Start with a gap assessment against all 110 NIST SP 800-171 Rev 2 controls mapped to your actual environment — not a generic questionnaire, but a technical review of what's implemented, what's partially implemented, and what's missing. This produces a prioritized remediation list.

Focus first on the high-weight controls — Access Control (AC), Identification and Authentication (IA), and System and Communications Protection (SC) carry the most scoring weight and the highest assessor attention. MFA on all CUI-adjacent systems, role-based access controls with documented justification, and network segmentation isolating your CUI boundary are the most common gaps and the most impactful to close.

Once gaps are remediated, update your SSP to reflect the changes, update your SPRS submission, and maintain the documentation that evidences the controls are working. CMMC assessors will ask to see logs, configuration screenshots, training records, and policy acknowledgment signatures — not just policy documents.

Reach out to Stratify IT to schedule a NIST SP 800-171 gap assessment — we'll evaluate your current controls against your CUI environment, identify scoring gaps, and build a remediation roadmap with realistic timelines ahead of your CMMC assessment.

Learn more about our CMMC compliance services to see the full range of what we offer.

Stratify IT — compliance built around your business, not a template.

For more on CMMC readiness and DFARS compliance, explore our leadership blogs.

Frequently Asked Questions

SPRS scoring is a self-assessment method based on NIST SP 800-171 where contractors submit their cybersecurity compliance score to the DoD. It is a required step for organizations handling Controlled Unclassified Information (CUI) and pursuing CMMC readiness.

Your SPRS score reflects your current compliance with NIST SP 800-171, which forms the foundation of CMMC. A higher score indicates better readiness for passing a CMMC assessment.

The maximum SPRS score is 110. While not all organizations achieve a perfect score, higher scores significantly improve your chances of meeting CMMC compliance requirements and securing DoD contracts.

Yes, a low or outdated SPRS score can impact your eligibility for DoD contracts, as contracting officers use it to assess cybersecurity risk before awarding work.

Organizations can improve their SPRS score by conducting a NIST SP 800-171 gap analysis, implementing missing controls, updating documentation like SSPs and POA&Ms, and regularly reassessing their compliance posture.

Yes, SPRS scoring is required under DFARS regulations and serves as a prerequisite for organizations preparing for CMMC certification and DoD compliance.

Sharad Suthar

Sharad has a proven track record of delivering successful IT projects underpinned by creative problem-solving and strategic thinking. He brings an extraordinary combination of in-depth technical knowledge, problem-solving skills, and dedication to client satisfaction that enables him and his team at Stratify IT to deliver optimal IT solutions tailored to the specific needs of each organization, from large corporates to small businesses. His impeccable attention to detail and accuracy ensure that his clients get the best possible results.