A prime contractor calls a small San Diego machine shop that has held a Department of Defense (DoD) subcontract for two years. The prime needs the shop's Supplier Performance Risk System (SPRS) score before the next task order can be issued. The owner has never heard of SPRS, has never run a National Institute of Standards and Technology (NIST) Special Publication 800-171 self-assessment, and now has a deadline measured in days. If you hold a contract with the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, the obligation to self-assess and post a score has existed since the DFARS Assessment clause 252.204-7019 took effect. Most small subcontractors were never told.
This post walks through what the score is, how the math works, and how to post it. It is the map you need before you start.
What the score represents
NIST 800-171 contains 110 security requirements. These are the controls that protect Controlled Unclassified Information (CUI) on a contractor's systems. The DoD Assessment Methodology converts your compliance with those 110 requirements into a single number that gets posted in SPRS.
The math is subtractive, not additive. You begin at 110, a perfect score, and you deduct points for every requirement you do not fully meet. You lose points for the controls you do not have. The result can be as high as 110 and as low as negative 203. A negative score is normal for a company that has never done security work. It is not a failing grade. It is a starting position.
Why some gaps cost more than others
Every unmet requirement is worth 5 points, 3 points, or 1 point, depending on how much risk the gap creates. The weighting comes straight from the DoD methodology, and it is the single most useful thing to understand before you self-assess.
The 5 point requirements are the ones that, if missing, leave the door wide open. Multifactor authentication for network access is a 5 point control. So is limiting system access to authorized users, and so is monitoring and controlling remote access sessions. Miss a handful of these and you are 25 or 30 points underwater before you look at anything else.
The 3 point requirements are serious but more contained. The 1 point requirements are housekeeping. This weighting is why two companies with 40 open gaps each can post wildly different scores. The company that closed its 5 point items first looks far better, and the math rewards that order of operations. When we raise a client's score, we close the 5 point controls first for exactly this reason.
Most requirements are all or nothing. You either meet the requirement fully, or you take the full deduction. A small number, such as multifactor authentication and FIPS validated encryption, carry partial credit when the control covers part of your environment rather than none of it.
A worked example
Picture a 12 person subcontractor with a typical small office network and a Microsoft 365 tenant. They have passwords but no multifactor authentication, no written security policies, no logging anyone reviews, no encryption on their laptops, and no documented list of who is allowed to touch CUI.
Their assessment finds 30 open requirements: eight of the 5 point controls, twelve of the 3 point controls, and ten of the 1 point controls. The math is 110 minus 40 minus 36 minus 10, which lands at a score of 24.
Now they spend a focused month. They turn on multifactor authentication across the tenant, which closes several 5 point items at once. They enable disk encryption, largely a configuration change on modern hardware. They write the access control and incident response policies they were missing. Those moves alone can swing a score by 30 or 40 points without buying a single new tool. A 24 becoming an 88 in one quarter is an ordinary outcome. The worst looking scores often have the cheapest fixes.
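The arithmetic above, as an added example that is not the post's own code: it scores the 12-person shop before and after the month of work, including the partial-credit case the post mentions. Only 3.5.3 (MFA) and 3.13.11 (FIPS-validated encryption) are real requirement identifiers; the other IDs are constructed placeholders, and the 3-point partial deduction for those two controls is taken from the DoD methodology, not stated in this post.

```python
# Added example (not the post's code): subtractive SPRS arithmetic from the
# DoD Assessment Methodology. Only 3.5.3 and 3.13.11 are real IDs.
from dataclasses import dataclass

MAX_SCORE, MIN_SCORE = 110, -203
# Partial credit exists only for these two controls. The 3-point partial
# deduction is the methodology's value, assumed here; the post gives no number.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

@dataclass(frozen=True)
class Gap:
    req_id: str            # NIST SP 800-171 requirement identifier
    weight: int            # 5, 3 or 1 per the methodology
    partial: bool = False  # control covers part of the environment, not none

def deduction(gap: Gap) -> int:
    """Points lost for one unmet requirement."""
    if gap.weight not in (5, 3, 1):
        raise ValueError(f"{gap.req_id}: weight must be 5, 3 or 1")
    if gap.partial and gap.req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[gap.req_id]
    return gap.weight  # everything else is all or nothing: 'mostly' costs full points

def sprs_score(gaps) -> int:
    score = MAX_SCORE - sum(deduction(g) for g in gaps)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError("score outside the methodology's range")
    return score

def shop_before() -> list:
    """The post's 12-person shop: 8 five-point, 12 three-point, 10 one-point gaps."""
    fives = [Gap("3.5.3", 5), Gap("3.13.11", 5)] + [Gap(f"5pt-{i}", 5) for i in range(6)]
    return fives + [Gap(f"3pt-{i}", 3) for i in range(12)] + [Gap(f"1pt-{i}", 1) for i in range(10)]

def shop_after(gaps) -> list:
    """A month of work: MFA on (closes 3.5.3 plus three other 5-point gaps),
    disk encryption on but not yet FIPS validated (partial), six policies written."""
    closed = {"3.5.3", "5pt-0", "5pt-1", "5pt-2"} | {f"3pt-{i}" for i in range(6)}
    remaining = []
    for g in gaps:
        if g.req_id in closed:
            continue  # requirement genuinely met: no deduction
        if g.req_id == "3.13.11":
            g = Gap(g.req_id, g.weight, partial=True)  # 5-point gap becomes a 3-point gap
        remaining.append(g)
    return remaining

if __name__ == "__main__":
    print("before:", sprs_score(shop_before()))               # 24
    print("after: ", sprs_score(shop_after(shop_before())))  # 64
```

The 40-point swing comes entirely from closing 5-point items first and converting one all-or-nothing gap into a partial one; no 1-point housekeeping item was touched.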
The Plan of Action and Milestones
You do not need a score of 110 to bid or to keep a subcontract today. You need an honest score and a credible plan to close what remains. That plan is the Plan of Action and Milestones (POA&M). For every requirement you cannot meet yet, you record what you will do and the date you will finish, then update the score in SPRS once the requirement is genuinely closed.
Honesty matters here more than people expect. The self-assessment is a representation to the government. Posting a 105 when the real number is 40 is a false statement that can carry liability under the civil False Claims Act. Companies talk themselves into a generous score because a control was "mostly" in place. Mostly is a deduction. Score it honestly, then fix it.
How to submit the score
The mechanics trip people up more than the math does. Posting a score requires a few pieces to be in place first.
You need an active registration in the System for Award Management at sam.gov, because SPRS keys off your entity. You need a Procurement Integrated Enterprise Environment (PIEE) account with the SPRS role requested and approved, which your account administrator grants. Once you are in SPRS, you enter the assessment date, the scope you assessed as described by your system security plan, the score itself, and the date you expect to reach 110. The entry takes minutes. Producing the honest number behind it takes weeks.
One detail saves a phone call later. The score is tied to a named system security plan, and SPRS asks for that plan's name, version, and date. If you have not written a system security plan, you are not ready to post a score, because the plan defines what "your system" even means for the assessment.
Where to start this week
Confirm whether any current DoD contract or subcontract carries DFARS 252.204-7012. If one does, the obligation to self-assess and post a score is already live, whether or not anyone has asked. Then write or update your system security plan, run the self-assessment against all 110 requirements, close the 5 point controls first, and post the honest number with a POA&M for the rest. A prime is far more comfortable with a 45 and a dated plan than with silence.
Adams Cloud & Cybersecurity LLC is a San Diego service disabled veteran owned cybersecurity advisory firm. We run the self-assessment with you, build the system security plan and POA&M, and prioritize the fixes that move the score the most for the least cost. We work fast, taking a small subcontractor from an unknown score to a posted score with a credible plan in weeks, not months. Start at https://adamscloudcyber.com.