
CMMC SPRS Score Explained

Your SPRS score is the number the Department of Defense already sees — the running tally of how close your shop is to NIST SP 800-171. Here's how the 110-point scale works, why it can go negative, and how to move it.

Kapacyber

Security Research Team

Your SPRS score is the single number the Department of Defense uses to gauge, at a glance, how far along your shop is on NIST SP 800-171. SPRS stands for the Supplier Performance Risk System — a DoD database where, under DFARS 252.204-7019 and 7020, many defense contractors are required to post the result of an 800-171 self-assessment. Your prime can see it. Your contracting officer can see it. For a lot of contractors it's the first thing a customer checks.

The 110-Point Scale — and Why It Isn't a Percentage

You start at a perfect 110 — one point for each of the 110 controls in 800-171 — and subtract for every control you don't fully meet. The trap is assuming it works like a test score where 80 out of 110 means “73%, not bad.” It doesn't. The deductions are weighted: most controls cost you 1 point, but the ones tied to the highest-impact protections cost 3 or 5.

That weighting is why two shops with the same number of gaps can have very different scores — and why a handful of missing fundamentals can sink you fast.

Why the Score Goes Negative

Because the heavy controls deduct 3 or 5 points each, a shop missing many of them can land well below zero — sometimes a couple of hundred points into the negative. People see a number like that and assume the calculator broke. It didn't. A deeply negative score is an honest, useful signal: the protections that matter most simply aren't there yet. It tells you exactly where to start.

Met or Not Met — Partial Credit Is Limited

The methodology is unforgiving about half-measures. For most controls you either fully implement them or you take the full deduction; there's little room for “we've mostly got MFA rolled out.” Mostly isn't met. This is the same honesty problem that shows up everywhere in compliance — the controls you've partially done don't score, and pretending otherwise just sets up a failed assessment later.

SPRS Is Not a CMMC Certificate

Here's the distinction that trips people up. The SPRS score is a self-assessment — you score yourself. A CMMC Level 2 assessment is performed by an independent C3PAO that checks whether those controls are genuinely in place and evidenced. A score you inflated with hopeful answers won't survive that review. Used honestly, though, your SPRS score is the best gap tracker you have: it turns 110 abstract controls into one number you can watch climb as you close real gaps. To understand who does the verifying, see our guide to C3PAO vs RPO vs MSP.

How to Raise It Before an Assessment

Move the heavy controls first — the 3- and 5-point items give you the biggest jump per unit of effort. Then document what you fix in your System Security Plan, and track what's left in a Plan of Action and Milestones; we cover both in our SSP and POA&M guide. A rising SPRS score that's backed by real evidence is exactly what turns a daunting standard into a plan you can finish.
