San Antonio, TX · Military City, USA UEI L58JZMKRCLM5  ·  CAGE 203C1  ·  NAICS 541511  ·  SAM.gov Active
OVERVIEW

If you sell IT, software, or technical services to the Department of Defense and handle Controlled Unclassified Information, there’s a database deciding whether you’re even eligible for award before a human reads your proposal. It’s called SPRS — the Supplier Performance Risk System — and the single number it holds about your cybersecurity posture can quietly disqualify you. We bid federal IT work every week and maintain our own NIST 800-171 posture, so here’s the honest, jargon-free version: what SPRS is, how the score is built, who has to post one, and how it feeds the new CMMC program. When you’re ready to run your own number, the SPRS score calculator does the math in your browser.

THE BASICS

What SPRS Actually Is

A government scoreboard for supplier risk — and one of its columns is your cybersecurity score.

The Supplier Performance Risk System is a Department of Defense application that consolidates supplier performance and risk information into one place that acquisition officials can query. Think of it as the DoD’s standing file on you as a vendor.

SPRS pulls together several risk signals — past performance, delivery, quality, and price risk among them — but for IT and software contractors the column that matters most is your NIST SP 800-171 DoD Assessment score. That score is the government’s shorthand for “how well has this company implemented the cybersecurity controls required to protect Controlled Unclassified Information (CUI)?” When a contracting officer evaluates an offer that involves CUI, they can open SPRS and see whether you have a current, posted score — before your technical approach gets a second look.

Why it bites quietly: SPRS rarely shows up as a line item you’ll fail on. It operates upstream as an eligibility gate. A missing or stale score can sideline an otherwise strong proposal without a single comment in your debrief — which is exactly why so many capable small businesses never learn it was the problem.

THE SCORE

How the 110-Point Score Works

You start at a perfect score and lose weighted points for every control you haven’t implemented.

The NIST 800-171 Basic Assessment is a self-assessment scored under the DoD Assessment Methodology against the 110 security requirements in NIST SP 800-171 Revision 2 — the revision the DoD methodology and SPRS scoring still use. The math is deliberately simple, and it runs in one direction — downward.

START AT 110

Every control met

If you fully implement all 110 NIST SP 800-171 security requirements, your score is 110 — the maximum.

SUBTRACT 5 / 3 / 1

Weighted deductions

Each unmet control subtracts a weighted value — 5, 3, or 1 point — based on its impact under the methodology. Higher-impact controls cost more.

CAN GO NEGATIVE

No floor at zero

Because deductions stack, a system with many unmet high-value controls can land well below zero. A negative score is real and common for firms early in their compliance journey.

A handful of controls carry the 5-point weight, a middle band carries 3 points, and the remainder carry 1 point — so which controls you’ve missed matters as much as how many. Closing a few high-value gaps moves the number far more than closing many low-value ones. That weighting is precisely what our SPRS calculator models, so you can see where your points are actually leaking.
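To make that arithmetic concrete, here is an added example (written for this page, not the page's own calculator or any DoD tool) that scores a constructed posture against a small sample weight table and orders the open gaps by point value. The requirement ids are NIST SP 800-171 identifiers, but the weights assigned here are assumed for illustration and the table is only a subset; a real score must use the full 110-requirement table in the DoD Assessment Methodology's Annex A.

```python
"""Added example: the DoD Assessment Methodology arithmetic this page describes,
plus a remediation order by point value. Weight table is a constructed subset."""

MAX_SCORE = 110  # every NIST SP 800-171 Rev 2 requirement implemented

# Constructed sample: requirement id -> points deducted when unmet.
# Weights here are assumed for demonstration; verify each against Annex A.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.5.3": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
    "3.8.1": 3, "3.8.2": 3, "3.1.3": 1, "3.1.20": 1, "3.1.22": 1, "3.5.7": 1,
}


def sprs_score(weights, unmet):
    """Start at 110 and subtract the weight of every unmet requirement.
    There is no floor at zero: stacked deductions can drive the score negative."""
    unknown = set(unmet) - set(weights)
    if unknown:
        raise ValueError(f"not in weight table: {sorted(unknown)}")
    return MAX_SCORE - sum(weights[r] for r in set(unmet))


def deduction_breakdown(weights, unmet):
    """Points lost per weight band (5, 3, 1): shows *which* gaps cost the most."""
    bands = {5: 0, 3: 0, 1: 0}
    for r in set(unmet):
        bands[weights[r]] += weights[r]
    return bands


def remediation_plan(weights, unmet):
    """Close the highest-value gaps first; return (id, weight, running score)
    after each fix so the 'where points are leaking' view is explicit."""
    score = sprs_score(weights, unmet)
    plan = []
    for r in sorted(set(unmet), key=lambda x: (-weights[x], x)):
        score += weights[r]
        plan.append((r, weights[r], score))
    return plan


if __name__ == "__main__":
    # Constructed posture: MFA, FIPS crypto and flaw remediation still open.
    open_gaps = {"3.5.3", "3.13.11", "3.14.1", "3.1.20", "3.5.7"}
    print("score:", sprs_score(SAMPLE_WEIGHTS, open_gaps))
    print("points lost by band:", deduction_breakdown(SAMPLE_WEIGHTS, open_gaps))
    for step in remediation_plan(SAMPLE_WEIGHTS, open_gaps):
        print("close %-8s (+%d) -> %d" % step)
```

Swap in the real Annex A weights and your System Security Plan's implementation status, and the plan output becomes the order in which to spend remediation effort.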

Honesty caveat: the Basic Assessment is self-generated, which DoD rates as a “Low” confidence level. An automated check or a spreadsheet is a floor for understanding, not a certification. The score you post must reflect a real System Security Plan and honest implementation status — verify against NIST SP 800-171 Revision 2 and the DoD Assessment Methodology, not a guess.

WHO & WHEN

Who Has to Post a Score

If you touch CUI on a covered DoD contract, the clauses pull you in — primes and subs alike.

The obligation comes from two DFARS clauses. 252.204-7019 tells offerors that, to be considered for award on a covered contract, they must have a current assessment posted in SPRS. 252.204-7020 obligates the contractor to keep that assessment current and to flow the requirement down to subcontractors that will handle CUI.

  • DoD prime contractors required to implement NIST SP 800-171 (i.e., contracts carrying the underlying DFARS 252.204-7012 safeguarding clause).
  • Subcontractors at any tier that will store, process, or transmit CUI — a prime cannot award covered work to a sub that hasn’t completed at least a Basic Assessment.
  • Established firms re-competing whose previously posted score has aged out.

“Current” has a clock on it

A posted assessment is treated as current for a defined window (DFARS sets this at not more than three years, unless a solicitation specifies less). A score that’s gone stale is, for award purposes, no score at all — confirm the exact window in 252.204-7019 and your solicitation.

Self-assessment vs. higher tiers

Most small businesses post a Basic (self) assessment. DoD may also conduct Medium or High assessments — the High tier is run by the DCMA DIBCAC — which carry higher confidence and override your self-score.

THE CMMC CONNECTION

How SPRS Connects to CMMC

Same 110 requirements, raised stakes — and the same database holds the result.

SPRS isn’t being replaced by the Cybersecurity Maturity Model Certification — it’s the system of record CMMC plugs into. CMMC Level 2 is built on the identical 110 NIST SP 800-171 requirements that drive your SPRS score, so the work you do for one directly serves the other.

Dimension          | NIST 800-171 / SPRS today                      | CMMC Level 2
Control set        | 110 NIST SP 800-171 requirements               | Same 110 requirements
Who attests        | You (Basic self-assessment, “Low” confidence)  | Self or a third-party C3PAO, depending on data sensitivity
Where results live | SPRS                                           | SPRS (CMMC status is recorded there too)

In practice, a clean, honest SPRS score is the foundation a CMMC Level 2 assessment is graded against. Firms that treated their Basic Assessment as a paperwork formality — posting an optimistic number with no real System Security Plan behind it — are the ones facing the hardest scramble as CMMC requirements phase into contracts. The fix is the same either way: implement the controls for real, document them, and let the score reflect the truth.

This is educational, not legal advice. CMMC and DFARS requirements phase in by rule and by contract, and the specifics depend on the data you handle and the clauses in your solicitation. Verify your obligations against the CMMC rule at 32 CFR Part 170, the DFARS clauses, and the solicitation in front of you — and when CUI and contract value are on the line, get qualified counsel. Want a second set of eyes? Talk to us.

COMMON QUESTIONS

Questions, answered

What does SPRS stand for?
SPRS stands for the Supplier Performance Risk System. It’s a Department of Defense application that consolidates supplier performance and risk information, including a contractor’s NIST SP 800-171 Basic Assessment score, so acquisition officials can review it during source selection.
What is a good SPRS score?
The maximum and ideal score is 110, which means every NIST SP 800-171 control is fully implemented. There is no universal ‘passing’ number set in regulation, but contracting officers can see your score, and a higher number signals stronger cybersecurity posture. Many firms start with low or even negative scores and improve them by closing high-value control gaps. The goal is an honest score backed by a real System Security Plan, not an inflated one.
Can an SPRS score be negative?
Yes. The score starts at 110 and subtracts the weighted value (5, 3, or 1 point) of each unmet control. Because those deductions stack and there is no floor at zero, a system with many unmet high-value controls can land well below zero. Negative scores are common for companies early in their NIST 800-171 implementation.
Who is required to post an SPRS score?
DoD contractors and subcontractors that handle Controlled Unclassified Information on covered contracts must have a current NIST SP 800-171 assessment posted in SPRS. The requirement flows from DFARS 252.204-7019 and 252.204-7020, and it flows down to subcontractors at any tier that will store, process, or transmit CUI. A prime cannot award covered work to a sub that hasn’t completed at least a Basic Assessment.
How long is an SPRS score valid?
DFARS treats a posted assessment as current for a defined period — not more than three years from the assessment date, unless a solicitation specifies a shorter window. Once it ages out, it is treated as no score for award purposes, so re-competing firms should confirm their score is still current. Verify the exact window in DFARS 252.204-7019 and your specific solicitation.
Is SPRS the same as CMMC?
No, but they are closely linked. SPRS is the database that stores your NIST 800-171 assessment score, while CMMC (Cybersecurity Maturity Model Certification) is the program that verifies cybersecurity maturity. CMMC Level 2 is built on the same 110 NIST 800-171 requirements that drive your SPRS score, and CMMC status is also recorded in SPRS. A clean SPRS score is the foundation a CMMC Level 2 assessment is graded against.

NIST / CMMC READINESS

Don’t guess your number — know it, then fix it

Run your posture through our free SPRS calculator, then let BrandShyp help you close the high-value gaps and stand up a real System Security Plan that holds up under a CMMC Level 2 assessment.