What Is an SPRS Score and How Do DoD Primes Use It to Screen Subcontractors?

Federal procurement within the Defense Industrial Base (DIB) increasingly requires contractors at every tier to demonstrate a measurable cybersecurity posture before receiving access to Controlled Unclassified Information (CUI). The Supplier Performance Risk System (SPRS) score, derived from a self-assessment against National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, is the primary instrument through which that posture is quantified, recorded, and verified by contracting officers and prime contractors alike. For the complete compliance framework governing these requirements, read the CMMC Compliance for Small Defense Contractors: The Definitive Guide.

This article explains how the SPRS score is calculated, where it must be submitted, how prime contractors use it to evaluate and screen subcontractors, the Defense Federal Acquisition Regulation Supplement (DFARS) provisions that make the score mandatory, and how the current self-assessment requirement maps to Cybersecurity Maturity Model Certification (CMMC) Level 2.

What Is the Supplier Performance Risk System?

The Supplier Performance Risk System (SPRS) is a Department of Defense (DoD) enterprise application that aggregates supplier performance data, including past performance ratings, quality system survey results, and cybersecurity assessment scores. For cybersecurity purposes, SPRS serves as the system of record in which DoD contractors submit and maintain their NIST SP 800-171 self-assessment scores. The application is operated by the Defense Logistics Agency and is accessible to DoD contracting officers and to prime contractors holding an appropriate SPRS account established through their cognizant DoD contracting office.

Contracting officers use SPRS to verify that a prospective contractor has completed a current assessment, to review the score on file, and to confirm that any Plan of Action and Milestones (POA&M) addressing unimplemented controls has been documented. Prime contractors with system access use SPRS for the same purpose when evaluating subcontractors during proposal development and ongoing contract performance.

What Is a NIST SP 800-171 Self-Assessment Score?

NIST SP 800-171, formally titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, establishes 110 security requirements organized across 14 practice families. Those families cover Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity, and Awareness and Training.

A NIST SP 800-171 self-assessment is an organization's internal evaluation of how completely its systems, policies, and practices satisfy each of those 110 requirements. The result is a numeric score calculated according to the DoD Assessment Methodology, published by the DoD Chief Information Officer (CIO). That score is the figure submitted to SPRS.

How Is the SPRS Score Calculated?

The DoD Assessment Methodology assigns a weighted point value to each of the 110 NIST SP 800-171 requirements. The scoring framework operates as follows:

The table below illustrates how prime contractors and contracting officers commonly interpret score ranges. These ranges are not formal DoD-defined acceptance thresholds; the DFARS requires a current assessment, not a minimum score.

Score Range     Typical Assessment in Practice
110             All 110 requirements fully implemented; no residual gaps
71 to 109       Substantial implementation; residual gaps documented in a POA&M
1 to 70         Partial implementation; material deficiencies remain
-203 to 0       Significant gaps; one or more high-weight requirements unimplemented
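The following scorer is an added example written for this article, not a DoD tool or anything published by TDS-IS. It applies the arithmetic of the DoD Assessment Methodology (start at 110, subtract each unimplemented requirement's weight, floor at -203, reduced 3-point deduction when multifactor authentication (3.5.3) or FIPS-validated cryptography (3.13.11) is partially in place, no score at all without a system security plan under 3.12.4) and then maps the result onto the informal ranges in the table above. The WEIGHTS dictionary is an illustrative subset and the sample assessment is constructed; the authoritative per-requirement weights must be taken from the methodology's own scoring table.

```python
"""Illustrative NIST SP 800-171 DoD Assessment Methodology scorer.

Added example, not the article's or the DoD's code. The WEIGHTS table is a
partial, illustrative subset (assumption: confirm every value against the
published DoD Assessment Methodology before relying on it).
"""
from dataclasses import dataclass, field

MAX_SCORE = 110    # every scored requirement implemented
MIN_SCORE = -203   # every scored requirement unimplemented

# Illustrative subset of per-requirement weights (assumption: verify).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.5.3": 5,    # multifactor authentication
    "3.8.1": 3,    # protect system media containing CUI
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify, report, and correct flaws in a timely manner
    "3.14.2": 5,   # protection from malicious code
}

# Requirements with a partial-credit rule: deduction drops from 5 to 3 when
# the control is partly in place (MFA only for remote/privileged users;
# encryption in use but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# 3.12.4 (system security plan) carries no point value: without an SSP the
# assessment cannot be scored at all.
SSP_REQUIREMENT = "3.12.4"


@dataclass
class Assessment:
    not_implemented: set[str] = field(default_factory=set)
    partially_implemented: set[str] = field(default_factory=set)
    has_ssp: bool = True


def score(a: Assessment) -> int:
    """Return the SPRS score for an assessment, or raise if it is unscorable."""
    if not a.has_ssp or SSP_REQUIREMENT in a.not_implemented:
        raise ValueError("3.12.4 unmet: no system security plan, assessment cannot be scored")
    overlap = a.not_implemented & a.partially_implemented
    if overlap:
        raise ValueError(f"listed as both not and partially implemented: {sorted(overlap)}")
    deduction = 0
    for req in sorted(a.not_implemented):
        if req not in WEIGHTS:
            raise ValueError(f"{req} is not in the weight table")
        deduction += WEIGHTS[req]
    for req in sorted(a.partially_implemented):
        if req not in PARTIAL_CREDIT:
            raise ValueError(f"{req} has no partial-credit rule; record it as not implemented")
        deduction += PARTIAL_CREDIT[req]
    return max(MIN_SCORE, MAX_SCORE - deduction)


def band(s: int) -> str:
    """Map a score onto the informal ranges primes use (the table above)."""
    if s == MAX_SCORE:
        return "fully implemented"
    if s >= 71:
        return "substantial implementation; POA&M expected"
    if s >= 1:
        return "partial implementation; material deficiencies"
    return "significant gaps; high-weight requirements unimplemented"


if __name__ == "__main__":
    # Constructed sample: MFA and FIPS crypto partly in place, patching not.
    sample = Assessment(not_implemented={"3.14.1"},
                        partially_implemented={"3.5.3", "3.13.11"})
    s = score(sample)
    print(f"score {s}: {band(s)}")
```

The partial-credit handling is the part most often done wrong by hand: a sub that has MFA for administrators and VPN users but not for ordinary workstation logins loses 3 points, not 5, while the same control recorded simply as "not implemented" costs the full 5.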

Where Is the Score Submitted, and Who Can View It?

Contractors submit their NIST SP 800-171 self-assessment scores directly through the SPRS portal. The submission records the assessment score, the date of assessment, and identification of the systems and networks in scope. A Procurement Instrument Identifier (PIID) associated with the relevant DoD contract is typically entered to link the assessment to the specific program.

Access to SPRS score records is limited:

SPRS scores are not publicly accessible in the way that System for Award Management (SAM.gov) registrations are. A prime contractor without an SPRS account cannot independently retrieve a subcontractor's score and must rely on the subcontractor to provide a written self-attestation, which the prime's contracting officer can then verify.

What Do DFARS 252.204-7019 and 252.204-7020 Require?

Two DFARS clauses establish the regulatory basis for SPRS submission and maintenance.

DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) is the solicitation provision that notifies offerors that a current assessment is required before award. An offeror whose most recent assessment is more than three years old, or who has no assessment on file in SPRS, is not eligible for award of a contract involving covered defense information. This clause appears in solicitations; it does not flow down to subcontracts as a standalone provision, but primes are expected under DFARS 252.204-7020 to apply equivalent screening to subcontractors who will handle covered defense information.

DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements) is the contract clause that carries the obligation through performance. It requires contractors to maintain a current assessment, update SPRS if the score changes materially, and provide access to assessment records when requested by the contracting officer. DFARS 252.204-7020 also establishes an explicit flowdown requirement: primes must include the substance of the clause in subcontracts where the subcontractor will process, store, or transmit covered defense information, or where the subcontractor operates systems that affect the prime's own compliance posture.

The foundational safeguarding obligation rests in DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which requires adequate security using NIST SP 800-171 controls and mandates cyber incident reporting within 72 hours of discovery. DFARS 252.204-7012 has been required on most DoD contracts involving covered defense information since 2017 and flows down to all subcontractors at every tier that handle covered defense information. All three clauses are available at acquisition.gov DFARS Part 252.

How Do DoD Primes Use SPRS Scores to Screen Subcontractors?

Prime contractors use SPRS scores as a supply-chain risk management gate during subcontractor due diligence, proposal teaming, and contract administration. The screening process typically operates across three stages.

Pre-teaming due diligence. Before executing a Teaming Agreement or Subcontract Letter of Intent, a prime will request the prospective subcontractor's current SPRS score and the date of assessment. Primes with SPRS accounts may independently verify the score against SPRS records. A subcontractor with no score on file, or with an assessment date more than three years prior, represents an immediate due-diligence gap that the prime must resolve before the team can represent compliance in a proposal.

Proposal incorporation. In proposals to DoD prime contracting officers, primes are expected to represent that all subcontractors handling covered defense information satisfy the NIST SP 800-171 assessment requirement. A subcontractor carrying a materially negative SPRS score creates a proposal-level risk. Primes must either document a remediation plan for the sub's gaps or select a different subcontractor. A representation of subcontractor compliance that later proves inaccurate carries False Claims Act exposure under 31 USC 3729.

Score thresholds and risk tolerance. No government-mandated minimum score governs subcontractor selection; the DFARS requires a current assessment, not a passing score. In practice, prime contractors apply internal risk thresholds. Scores below zero typically require the sub to provide a documented remediation timeline before the prime will execute a subcontract. For roles involving access to particularly sensitive covered defense information, primes may set internal acceptance thresholds considerably higher than zero.

Ongoing monitoring. DFARS 252.204-7020 requires that scores remain current throughout performance. Primes are expected to monitor subcontractor compliance status, particularly when the sub's systems are in scope for the prime's own NIST SP 800-171 obligations. For the full due-diligence framework a prime applies when evaluating an SDVOSB subcontractor, see How Do Primes Evaluate, Structure, and Contract with an SDVOSB IT Subcontractor?
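The screening gate described in the four stages above, written out as an added example (not the article's or any prime's actual procedure): an assessment must be on file, must be dated within the three-year window that DFARS 252.204-7019 applies to offeror eligibility, and a score below the prime's internal threshold needs a documented POA&M before a subcontract is executed. The threshold default of zero, the `SubRecord` fields and the sample records are constructed for illustration; a real prime would draw the score and date from SPRS or from the sub's written attestation.

```python
"""Illustrative subcontractor SPRS screening gate (added example, not a
prime's real process). Inputs are constructed; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SubRecord:
    cage: str
    score: Optional[int]         # None: nothing on file in SPRS
    assessed_on: Optional[date]  # date of the assessment on file
    poam_on_file: bool           # documented remediation plan provided
    handles_cdi: bool            # sub will process/store/transmit covered defense information


@dataclass(frozen=True)
class Decision:
    # "clear": proceed; "conditional": proceed once remediation timeline is
    # accepted; "hold": gap must be closed first; "not applicable": no CDI.
    status: str
    findings: tuple[str, ...]


def three_years_before(d: date) -> date:
    """Same calendar day three years earlier (29 Feb falls back to 28 Feb)."""
    try:
        return d.replace(year=d.year - 3)
    except ValueError:
        return d.replace(year=d.year - 3, day=28)


def screen(rec: SubRecord, today: date, threshold: int = 0) -> Decision:
    """Apply the pre-teaming checks to one subcontractor record."""
    if not rec.handles_cdi:
        return Decision("not applicable",
                        ("no covered defense information in scope; 252.204-7020 flowdown not triggered",))

    blocking: list[str] = []
    conditions: list[str] = []

    if rec.score is None or rec.assessed_on is None:
        blocking.append("no NIST SP 800-171 assessment on file in SPRS")
    else:
        if rec.assessed_on < three_years_before(today):
            blocking.append(f"assessment dated {rec.assessed_on.isoformat()} is more than three years old")
        if rec.score < threshold:
            msg = f"score {rec.score} is below internal threshold {threshold}"
            if rec.poam_on_file:
                conditions.append(msg + "; POA&M on file, remediation timeline to be reviewed")
            else:
                blocking.append(msg + " and no POA&M has been provided")

    if blocking:
        return Decision("hold", tuple(blocking + conditions))
    if conditions:
        return Decision("conditional", tuple(conditions))
    return Decision("clear", ())


# Constructed sample records; CAGE codes are placeholders, not real entities.
TODAY = date(2025, 6, 1)
SAMPLE = [
    SubRecord("AAAA1", 110, date(2024, 9, 15), False, True),
    SubRecord("BBBB2", None, None, False, True),
    SubRecord("CCCC3", 85, date(2022, 3, 1), True, True),
    SubRecord("DDDD4", -40, date(2025, 1, 10), True, True),
    SubRecord("EEEE5", -40, date(2025, 1, 10), False, True),
    SubRecord("FFFF6", None, None, False, False),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        d = screen(rec, TODAY)
        print(rec.cage, d.status, *d.findings, sep=" | ")
```

Keeping the staleness check and the threshold check separate matters in practice: a strong score on an assessment dated more than three years ago is still a blocking gap, because the DFARS eligibility window is about currency of the assessment, not the number.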

How Does the SPRS Score Relate to CMMC Level 2?

The CMMC Level 2 certification requirement, established by the CMMC final rule published in December 2024 (32 CFR Part 170), maps directly to NIST SP 800-171. CMMC Level 2 requires implementation of all 110 NIST SP 800-171 practices, assessed either through a DoD-authorized third-party assessment organization (C3PAO) for contracts designated as requiring a third-party assessment, or through structured self-attestation for contracts where the requiring activity has designated Level 2 Self-Assessment as sufficient.

The SPRS self-assessment score is the pre-CMMC posture indicator: it reflects the organization's current state against the same 110 practices that CMMC Level 2 will formally certify. An organization with a strong, current SPRS score has completed the foundational implementation work that a CMMC Level 2 assessment will verify. The assessment pathway differs (a DFARS self-assessment is less rigorous than a C3PAO-led audit), but the underlying control set is the same.

Once a contract requires CMMC Level 2 certification, the SPRS self-assessment score alone is not sufficient for that contract's covered work. The organization must obtain a C3PAO assessment result or complete the formal CMMC self-attestation process, both of which are submitted into SPRS through the CMMC ecosystem. For a detailed timeline of when CMMC requirements flow into solicitations, see the CMMC Timeline for Small Primes.

What Happens If a Subcontractor Has No Current SPRS Score?

A subcontractor without a current SPRS score is non-compliant with DFARS 252.204-7020 for any work involving covered defense information. The practical consequences are direct.

The remediation path is straightforward: complete a NIST SP 800-171 self-assessment using the DoD Assessment Methodology, submit the score to SPRS, document any gaps in a POA&M, and provide the assessment date and score to the prime as part of the standard due-diligence package.

Frequently Asked Questions

How often must a NIST SP 800-171 self-assessment score be updated in SPRS?

DFARS 252.204-7020 requires that the score on file in SPRS reflect the contractor's current posture. DFARS 252.204-7019 treats assessments older than three years as lapsed for offeror eligibility purposes. Organizations should re-assess annually and update SPRS whenever a material change occurs, such as a change to the system boundary, a significant new control implementation, or a cybersecurity incident affecting the control environment. Waiting until the three-year threshold to conduct a new assessment is a compliance risk; material changes to the environment may require an earlier update.

Can a subcontractor with a negative SPRS score participate in a DoD-funded subcontract?

A negative score does not automatically disqualify a subcontractor. The DFARS requires a current assessment to be on file, not a minimum score. However, a negative score signals that high-criticality NIST SP 800-171 requirements are unimplemented, and most prime contractors require a documented Plan of Action and Milestones showing a credible remediation path before executing a subcontract with a negative-score sub. For roles involving access to particularly sensitive covered defense information, a prime may decline to team regardless of POA&M documentation. The practical market reality is that a negative score is a material barrier to teaming on most DoD programs.

Is a self-assessed SPRS score the same as a CMMC Level 2 certification?

No. A self-assessed SPRS score reflects the organization's current implementation state against NIST SP 800-171 requirements but is not equivalent to a CMMC Level 2 certification. CMMC Level 2 requires either a formal third-party assessment by a DoD-authorized C3PAO or a structured self-attestation process under 32 CFR Part 170, with results submitted through the CMMC ecosystem using SPRS as the submission pathway. Contracts specifying CMMC Level 2 as a condition of award accept only CMMC-process outcomes, not a standalone DFARS self-assessment score. The CMMC rule's phased implementation timeline determines when each contract type will require formal certification rather than a DFARS self-assessment.

Need an SDVOSB IT sub with a current SPRS score?

TDS-IS maintains a current NIST SP 800-171 SPRS score and CMMC posture, ready for inclusion in prime capability responses. CAGE 8J6T6, UEI H883URPYC4J7.
