SPRS DFARS June 7, 2026 · 12 min read

What Is an SPRS Score and How Do You Calculate It? (2026 Guide)

The Supplier Performance Risk System score is not a suggestion. Contracting officers check it before awarding contracts, and a knowingly false score carries False Claims Act liability. Here is the precise methodology behind the number, what can trigger a government assessment, and how to improve your score without inflating it.

NIST SP 800-171 Rev 2 DFARS 252.204-7012 32 CFR Part 170 SPRS

Table of Contents

  1. What SPRS Is and Why It Matters
  2. The Scoring Methodology: How the Math Works
  3. Score Ranges and What They Signal
  4. The 3 Assessment Types: Basic, Medium, High
  5. DIBCAC and DoD Audit Risk
  6. False Claims Act Exposure
  7. Ten High-Weight Practices
  8. How to Improve Your Score
  9. Self-Attestation: What You're Legally Certifying
  10. Frequently Asked Questions

What SPRS Is and Why It Matters

The Supplier Performance Risk System (SPRS) is a Department of Defense database that contracting officers use to evaluate supplier risk before awarding contracts. It captures information about contractor performance history, business system risk, and, most relevantly for this discussion, cybersecurity posture.

Since November 2020, DFARS 252.204-7019 and 252.204-7020 have required defense contractors to have a current NIST SP 800-171 DoD Assessment score posted in SPRS (252.204-7021 is the separate CMMC clause). That score must be on file before a contractor can be awarded a DoD contract that includes the DFARS 252.204-7012 clause, which covers virtually every contract involving Covered Defense Information (CDI) or Controlled Unclassified Information (CUI).

This is not a compliance formality that gets ignored. Contracting officers pull SPRS records during source selection. Program managers reference them during contract administration. And DIBCAC (Defense Industrial Base Cybersecurity Assessment Center, the DoD organization that conducts government-led assessments of defense contractors) uses SPRS data to prioritize which contractors to assess. Your SPRS score is a live, searchable, government-accessible record of the cybersecurity posture you have certified to the Department of Defense. The DoD has a long memory and a Federal Acquisition Regulation.

The Scoring Methodology: How the Math Works

The scoring methodology is defined in the DoD Assessment Methodology for NIST SP 800-171, published by the Office of the Under Secretary of Defense for Acquisition and Sustainment. The calculation works as follows:

  1. Start at 110. A perfect score represents full implementation of all 110 NIST SP 800-171 Rev 2 requirements (the document calls them practices).
  2. Subtract points for each requirement that is not fully implemented. Each of the 110 requirements carries a weight of 5, 3, or 1 points, reflecting its security impact. If a requirement is not implemented, subtract its full weight. The methodology is all-or-nothing for every requirement except two (3.5.3 and 3.13.11, covered below): a requirement that is "mostly done" scores exactly like one that is not done at all.
  3. The score can go negative. If the total deductions exceed 110, the score goes below zero. The floor is exactly -203 (110 minus the 306 points available in deductions), representing a contractor with no requirements implemented.

The weight breakdown: of the 110 requirements, 42 are worth 5 points (210 points of deductions), 14 are worth 3 points (42 points), and 54 are worth 1 point (54 points), for 306 points in total. The per-requirement allocations are published in Annex A of the DoD Assessment Methodology document. Understanding which requirements carry which weights is essential to prioritizing your remediation work, because the 42 five-point items alone can move the score by 210 points.

Partial credit exists for only two requirements. For 3.5.3 (multifactor authentication), an organization that has MFA on remote and privileged access but not on general user access deducts 3 points instead of 5. For 3.13.11 (FIPS-validated cryptography), an organization that encrypts CUI but with cryptography that is not FIPS-validated deducts 3 points instead of 5. Every other requirement that is partially implemented is scored as not implemented and goes on the POA&M. A score can therefore reflect in-progress work only in those two cases, and even there the partial implementation must be real and documentable, not aspirational.

Score Ranges and What They Signal

  110      Perfect. All 110 requirements fully implemented.
  0 to 109 Positive. Gaps exist but the overall posture is reasonable.
  Below 0  Negative. Significant gaps and elevated assessment risk.

A score of 110 is rare for organizations that have never been formally assessed; it typically requires a mature security program with complete documentation, implemented controls, and evidence artifacts ready for examination. Most defense SMBs fall in the 60 to 90 range on an honest self-assessment.

A negative score is not uncommon for organizations that perform an honest self-assessment for the first time after years of operating without a formal cybersecurity program. If your score comes back at, say, -47, the correct response is to start remediating, not to call your lawyer first. Although, honestly, maybe both. What matters is that the score is accurate, and that a POA&M (Plan of Action and Milestones, your documented list of gaps with specific remediation steps and target dates) exists to document the path forward.

Some DoD programs specify a minimum SPRS score threshold for contract eligibility. These thresholds vary by program and are set by the contracting officer, not by DFARS directly. The CMMC rule at 32 CFR Part 170 adds a fixed one: a Level 2 assessment (self or C3PAO) earns only a conditional status unless the score is at least 88 of 110, with the remaining items on a POA&M that must be closed within 180 days. A score below threshold can make you non-competitive on a bid even if you are technically eligible. This is where the score has real business impact beyond compliance.

The 3 Assessment Types: Basic, Medium, High

Not all SPRS scores carry the same weight. The DoD Assessment Methodology defines three assessment types, each with different levels of rigor and different levels of trust assigned to the resulting score:

Basic Assessment (Self-Assessment)

The most common type. The contractor reviews its own implementation of all 110 NIST 800-171 requirements, scores each one according to the DoD methodology, and submits the resulting score, the assessment date, and the date by which it expects to reach 110 to SPRS. This is a self-reported, unverified assessment. The contractor attests to the accuracy of the score, which is the basis for False Claims Act exposure if the score is inflated. Under DFARS 252.204-7019 a Basic assessment must be not more than three years old at the time of award unless the solicitation specifies a shorter period, and it must be refreshed whenever the posture it describes changes.

Medium Assessment (Government-Led)

A Medium assessment is conducted by DoD personnel, typically DIBCAC, using the Basic assessment as a starting point, supplemented by document review and interviews. It does not include hands-on technical testing of all controls. Medium assessments result in a government-validated SPRS score that carries more credibility than a self-assessment and may be required by certain contract types.

High Assessment (Government-Led with Technical Testing)

The most rigorous type. DIBCAC conducts the full assessment, document review, personnel interviews, and hands-on technical testing of controls. The resulting score reflects verified implementation, not self-reported posture. High assessments are conducted by DIBCAC for critical programs and high-risk contractors. A High assessment result in SPRS supersedes any self-reported Basic assessment.

DIBCAC and DoD Audit Risk

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the DoD organization responsible for conducting Medium and High assessments. DIBCAC is part of the Defense Contract Management Agency (DCMA). Under DFARS 252.204-7020 a contractor must give the Government access to its facilities, systems, and personnel so that a Medium or High assessment can be conducted; declining that access is itself a contract problem.

What triggers a DIBCAC review? Several factors increase assessment risk:

  1. Contract requirements. Some solicitations and programs explicitly require a government-led Medium or High assessment.
  2. Anomalously high self-reported scores. A 110 from a small contractor with no assessment history stands out in SPRS.
  3. Cyber incident reports. An incident reported under DFARS 252.204-7012 that suggests significant control gaps invites a closer look.
  4. Tip-offs. Primes, subcontractors, and whistleblowers can all prompt a review.
  5. Random selection as part of DIBCAC's overall DIB assessment program.

False Claims Act Exposure

In October 2021, the Department of Justice launched the Civil Cyber-Fraud Initiative, explicitly targeting government contractors who submit false cybersecurity compliance certifications to obtain or retain federal contracts. The legal theory is straightforward: submitting an SPRS score you know to be inflated is a false claim against the United States government, actionable under 31 U.S.C. § 3729.

This has already been enforced. In 2022, Aerojet Rocketdyne settled a False Claims Act case for $9 million after a whistleblower alleged that the company misrepresented its cybersecurity compliance. In 2024, additional enforcement actions targeted smaller defense contractors. The DoJ has made clear this is an ongoing priority, not a one-time initiative.

The personal liability dimension is significant. The False Claims Act allows the government to pursue individual executives, not just the company entity. Signing off on an inflated SPRS attestation as the CEO is the cybersecurity equivalent of personally guaranteeing a bad loan, except the lender is the federal government. A VP who signed off on an inflated SPRS score can face personal financial liability and, in egregious cases, criminal referral. The legal exposure is not hypothetical; it has been realized.

The practical implication: if your honest score is lower than what you've submitted, the right action is to correct the submission and file an updated score with a POA&M that documents your remediation plan. This doesn't immunize you from prior misrepresentation, but it demonstrates good faith and significantly reduces future liability.

Ten High-Weight NIST 800-171 Practices

The DoD Assessment Methodology assigns 5 points to the 42 most security-critical requirements, 3 points to 14 moderately critical ones, and 1 point to the remaining 54. Prioritize your remediation work around 5-point requirements first: each one you close has five times the SPRS impact of a 1-point requirement. The table below is a sample of the 5-point set plus one 3-point cryptography item, not the complete list; take the weights for all 110 from Annex A of the methodology before you score.

  Practice  Domain                     Requirement summary                                                              Weight
  3.1.1     Access Control             Limit system access to authorized users, processes, and devices                  5 pts
  3.1.2     Access Control             Limit access to the transactions and functions authorized users may execute      5 pts
  3.3.1     Audit & Accountability     Create and retain system audit logs to enable monitoring and investigation       5 pts
  3.4.1     Config Management          Establish and maintain baseline configurations                                   5 pts
  3.4.2     Config Management          Establish and enforce security configuration settings                            5 pts
  3.5.1     Identification & Auth      Identify system users, processes, and devices                                    5 pts
  3.5.3     Identification & Auth      Use MFA for local and network access to privileged accounts and network access   5 pts (3 if partial)
                                       to non-privileged accounts
  3.13.11   System & Comms             Employ FIPS-validated cryptography to protect CUI                                5 pts (3 if partial)
  3.14.6    System & Info Integrity    Monitor organizational systems to detect attacks and indicators of compromise    5 pts
  3.13.8    System & Comms             Implement cryptographic mechanisms to protect CUI in transit                     3 pts

3.5.3 and 3.13.11 are the only two requirements for which the methodology allows a reduced deduction; everything else is scored as implemented or not.

How to Improve Your Score

Improving your SPRS score requires actually implementing security controls, not adjusting how you score existing partial implementations. Here's the structured approach:

Step 1: Conduct an honest current-state assessment

Work through all 110 NIST 800-171 requirements and document your actual implementation status. Use the DoD Assessment Methodology scoring rubric. For each requirement, determine: Implemented (no deduction) or Not Implemented (full deduction). Only 3.5.3 and 3.13.11 have a Partially Implemented option, and it deducts 3 points rather than 5. Any other requirement that is "in progress" is scored as Not Implemented. Document your evidence for every implemented claim; a claim with no evidence behind it is a claim you should not be making.

Step 2: Calculate your actual score before submitting

Add up your deductions and subtract from 110. If the number is significantly different from what you've reported to SPRS, you need to correct the submission before bidding on new work. Continuing to use an inflated score on new contract bids compounds your legal exposure.

Step 3: Build a prioritized POA&M targeting 5-point practices

Sort your not-implemented and partially implemented requirements by point value, highest first. Close the 5-point gaps first; each one you close has the greatest impact on your SPRS score. For each gap, write a specific remediation action with a realistic timeline and a named responsible party.

Step 4: Update your SPRS score as you close gaps

SPRS submissions can be updated. As your team closes POA&M items and fully implements practices, recalculate your score and update your SPRS submission. Each update should reflect the practices newly closed, not a wholesale revision of your entire posture. Keep documentation showing the date each control was verified as implemented.

Self-Attestation: What You're Legally Certifying

When you submit an SPRS score, you are making a legal certification to the United States government. The SPRS submission process requires an authorized organizational representative to affirm that the score accurately reflects the organization's current implementation of NIST SP 800-171. That affirmation is the basis for False Claims Act liability.

Under 32 CFR Part 170, contractors at CMMC Level 2 (Self), the track for programs that do not require a C3PAO assessment, record a self-assessment score in SPRS and an affirmation of continued compliance, entered in SPRS through the Procurement Integrated Enterprise Environment (PIEE), the DoD's online procurement portal. The self-assessment is repeated every three years and the affirmation every year. The Affirming Official, a senior company official, typically the CEO or CISO, must personally sign the affirmation. This is not a delegable signature for a junior compliance staff member.

Before you sign: Make sure you have reviewed the actual evidence, not just received a summary from your IT team. If you sign an attestation asserting that MFA is implemented and it isn't, your signature is on the false claim. Executives who rely entirely on unverified representations from subordinates are not insulated from personal liability.

Document your way to an accurate, defensible SPRS score

Our CMMC SSP template includes all 110 NIST 800-171 practices organized by domain, with implementation status tracking and a built-in SPRS score calculator. Pair it with our POA&M template to build a complete, synchronized compliance documentation set that accurately captures your posture, and gives you a clear remediation roadmap to improve it.

Frequently Asked Questions

What is an SPRS score?

An SPRS score is a numerical representation of a defense contractor's NIST SP 800-171 implementation, submitted to the Supplier Performance Risk System (SPRS). It is calculated using the DoD Assessment Methodology for NIST SP 800-171: start at 110 and subtract the weight (5, 3, or 1 points) of each requirement that is not implemented. The score can go negative, down to -203. Contracting officers review SPRS scores before awarding contracts, and a low score can affect contract eligibility.

What is a good SPRS score?

A perfect SPRS score is 110, indicating that all 110 NIST SP 800-171 requirements are fully implemented. There is no universally mandated minimum score for all contracts, but some DoD programs require scores above specific thresholds (often 70 or higher) as a contract eligibility requirement, and CMMC Level 2 under 32 CFR Part 170 requires at least 88 for a conditional status. A negative score indicates significant gaps and will raise questions during source selection or a DIBCAC assessment.

How often do I need to update my SPRS score?

DFARS 252.204-7019 requires a current Basic assessment in SPRS, meaning one not more than three years old unless the solicitation specifies a shorter period. You should update your score whenever your security posture materially changes, for example when you close POA&M items, implement new controls, or when a government-led assessment results in an official score. The score must accurately reflect your implementation status at the time of any contract bid.

What happens if I submit a false SPRS score?

Submitting a false SPRS score, that is, certifying NIST 800-171 implementation you have not achieved, exposes your organization to liability under the False Claims Act (31 U.S.C. § 3729). The DoJ's Civil Cyber-Fraud Initiative, launched in October 2021, explicitly targets contractors who falsely certify cybersecurity compliance to obtain or retain government contracts. Enforcement actions have resulted in multi-million dollar settlements. Individual executives can face personal liability.

What triggers a DIBCAC assessment?

DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) conducts Medium and High assessments based on program criticality, contract type, and risk signals. Triggers include contracts that explicitly require a government-led assessment, anomalously high self-reported SPRS scores, cyber incident reports that suggest significant gaps, tip-offs from primes or subcontractors, and random selection as part of DIBCAC's overall DIB assessment program. A reported cyber incident can prompt at least a Medium assessment review.

Can an SPRS score be negative?

Yes. SPRS accepts scores below zero. The system is designed to capture your actual security posture, not just scores above a threshold. Submitting an honest negative score is legally safer than submitting an inflated positive score: an accurate score, however low, is not a false statement, while a false high score is. A low score may affect contract eligibility, but if your score is very low the right approach is to develop a POA&M, prioritize high-weight requirements, and begin remediation immediately.
