
Why Your SPRS Score Matters (and How to Improve It)

June 10, 2025 | Posted in: Compliance

If you're a defense contractor or part of the Defense Industrial Base (DIB), your SPRS score isn’t just a number; it’s a gatekeeper to federal contracts. With the Cybersecurity Maturity Model Certification (CMMC) program gaining traction, understanding your Supplier Performance Risk System (SPRS) score is critical to maintaining contract eligibility and securing future opportunities.

What Is the SPRS Score and When Does It Matter?

Your SPRS score is calculated based on how many NIST SP 800-171 controls you’ve implemented, with a maximum score of 110. It’s submitted to the Department of Defense via the SPRS portal and is required before being awarded a contract that involves Controlled Unclassified Information (CUI).

Best time to calculate your SPRS score:
Right after your initial controls assessment. That’s typically early in the compliance process, following scoping and discovery—when you’ve mapped your systems, data, boundaries, and vendors. You don’t want to submit a score based on guesses; a rushed or inaccurate submission can backfire if you’re audited.

Common Pitfalls: Why Many Get SPRS Wrong

Many organizations either haven’t started the compliance process or assume everything in their IT environment is in scope. Without proper boundary identification and data flow documentation, businesses often:

  • Overengineer solutions
  • Overspend on unnecessary technologies
  • Delay remediation unnecessarily

This often results in a lower SPRS score and a longer, more expensive path to certification.

How It’s Scored (and Why Some Controls Matter More)

Each of the 110 NIST SP 800-171 controls has a point value—most are worth 1 point, but some critical controls deduct 3 or 5 points if they are not implemented. These “high-impact” controls typically involve:

Category                            High-Impact Controls                            Deduction
Access Control                      Multi-Factor Authentication, Least Privilege    -5 points
Audit & Accountability              Audit logging and retention                     -3 to -5
System & Communications Protection  Encryption of CUI in transit and at rest        -5
Configuration Management            System hardening and change control             -3
Incident Response                   Reporting and response plans                    -3

These carry more weight because they directly address high-risk vulnerabilities. Failure to implement them significantly undermines your security posture and, therefore, your eligibility to handle CUI.
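To make the weighting concrete, here is an added example (not code from the Systems Engineering post, and not the DoD's official per-control scoring table) that computes a score from a 110-control assessment and ranks the unimplemented controls by their deduction. The control labels (AC-MFA, GEN-001 and so on) and the weight table are constructed for illustration, following the categories and deductions listed in the table above; everything not listed is assumed to carry the default 1-point deduction.

```python
"""Added example: compute an SPRS-style score from an assessment and rank the
remaining gaps by deduction weight, costliest first.

Assumptions (constructed, not the DoD Assessment Methodology's official table):
control labels are made up, and the weights follow the categories in the post."""

from dataclasses import dataclass

MAX_SCORE = 110  # all 110 NIST SP 800-171 controls implemented

# Constructed weight table: control label -> points deducted when NOT implemented.
# Any control not listed here is assumed to carry the default 1-point deduction.
DEDUCTIONS = {
    "AC-MFA": 5,            # Access Control: multi-factor authentication
    "AC-LEAST-PRIV": 5,     # Access Control: least privilege
    "AU-LOGGING": 5,        # Audit & Accountability: logging and retention (post says -3 to -5)
    "SC-ENCRYPT-CUI": 5,    # System & Communications Protection: CUI encryption
    "CM-HARDENING": 3,      # Configuration Management: hardening and change control
    "IR-PLAN": 3,           # Incident Response: reporting and response plans
}
DEFAULT_DEDUCTION = 1


@dataclass(frozen=True)
class Gap:
    control: str
    deduction: int


def score_assessment(results: dict) -> tuple:
    """results maps control label -> True (implemented) / False (not implemented).

    Returns (score, gaps). Gaps are sorted with the costliest controls first,
    which is the order a POA&M should address them to raise the score fastest.
    Refuses assessments that do not cover exactly 110 controls, so a partial
    or duplicated control list cannot silently produce a defensible-looking score."""
    if len(results) != MAX_SCORE:
        raise ValueError(f"expected {MAX_SCORE} controls, got {len(results)}")
    gaps = [Gap(control, DEDUCTIONS.get(control, DEFAULT_DEDUCTION))
            for control, implemented in results.items() if not implemented]
    gaps.sort(key=lambda g: (-g.deduction, g.control))
    score = MAX_SCORE - sum(g.deduction for g in gaps)
    return score, gaps


def build_sample_results(missing: list) -> dict:
    """Construct a 110-control assessment: the six weighted controls above plus
    104 generic 1-point controls (constructed labels), marking `missing` as unimplemented."""
    labels = list(DEDUCTIONS) + [f"GEN-{i:03d}" for i in range(MAX_SCORE - len(DEDUCTIONS))]
    return {label: label not in missing for label in labels}


if __name__ == "__main__":
    # Constructed scenario: MFA and hardening unimplemented, plus three 1-point gaps.
    results = build_sample_results(["AC-MFA", "CM-HARDENING", "GEN-001", "GEN-002", "GEN-003"])
    score, gaps = score_assessment(results)
    print(f"SPRS score: {score}")  # 110 - 5 - 3 - 1 - 1 - 1 = 99
    for g in gaps:
        print(f"  remediate {g.control} (+{g.deduction} points)")
```

The point the ranking makes is the one the table makes: two weighted gaps (MFA and hardening) cost as much as eight ordinary ones, so closing them first moves the score far more than clearing a long tail of 1-point items. Replace the constructed weight table with the official DoD Assessment Methodology values before relying on any output.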

Level 1 vs. Level 2: Does SPRS Apply to Both?

Not exactly.

  • Level 1 (Foundational): Includes 17 basic cyber hygiene controls and does not require an SPRS score.
  • Level 2 (Advanced): Requires full implementation of NIST SP 800-171. An SPRS score submission is mandatory, along with a documented System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) if there are outstanding gaps.

If your business works with CUI—or plans to—you must meet Level 2 standards.

How Systems Engineering Helps Raise Your SPRS Score

At Systems Engineering, we guide organizations through the entire CMMC journey—from initial scoping to ongoing compliance monitoring.

Our SPRS score improvement process includes:

  • Scoping and Discovery: Identify where CUI resides, define boundaries, and document data flows.
  • Initial Controls Assessment: Measure your current cybersecurity posture against NIST SP 800-171A.
  • SPRS Score Calculation: Generate and validate your score before submitting it to the DoD.
  • POA&M Development: Assign responsibilities and set timelines for addressing gaps.
  • Remediation Support: From technical deployments to policy creation, we help close compliance gaps.
  • Continuous Advisory Services: We provide strategic guidance to maintain ongoing compliance.

A Managed Services Provider Aligned with the NIST Cybersecurity Framework

Systems Engineering stands apart from traditional MSPs by embedding compliance into the core of its operations. As part of our managed services model, we’ve aligned our internal processes, technologies, and service delivery with the NIST Cybersecurity Framework (CSF)—the same model that underpins CMMC.

This alignment ensures that:

  • Our platforms support the Identify, Protect, Detect, Respond, Recover, and Govern functions outlined in the NIST CSF.
  • Our clients benefit from security-first solutions, including endpoint detection and response, identity management, continuous monitoring, and incident response readiness.
  • We’re not just helping you prepare for a compliance audit—we operate at the same security standards we recommend.

Working with an MSP aligned with NIST CSF builds on a solid foundation. It reduces complexity, increases trust, and accelerates readiness for CMMC and real-world cyber threats.

What's Next?

If your organization handles CUI and hasn't submitted an SPRS score—or if your score is below 110—now is the time to act. With CMMC Level 2 assessments already underway and DoD contracts increasingly requiring validated compliance, the time to prepare is now.

Systems Engineering can help you:

  • Establish a compliance-aligned IT environment
  • Improve technical, procedural, and documentation gaps
  • Submit an accurate, defensible SPRS score

Contact us today to find out where your organization stands—and how to confidently move forward.