
Understanding and Calculating Your NIST 800-171 SPRS Score

Defense contractors handling Controlled Unclassified Information (CUI) must assess their cybersecurity posture against NIST SP 800-171. A critical part of this requirement is submitting a Supplier Performance Risk System (SPRS) score to the Department of Defense. This guide explains how the weighted scoring system works and how to accurately calculate your score.

Ready to make one? Easily track your compliance progress, calculate weighted deductions, and export your POA&M using the free NIST 800-171 SPRS Score Calculator.
Open NIST 800-171 SPRS Score Calculator →

What is the Supplier Performance Risk System (SPRS)?

The Supplier Performance Risk System (SPRS) is the Department of Defense's official system for evaluating contractor risk. Under DFARS clauses 252.204-7019 and 7020, contractors must maintain a current cybersecurity assessment score on file to be eligible for contract awards.

The score reflects the extent to which an organization has implemented the 110 security controls outlined in the NIST SP 800-171 framework. It serves as an objective, quantifiable metric of your organization's baseline cybersecurity readiness and protection of CUI.

How the SPRS Scoring Methodology Works

Unlike traditional grading scales that start at zero, the SPRS scoring system assumes a perfect score of 110 and subtracts points for any unimplemented controls. Not all controls are weighted equally; deductions are based on the impact the missing control has on the network's overall security.

Controls are assigned a deduction value of 1, 3, or 5 points. Because of these heavy penalties, it is entirely possible—and common for companies just starting their compliance journey—to end up with a negative SPRS score. The lowest possible score is technically -203.

How to Calculate Your SPRS Score

To calculate your SPRS score, begin with a baseline of 110 points. For every NIST 800-171 requirement that is not yet fully implemented, subtract its assigned point value (either 1, 3, or 5) from your total.

For example, if your organization has implemented all controls except for two 5-point controls and one 3-point control, your calculation would be: 110 - 5 - 5 - 3. Your final SPRS score would be 97.

Important note: Partial implementation does not earn partial credit. If a requirement is only partially met, you must deduct the full value of that control.
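The calculation described above can be automated over a self-assessment worksheet. The following is an added example, not code from the calculator this guide links to; the control identifiers (EX-01 and so on), the status names, and the worksheet itself are constructed for illustration and do not correspond to real NIST SP 800-171 requirement numbers or their assigned weights.

```python
"""Added example: SPRS score from a self-assessment worksheet (constructed data)."""
from dataclasses import dataclass

BASELINE = 110                      # starting score stated in the guide
VALID_WEIGHTS = {1, 3, 5}           # deduction values stated in the guide
STATUSES = {"implemented", "partial", "not_implemented"}  # assumed status names


@dataclass(frozen=True)
class Control:
    control_id: str   # hypothetical identifier, not a real NIST requirement number
    weight: int       # deduction taken if the control is not fully implemented
    status: str       # one of STATUSES


def score_assessment(controls):
    """Return (score, poam) where poam lists every control that cost points."""
    seen = set()
    score = BASELINE
    poam = []
    for c in controls:
        if c.control_id in seen:
            raise ValueError(f"duplicate control: {c.control_id}")
        seen.add(c.control_id)
        if c.weight not in VALID_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight must be 1, 3 or 5")
        status = c.status.strip().lower()
        if status not in STATUSES:
            raise ValueError(f"{c.control_id}: unknown status {c.status!r}")
        if status != "implemented":
            # Partial implementation earns no credit: deduct the full weight.
            score -= c.weight
            poam.append((c.control_id, c.weight, status))
    # List the largest deductions first (a choice made for this example).
    poam.sort(key=lambda item: (-item[1], item[0]))
    return score, poam


# Constructed worksheet mirroring the guide's worked example (two 5s and a 3 unmet).
SAMPLE = [
    Control("EX-01", 5, "not_implemented"),
    Control("EX-02", 5, "partial"),
    Control("EX-03", 3, "not_implemented"),
    Control("EX-04", 1, "implemented"),
]

if __name__ == "__main__":
    total, open_items = score_assessment(SAMPLE)
    print(total)
    for item in open_items:
        print(item)
```

Rejecting unknown statuses and weights, rather than silently treating them as implemented, keeps a typo in the worksheet from inflating the reported score.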

The Role of the Plan of Action and Milestones (POA&M)

When you identify unmet controls during your self-assessment, you are required to document them in a Plan of Action and Milestones (POA&M). The POA&M details your timeline, resources, and strategy for implementing the missing security controls.

While a POA&M is acceptable for most missing controls, certain foundational controls—such as basic routing and access limitations—cannot simply be relegated to a POA&M if you expect to handle CUI safely. The goal is to continuously work through your POA&M to eventually reach the target score of 110.

Frequently asked questions

What is the maximum and minimum possible SPRS score?

The maximum possible score is 110, indicating full implementation of all NIST 800-171 controls. The minimum possible score is -203, which occurs if zero controls have been implemented.

How often do I need to update my SPRS score?

Per DFARS requirements, your SPRS score must be updated at least once every three years. However, best practice is to update it whenever you successfully close items on your POA&M.

Can I still win DoD contracts with a negative SPRS score?

Yes, having a score on file is often the hard requirement. However, contracting officers use these scores in their risk assessments, so a lower score could make you less competitive against peers with higher scores.

Do I get partial points for partially implemented controls?

No. The DoD scoring methodology requires full implementation of a control to avoid the deduction. If it is only 90% implemented, you must take the full point deduction.
