Reporting Your DoD Self Assessment (SPRS) Score: What to Know

June 10, 2025 at 2:59 PM

If you contract with the Department of Defense (DoD)—directly or indirectly—you’re likely required to report a cybersecurity self-assessment score to the Supplier Performance Risk System (SPRS). SPRS is a web-based system used by the DoD to track and assess contractor performance and risk. This requirement is not optional, and failure to comply can cost your organization valuable contract opportunities or trigger serious enforcement actions.

For many contractors, particularly small to mid-sized firms, understanding the purpose, process, and implications of the SPRS score can be challenging. This post outlines what the score is, why it matters, how it’s used in procurement, and how Compass can help your organization meet its obligations with confidence.

What Is the SPRS Score?

The SPRS score is a numeric representation of your organization’s implementation of the 110 security requirements outlined in NIST SP 800-171, Revision 2—a federal framework for protecting Controlled Unclassified Information (CUI) in non-federal information systems.

SPRS scores are based on the NIST SP 800-171 DoD Assessment Methodology. A basic self-assessment score (along with a date when full compliance will be reached, if not already) must be submitted via the Supplier Performance Risk System (SPRS) portal. The scoring methodology is defined by the DoD Assessment Methodology (DoDAM), and it operates on a subtractive basis:

  • You begin with a maximum score of 110
  • For each unmet requirement, points are subtracted based on the control’s weighted impact:
    • 5 points for high-impact gaps
    • 3 points for medium-risk gaps
    • 1 point for lower-risk deficiencies
  • Incomplete implementation of certain critical controls—like multi-factor authentication—may result in partial deductions (e.g., 3 instead of 5)
  • It’s possible to have a negative score (as low as -203), especially if you lack a documented System Security Plan (SSP)

A perfect score (110) reflects full alignment with NIST 800-171, but most organizations report scores well below that on their first attempt. What matters is that the score is accurate, up to date, and defensible.
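The subtractive arithmetic above, as an added example that is not part of the original post: each unmet requirement carries a DoDAM weight of 5, 3 or 1, partial credit is only allowed where the methodology permits it (the MFA case the article cites), and the resulting gaps double as the rows of the Plan of Action. The requirement ids and weights in the sample findings are constructed for illustration, not a real assessment.

```python
"""Added example: SPRS-style subtractive scoring. Sample findings are constructed."""
from dataclasses import dataclass

MAX_SCORE = 110            # all 110 NIST SP 800-171 requirements implemented
MIN_SCORE = -203           # lowest score the methodology can produce
VALID_WEIGHTS = {1, 3, 5}  # high / medium / low impact deductions
# Partial-implementation deductions: the article cites MFA as 3 instead of 5.
# Which requirements qualify is defined by DoDAM; a per-finding flag is assumed here.
PARTIAL_DEDUCTION = {5: 3}


@dataclass(frozen=True)
class Finding:
    requirement: str       # NIST SP 800-171 requirement id, e.g. "3.5.3"
    weight: int            # DoDAM weight assigned to that requirement
    partial: bool = False  # partially implemented (only where DoDAM allows)


def deduction_for(f: Finding) -> int:
    """Points subtracted for one unmet requirement."""
    if f.weight not in VALID_WEIGHTS:
        raise ValueError(f"{f.requirement}: weight must be 1, 3 or 5")
    if f.partial:
        if f.weight not in PARTIAL_DEDUCTION:
            raise ValueError(f"{f.requirement}: partial credit not allowed at weight {f.weight}")
        return PARTIAL_DEDUCTION[f.weight]
    return f.weight


def sprs_score(findings) -> int:
    """Start at 110 and subtract every gap; each requirement may be counted once."""
    ids = [f.requirement for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement id in findings")
    score = MAX_SCORE - sum(deduction_for(f) for f in findings)
    if score < MIN_SCORE:
        raise ValueError("total deductions exceed the methodology's maximum")
    return score


def poam_rows(findings):
    """Plan of Action rows: every unmet requirement, largest deduction first."""
    rows = [(f.requirement, deduction_for(f)) for f in findings]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample: MFA partially rolled out plus three other gaps (weights illustrative).
SAMPLE = [
    Finding("3.5.3", 5, partial=True),  # MFA: 3 points off rather than 5
    Finding("3.1.1", 5),
    Finding("3.3.1", 3),
    Finding("3.14.1", 1),
]
```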

If a contractor’s SPRS score is less than 110, indicating security gaps exist, then the contractor must create a Plan of Action identifying security tasks that still need to be accomplished. An SSP describes the cybersecurity plan the contractor has in place to protect CUI. The SSP needs to address each NIST SP 800-171 security requirement and explain how the requirement is implemented. This can be through policy, technology, or a combination of both.

Why the SPRS Score Exists

The SPRS requirement stems from DFARS clauses 252.204-7012, 7019, and 7020, which collectively form the cybersecurity backbone of DoD contracting. Under these rules, any contractor that stores, processes, or transmits CUI must:

  1. Perform a Basic Self-Assessment aligned with NIST 800-171
  2. Submit the score to SPRS
  3. Maintain an SSP and Plan of Action & Milestones (POA&M) to track remediation

The DoD uses the SPRS score as a risk indicator during acquisition decisions. A low or missing score can disqualify your bid or prevent you from serving as a subcontractor on federal programs involving CUI.

**If you handle CUI, you’re subject to Level 2 and must:**

  • Conduct a NIST 800-171 self-assessment,
  • Score it using the DoD methodology,
  • Submit the score and related info to SPRS, and
  • Keep it updated at least every 3 years or when significant changes occur.

As the Cybersecurity Maturity Model Certification (CMMC) framework continues to roll out, SPRS scores are becoming more scrutinized. In many cases, a valid SPRS score is the minimum requirement to get through the door.

The final 48 CFR Part 204 CMMC Acquisition rule will authorize the DoD to include specific CMMC level requirements in solicitations and contracts. Once in effect, contracting officers will be prohibited from awarding a contract, exercising an option, or extending performance unless the contractor has a current certification or self-assessment at the required CMMC level and has affirmed continuous compliance in the SPRS for all systems handling FCI or CUI. These requirements will also apply to subcontractors at all tiers if they process, store, or transmit FCI or CUI. Although the rule has not yet been finalized, the DoD may still apply CMMC requirements to existing contracts through bilateral modifications after negotiation.

Where and How to Report

Reporting is done through the SPRS portal, which is accessible via the Procurement Integrated Enterprise Environment (PIEE). SPRS: https://www.sprs.csd.disa.mil/

To submit a score:

  • Your organization must have an active CAGE code and be registered in SAM.gov
  • You must create a PIEE account and request the SPRS Cyber Vendor User role
  • Once approved, you can log into SPRS, select your CAGE code, and enter your assessment details

If you're unable to access the SPRS portal, the DoD also allows score submissions via encrypted email to webptsmh@navy.mil. However, this method has limitations and may delay updates or contract reviews.

Regardless of the method, your submission must include:

  • Assessment date
  • Score value
  • System Security Plan (SSP) name and version
  • CAGE code(s) covered
  • Projected date to reach full compliance (110), if not already met
  • Assessment scope (Enterprise, Enclave, or Contract-specific)

CMMC 2.0 adds more accountability to the self-attestation process by requiring a senior company officer (aka Affirming Official [AO]) to confirm the results. For Level 1, this means signing off when uploading assessment documents to SPRS. For Level 2, it applies when entering self-assessment scores into the system.

Why Accurate Reporting Matters

Your SPRS score is a certification to the federal government about your cybersecurity posture. Submitting an inaccurate score—either by mistake or intentionally—carries serious risk.

Potential consequences include:

  • Loss of contracts
  • Suspension or debarment from future federal awards
  • Enforcement under the False Claims Act, with penalties up to three times the contract value
  • Whistleblower actions by internal personnel or competitors

Additionally, scores can be audited by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) through random checks or during escalated contract reviews. If selected, you may undergo a Medium or High Confidence assessment, which involves in-depth documentation reviews and sometimes on-site inspection.

The DoD has also indicated that CMMC Level 2 certifications—when applicable—will rely on or replace SPRS scores with verified third-party assessments submitted by Certified Third Party Assessment Organizations (C3PAOs).

**CMMC Level 1 (FAR 52.204-21) – Basic Safeguarding of Federal Contract Information (FCI)**

  • Requirement: After the self-assessment, results (not the score) must be submitted into the SPRS
  • Affirmation: The organization must affirm compliance with FAR 52.204-21 requirements in SPRS.
  • Annual Affirmation: The self-assessment and affirmation must be done every year to maintain certification status.

Common Challenges for Contractors

Many small and mid-size defense contractors struggle with:

  • Understanding how to interpret the 110 NIST controls
  • Translating technical gaps into a structured POA&M
  • Maintaining a compliant SSP across multiple CAGE codes or environments
  • Keeping the score updated during security improvements or policy changes
  • Navigating the PIEE portal and registration steps

These challenges are compounded by evolving requirements, updates to federal guidance, and the limited availability of internal cybersecurity expertise.

How Compass Can Help

As a CMMC Registered Provider Organization (RPO), Compass assists defense contractors and their partners in understanding and meeting federal cybersecurity requirements. Whether you're reporting your SPRS score for the first time or working toward long-term compliance goals, we offer practical guidance rooted in real-world experience.

Our team supports organizations by helping them assess their current cybersecurity posture, identify gaps, interpret requirements under NIST SP 800-171, and prepare for evolving compliance obligations—including those under CMMC.

From advising on documentation and scoring considerations to supporting improvement efforts over time, Compass provides the expertise and structure needed to stay aligned with DoD expectations and maintain a competitive edge in the defense contracting space.

Final Thoughts

SPRS reporting is not a one-time task—it’s part of an ongoing effort to align with federal cybersecurity standards. Contractors that take the process seriously are better positioned to win and retain DoD contracts while avoiding costly enforcement actions.

If your organization needs help performing an assessment, improving your score, or reporting it accurately, Compass is here to guide you every step of the way. Reach out today to schedule a consultation or learn more about our NIST 800-171 and CMMC support services.
