Understanding Your SPRS Score

For a lot of government contractors, the SPRS score is the most misunderstood piece of cybersecurity compliance. You’ve heard you need one to support DoD contracts — but how it’s calculated, what it means, and how it shapes future requirements is often fuzzy. Understanding it is a real step toward improving your security maturity, prioritizing remediation, and preparing for CMMC. Here’s how it works and how to improve it.

What SPRS is

The Supplier Performance Risk System is the DoD repository for contractor assessment information. On the cybersecurity side, it holds NIST SP 800-171 assessment scores for organizations that handle CUI, giving contracting officers visibility into your readiness. Under DFARS 252.204-7019, an offeror must have a current assessment score (no more than three years old) posted in SPRS before a covered contract can be awarded, so for most defense contractors an accurate score is a prerequisite for eligibility.

Why it matters

Your score is a snapshot of your NIST 800-171 implementation status. It doesn’t guarantee compliance, but it shows how many requirements you’ve implemented and where the big gaps are. It supports contract eligibility, demonstrates assessment activity, helps prioritize remediation, feeds CMMC planning, and gives leadership a read on maturity. Low scores usually expose broader governance and documentation weaknesses, not just isolated technical gaps.

How the score is calculated

Scoring follows the DoD Assessment Methodology for NIST SP 800-171 and covers all 110 requirements. You start at 110 and subtract points for each requirement that isn’t implemented: 5, 3, or 1 point depending on the weight the methodology assigns to it, with the heaviest weights on requirements most critical to protecting CUI. Because the weights add up to more than 110, the score can go negative; the floor is -203. Only two requirements allow partial credit: multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), each of which loses 3 points instead of 5 when partially met. Every other requirement is all-or-nothing, and a requirement on an open POA&M still counts as not implemented. The only scored input is implementation status; your SSP, evidence, and remediation plan don’t earn points by themselves, but an assessment can’t be performed without an SSP, and credible evidence is what lets you mark a requirement implemented. Focus on real operational security, not documentation theater.
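A worked calculation of the scoring rules above, as an added example that is not from the original page. The weights on the sample requirements are those the DoD Assessment Methodology assigns to them; the scenario (which requirements are missing or partial) is constructed, and any requirement not listed is assumed implemented. Verify weights against Annex A of the methodology version in force before relying on a computed score.

```python
"""Compute a NIST SP 800-171 / SPRS score and a remediation priority list.

Added example, not the page's own tooling. Rules implemented:
  * start at 110, subtract each unimplemented requirement's weight (5, 3 or 1)
  * only 3.5.3 (MFA) and 3.13.11 (FIPS crypto) may take a 3-point partial deduction
  * a POA&M entry does not reduce the deduction
  * no SSP means no assessment and therefore no score
  * the lowest possible score is -203
"""
from dataclasses import dataclass

MAX_SCORE = 110     # every requirement implemented
MIN_SCORE = -203    # every requirement missed at its full weight
# The only requirements with a 3-point partial option in the methodology.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Requirement:
    rid: str          # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int       # 5, 3 or 1, as assigned by the DoD Assessment Methodology
    status: str       # "implemented", "partial" or "not_implemented"
    poam: bool = False  # tracked on the POA&M; does not change the deduction

    def __post_init__(self):
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.rid}: weight must be 1, 3 or 5")
        if self.status not in ("implemented", "partial", "not_implemented"):
            raise ValueError(f"{self.rid}: unknown status {self.status!r}")


def deduction(req: Requirement) -> int:
    """Points subtracted for a single requirement."""
    if req.status == "implemented":
        return 0
    if req.status == "partial" and req.rid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.rid]
    # Everything else is all-or-nothing: "partial" on any other requirement,
    # or "not implemented but on the POA&M", still loses the full weight.
    return req.weight


def sprs_score(reqs, has_ssp: bool = True) -> int:
    """Score for an assessment; requirements not in `reqs` count as implemented."""
    if not has_ssp:
        raise ValueError("no SSP: the assessment cannot be performed, so there is no score")
    score = MAX_SCORE - sum(deduction(r) for r in reqs)
    assert MIN_SCORE <= score <= MAX_SCORE, "weights or statuses are inconsistent"
    return score


def remediation_priority(reqs):
    """Unimplemented requirements, most points regained first (ties by requirement number)."""
    def key(r):
        return (-deduction(r), tuple(int(p) for p in r.rid.split(".")))
    return sorted((r for r in reqs if deduction(r) > 0), key=key)


# Constructed sample assessment: weights are the methodology's, the gaps are made up.
SAMPLE = [
    Requirement("3.1.1", 5, "implemented"),               # limit access to authorized users
    Requirement("3.1.3", 1, "not_implemented"),           # control the flow of CUI
    Requirement("3.3.1", 5, "partial"),                   # audit logging: partial = full 5-point loss
    Requirement("3.3.2", 3, "not_implemented"),           # trace actions to individual users
    Requirement("3.5.3", 5, "partial"),                   # MFA for remote/privileged only: 3 points
    Requirement("3.11.2", 5, "implemented"),              # vulnerability scanning
    Requirement("3.11.3", 1, "not_implemented", poam=True),  # remediate vulns; POA&M changes nothing
    Requirement("3.13.11", 5, "partial"),                 # crypto in use but not FIPS-validated: 3 points
    Requirement("3.14.1", 5, "implemented"),              # identify, report and correct flaws
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE))   # 110 - (1+5+3+3+1+3) = 94
    for r in remediation_priority(SAMPLE):
        print(f"  fix {r.rid:8} regain {deduction(r)} point(s)")
```

The priority list is the useful output: with the same number of open items, closing 3.3.1 recovers five points while 3.11.3 recovers one, which is why logging and MFA gaps dominate low scores.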

What drags scores down

  • Missing multifactor authentication
  • Incomplete access control
  • Insufficient logging and monitoring
  • Weak vulnerability management
  • Outdated SSPs
  • Incomplete policies and procedures
  • Poor evidence management
  • Unclear assessment boundaries
  • Limited executive oversight

More often than not, a low score is a process and governance problem, not a technology limitation.

SPRS and CMMC

They’re related but different. SPRS holds your NIST SP 800-171 assessment score; CMMC layers a formal assessment on top to verify that the same controls are actually implemented (for most Level 2 contracts by a certified third-party assessor), plus an affirmation by a senior company official. Because CMMC Level 2 assesses the same 110 requirements, closing the gaps that depress your SPRS score is the same work as CMMC readiness, and it lowers your assessment risk.

Your SSP drives the score

The SSP underpins assessment quality and should accurately describe your assessment boundary, controls, platforms, roles, implementation methods, and procedures. Assessments routinely turn up documentation that doesn’t match operational reality, and those mismatches become findings.

Evidence matters

Strong evidence backs up your conclusions and shows controls are working. Keep configuration screenshots, audit logs, training records, vulnerability reports, policy acknowledgements, change management documentation, and incident response records throughout the year — not the week before a review.

How to improve your score

  • Run a NIST 800-171 self-assessment
  • Review and update your SSP
  • Identify the missing controls
  • Build a POA&M for remediation
  • Strengthen documentation and evidence
  • Validate Microsoft 365 controls
  • Run readiness reviews regularly

This belongs in front of leadership

Your SPRS score isn’t only an IT metric. Leadership funds remediation, approves policies, and owns risk decisions. Contractors who treat cybersecurity as a business initiative tend to raise their scores and sustain them.

How Mythos helps

We help you assess maturity, find the gaps, improve NIST 800-171 implementation, and prepare for CMMC — with security improvements that reduce risk and hold up under scrutiny.
