NIST 800-171 SPRS Score: How It's Calculated and Why It Now Carries Legal Weight
DoD reviews it at contract award now. If it’s wrong, the False Claims Act, not your IT team, decides what happens next.
An SPRS (Supplier Performance Risk System) score is a defense contractor's self-assessment against the 110 controls in NIST SP 800-171, scored from a maximum of 110 down to a floor of -203. DoD contracting officers check it before award, a requirement the CMMC acquisition rule that took effect on November 10, 2025 reinforced, which makes an inaccurate score a False Claims Act risk.
KEY TAKEAWAYS
- SPRS scores run from +110 (all 110 NIST SP 800-171 controls met) to a floor of -203, calculated with the DoD Assessment Methodology v1.2.1.
- You start at 110 and subtract 1, 3, or 5 points for each unmet control. There is no partial credit, and the 110 controls hold 320 assessment objectives.
- Contracting officers must confirm that a current score is in SPRS before award (DFARS 252.204-7019 and -7020, in force since the 2020 interim rule); the 48 CFR CMMC acquisition rule effective November 10, 2025 adds verification of CMMC status on top of that check.
- An inflated score is False Claims Act exposure. MORSECORP paid $4.6 million in the first FCA case built on a contractor not correcting its SPRS score.
- CMMC Level 2 conditional status needs a score of at least 88, every remaining gap must be one that is allowed on a POA&M, and your score must match your SSP and POA&M.

For years, the SPRS score lived in a quiet corner of defense contracting. Contractors self-assessed against NIST SP 800-171, calculated a number, posted it to a DoD database, and moved on. Few people read it closely. That period is over. The number you have on file is now something a contracting officer looks at before awarding work, and something a whistleblower or the Justice Department can hold up later if it did not reflect reality. This guide explains what the score is, exactly how it is calculated, why it suddenly carries legal weight, and what to do this week if you are not certain yours is accurate.
What an SPRS score actually is
SPRS stands for Supplier Performance Risk System, a DoD database that stores supplier risk and performance information used across the acquisition community. For cybersecurity, it holds your NIST SP 800-171 assessment score: a single number that summarizes how completely you have implemented the 110 security controls required to protect Controlled Unclassified Information (CUI) on a non-federal system.
The requirement traces back to DFARS 252.204-7012, which obligates contractors handling covered defense information to implement NIST SP 800-171. DFARS 252.204-7019 and 252.204-7020 then require you to perform an assessment using the DoD methodology and post the resulting summary score in SPRS, and to keep it current. If you handle CUI on a DoD contract, an SPRS score is not optional. It is a condition of doing business.
How the SPRS score is calculated
The scoring is deliberately strict. You begin with a perfect score of 110, which assumes every one of the 110 controls is fully implemented. For each control you have not met, you subtract its assigned weight of 1, 3, or 5 points. The weight reflects how much that control matters to the security of CUI, and the values come from the DoD Assessment Methodology, version 1.2.1.
A couple of concrete examples make the weighting clear. If you have not deployed multi-factor authentication for any users (Security Requirement 3.5.3), you lose 5 points. If you have deployed it only for remote and privileged users, you lose 3. If your encryption is not FIPS-validated (Security Requirement 3.13.11), you lose 3 points; if you use no encryption for CUI at all, you lose 5.

Two features of the methodology trip up first-time assessors.
The first is that there is no partial credit. A control is either Met or Not Met. The 110 controls expand into 320 assessment objectives in NIST SP 800-171A, and to score a control as Met you must satisfy every one of its objectives. Miss a single objective and the entire control counts as unmet, with the full weight deducted.
The second is that the floor is deeply negative. The weights of all the scored controls add up to 313, far more than the 110 you start with, so a contractor who has implemented almost nothing does not land at zero. The lowest possible score is -203. First-time honest self-assessments routinely come back negative, and that is normal. The danger is not a low score. The danger is a comfortable positive score that your evidence cannot support.
The three assessment levels
The DoD methodology defines three assessment types. A Basic Assessment is the self-assessment most contractors complete: you evaluate your own systems against the 110 controls, calculate a score, and post it to SPRS. A Medium Assessment and a High Assessment are conducted by the government and involve review of documentation and, for High, an on-site or thorough validation. One detail worth noting: for Medium and High assessments performed virtually, the maximum score is capped at 100 rather than 110, because the assessor cannot independently verify certain physical controls.
For CMMC Level 2, a third-party assessment by a C3PAO becomes the requirement for many CUI contracts as the program phases in. A conditional Level 2 status requires a score of at least 88 out of 110, with the remaining gaps tracked on a Plan of Action and Milestones and closed within 180 days.
Where you post the score and how long it lasts
You post the summary score, not the individual control determinations, into SPRS, along with the date of the assessment and the date you project full compliance. A score is considered current for three years. A stale score, one older than three years, on an active contract is its own compliance problem, because the regulation expects a current assessment on file.
This is where many contractors fall behind. They post a score once, often during a proposal rush, and never revisit it as their environment changes or as they remediate gaps. The score drifts from reality in both directions: sometimes lower than it should be after real improvements, and sometimes, more dangerously, higher than the implemented controls justify.
Why the score now carries legal weight
The shift that raised the stakes came on November 10, 2025, when the CMMC acquisition rule codified at 48 CFR took effect. Contracting officers had already been required since the 2020 DFARS interim rule to confirm a current score in SPRS before award; they now also verify CMMC status there, and the self-assessment behind that status is the same 110-control scoring. The score is no longer a preparatory artifact sitting in a database. It is a representation the government relies on when deciding whether to award you work.
That reliance is what creates legal exposure. When the score you post is higher than what you have actually implemented, and the government pays you on a contract that required that compliance, the gap can become the basis for a claim under the False Claims Act, 31 U.S.C. 3729. In its fiscal year 2025 statistics, the Justice Department reported recovering more than $52 million across nine cybersecurity False Claims Act settlements, and noted that cybersecurity resolutions have more than tripled in each of the past two years. A senior DOJ official framed these cases plainly: they are about misrepresentation, not data breaches. You do not need to be hacked to be liable. You need to have said something that was not true.

If you want a rough read on your own exposure before you go further, the free calculator at falseclaimsrisk.com walks you through the main factors in a few minutes, with no signup.
What the MORSECORP settlement teaches
The case that made all of this concrete is MORSECORP. According to the Justice Department and the settlement announced in March 2025, MORSE submitted an inflated self-assessment score to SPRS while its leadership knew the company had not implemented the required controls. The admitted failures included using a third-party email service that did not meet the FedRAMP Moderate baseline, lacking a consolidated system security plan, and not deploying core NIST 800-171 protections.

A third-party assessment exposed the gap. Rather than correct the number promptly, MORSE waited. It did not enter a corrected score until June 2023, when it posted a 57, later improving to 82 and eventually 110 as it remediated. That delay was the heart of the case. The settlement was the first False Claims Act resolution premised on a contractor failing to update its SPRS score after learning the score was wrong.
The case also reveals where these claims come from. It began as a qui tam complaint filed by MORSE’s own head of security, who received roughly 18.5 percent of the recovery, about $851,000. The people best positioned to know whether your posted score is honest are the people who work for you, and the False Claims Act gives them a financial reason to come forward.
How to check your SPRS score this week
If you handle CUI on a DoD contract, treat your SPRS entry as something you may be asked to defend, because you can be. A practical sequence:
- Pull your current SPRS score and the date it was posted. If it is older than three years, it is stale and needs a refresh regardless of anything else.
- Re-run the assessment against your actual environment using the DoD Assessment Methodology, scoring each of the 320 objectives honestly. If the real number is lower than what is posted, that gap is your exposure, and it is the thing to close first.
- Confirm the score is backed by a current system security plan. The score and the SSP have to tell the same story. A missing or contradictory SSP was one of the admitted failures in the MORSECORP case.
- For controls you have not fully met, document them on a Plan of Action and Milestones rather than scoring them as Met. A POA&M is a legitimate, defensible position. A false Met is not. Keep in mind that conditional CMMC Level 2 status requires at least 88, and that not every control is eligible to sit on a POA&M: under 32 CFR 170.21 only 1-point requirements may be deferred, with 3.13.11 allowed at its 3-point partial value, and a few specific 1-point requirements are excluded as well.
- If your posted score is wrong, correct it now, and keep a dated record of when you learned the true number and when you fixed it. Speed of correction is precisely what MORSE got wrong.
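The scoring rules from the calculation section and the checklist above, as an added example that is not DoD, NIST or this article's code. It assumes a small constructed weight table (only the 5-point weights of 3.5.3 and 3.13.11, with their 3-point partial deductions, come from the article; every other weight is illustrative and must be replaced by Annex A of the DoD Assessment Methodology v1.2.1 before the result means anything), placeholder objective letters standing in for the 800-171A determination statements, and a hypothetical sample environment for a contractor part-way through remediation. The POA&M eligibility check models only the 32 CFR 170.21 weight rule, not its short list of specifically excluded 1-point requirements.

```python
"""SPRS-style scorer for a NIST SP 800-171 self-assessment (added example,
not DoD, NIST or article code). Rules: start at 110, deduct a control's
full weight when any 800-171A objective is unmet, apply the 3-point partial
deductions for 3.5.3 and 3.13.11, clamp at -203, then review a posted score.
SAMPLE_WEIGHTS is a constructed subset (only 3.5.3 and 3.13.11 come from the
article); replace it with Annex A of the DoD Assessment Methodology v1.2.1.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

MAX_SCORE = 110
FLOOR = -203                 # 110 minus the 313 points the full table can deduct
CONDITIONAL_L2_MIN = 88      # 80 percent of 110, rounded up
SCORE_VALID_YEARS = 3

SAMPLE_WEIGHTS = {           # constructed subset, see docstring
    "3.1.1": 5, "3.1.3": 1, "3.5.3": 5, "3.11.2": 5,
    "3.12.1": 3, "3.13.11": 5, "3.14.5": 3,
}

@dataclass
class Control:
    req_id: str
    objectives: dict[str, bool]   # placeholder letters for 800-171A determination statements
    facts: dict[str, bool] = field(default_factory=dict)  # extra context for partial rules

    def fully_met(self) -> bool:
        return all(self.objectives.values())

def deduction(control: Control, weights=SAMPLE_WEIGHTS) -> int:
    """Points lost for one control: zero only when every objective is met."""
    if control.fully_met():
        return 0
    o = control.objectives
    if control.req_id == "3.5.3":
        # a: privileged accounts identified, b/c: MFA on local/network privileged access,
        # d: MFA on network access for non-privileged users. Missing only d is the
        # methodology's 3-point case (MFA for privileged and remote users, not general).
        return 3 if o.get("a") and o.get("b") and o.get("c") and not o.get("d") else 5
    if control.req_id == "3.13.11":
        # Encryption in use but not FIPS-validated: 3. No encryption of CUI at all: 5.
        return 3 if control.facts.get("encryption_in_use") else 5
    return weights[control.req_id]

def sprs_score(controls: list[Control], weights=SAMPLE_WEIGHTS) -> int:
    """110 minus all deductions, never below the -203 floor."""
    return max(MAX_SCORE - sum(deduction(c, weights) for c in controls), FLOOR)

def poam_eligible(control: Control, weights=SAMPLE_WEIGHTS) -> bool:
    """32 CFR 170.21 weight rule: nothing above 1 point may sit on a POA&M,
    except 3.13.11 at its 3-point value (the rule's excluded-1-point list is not modelled)."""
    lost = deduction(control, weights)
    if lost == 0:
        return True
    if control.req_id == "3.13.11":
        return lost == 3
    return weights[control.req_id] == 1

def conditional_level2(controls, weights=SAMPLE_WEIGHTS) -> bool:
    """Conditional CMMC Level 2: score of at least 88 and every gap POA&M-eligible."""
    return (sprs_score(controls, weights) >= CONDITIONAL_L2_MIN
            and all(poam_eligible(c, weights) for c in controls))

def is_stale(posted_on: str, today: str) -> bool:
    """A score more than three years old is not current (ISO date strings)."""
    posted = date.fromisoformat(posted_on)
    try:
        expiry = posted.replace(year=posted.year + SCORE_VALID_YEARS)
    except ValueError:                       # posted on 29 February
        expiry = posted.replace(year=posted.year + SCORE_VALID_YEARS, day=28)
    return date.fromisoformat(today) > expiry

def review_posting(posted_score, posted_on, controls, today, weights=SAMPLE_WEIGHTS) -> dict:
    """The weekly check: real vs posted score, staleness, Level 2 readiness."""
    actual = sprs_score(controls, weights)
    return {"actual_score": actual, "posted_score": posted_score,
            "overstated_by": max(posted_score - actual, 0),    # the FCA exposure direction
            "understated_by": max(actual - posted_score, 0),
            "stale": is_stale(posted_on, today),
            "conditional_level2": conditional_level2(controls, weights),
            "poam_ineligible": [c.req_id for c in controls if not poam_eligible(c, weights)]}

# Constructed sample environment: a contractor part-way through remediation.
SAMPLE_ENVIRONMENT = [
    Control("3.1.1", {"a": True, "b": True, "c": True}),                  # met
    Control("3.1.3", {"a": True, "b": False}),                            # one objective short: -1
    Control("3.5.3", {"a": True, "b": True, "c": True, "d": False}),      # MFA except general users: -3
    Control("3.11.2", {"a": True, "b": True}),                            # met
    Control("3.12.1", {"a": True, "b": False}),                           # -3
    Control("3.13.11", {"a": False}, facts={"encryption_in_use": True}),  # non-FIPS crypto: -3
    Control("3.14.5", {"a": True, "b": True}),                            # met
]

if __name__ == "__main__":
    # Posted 104 in January 2021 and never revisited; reviewed in mid-2025.
    for key, value in review_posting(104, "2021-01-15", SAMPLE_ENVIRONMENT, "2025-06-01").items():
        print(f"{key}: {value}")
```

With the sample environment the real score is 100, four points below the hypothetical posted 104, the posting is more than three years old, and conditional Level 2 is still out of reach despite the score clearing 88, because 3.5.3 (weight 5) and 3.12.1 (weight 3) are not allowed on a POA&M. The lesson the numbers carry: a partially met control still costs its full weight, and the 88 threshold is necessary but not sufficient.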
If you would rather not build the calculation from a blank spreadsheet, the NIST 800-171 SPRS Score Workbook ($87) runs the full 320-objective scoring with the correct weights and produces a defensible score and a clean record you can post with confidence.
Common SPRS scoring mistakes
A few errors show up again and again, and each one inflates a score above what the evidence supports:
- Assuming partial credit. A control that is half-implemented is Not Met and loses its full weight. A POA&M documents the gap defensibly, but it does not restore the points.
- Scoring a control Met without checking every objective. Because each control breaks into multiple assessment objectives, it is easy to satisfy most of them, call the control done, and skip the deduction you should have taken.
- Letting the score go stale. A score over three years old is not current, and a non-current score on an active contract is a finding waiting to happen.
- A score that does not match the SSP. If your plan describes controls you have not implemented, or your score claims controls your plan does not document, the two will contradict each other in an assessment.
The bottom line
The SPRS score is no longer an IT housekeeping task. It is a statement the government relies on at award and can scrutinize later, and the False Claims Act puts real money behind getting it wrong. The good news is that the fix is entirely within your control: assess honestly against all 320 objectives, back the number with a current SSP and a realistic POA&M, and correct anything that is inaccurate before someone else points it out.
Knowing your real score before a contracting officer or a C3PAO does is the whole game. The NIST 800-171 SPRS Score Workbook ($87) handles the calculation end to end. And if you are standing up CMMC Level 2 readiness from scratch, the CMMC Level 2 Readiness Kit ($147) bundles the SPRS workbook with the SSP template, asset scoping worksheet, and evidence tracker, so the score, the plan, and the evidence all line up before an assessor reads them.
Sources
- U.S. Department of Justice, press release on the MORSECORP Inc. $4.6 million False Claims Act settlement (March 2025).
- U.S. Department of Justice, Fiscal Year 2025 False Claims Act recoveries and statistics (January 2026), reporting more than $52 million across nine cybersecurity settlements.
- DoD, NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 (control weights of 1, 3, and 5; the -203 floor; the reduced maximum for virtual assessments).
- NIST Special Publication 800-171 (Rev. 2), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (the 110 controls).
- NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information (the 320 assessment objectives).
- DFARS 252.204-7012, 252.204-7019, and 252.204-7020 (NIST 800-171 implementation, the assessment requirement, and SPRS score reporting).
- CMMC Program rule, 32 CFR Part 170, and the 48 CFR acquisition rule effective November 10, 2025 (contracting-officer review of SPRS scores).
- False Claims Act, 31 U.S.C. § 3729.