How a NIST 800-171 SPRS Score Is Calculated (And Why a Wrong One Is a Legal Problem)
A NIST SP 800-171 SPRS score is the single number the Department of Defense uses to gauge how much cybersecurity risk you carry before it awards you a contract. You calculate it by assessing your systems against the 110 controls in NIST SP 800-171 Rev 2, applying the DoD Assessment Methodology, and posting the result to the Supplier Performance Risk System (SPRS). The score runs from a maximum of 110 down to a floor of -203.
Most coverage treats that number as an IT scorecard. It is not. The moment you post it to SPRS, it stops being an internal metric and becomes a representation to the federal government. That distinction is the whole subject of this post, and it is the difference between a compliance task and a legal exposure.
- Your SPRS score is a self-reported representation to the DoD, not an internal IT number. Posting a wrong one knowingly is the basis for False Claims Act liability, and no breach has to occur.
- The score starts at 110 and drops by 1, 3, or 5 points for each unimplemented control under the DoD Assessment Methodology v1.2.1. The range is -203 to 110.
- All but two controls are all-or-nothing. Only multifactor authentication (3.5.3) and FIPS-validated encryption (3.13.11) have a defined partial deduction.
- In March 2025 a defense contractor that posted a 104 when its real score was -142 paid $4.6M to settle. That 246-point gap, not a hack, was the violation.
- 88 of 110 (80%) is the floor for a conditional CMMC Level 2 status, and the remaining gaps must sit on a POA&M and be closed within 180 days. 110 is the only score that is acceptable in the long run.

A self-assessment is not a low-stakes assessment
For most of the Defense Industrial Base, the SPRS score is self-generated. You run the assessment yourself, calculate the number, and upload it. There is no auditor in the room. It is tempting to read “self-assessment” as “low stakes,” and that reading is exactly what gets contractors into trouble.
The score is required under DFARS 252.204-7019 and 252.204-7020, which oblige contracting officers to verify that a current score is posted in SPRS before award. Since November 10, 2025, with DFARS 252.204-7021 in effect and the CMMC rollout under way, a CMMC status at the required level is becoming a condition of award as well. A low or stale score can cost you the bid. A score you cannot defend can cost you a great deal more.
In March 2025, the Department of Justice announced that MORSECORP, a Massachusetts defense contractor, agreed to pay $4.6 million to resolve False Claims Act allegations. According to the DoJ announcement, the company submitted a self-assessed SPRS score of 104 in January 2021. A third-party consultant later determined the real score was -142, with only 22% of the controls actually implemented. The company did not correct the SPRS entry until June 2023, three months after the government served it with a subpoena.
Read that gap again. The company reported a number near the top of the range. Its true posture sat near the bottom. There was no breach, no stolen data, no incident. The misrepresentation itself was the violation.
How the SPRS score is actually calculated
If you understand how the number is built, you understand why an inflated one is so easy for a consultant or an assessor to expose.

You start with a perfect score of 110, which represents full implementation of all 110 controls in NIST SP 800-171 Rev 2. The DoD Assessment Methodology (currently version 1.2.1) assigns each control a weight of 1, 3, or 5 points according to how much its absence matters to protecting Controlled Unclassified Information (CUI). For every control you have not fully implemented, you subtract its weight. One control is handled differently: 3.12.4, the System Security Plan itself, carries no weight, because the methodology treats a missing SSP as a condition under which the assessment cannot be completed at all.
Because the weights sum to 313, well above 110, the math can run negative. A contractor that has implemented nothing lands at the -203 floor. This is why first-time honest self-assessments so often come back negative, and why the DIB-wide average score has historically been reported around 60 rather than 110.
Here is the nuance most quick explainers skip, and getting it right is part of getting the score right:
- All but two controls are all-or-nothing. A control is either Met (no deduction) or Not Met (its full weight subtracted). Partial implementation earns you nothing.
- Exactly two controls have a defined partial deduction. Multifactor authentication (3.5.3) costs 3 points if you have deployed it only for remote and privileged users rather than for all users, and 5 points if it is not deployed at all. FIPS-validated encryption (3.13.11) costs 3 points if you protect CUI with cryptography that is not FIPS-validated, and 5 points if you do not encrypt it at all.
The takeaway for a small shop: you cannot round up. “We are mostly there on access control” does not earn partial credit on a control the methodology treats as binary. The score reflects what is actually implemented and documented, not what is planned or in progress.
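A worked version of that arithmetic, added here as an illustration (this is example code, not the post's workbook or any DoD tool). It assumes one record per control carrying a status and a list of evidence references, uses only a subset of the Annex A weight table (the two partial-deduction controls are as described above; the other weights are recalled from version 1.2.1 and must be checked against the published table before use), and applies the same rule the checklist at the end of this post uses: a control claimed Met with no evidence behind it is scored Not Met. Controls missing from the input are also scored Not Met, so the worksheet starts from Not Met and earns each point.

```python
"""Added worked example: SPRS score arithmetic under the DoD Assessment
Methodology (start at 110, subtract 1/3/5 per unmet control, two partial cases).
Illustrative subset of the weight table; not the post's or DoD's tooling."""
from dataclasses import dataclass, field

MAX_SCORE = 110
FLOOR = -203  # only reached with the full 110-control table (weights sum to 313)

# Subset of the Annex A weights, for illustration. 3.5.3 and 3.13.11 are as the
# post states; the rest are recalled from v1.2.1 and must be verified against
# the published table. A real worksheet lists all 110 controls.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.19": 3, "3.1.20": 1, "3.1.22": 1,
    "3.3.2": 3, "3.5.1": 5, "3.5.2": 5, "3.5.3": 5,
    "3.13.1": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# The only two controls with a defined partial deduction (status -> points).
PARTIAL = {
    "3.5.3": {"mfa_remote_and_privileged_only": 3},
    "3.13.11": {"encryption_not_fips_validated": 3},
}


@dataclass
class ControlRecord:
    control: str
    status: str                                   # "met", "not_met", or a PARTIAL status
    evidence: list = field(default_factory=list)  # artifact refs from the SSP


@dataclass
class ScoreResult:
    score: int
    deductions: dict   # control -> points subtracted: the worksheet to keep
    findings: list     # why each deduction was taken


def score_assessment(records, has_ssp=True, weights=WEIGHTS):
    """Score a set of control records. Controls absent from `records` are
    scored Not Met; a Met claim with no evidence is scored Not Met too."""
    if not has_ssp:
        # The Methodology says an assessment cannot be completed without an SSP.
        raise ValueError("no SSP on file: assessment cannot be completed")
    by_control = {}
    for rec in records:
        if rec.control not in weights:
            raise ValueError(f"unknown control {rec.control}")
        if rec.control in by_control:
            raise ValueError(f"duplicate record for {rec.control}")
        by_control[rec.control] = rec

    deductions, findings = {}, []
    for control, weight in weights.items():
        rec = by_control.get(control)
        if rec is None:
            deductions[control] = weight
            findings.append(f"{control}: not assessed, scored Not Met (-{weight})")
        elif rec.status == "met":
            if not rec.evidence:
                deductions[control] = weight
                findings.append(f"{control}: claimed Met without evidence (-{weight})")
        elif rec.status == "not_met":
            deductions[control] = weight
            findings.append(f"{control}: Not Met (-{weight})")
        elif rec.status in PARTIAL.get(control, {}):
            points = PARTIAL[control][rec.status]
            deductions[control] = points
            findings.append(f"{control}: partial, {rec.status} (-{points})")
        else:
            # Every other control is binary; "mostly there" is not a status.
            raise ValueError(f"{control}: no partial credit defined for '{rec.status}'")

    score = max(FLOOR, MAX_SCORE - sum(deductions.values()))
    return ScoreResult(score, deductions, findings)


if __name__ == "__main__":
    # Constructed sample: MFA on VPN and admin accounts only, TLS with a
    # non-FIPS module, and "implemented" written for 3.1.1 with no artifact.
    sample = [ControlRecord(c, "met", ["ssp-section-" + c]) for c in WEIGHTS
              if c not in ("3.5.3", "3.13.11", "3.1.1")]
    sample += [
        ControlRecord("3.5.3", "mfa_remote_and_privileged_only", ["mfa-policy.pdf"]),
        ControlRecord("3.13.11", "encryption_not_fips_validated", ["tls-config.txt"]),
        ControlRecord("3.1.1", "met"),  # no evidence: scored Not Met
    ]
    result = score_assessment(sample)
    print(result.score)  # 99 with this subset table
    for line in result.findings:
        print(" ", line)
```

The two `ValueError` paths are deliberate: a status the methodology does not define is rejected rather than rounded, and a missing SSP yields no number at all, which is what the methodology says happens. The `deductions` dict is the worksheet you keep alongside the SSP so you can show how the posted number was derived.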
The number you post is a representation, not a status update
This is the part that turns an IT metric into a legal instrument.
When you upload an SPRS score, you are not logging a private milestone. You are telling the federal government, in connection with a contract or an award decision, that your security posture is what the number says it is. Under the False Claims Act (31 U.S.C. 3729), a knowingly false statement made to obtain government money is actionable, and “knowingly” includes reckless disregard for the truth.
The DoJ’s Civil Cyber-Fraud Initiative has spent the last few years applying exactly that theory to cybersecurity representations. The cases share a pattern, and it is worth naming the specifics rather than gesturing at a trend:
- MORSECORP, $4.6M (March 2025). False SPRS score, CUI exposed to an overseas software firm, failure to implement NIST 800-171 controls.
- Raytheon / RTX / Nightwing, $8.4M (May 2025). Failure to implement an SSP compliant with NIST 800-171 across roughly two dozen DoD contracts. Notably, the acquiring company was named a successor in liability.
In both cases there was no requirement to prove a breach. As DoJ officials have repeatedly framed it, these are not data-breach cases; they are misrepresentation cases. The trigger is the distance between what a contractor certified and what was true. Fiscal year 2025 was a record year for these cyber-fraud recoveries, and with a new DoJ National Fraud Enforcement Division established in January 2026, there is no signal the pace is slowing.
For a 12-person subcontractor, the practical reading is blunt: the SPRS field is the most legally consequential number in your business, and it takes about thirty seconds to enter.
What an accurate SPRS score actually requires
A defensible score is not a guess and not a vendor’s marketing number. It rests on three things, and if you are missing any of them, your score is not yet trustworthy.
A System Security Plan (SSP). The SSP describes how each of the 110 controls is implemented in your environment. The DoD Assessment Methodology scores against the SSP, and it states that without one the assessment cannot be completed, so there is no basis for a score at all; a CMMC Level 2 assessment likewise requires one. (CA.L2-3.12.4 requires the plan; NIST SP 800-171A defines the objectives an assessor checks it against.)
Control-by-control evidence. “Implemented” has to be demonstrable. For each Met determination, you should be able to point to the configuration, the policy, or the artifact that proves it. This is what a C3PAO examines, interviews on, and tests, and it is what a whistleblowing consultant looks for first.
A POA&M for the gaps, scored honestly. Where a control is not yet met, an honest score subtracts the points and a Plan of Action and Milestones documents the remediation path. A POA&M does not raise your score; it manages the gap and shows good faith. Padding the score to avoid the POA&M is precisely the move that creates liability.
What to do this week
You do not need a six-month project to de-risk the number. You need an afternoon and some honesty.
- Pull your current SPRS entry and check its date. Scores must be less than three years old. A stale score is its own problem.
- Re-run the math against your real environment, control by control, using the DoD Assessment Methodology weights. Do not start from a vendor template that assumes Met. Start from Not Met and earn each point.
- Reconcile the score to your SSP. If the SSP says a control is implemented but you cannot produce evidence, that control is Not Met for scoring purposes.
- Correct the SPRS entry if it is wrong, and do it now. The MORSECORP timeline shows that the delay in correcting a known-wrong score was part of what the government cited. A prompt correction is far better than a defended fiction.
- Document how you arrived at the number. If anyone ever asks how you got there, “here is the worksheet and the SSP it ties to” is the answer that ends the conversation.
The bottom line
Your SPRS score is the cheapest thing in your compliance program to enter and the most expensive thing to get wrong. It is a representation to the federal government, scored by a published methodology, backed by your SSP and your evidence, and enforced through the False Claims Act regardless of whether you are ever breached. Calculate it honestly, tie it to a real SSP, and correct it the moment you learn it is off. The contractors who get burned are not the ones who scored a 47. They are the ones who scored a 104 they could not defend.
If you want the score done right the first time, the NIST 800-171 SPRS Score Workbook ($87) walks every one of the 110 controls with the correct 1/3/5 weights, the partial-deduction cases built in, and a roll-up that produces a submission-ready number tied to your SSP. It is the worksheet referenced in step 5 above. For contractors who want the whole package, it is also part of the CMMC Level 2 Readiness Kit ($147), alongside the SSP template, asset scoping worksheet, and evidence tracker.
Not sure what a wrong score could actually cost you? The free exposure estimator at falseclaimsrisk.com puts a number on it, no signup required.
Sources
- U.S. Department of Justice, U.S. Attorney’s Office (District of Massachusetts), MORSECORP settlement announcement (March 2025).
- U.S. Department of Justice / DoD, Raytheon-RTX-Nightwing False Claims Act settlement (May 2025).
- NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 (scoring rubric: weighted 1/3/5 deductions, -203 floor).
- NIST Special Publication 800-171 Rev 2 (110 security requirements).
- DFARS 252.204-7012, -7019, -7020, -7021; FAR 52.204-21.
- 32 CFR Part 170 (CMMC Program); CA.L2-3.12.4; NIST SP 800-171A.
- False Claims Act, 31 U.S.C. 3729.