What Makes a Good SPRS Score? Benchmarks for Cybersecurity Success
June 19, 2024

Key Points
- SPRS Score Fundamentals: An SPRS (Supplier Performance Risk System) score measures DoD contractor compliance with NIST SP 800-171 cybersecurity controls, ranging from +110 (perfect compliance) to -203 (no controls implemented). The score directly impacts contract eligibility and competitive positioning.
- The 88 Benchmark: A score of 88 out of 110 is the minimum threshold for CMMC Level 2 Conditional Certification. This benchmark represents 80% compliance with NIST SP 800-171 security requirements and signals crucial cybersecurity measures are in place to protect Controlled Unclassified Information (CUI).
- Scoring Methodology: SPRS uses subtractive scoring based on 110 NIST SP 800-171 controls, each weighted at 1, 3, or 5 points depending on criticality. Points are deducted from the maximum 110 for each unimplemented control, making accuracy essential for DoD contract success.
- Compliance Consequences: Low SPRS scores increase perceived risk to the DoD, potentially leading to lost contracts, disqualification from bidding opportunities, and supply chain exclusion. Inaccurate or falsified scores can result in False Claims Act penalties exceeding three times the contract value.
- Strategic Improvement: Improving SPRS scores requires implementing robust cybersecurity measures, conducting regular self-assessments, maintaining current System Security Plans (SSPs), and developing time-bound Plans of Action and Milestones (POA&Ms) for any gaps. Partnering with compliant manufacturers like Modus Advanced helps streamline the path to certification.
Your SPRS score serves as your cybersecurity report card for the Department of Defense. This numerical assessment determines your eligibility for DoD contracts and reflects your ability to protect sensitive government information.
A strong SPRS score demonstrates your organization's commitment to cybersecurity compliance and proves you're a trustworthy partner for defense contracting. Understanding what constitutes a good SPRS score is essential for securing valuable DoD contracts and maintaining competitive positioning in the Defense Industrial Base.
Understanding the SPRS Scoring System
The SPRS scoring system operates on a subtractive model. Scores range from 110 (perfect compliance) to -203 (no controls implemented).
A perfect 110 indicates full compliance with all NIST SP 800-171 security requirements. Most contractors start with scores below perfection, with points deducted for unimplemented security controls.
The scoring methodology assigns weighted values to each control. A 5-point deduction indicates a high-risk vulnerability. A 3-point deduction represents medium-risk gaps. A 1-point deduction signals low-risk issues.
These deductions accumulate quickly. Organizations must understand the point system to prioritize remediation efforts effectively.
What Is a Good SPRS Score? The Direct Answer
A score of 88 out of 110 or higher qualifies as a good SPRS score for DoD contractors. This threshold represents the minimum requirement for CMMC Level 2 Conditional Certification.
The 88 benchmark reflects 80% compliance with NIST SP 800-171 security controls. This level demonstrates that crucial security measures protect Controlled Unclassified Information (CUI) in your systems.
Scores above 88 position contractors favorably for DoD contract awards. A perfect 110 remains the ultimate goal, but achieving it immediately is challenging for most organizations.
Organizations scoring below 88 must create detailed Plans of Action and Milestones (POA&Ms) showing how they will remediate gaps within 180 days. POA&Ms are not acceptable for controls weighted at 3 or 5 points under most circumstances.
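The subtractive scoring, the 88 threshold and the POA&M restriction described above, together with the 5-then-3-point prioritization the article recommends, as an added example that is not part of the original article. The control weights and the `X.n` IDs are constructed sample values, and treating every 3- or 5-point gap as a POA&M blocker is a simplification of the article's "most circumstances" wording.

```python
# Added example: tally a self-assessment under the subtractive SPRS model.
from dataclasses import dataclass

MAX_SCORE = 110          # perfect compliance, per the article
CONDITIONAL_MIN = 88     # CMMC Level 2 Conditional Certification threshold
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Gap:
    control: str   # NIST SP 800-171 requirement ID
    weight: int    # deduction if unimplemented: 1, 3 or 5


def assess(gaps):
    """Return score, POA&M blockers and a remediation order for open gaps."""
    seen = set()
    for g in gaps:
        if g.weight not in VALID_WEIGHTS:
            raise ValueError(f"{g.control}: weight must be 1, 3 or 5")
        if g.control in seen:
            raise ValueError(f"{g.control}: listed twice, would double-deduct")
        seen.add(g.control)
    score = MAX_SCORE - sum(g.weight for g in gaps)
    # Simplified rule (assumption): 3- and 5-point gaps cannot sit on a POA&M.
    blockers = sorted(g.control for g in gaps if g.weight >= 3)
    order = [g.control for g in sorted(gaps, key=lambda g: (-g.weight, g.control))]
    return {
        "score": score,
        "meets_88": score >= CONDITIONAL_MIN,
        "poam_blockers": blockers,
        "conditional_ready": score >= CONDITIONAL_MIN and not blockers,
        "remediation_order": order,
    }


# Constructed sample findings; weights are illustrative, take real ones from
# the DoD Assessment Methodology. "X.n" IDs are placeholders, not real controls.
SAMPLE_GAPS = [
    Gap("3.5.3", 5), Gap("3.13.11", 5), Gap("X.1", 3), Gap("X.2", 1), Gap("X.3", 1),
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_GAPS).items():
        print(f"{key}: {value}")
```

The sample scores above 88 yet is not ready for Conditional Certification, because three of its open gaps carry weights that cannot be deferred to a POA&M under the simplified rule.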
SPRS Score Benchmarks for Competitive Positioning
Different score ranges signal different levels of cybersecurity maturity to the DoD and prime contractors.
- Score of 88-109 (Conditional Certification Range): This range qualifies for CMMC Level 2 Conditional Certification. Organizations must demonstrate compliance with most controls and maintain valid POA&Ms for remaining gaps. The 180-day remediation window applies to all deficiencies.
- Score of 110 (Perfect Compliance): Full implementation of all 110 NIST SP 800-171 controls indicates optimal cybersecurity posture. This score eliminates the need for POA&Ms and positions contractors most favorably for contract awards.
- Score Below 88 (Remediation Required): Scores in this range indicate significant gaps in cybersecurity controls. Organizations must address critical vulnerabilities before qualifying for many CUI-related contracts. Prime contractors often establish their own minimum score requirements above the 88 threshold.
- Negative Scores (Critical Deficiencies): Scores below zero reflect missing core controls like multi-factor authentication, audit logging, or access control. These gaps require immediate attention and typically disqualify contractors from DoD opportunities.
Consequences of Inadequate SPRS Scores
Low SPRS scores create substantial business risks for defense contractors. The DoD uses these scores to assess contractor reliability and cybersecurity maturity.
- Contract Implications: Inadequate scores increase perceived risk for the DoD. Contracting officers may exclude low-scoring contractors from consideration. Prime contractors increasingly require minimum SPRS scores from subcontractors, often setting thresholds at or above 88.
- Competitive Disadvantages: Organizations with scores below competitive benchmarks lose opportunities to better-prepared competitors. The Defense Industrial Base continues moving toward higher cybersecurity standards, making strong scores essential for market positioning.
- Compliance Risks: Inaccurate or outdated SPRS scores create serious compliance issues. The DoD relies on these scores for risk assessment. Falsified scores can trigger False Claims Act violations with penalties up to three times the contract value.
- Supply Chain Impact: DFARS 7020 requires prime contractors to verify that subcontractor SPRS scores date from within the last three years. Contractors without current scores face exclusion from supply chain opportunities.
Strategies for Improving Your SPRS Score
Maintaining competitive SPRS scores requires proactive cybersecurity compliance and regular security posture assessments against NIST SP 800-171 controls.
- Conduct Regular Self-Assessments: Organizations should evaluate their systems against all 110 NIST SP 800-171 controls using the DoD Assessment Methodology. Document findings in System Security Plans (SSPs) and POA&Ms. This proactive approach demonstrates commitment to addressing vulnerabilities and continuous improvement.
- Prioritize High-Value Controls: Focus remediation efforts on controls weighted at 5 points first, then 3-point controls. These high-value requirements typically address critical areas like multi-factor authentication (3.5.3) and FIPS-validated encryption (3.13.11).
- Maintain Accurate Documentation: SSPs must comprehensively describe security controls and their implementation. POA&Ms must include specific remediation timelines and responsible parties. The DoD may audit these documents, so accuracy is essential.
- Partner with Compliant Manufacturers: Working with CMMC-compliant manufacturing partners like Modus Advanced reduces supply chain risk. As a vertically integrated manufacturer, Modus Advanced offers streamlined processes by housing multiple manufacturing capabilities under one roof.
Our engineering team provides expertise in design optimization and quality assurance. This ensures products adhere to the highest standards while maintaining data security throughout the manufacturing process.
Modus Advanced serves as both manufacturing partner and project consultant. Our engineers work closely with customers, providing actionable feedback on designs to prevent issues downstream.
Frequently Asked Questions About SPRS Scores
How often must I update my SPRS score?
SPRS scores must be updated at minimum every three years. However, organizations should update scores whenever their SSP changes, controls are newly implemented, or contract requirements demand refreshed submissions.
Can I use POA&Ms to achieve a score of 88?
POA&Ms are permitted for certain controls, but not for those weighted at 3 or 5 points in most circumstances. Organizations must remediate all POA&M items within 180 days from the Final Findings briefing to maintain Conditional Certification.
What happens if I submit an inaccurate SPRS score?
Falsified scores can result in contract termination, disqualification from future contracts, and False Claims Act penalties. The DoD may conduct random DIBCAC assessments to verify reported scores. Internal whistleblowers can also expose inaccurate reporting.
Does my subcontractor need an SPRS score?
DFARS 7020 mandates that prime contractors verify subcontractor SPRS scores. Scores must be current (less than three years old). Many prime contractors set minimum score requirements for their supply chain partners.
Can my SPRS score be negative?
Scores can range from -203 to +110. Negative scores typically indicate missing fundamental controls across multiple control families. Organizations with negative scores need immediate remediation plans.
Elevate Your Defense Manufacturing with Modus Advanced
Maintaining a strong SPRS score is essential for securing DoD contracts and demonstrating cybersecurity commitment. A good SPRS score reflects dedication to protecting sensitive information and ensuring critical defense project success.
Contractors should prioritize cybersecurity compliance and work with reputable partners. This increases chances of winning contracts and contributing to national defense capabilities.
Modus Advanced understands the complexities of SPRS scoring and CMMC compliance. Our AS9100 and ITAR certifications, combined with our commitment to achieving CMMC Level 3 compliance, position us as a trusted partner for defense contractors.
Our vertically integrated capabilities include CNC machining, form-in-place gasketing, die cutting, waterjet cutting, and advanced assembly processes. This consolidation reduces supply chain risk and accelerates time to market.
When you partner with Modus Advanced, you gain access to engineering expertise that helps optimize designs for manufacturability. Our quality systems ensure consistent results and full traceability, supporting your compliance requirements throughout the supply chain.
Contact us today to learn how our comprehensive manufacturing solutions and proactive CMMC compliance can support your defense contracting success.