
Almost every conversation about defense cybersecurity compliance eventually collapses into a single number: your SPRS score. Contracting officers look at it, primes ask subcontractors for it, and it is the figure you are required to keep current before you can be awarded certain DoD work. Yet a surprising number of contractors post a score they cannot fully explain. This post takes the number apart — where it comes from, precisely how it is calculated, what it actually signals, and where the real leverage is when you want to move it up.
Where the score lives and why it is mandatory
SPRS is the Supplier Performance Risk System, a Department of Defense database. Three DFARS clauses put your cybersecurity posture into it and give it consequences. DFARS 252.204-7012 is the long-standing clause requiring you to safeguard covered defense information and to report cyber incidents to DoD within 72 hours. DFARS 252.204-7019 requires that you have a current NIST SP 800-171 assessment on file and that your summary score be posted in SPRS in order to be eligible for award. DFARS 252.204-7020 obligates you to provide the government access to conduct its own higher-level (Medium or High) assessment and to flow the requirement down to subcontractors. Together these clauses mean the score is not a marketing artifact; it is a gate, and an inaccurate one carries legal weight we return to below.
The calculation itself follows the DoD Assessment Methodology (the current published version is 1.2.1, dated June 24, 2020), applied against the 110 security requirements of NIST SP 800-171 Revision 2. That methodology is public, which is what makes the score reproducible rather than a black box.
The arithmetic, exactly
The model is deliberately simple, and understanding it removes most of the mystery. You start at 110, the score you earn if every one of the 110 requirements is fully implemented. For each requirement that is not implemented, you subtract a weighted value of 1, 3, or 5 points. The weight reflects how much the DoD believes that control matters to protecting CUI: the highest-impact requirements carry a 5-point subtractor, moderate ones a 3, and the least impactful a 1. Because the weights are uneven, a company that has missed a handful of heavy controls can score far worse than a company that has missed a larger number of light ones.
Two features of the methodology trip people up. First, there is no partial credit. A requirement is either MET or NOT MET; a control that is half-deployed is scored as not implemented and takes the full deduction. Second, the floor is deeply negative. If none of the 110 requirements are implemented, the deductions total to a score of −203, so the full range runs from −203 at the bottom to 110 at the top. A negative score is not a rounding artifact; it is the methodology telling you that the weighted gaps outnumber the baseline. There are a few narrow exceptions where a requirement carries a conditional or reduced deduction under specific circumstances the methodology spells out — the clearest example is the CUI encryption requirement (SC.L2-3.13.11), which is a 5-point control but is treated as a 3-point deduction if you already encrypt CUI using cryptography that is simply not yet FIPS-validated. These exceptions are the exception; for planning purposes, assume MET-or-nothing.
What the number proves, and what it does not
Here is the honest limit of an SPRS score, and it is the same limit that applies to any self-reported metric. The score assumes every requirement you marked MET is genuinely and fully implemented, with evidence behind it. A self-assessment is only as truthful as the person filling it in, and optimism is common. That is precisely why the CMMC program layers a third-party certification assessment on top for CUI work: a C3PAO tests the reality behind your claims against the 320 assessment objectives in NIST SP 800-171A, using the Examine, Interview, and Test methods. A perfect 110 posted in SPRS does not mean you are certified, and it does not mean you would pass an independent assessment — it means you have asserted full implementation. The score is the on-ramp; the assessment is the gate. Treat your SPRS number as a planning instrument and an eligibility ticket, not as a finish line.
The highest-leverage way to raise it
If you want to move the number efficiently, rank your gaps by points recovered per dollar spent, not by the order they appear in the standard. Closing a single 5-point requirement moves your score as much as closing five separate 1-point requirements, so the weighted controls deserve your attention and budget first. In practice the heavy controls cluster around a familiar set of capabilities: multi-factor authentication for network and privileged access, FIPS-validated encryption of CUI at rest and in transit, boundary protection, audit logging and accountability, and incident response readiness. These are the areas where the DoD concentrated the 3- and 5-point weights, and they are usually where a low score is actually being generated.
A large share of low scores, though, are not technical gaps at all — they are documentation gaps. The control is implemented, but nobody has described it in the System Security Plan or assembled the artifact that demonstrates it, so it gets scored NOT MET. Writing an accurate SSP and attaching real evidence to each requirement frequently recovers points that were being lost purely to missing paperwork. Before you buy a new tool, confirm you have credited yourself for the controls you already run.
The one thing you must not do
There is a tempting shortcut that has become a genuine liability: inflating the self-score. Because SPRS is self-reported, it is technically easy to post a number higher than your environment supports. It is also increasingly dangerous. The U.S. Department of Justice's Civil Cyber-Fraud Initiative, announced in October 2021, has pursued contractors under the False Claims Act for misrepresenting compliance with cybersecurity requirements, including NIST SP 800-171, and there have been public settlements over exactly this conduct. When a C3PAO assessment or a DoD Medium/High assessment later tests the reality, the gap between your posted score and your actual posture stops being a compliance problem and becomes a fraud problem. The correct move is always to post an honest score and close the gap, never to close the gap on paper alone.
From a number to a program
The most productive way to use your SPRS score is as the entry point to a real readiness sequence: get an honest baseline, rank the weighted gaps, fix the technical and documentation deficiencies, and track your posture against the 320 objectives that an assessor will actually examine. You can generate a first, honest baseline right now with our free SPRS score estimator, which runs entirely in your browser with no email required, and then follow the broader path laid out on the CMMC overview. For how this fits the wider federal mandate set, see the federal and regulatory capability page.
Where Valty fits, honestly
To be precise about the boundary: Valty is not a C3PAO and cannot certify you or produce an official DoD assessment. What the platform does is compute and continuously monitor your SPRS score under the DoD Assessment Methodology, track your environment against all 320 assessment objectives, and rank open gaps by the score impact and effort of closing them — so remediation dollars go to the controls that move the number most. It also generates the OSCAL System Security Plan and POA&M artifacts that make an honest score defensible to an assessor. That is decision-support for reaching a real score, not a way to manufacture one. The distinction is the entire point: a score is only worth what it will survive when someone else tests it.