SPRS Scores Explained: Defining a Good Score for CMMC Compliance
The Role of SPRS Scores in CMMC Compliance
For companies engaging with the Department of Defense (DoD), adherence to the Cybersecurity Maturity Model Certification (CMMC) framework ensures alignment with the DoD’s information security standards at a time when the Defense Industrial Base (DIB) is the target of increasingly frequent and sophisticated cyberattacks. The DFARS interim rule of November 2020, which also laid the groundwork for CMMC, introduced the Supplier Performance Risk System (SPRS) score, required for contracts that carry the relevant DFARS clauses and therefore applicable to DoD prime contractors, subcontractors, and other suppliers within the DIB. Let us dive into SPRS scores and how defense contractors can navigate these contract requirements.
Why is the SPRS Score significant?
Suppliers that store or process Controlled Unclassified Information (CUI) are subject to DFARS 252.204-7012, which mandates compliance with NIST SP 800-171, and to DFARS 252.204-7019, which requires DoD contractors to conduct a self-assessment against the NIST SP 800-171 requirements. Upon completion of the self-assessment, the resulting score, which ranges from +110 down to -203, must be recorded in SPRS against the organization’s CAGE code. This score is commonly referred to as the SPRS score.
Prime contractors must not only comply with the requirements stipulated in DoD regulation but also flow those requirements down to their subcontractors. DFARS 252.204-7020 requires primes to confirm, before awarding a subcontract that involves covered defense information, that the subcontractor has a current NIST SP 800-171 assessment, completed within the last three years, recorded in SPRS.
Additionally, SPRS scores have gained significance due to the forthcoming implementation of CMMC, expected to begin in late 2024 or early 2025. Organizations handling CUI will be required to achieve at least CMMC Level 2, whose practices mirror the 110 requirements of NIST SP 800-171, so the same self-assessment that produces the SPRS score plays a critical role in preparing for CMMC certification.
SPRS Score Calculation
The first step in calculating your organization’s score is to develop a System Security Plan (SSP) that documents how each NIST SP 800-171 requirement is implemented, as mandated by DFARS 252.204-7012. Without an SSP the assessment cannot proceed, since the SSP is itself one of the 110 requirements (3.12.4) and is the document the assessment is scored against.
Next, organizations conduct a self-assessment according to the DoD’s NIST SP 800-171 Assessment Methodology. The methodology assigns each of the 110 requirements a weight of one, three, or five points. Scoring begins at the highest possible score of 110, and the weight of each requirement that is not met is deducted, so the lowest possible score is -203. For every requirement not met, record a Plan of Action & Milestones (POA&M) entry with the date by which the gap will be remediated; SPRS also asks for the date on which the organization expects to reach a score of 110.
The last step is to submit your self-assessment score in SPRS no later than the time of contract award. The self-assessment must have been completed within the last three years and kept current for the duration of the contract. For instructions on gaining access to SPRS and reporting scores, refer to the following resource: SPRS – NIST SP 800-171 (disa.mil).
SPRS Score for CMMC Preparedness
Most organizations seeking CMMC Level 2 will be assessed by an independent third-party assessor, known as a CMMC Third Party Assessment Organization (C3PAO). Following their initial C3PAO assessment, organizations can receive a “CMMC Level 2 Conditional Certification” if their assessment score, computed the same way as the SPRS score, is at least 88 out of 110 (80 percent) and they create POA&M entries for the remaining requirements. Hartman strongly recommends that organizations achieve alignment with all 110 requirements for optimal certification preparedness and enterprise security posture.
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) has stated that POA&Ms will not be allowed for requirements weighted at three or five points, so only one-point gaps may be deferred. Additionally, POA&Ms are time-bound: organizations must remediate all gaps listed in their POA&M within 180 days of the Final Findings briefing with their C3PAO, otherwise the Level 2 Conditional Certification is revoked.
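The scoring arithmetic above and the conditional-certification rules in the previous two paragraphs are easy to get wrong in a spreadsheet, so here is a small Python scorer as an added illustration. It is not code from this article, from Hartman, or from any DoD tool. The requirement numbers in the sample are real NIST SP 800-171 identifiers, but the 1/3/5 weights attached to them and the Final Findings date are constructed placeholders; take the authoritative weight of every requirement from the DoD NIST SP 800-171 Assessment Methodology. The sample assumes every requirement not listed was met, so only the listed gaps affect the score.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology does (start at 110, deduct each unmet requirement's weight) and
apply the CMMC Level 2 conditional-certification rules stated in the article.
Added example; weights and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
MIN_SCORE = -203          # all 110 unmet: the methodology deducts 313 points
CONDITIONAL_FLOOR = 88    # 80 percent of 110, per the article
POAM_CLOSEOUT_DAYS = 180  # days after the Final Findings briefing, per the article


@dataclass(frozen=True)
class Requirement:
    ident: str   # NIST SP 800-171 requirement number, e.g. "3.1.1"
    weight: int  # 1, 3 or 5 points from the DoD Assessment Methodology
    met: bool    # outcome of the self-assessment


def sprs_score(results):
    """Start at 110 and deduct the weight of every requirement not met."""
    score = MAX_SCORE
    for r in results:
        if r.weight not in (1, 3, 5):
            raise ValueError(f"{r.ident}: weight must be 1, 3 or 5")
        if not r.met:
            score -= r.weight
    if score < MIN_SCORE:
        # More than 313 points deducted means the weight table is wrong.
        raise ValueError("score below -203; check the weight table")
    return score


def conditional_level2_status(results, final_findings):
    """Apply the article's rules for a Level 2 Conditional Certification:
    score >= 88 and every POA&M item (unmet requirement) weighted 1 point.
    Returns the score, the POA&M list, any gaps that block conditional
    status, and the 180-day POA&M close-out deadline when eligible."""
    score = sprs_score(results)
    poam = [r.ident for r in results if not r.met]
    blockers = [r.ident for r in results if not r.met and r.weight > 1]
    eligible = score >= CONDITIONAL_FLOOR and not blockers
    deadline = final_findings + timedelta(days=POAM_CLOSEOUT_DAYS) if eligible else None
    return {
        "score": score,
        "poam": poam,
        "not_poam_eligible": blockers,
        "conditional_eligible": eligible,
        "poam_deadline": deadline,
    }


def remediated(results, *idents):
    """Copy of the assessment with the named requirements marked as met."""
    return [Requirement(r.ident, r.weight, r.met or r.ident in idents) for r in results]


# Constructed sample: every requirement not listed here is assumed met.
# The weights are illustrative placeholders, not copied from the methodology.
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.1.5", 3, False),   # 3-point gap: cannot sit on a POA&M
    Requirement("3.3.2", 1, False),   # 1-point gaps: POA&M-eligible
    Requirement("3.8.7", 1, False),
    Requirement("3.13.8", 1, False),
]
SAMPLE_FINAL_FINDINGS = date(2025, 1, 15)  # constructed briefing date

if __name__ == "__main__":
    print(conditional_level2_status(SAMPLE, SAMPLE_FINAL_FINDINGS))
    print(conditional_level2_status(remediated(SAMPLE, "3.1.5"), SAMPLE_FINAL_FINDINGS))
```

Run as written, the first line reports a score of 104 that is above the 88 floor yet not eligible, because the three-point gap (3.1.5) cannot be deferred to a POA&M. Closing that one gap raises the score to 107, leaves three one-point items on the POA&M, and starts the 180-day clock from the Final Findings date.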
Strategizing for Future Compliance: Beyond SPRS Score Submission
DoD contractors need to prioritize accurate calculation and reporting of SPRS scores. With the DoD placing heavy emphasis on high scores, companies should understand how to implement and demonstrate continuous improvement to strengthen security and align with DoD requirements. The references in this article can help companies get a better handle on SPRS scoring and compliance.
Partner with Hartman Executive Advisors to navigate the complexities of CMMC and SPRS compliance with confidence. Our team of CISOs and cybersecurity experts will help you improve IT governance to meet and exceed DoD requirements. With Hartman, you will receive strategic support and unbiased guidance tailored to government contractors, designed to help you make the right technology investments to achieve your business goals at the most efficient cost.
Contact us today to learn how we can elevate your cybersecurity strategy and achieve CMMC compliance.