
SPRS Score Calculator: Self-Compute Your 110-Point NIST SP 800-171 Score

The Department of Defense requires every contractor handling Controlled Unclassified Information to submit a Supplier Performance Risk System (SPRS) score. This calculator walks you through all 110 NIST SP 800-171 Rev 2 controls with the correct DoD weights (5, 3, 1) and produces a live score from -203 to +110. Unlock access with your work email. Built by Petronella Technology Group, a CMMC-AB Registered Provider Organization (RPO #1449).

CMMC-AB RPO #1449 · Entire team CMMC-RP · DFE #604180 · BBB A+ since 2003


Prefer to talk? (919) 348-4912 rings Penny, our front-desk agent. Free 15-minute CMMC readiness call on request.

What is an SPRS score and why does it matter?

The Supplier Performance Risk System (SPRS) is the DoD's central scoring and reporting system for supplier cybersecurity posture. Since November 30, 2020, every prime and subcontractor that handles Controlled Unclassified Information (CUI) must perform a self-assessment against the 110 security controls in NIST SP 800-171 Rev 2 and submit the resulting numerical score to the SPRS portal. That score, on a scale of -203 to +110, tells contracting officers how far a supplier is from full CMMC Level 2 readiness before the contract award.

The rule that made this mandatory is DFARS clause 252.204-7019, which requires a current SPRS assessment as a condition of contract award, and 252.204-7020, which requires the prime to flow the requirement down to every subcontractor that will receive CUI. A missing, expired, or zero-filled SPRS submission is a compliance gap that can stall a contract file review and eliminate a bid from evaluation.

The score has three practical effects. First, contracting officers can see it directly in SPRS when evaluating award decisions. Second, primes increasingly refuse to flow CUI down to subs with low scores because the prime inherits the sub's exposure. Third, the score anchors the conversation with your Certified Third-Party Assessor Organization (C3PAO) when you move to a formal CMMC Level 2 assessment. A score of 110 with a valid System Security Plan means you are ready to schedule a C3PAO engagement. A lower score maps to a Plan of Action and Milestones with concrete remediation timelines.

The SPRS score is self-reported. That does not mean it is optional. The DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) performs spot-check Medium and High assessments against the same 110 controls. A self-reported 110 that a DIBCAC audit cannot substantiate is a False Claims Act exposure. The calculator on this page is a planning instrument, not a substitute for a formal gap assessment.


How the score is calculated

The math is simple. The weighting is not. DoD assigned each of the 110 controls a weight of 5, 3, or 1 points based on risk impact. Start at 110, subtract the weight of every control you have not fully implemented, and the result is your score.

  • Weight 5: Critical controls (MFA, FIPS crypto, CUI-at-rest protection)
  • Weight 3: Important controls (access enforcement, audit logging)
  • Weight 1: Baseline controls (policy documentation, session timeouts)

Weight 5 controls carry the most penalty because the DoD treats them as foundational. Miss a weight 5 control and your ceiling score falls by 5 points. There are 42 weight 5 controls, 14 weight 3 controls that reduce to weight 1 once partially remediated, and the rest at weight 1. If you miss every single control, the math produces a score of -203 (110 minus the total 313-point penalty), which is the official floor of the SPRS scale.

Three rules shape how the calculation actually works in practice. First, a control is either fully implemented or it is not. There is no partial credit in SPRS. A control implemented for 80% of systems still counts as not implemented for scoring. Second, a Plan of Action and Milestones (POA&M) can hold an implementation date, but the score itself does not rise until the control is actually implemented and evidenced. Third, the CMMC final rule (effective 2025) limits POA&M eligibility to controls with weights of 1 or 3 only. All weight 5 controls must be fully implemented to pass the C3PAO assessment, regardless of the SPRS math.
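The scoring rules above, worked as an added example (not the calculator's own code and not DoD's): a control counts only when every in-scope system is covered, each gap subtracts its weight from 110, and weight 5 gaps are flagged as not POA&M-eligible. The rows are constructed; the weights for 3.5.3, 3.13.11 and 3.12.4 follow this page, while the `EX-*` ids and the system counts are placeholders, and controls not listed are assumed implemented.

```javascript
// Added example: constructed assessment rows, not the DoD control catalog.
// Weights for 3.5.3, 3.13.11 and 3.12.4 follow this page; EX-* ids and all
// system counts are placeholders. Controls not listed count as implemented.
const sampleControls = [
  { id: "3.5.3", family: "Identification and Authentication", weight: 5, inScope: 40, covered: 38 },
  { id: "3.13.11", family: "System and Communications Protection", weight: 5, inScope: 40, covered: 40 },
  { id: "3.12.4", family: "Security Assessment", weight: 1, inScope: 1, covered: 1 },
  { id: "EX-AUDIT", family: "Audit and Accountability", weight: 3, inScope: 40, covered: 32 },
  { id: "EX-TIMEOUT", family: "Access Control", weight: 1, inScope: 40, covered: 0 },
];

const MAX_SCORE = 110;
const VALID_WEIGHTS = [1, 3, 5];

// No partial credit: a control counts only when every in-scope system is covered.
function isImplemented(c) {
  return c.inScope > 0 && c.covered === c.inScope;
}

function scoreAssessment(controls) {
  const gaps = [];
  const penaltyByFamily = {};
  let penalty = 0;
  for (const c of controls) {
    if (!VALID_WEIGHTS.includes(c.weight)) throw new Error(`invalid weight on ${c.id}`);
    if (c.covered < 0 || c.covered > c.inScope) throw new Error(`invalid coverage on ${c.id}`);
    if (isImplemented(c)) continue;
    penalty += c.weight;
    penaltyByFamily[c.family] = (penaltyByFamily[c.family] || 0) + c.weight;
    // Per the page: only weight 1 and weight 3 gaps may sit on a POA&M.
    gaps.push({ id: c.id, weight: c.weight, poamEligible: c.weight !== 5 });
  }
  gaps.sort((a, b) => b.weight - a.weight); // heaviest gaps first
  return {
    score: MAX_SCORE - penalty,
    penalty,
    penaltyByFamily,
    gaps,
    mustFixBeforeAssessment: gaps.filter((g) => !g.poamEligible).map((g) => g.id),
  };
}

console.log(JSON.stringify(scoreAssessment(sampleControls), null, 2));
```

With these rows, MFA at 38 of 40 systems and audit logging at 80% coverage both score as not implemented, which is the no-partial-credit rule in action.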

This calculator lets you check each of the 110 controls as implemented or not. The score updates in real time as you toggle. Families are organized by NIST SP 800-171 control family (Access Control, Configuration Management, Incident Response, and so on), so you can see which areas are dragging your score the most. The tool persists your selections in your browser so you can come back later without losing progress.


What you get when you unlock the calculator

Not a cold-call trap. A working instrument you can hand to your IT lead or compliance officer and use to drive a real conversation.

All 110 NIST SP 800-171 Rev 2 controls

Grouped by the 14 NIST control families with the official DoD SPRS weight (5, 3, or 1) visible on every row. No abbreviated subset, no marketing version.

Live score from -203 to +110

Real-time scoring calibrated to the official DoD SPRS range. Scaled so that zero controls implemented produces -203, matching the published floor.

Family-level visibility

See exactly which families pull your score down. Access Control, System and Communications Protection, and Identification and Authentication are usually the worst offenders.

Browser persistence

Your selections save in local storage so you can pick up tomorrow where you left off. Clear at any time from the calculator interface.

Print or save as PDF

One-click print-friendly rendering. Hand the output to your C3PAO assessor or use it as a gap-planning worksheet for your next System Security Plan revision.

Bookmarked return access

The calculator URL includes a personal access key after your first submission. Bookmark it and come back weekly as your remediation work progresses.


Who this calculator is built for

  • Defense primes and subcontractors that handle or will handle CUI under DFARS 252.204-7012.
  • Manufacturing firms on the Defense Industrial Base supply chain seeing CMMC language in their flow-downs.
  • Engineering, architecture, and design firms serving federal agencies.
  • Aerospace suppliers preparing for Joint Surveillance Voluntary Assessment (JSVA) or C3PAO certification.
  • MSPs and MSSPs scoping the compliance posture of a new defense client before bid.
  • Internal compliance leads preparing for a board conversation about CMMC budget, timeline, and risk.
  • Prime contractors reviewing subcontractor SPRS submissions before awarding CUI work.

If you have not yet determined whether CUI flows into your environment, start with the CMMC compliance overview before the calculator. Scoping CUI is step zero. Running the calculator before you know where CUI lives will produce a number, but not a useful one. Petronella Technology Group consults on all three CMMC levels: Level 1, Level 2, and Level 3.


SPRS score and the CMMC Level 2 bridge

Many defense contractors treat SPRS and CMMC as separate programs. They are connected. CMMC Level 2, which is the tier required for contracts involving CUI, is essentially a third-party validation of the same 110 NIST SP 800-171 Rev 2 controls that feed your SPRS score. A perfect self-reported SPRS score of 110 with a valid System Security Plan means you are ready to schedule a C3PAO assessment. The assessor will spot-check your evidence, confirm the controls are actually implemented, and issue the Level 2 certification if they hold up.

The reverse is also true. If your SPRS score is 45, you are not ready for a C3PAO engagement. Attempting an assessment in that state wastes $30,000 to $120,000 of engagement fees and burns 6 to 18 months of calendar time. The cost-effective path is to use the SPRS calculator as your directional instrument, build a Plan of Action and Milestones, remediate in priority order, re-run the self-assessment every quarter, and only schedule the C3PAO when your score is reliably at or near 110.

The CMMC final rule also sets a hard 180-day ceiling on any POA&M that survives into a Level 2 assessment. If you are still carrying open findings 180 days after the assessment, your certification is at risk. That makes the SPRS calculator not just a pre-assessment tool but also a during-engagement tool, because you need to close gaps faster than you used to.

A common mistake we see in CMMC gap engagements at Petronella Technology Group is contractors who submitted a 110 to SPRS in 2021 without ever implementing FIPS-validated cryptography or multi-factor authentication on every privileged account. The self-reported score looks great, but the DIBCAC Medium assessment is brutal. The calculator gives you a chance to honestly re-score now, before anyone else does.


What a score at each tier typically means

  • Score 100 to 110: Audit-ready or nearly so. Final steps: engage a C3PAO, run a pre-assessment with a Registered Practitioner Organization, validate SSP versioning, schedule the formal assessment. Typical timeline: 60 to 120 days to certified.
  • Score 70 to 99: Low risk, substantial work remaining. You have the basics in place but a handful of weight 5 or weight 3 controls are gaps. Typical timeline: 3 to 6 months with focused remediation, then C3PAO.
  • Score 30 to 69: Medium risk, structured remediation required. Multiple control families have gaps. Typical timeline: 6 to 12 months with a project-managed CMMC gap program, policy refresh, tooling deployment, and evidence collection before a C3PAO is viable.
  • Score 0 to 29: High risk, early stage. Several weight 5 controls missing. Most likely no dedicated security staff or SSP. Typical timeline: 9 to 18 months, usually starting with a full gap assessment and SSP build before remediation planning is even meaningful.
  • Score below 0: Critical risk, pre-program. The basics are missing. Focus first on scoping (where does CUI live), then on the System Security Plan, then on the foundational weight 5 controls. Typical timeline: 12 to 24 months.

These timelines are based on patterns we see across CMMC gap-assessment engagements. They are directional, not guarantees. Actual timeline depends on team size, budget, executive sponsorship, and how much greenfield tooling the environment needs.


The five SPRS scoring mistakes we see most often

  1. Self-scoring 110 without a System Security Plan. The SSP is control 3.12.4, which carries weight 1 but is the document C3PAO assessors read first. A missing SSP means you cannot score 110, period. Start there.
  2. Claiming MFA credit without covering service accounts. Control 3.5.3 requires multifactor authentication for all privileged access. Legacy service accounts with interactive logon rights and no MFA are the most common finding in DIBCAC Medium assessments. One exception drops the score by 5 points and shows up on audit.
  3. BitLocker in non-FIPS mode. Control 3.13.11 requires FIPS-validated cryptography. Default BitLocker on Windows 10 or 11 is not FIPS mode. Switching to FIPS mode requires group policy changes that take weeks to propagate cleanly.
  4. Treating POA&Ms as permanent. Plans of Action and Milestones are for open gaps with remediation dates. They are not a way to park a control indefinitely. Under the CMMC final rule, POA&Ms must close within 180 days of the assessment.
  5. Scoring with no CUI boundary defined. If you cannot produce a data-flow diagram showing which systems process, store, or transmit CUI, you cannot meaningfully score. The calculator will produce a number, but the number is noise.

Common questions

Is this calculator DoD-official?

No. This is an independent planning instrument built by Petronella Technology Group. The official SPRS portal lives at sprs.csd.disa.mil and is where you must submit your formal score. Our calculator uses the same 110 NIST SP 800-171 Rev 2 controls and the published DoD weights, so the number it produces should match what you would self-submit, but it is not a substitute for the portal.

Do I have to submit an SPRS score?

If you are a DoD contractor or subcontractor that handles or will handle Controlled Unclassified Information under DFARS 252.204-7012, yes. DFARS 252.204-7019 has required a current SPRS self-assessment as a condition of contract award since November 30, 2020. Primes flow the requirement down to every sub that touches CUI under DFARS 252.204-7020.

How is the score different from a CMMC Level 2 certification?

The SPRS score is self-reported. CMMC Level 2 is validated by a Certified Third-Party Assessor Organization (C3PAO). Both use the same 110 controls, but a 110 on SPRS is your claim and a CMMC Level 2 certificate is an independent confirmation of that claim. Contract language increasingly requires both.

Can a self-reported SPRS score get me in legal trouble?

Yes, if it is inaccurate. A self-reported score that a DIBCAC Medium or High assessment cannot substantiate can expose the company and the signing official to False Claims Act liability. That is a meaningful reason to score honestly and to use a Registered Practitioner Organization like Petronella Technology Group to review the self-assessment before submission.

What happens after I unlock the calculator?

You get immediate access to the full 110-control calculator in your browser, plus a confirmation email with a bookmark-able link so you can return without re-entering your details. You also receive a short three-email follow-up series with context on SPRS, POA&M mechanics, and common remediation traps. Every email has a one-click unsubscribe link.

Do you sell my email or put me on a marketing list?

No. We do not sell, rent, or share contact data. You receive a short three-email series tied to this calculator, and a CMMC-related newsletter only if you opt in separately. Unsubscribe is one click. See our privacy policy for the full text.

Will Petronella Technology Group call me after I submit?

Only if you ask us to. The confirmation email includes a link to book a free 15-minute CMMC readiness call with Penny at (919) 348-4912. No cold-call follow-up, no sales pressure. If you want a live walkthrough of your SPRS result, book the call. Otherwise we leave you alone to use the tool.

Can I share the calculator URL with my team?

Each team member should unlock the calculator with their own work email so we know who is running the instrument. The calculator URL key is personal. Sharing is not prohibited, but each lead-gen submission lets us track engagement and send the right follow-up.

From a directional score to an audit-ready roadmap

The calculator tells you where you stand on SPRS today. A structured CMMC gap assessment tells you exactly what it will take to close the distance to 110 and pass a C3PAO audit. Petronella Technology Group runs CMMC gap assessments as a Registered Provider Organization. Custom quote based on environment size, not a flat list price.

Free 15-minute consultation with Penny at (919) 348-4912. Paid engagements after scoping.