How the scoring works
No black box: we compute your score exactly the way DoD specifies, and we show our work. This page is the methodology; your results page is the math applied to your answers.
The SPRS score, in 60 words
Under the DoD NIST SP 800-171 Assessment Methodology, every contractor starts at 110 points. Unimplemented requirements deduct a weighted value — 5, 3, or 1 points — for 109 of the 110; the SSP requirement (3.12.4) is unscored because without one no assessment can occur. Scores range from −203 to 110 and are reported to the Supplier Performance Risk System (SPRS), where DoD reviews them — and primes, who cannot look your score up themselves, are required to ensure their subs have a current one (DFARS 252.204-7020), which is why they ask you for it.
Want to see how specific gaps move the number? Try the interactive SPRS score calculator — check off requirements and watch the deductions land, family by family.
The weights in this dataset
- 44 requirements weigh 5 points (basic safeguards whose absence enables exploitation)
- 14 requirements weigh 3 points
- 51 requirements weigh 1 point
Two requirements get partial credit under the methodology: 3.5.3 (MFA) deducts 3 instead of 5 when MFA covers remote and privileged users but not yet general users, and 3.13.11 (CUI encryption) deducts 3 instead of 5 when encryption is deployed but not FIPS-validated.
POA&M eligibility (32 CFR 170.21)
CMMC Level 2 allows conditional certification when your assessment scores at least 88 of 110 (80%) and every open gap is on a Plan of Action & Milestones — but only certain requirements may be on a POA&M at all (47 of 110 in this dataset, generally the 1-point items with specific exclusions). Open items must close within 180 days or the conditional certification lapses. Our results page separates your gaps into "POA&M-eligible" and "must fix first" for exactly this reason.
The full eligibility rules — the six never-eligible requirements by id, the 3.13.11 exception, a worked example — plus a free blank template live in the POA&M template guide.
Our conservatism rules
- Unanswered requirements count as not implemented. Your score never benefits from silence.
- "Partially implemented" deducts full points except for the two partial-credit requirements above — exactly as the methodology prescribes.
- "Not applicable" requires a written justification, which appears in your SSP for your assessor to evaluate.
- Quick-assessment results are labeled estimates with an uncertainty range, and never claim conditional-certification eligibility.
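The weights, partial-credit cases and conservatism rules above, as an added sketch (not this platform's code and not DoD's). The function names, the status strings and the `placeholder-*` ids are assumptions made for illustration. The constructed table reproduces only the per-weight counts given on this page, and treating a justified "not applicable" as no deduction is also an assumption.

```python
# Added example. Only 3.5.3, 3.13.11 and 3.12.4 are real requirement ids;
# the "placeholder-*" ids are constructed and carry no Annex A meaning.
START = 110
UNSCORED = {"3.12.4"}                        # SSP requirement: no point value
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # deduct 3 instead of 5


def build_constructed_weights():
    """Constructed table with the page's counts: 44 x 5, 14 x 3, 51 x 1."""
    weights = {"3.5.3": 5, "3.13.11": 5, "3.12.4": 0}
    for value, count in ((5, 42), (3, 14), (1, 51)):
        for i in range(count):
            weights[f"placeholder-{value}pt-{i:02d}"] = value
    return weights


def sprs_score(weights, answers, justifications=None):
    """Score one assessment.

    answers maps id -> "implemented", "partial", "partial_credit",
    "not_implemented" or "na"; a missing id is unanswered.
    "partial_credit" means the specific condition for 3.5.3 or 3.13.11 holds.
    Assumption: "na" avoids the deduction only with a written justification.
    """
    justifications = justifications or {}
    score = START
    for req, weight in weights.items():
        if req in UNSCORED:
            continue
        status = answers.get(req)  # None: unanswered, counts as not implemented
        if status == "implemented":
            continue
        if status == "na" and justifications.get(req, "").strip():
            continue
        if status == "partial_credit" and req in PARTIAL_CREDIT:
            score -= PARTIAL_CREDIT[req]
        else:
            score -= weight  # plain "partial" and unknown statuses deduct in full
    return score


if __name__ == "__main__":
    table = build_constructed_weights()
    done = {req: "implemented" for req in table}
    print(sprs_score(table, {}))                                   # nothing answered
    print(sprs_score(table, {**done, "3.5.3": "partial_credit"}))  # one partial-credit gap
```

To score a real assessment, replace the constructed table with the point values from Annex A of the methodology listed under Sources.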
Sources
- NIST SP 800-171 Rev 2 (requirement text, verbatim)
- NIST SP 800-171A (assessment objectives)
- DoD NIST SP 800-171 Assessment Methodology v1.2.1, Annex A (point values)
- 32 CFR 170 (CMMC final rule: phases, POA&M limits, conditional certification)
Dataset last verified 2026-06-10. When DoD changes the rules, our regulatory watch updates this dataset and your saved results recompute — that is the point of a living platform over a PDF from last year.