If you're a small defense contractor staring down the November 10, 2026 CMMC deadline, you've probably been told you need an “SPRS score.” This guide explains exactly what that score is, how it's calculated against the 110 controls of NIST SP 800-171, and how to figure out your own number in about ten minutes — no consultant required.
What an SPRS score actually is
SPRS stands for Supplier Performance Risk System — the Department of Defense's database for tracking how well its contractors are managing the security of Controlled Unclassified Information (CUI). Your SPRS score is the single number the DoD uses to measure where you stand against NIST SP 800-171, the security standard at the heart of CMMC Level 2.
The score is a simple measurement, but with a non-obvious scale:
- The maximum is 110 — one point for every NIST 800-171 control you've fully implemented.
- The minimum is −203 — because some controls are weighted more heavily than others (more on that below).
- The threshold most contractors care about is 88 — the level the DoD generally treats as “conditional eligibility” for Level 2, provided you also have a Plan of Action and Milestones (POA&M) for the rest.
Your score is submitted (by you) into the SPRS database. Contracting officers can see it. After the CMMC deadline kicks in, an unfavorable number can quietly cost you the ability to win or keep contracts that involve CUI.
The scoring methodology in one paragraph
The math is intentionally simple. You start at 110. For every control you have not implemented, you subtract the control's point weight. Controls are worth either 1, 3, or 5 points, with the more impactful ones (multi-factor authentication, audit logging, encryption, etc.) carrying the higher weights. If you've partially implemented a control, the rules generally let you deduct half the weight, rounded up to a whole point, instead of the full amount. Sum the deductions, subtract them from 110, and you have your SPRS score.
Step 1 — List every control and its weight
NIST SP 800-171 Revision 2 contains 110 controls, grouped into 14 families:
- 3.1 Access Control (22 controls)
- 3.2 Awareness & Training (3 controls)
- 3.3 Audit & Accountability (9 controls)
- 3.4 Configuration Management (9 controls)
- 3.5 Identification & Authentication (11 controls)
- 3.6 Incident Response (3 controls)
- 3.7 Maintenance (6 controls)
- 3.8 Media Protection (9 controls)
- 3.9 Personnel Security (2 controls)
- 3.10 Physical Protection (6 controls)
- 3.11 Risk Assessment (3 controls)
- 3.12 Security Assessment (4 controls)
- 3.13 System & Communications Protection (16 controls)
- 3.14 System & Information Integrity (7 controls)
The DoD publishes the official point weights in the NIST SP 800-171 DoD Assessment Methodology. You'll find each control assigned 1, 3, or 5 points based on how much risk its absence creates. A few examples:
- 3.1.1 — Limit system access to authorized users: 5 points
- 3.5.3 — Use multifactor authentication: 5 points
- 3.1.4 — Separate the duties of individuals: 1 point
- 3.3.8 — Protect audit logs: 3 points
- 3.13.11 — Use FIPS-validated cryptography for CUI: 5 points
Before you start counting, make sure you have a current copy of the methodology open. Weights are sometimes adjusted between revisions, and the SPRS submission must match the official table.
Step 2 — Score each control as Met, Partial, Not Met, or N/A
For every one of the 110 controls, decide which of these applies:
- Met — you've fully implemented the control, you have evidence to prove it, and an assessor could verify the implementation today. No points deducted.
- Partial — the control is in place but with gaps (e.g., MFA is enforced for some accounts but not all privileged accounts). Half the points deducted (rounded up to the nearest whole point).
- Not Met — the control is not in place. Full points deducted.
- N/A — the control genuinely does not apply (rare; common candidates are physical-protection controls if you have no on-prem systems handling CUI). No points deducted, but you'll need to document the rationale.
This is the step that takes the longest. For most small contractors it's a few hours of honest self-assessment, ideally walking through each control with whoever runs IT.
Step 3 — Do the math
Once each control is categorized:
- Start with 110.
- For each Not Met control, subtract its full point weight (1, 3, or 5).
- For each Partial control, subtract half the point weight, rounded up (so a 5-point partial is −3, a 3-point partial is −2, a 1-point partial is −1).
- Met and N/A controls contribute zero deductions.
That's your SPRS score. Submit it (along with the assessment date and CMMC level you're claiming) in the SPRS portal.
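The three steps above as a small Python calculator (an added example, not code from 144 or the DoD). The weight table holds only the five weights quoted in this guide, so the printed number reflects deductions for those controls alone; the function names, CSV layout and sample answers are constructed for illustration.

```python
import csv
import io
import math

# Only the five weights quoted in this guide; load the rest from the official table.
PAGE_WEIGHTS = {"3.1.1": 5, "3.5.3": 5, "3.1.4": 1, "3.3.8": 3, "3.13.11": 5}
STATUSES = {"met", "partial", "not met", "n/a"}

# Constructed self-assessment: 3.13.11 is left unanswered on purpose.
SAMPLE_CSV = """id,status,rationale
3.1.1,Met,
3.5.3,Partial,
3.1.4,Not Met,
3.3.8,N/A,
"""

def deduction(weight, status):
    """Points lost for one control: full weight, half rounded up, or zero."""
    if status == "not met":
        return weight
    if status == "partial":
        return math.ceil(weight / 2)
    return 0  # met or n/a

def sprs_score(weights, rows):
    """Return (score, findings); findings are (id, status, points, note)."""
    answers = {}
    for row in rows:
        cid, status = row["id"].strip(), row["status"].strip().lower()
        if cid not in weights or status not in STATUSES:
            raise ValueError(f"bad row: {row}")
        answers[cid] = (status, (row.get("rationale") or "").strip())
    total, findings = 0, []
    for cid, weight in weights.items():
        # A control nobody answered is scored as Not Met.
        status, rationale = answers.get(cid, ("not met", ""))
        note = "" if cid in answers else "unanswered"
        if status == "n/a" and not rationale:
            note = "N/A without documented rationale"
        points = deduction(weight, status)
        total += points
        if points or note:
            findings.append((cid, status, points, note))
    findings.sort(key=lambda f: -f[2])  # biggest deductions first
    return 110 - total, findings

if __name__ == "__main__":
    score, findings = sprs_score(PAGE_WEIGHTS, csv.DictReader(io.StringIO(SAMPLE_CSV)))
    print(score)
    for finding in findings:
        print(*finding, sep="  ")
```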
A worked example
Take a small machining shop — call them Acme Manufacturing, 12 people, one IT consultant on retainer. They sit down and self-assess against all 110 controls. Here's what they find:
- Met: 78 controls (a mix of weights)
- Partial: 9 controls — 4 are 5-point controls, 3 are 3-point controls, 2 are 1-point controls
- Not Met: 21 controls — 5 are 5-point controls, 8 are 3-point controls, 8 are 1-point controls
- N/A: 2 controls (no physical CUI handling)
The deductions:
- Partial deductions: 4 × 3 (half of 5, rounded up) + 3 × 2 (half of 3, rounded up) + 2 × 1 (half of 1, rounded up) = 20 points
- Not Met deductions: 5 × 5 + 8 × 3 + 8 × 1 = 25 + 24 + 8 = 57 points
- Total deductions: 77 points
Acme's SPRS score: 110 − 77 = 33.
That's below the 88 conditional-eligibility threshold and well below the 110 required for full Level 2 compliance. It also tells Acme exactly where to focus — the 21 unimplemented controls, weighted by points-per-day-of-effort, become a remediation plan.
What your score actually means
Once you have your number, it falls into one of these rough bands:
- 110: Fully compliant. All 110 controls met. This is the bar for full CMMC Level 2 certification (subject to a C3PAO assessment).
- 88–109: Conditional eligibility — you've covered the most critical controls and have a credible POA&M for the rest. For many small contractors, this is the realistic short-term goal.
- 40–87: Significant gaps. You're not yet eligible for Level 2 contracts, but you have a working foundation. Targeted remediation is the next step.
- Below 40: Early stage. Major implementation work ahead. The good news is your highest-leverage moves are obvious (the 5-point controls).
- Negative numbers: Systemic gaps across multiple high-weight controls. Don't panic — many contractors start here. The score is a starting point, not a verdict.
Common mistakes when calculating your score
A few things that trip up first-time assessors:
- Skipping controls you don't understand. Every unanswered control will, in a true assessment, count as Not Met. Reading the official guidance for each control matters.
- Calling something “Met” without evidence. An assessor will ask for the proof. If you don't have a policy, a screenshot, or a log, the control isn't met — it's aspirational.
- Confusing CMMC Levels. Level 1 is a 17-control subset for protecting Federal Contract Information (FCI). Level 2 is all 110 NIST 800-171 controls for CUI. Most contracts that mention CMMC mean Level 2.
- Ignoring the half-credit rounding rule. A “partial” 5-point control is a 3-point deduction, not 2.5. Rounding up the deduction is intentional — the DoD wants partial credit to be conservative.
- Treating “N/A” as a free pass. N/A only applies where a control genuinely cannot apply to your environment, and you'll need to document why for the assessor. Don't use it to avoid work.
The fastest way to get an honest SPRS number
You can absolutely do this by hand — print the methodology, open a spreadsheet, walk through 110 lines. It takes a few hours and a clear head. Or you can use the free SPRS calculator at 144company.com, which runs the math live in your browser as you click through each control. It takes about 10 minutes, requires no signup, and saves your progress locally so you can come back to it.
Once you have your number, the next question becomes which gaps to fix first — and that's where 144's full readiness workflow picks up: a prioritized roadmap sorted by score-gained-per-day of effort, with cost estimates and a projected ready date, plus the SSP and POA&M documents an assessor expects. Everything self-serve, $149/month, no consultants required.
144 is a self-assessment readiness tool. It does not replace an assessment by a Certified Third-Party Assessment Organization (C3PAO) and does not constitute legal or compliance advice. Validate point weights against the current official DoD Assessment Methodology before submission.