If you plan on working with the Department of Defense (DoD) and handling Controlled Unclassified Information (CUI), you’ve probably heard about NIST 800-171 and CMMC compliance. But there’s another key piece of the puzzle that’s less often discussed: SPRS (Supplier Performance Risk System).
What is SPRS, and how does it fit into your cybersecurity compliance journey? Let’s break it down in simple terms.
What is SPRS?
SPRS is not a new security framework or a separate compliance requirement. It is the DoD’s official system for tracking NIST 800-171 self-assessment scores and other supplier performance data.

Why Does SPRS Exist?
Before SPRS, contractors could claim they were compliant with NIST 800-171 without any verification. Now, the DoD requires contractors to:
- Perform a self-assessment against NIST 800-171
- Calculate their NIST SPRS score (a maximum of 110 points)
- Submit this score in the SPRS portal before bidding on DoD contracts
How Does SPRS Fit with NIST 800-171 & CMMC?
To fully understand SPRS, you need to know where it fits in the bigger picture:
NIST 800-171: The Security Standard
- A framework with 110 cybersecurity controls that is required for DoD contractors handling CUI.
- Contractors must assess their compliance and identify security gaps.
SPRS: The Compliance Reporting System
- The DoD’s official portal for recording and tracking NIST 800-171 self-assessment scores.
- Your SPRS score reflects how many of the 110 controls you’ve implemented.
CMMC: The Certification Process
- CMMC (Cybersecurity Maturity Model Certification) builds on NIST 800-171.
- If your contract requires CMMC Level 2, you will eventually need an official third-party assessment.
- SPRS helps track your progress toward certification.
Bottom line: If you handle CUI, you must comply with NIST 800-171, report your score in SPRS, and possibly prepare for CMMC certification in the future.
How the DoD Uses SPRS Scores
SPRS scores help the DoD evaluate risk before awarding contracts. Here’s how:
- Higher scores make contractors more competitive. A higher SPRS score indicates a stronger security posture.
- Scores below 110 require a Plan of Action & Milestones (POA&M). If you haven’t implemented all 110 controls, you must outline when and how you plan to do so.
- The DoD may audit your score. If your reported SPRS score is questionable, the DoD can request evidence or conduct an audit.
- Low scores could limit your contract eligibility. Certain contracts may require a minimum SPRS score or full compliance with NIST 800-171.
How to Calculate & Submit Your SPRS Score
Step 1: Perform a NIST 800-171 Self-Assessment
You’ll need to review all 110 security controls in NIST 800-171 and determine, for each one, whether it is fully implemented; that determination is the basis of your SPRS score.
Step 2: Calculate Your SPRS Score
- Each of the 110 controls is worth points (some more than others).
- If you fully implement a control, you get full credit.
- If you haven’t implemented a control, you lose the corresponding points.
- The maximum score is 110 (perfect compliance), and the lowest possible score is -203.
Step 3: Submit Your SPRS Score
Once you’ve calculated your score:
- Log into the SPRS portal (https://www.sprs.csd.disa.mil/).
- Enter your SPRS score and Plan of Action & Milestones (POA&M) for any missing controls.
- Keep your SPRS score updated as you improve compliance.
The DoD will check your SPRS score when evaluating contracts, so maintaining an accurate and competitive score is critical.
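To make Steps 1 to 3 concrete, here is an added example (not Centraleyes’ or the DoD’s own tool) that scores a control inventory and produces the POA&M rows for the gaps. It relies on one fact from the DoD NIST SP 800-171 Assessment Methodology: every control is weighted 1, 3 or 5 points, a perfect score is 110, and each unimplemented control subtracts its weight (all 110 weights sum to 313, which is where the -203 floor comes from). The control list, its weights, statuses, remediation text and dates are a constructed sample, not a real assessment and not the real 110-control list.

```python
"""SPRS score calculator and POA&M builder (added example, not the page's own code).

Facts relied on: controls are weighted 1, 3 or 5 points; score = 110 minus the
weight of every control that is not fully implemented. The methodology also
grants partial credit on two controls (3.5.3 MFA and 3.13.11 FIPS-validated
encryption); this example keeps scoring binary for simplicity.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PERFECT_SCORE = 110          # all 110 controls implemented
VALID_WEIGHTS = {1, 3, 5}    # the only weights the DoD methodology uses


@dataclass
class Control:
    control_id: str                     # NIST 800-171 requirement id, e.g. "3.1.1"
    weight: int                         # 1, 3 or 5 points
    implemented: bool                   # True only if FULLY implemented
    planned_fix: str = ""               # remediation text for the POA&M
    target_date: Optional[date] = None  # milestone date for the POA&M


def validate(controls):
    """Reject bad weights and gaps that lack a POA&M entry."""
    for c in controls:
        if c.weight not in VALID_WEIGHTS:
            raise ValueError(f"{c.control_id}: weight must be 1, 3 or 5")
        if not c.implemented and (not c.planned_fix or c.target_date is None):
            raise ValueError(f"{c.control_id}: unimplemented controls need a POA&M entry")


def sprs_score(controls):
    """110 minus the weight of every control not fully implemented."""
    validate(controls)
    return PERFECT_SCORE - sum(c.weight for c in controls if not c.implemented)


def poam(controls):
    """POA&M rows for the gaps, highest-weight first (the quick-win order)."""
    gaps = [c for c in controls if not c.implemented]
    gaps.sort(key=lambda c: (-c.weight, c.control_id))
    return [(c.control_id, c.weight, c.planned_fix, c.target_date.isoformat())
            for c in gaps]


# Constructed sample inventory: the ids are real requirement numbers, but the
# weights, statuses, plans and dates are illustrative only.
SAMPLE = [
    Control("3.1.1", 5, True),
    Control("3.1.20", 1, True),
    Control("3.3.1", 5, False, "Deploy central log collection", date(2025, 9, 30)),
    Control("3.5.3", 5, False, "Roll out MFA to all network and privileged access", date(2025, 7, 15)),
    Control("3.13.11", 5, False, "Replace non-FIPS-validated crypto modules", date(2025, 12, 1)),
    Control("3.14.1", 3, True),
    Control("3.1.22", 1, False, "Add review step for publicly posted content", date(2025, 8, 1)),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))   # 94 for the sample above
    for row in poam(SAMPLE):
        print(row)
```

Ordering the POA&M by weight is what makes the "focus on high-value controls first" advice actionable: the top rows are the ones that move the score the most.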
Start Getting Value With Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC system does and eliminates the need for manual processes and spreadsheets to give you immediate value and run a full risk assessment in less than 30 days.
How to Improve Your SPRS Score Quickly
If your SPRS score is low, here’s how to improve it efficiently:
- Focus on high-value controls first. Some controls carry more points than others, so fixing those first gives you the biggest score boost.
- Implement multi-factor authentication (MFA). This is a relatively easy win with significant security benefits.
- Encrypt sensitive data. Ensuring encryption is in place for CUI can resolve multiple controls at once.
- Regularly update your POA&M. The DoD wants to see progress, so documenting even small improvements can be beneficial.
- Use automation tools. Cybersecurity solutions can help streamline compliance efforts and reduce manual errors.
The Role of POA&Ms in SPRS Compliance
A Plan of Action & Milestones (POA&M) is a crucial part of SPRS reporting if your score is below 110. Here’s what you need to know:
- POA&Ms outline missing controls and planned fixes. They detail which security gaps exist, how you plan to fix them, and by what date.
- The DoD reviews POA&Ms for contract eligibility. Some contracts may require full compliance rather than an active POA&M.
- An outdated POA&M can hurt you. If your POA&M shows no progress over time, the DoD may question your commitment to compliance.
Common Questions About SPRS
Is SPRS a separate security framework?
No. SPRS is just the system where you report your NIST 800-171 compliance.
What happens if my SPRS score is low?
A low SPRS score means you haven’t implemented enough NIST 800-171 controls. While you can still bid for contracts, the DoD may require a plan (POA&M) showing when you’ll fully comply.
Do I need SPRS if I’m working toward CMMC certification?
Yes! Since CMMC Level 2 requires full NIST 800-171 compliance, your SPRS score should already be 110 before getting certified.