If your organization does any work for the Department of Defense, your SPRS score and CMMC compliance posture are linked in ways that many contractors still do not fully understand. The gap between your submitted score and your actual security posture is increasingly the subject of federal enforcement.
This post explains how SPRS scoring works, what a realistic score looks like, and the 7 mistakes that put aerospace suppliers, defense manufacturers, and government contractors at serious legal and contractual risk.
What Is an SPRS Score?
SPRS stands for Supplier Performance Risk System. It is the DoD database where defense contractors self-report their cybersecurity posture using a score derived from NIST SP 800-171. The score ranges from -203 to +110. A perfect score of 110 means full implementation of all 110 controls.
Under DFARS 252.204-7019 and 7020, contractors must complete a self-assessment of NIST 800-171 compliance, enter the resulting score into the SPRS portal, and have a senior official affirm the score annually. Prime contractors are required to check your SPRS score before awarding subcontracts. If your score is low, or if you have not submitted one, you may not even make the shortlist.
How SPRS Score and CMMC Are Connected
Your SPRS score is not a replacement for CMMC. Think of it this way: SPRS is your self-reported cybersecurity score under the existing DFARS framework. CMMC is the verified, third-party confirmation that your score is accurate.
Under CMMC Level 2, most defense contractors will undergo a C3PAO assessment that validates every control you claimed in your SPRS submission. If your self-reported score was 110 but the assessor finds 12 controls not implemented, the gap becomes an audit finding and potentially an enforcement action. For the full picture of how DFARS and CMMC interact, see our breakdown of DFARS 7012 vs CMMC.
The enforcement mechanism is the Civil Cyber-Fraud Initiative, launched by the Department of Justice in 2021. Under this initiative, inflated SPRS scores are treated as fraudulent claims under the False Claims Act, which carries penalties of up to three times the value of affected contracts plus civil fines per false claim.
What a Realistic SPRS Score Looks Like
Most defense contractors, especially manufacturers, aerospace subcontractors, and engineering services firms, do not have a score of 110. A realistic score for a manufacturer with partial NIST 800-171 implementation:
| Control Family | Typical Score Impact |
|---|---|
| Access Control (AC): 22 controls | -15 to -25 pts for 4 to 6 open controls |
| Audit & Accountability (AU): 9 controls | -8 to -12 pts for 3 to 4 open controls |
| Configuration Management (CM): 9 controls | -8 to -15 pts for 2 to 4 open controls |
| System & Communications Protection (SC): 16 controls | -10 to -20 pts for 3 to 5 open controls |
| Typical realistic score | 60 to 85 (not 110) |
If your submitted SPRS score is 110 and your actual posture resembles the table above, you have a problem that goes beyond CMMC readiness.
7 Dangerous SPRS Scoring Mistakes
Mistake 1: Submitting a Score Without Doing a Real Assessment
Many contractors filled out a spreadsheet, guessed at controls, and submitted 110. No technical evaluation. No evidence review. No policy documentation. CMMC assessors are trained to find this immediately. When your IT lead cannot explain how a control is implemented, it fails, regardless of what the SPRS portal shows.
Mistake 2: Scoring Controls as Met Based on Intent, Not Implementation
"We plan to implement MFA" is not a MET control. "We have MFA configured on all CUI systems, enforced through Azure AD Conditional Access, and here are the screenshots" is a MET control. Your SPRS score must reflect actual implementation with supporting evidence, not roadmap items.
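To make the scoring described above concrete, here is an added illustrative calculator (not the DoD's tool and not this blog's own code) that scores a constructed control inventory the way the page describes: start at 110, deduct for every requirement that is not implemented, floor at -203, and treat a MET claim with no evidence behind it as NOT MET, which is the substance of Mistake 2. The point weights on the sample requirement IDs and the partial-credit allowance on 3.5.3 are assumptions for illustration; the authoritative weights are in the DoD's NIST SP 800-171 Assessment Methodology, not reproduced here.

```python
from dataclasses import dataclass

MAX_SCORE = 110    # all 110 requirements implemented
MIN_SCORE = -203   # floor stated on the page (110 minus the sum of all weights)

@dataclass
class Control:
    req_id: str                 # NIST SP 800-171 requirement, e.g. "3.5.3"
    weight: int                 # point value; the sample values below are assumed
    status: str                 # "met", "partial", "not_met" or "planned"
    evidence: tuple = ()        # screenshots, config exports, tickets that prove it
    partial_deduction: int = 0  # >0 only where the methodology allows partial credit

def deduction(c: Control, require_evidence: bool = True) -> int:
    """Points lost for one control. A MET claim with no evidence is scored as
    NOT MET when require_evidence is True (Mistake 2); 'planned' is always NOT MET."""
    if c.status == "met":
        return 0 if (c.evidence or not require_evidence) else c.weight
    if c.status == "partial" and c.partial_deduction:
        return c.partial_deduction
    return c.weight

def sprs_score(controls, require_evidence: bool = True) -> int:
    """110 minus all deductions, never below the -203 floor."""
    total = sum(deduction(c, require_evidence) for c in controls)
    return max(MIN_SCORE, MAX_SCORE - total)

def unsupported_claims(controls):
    """Controls the spreadsheet calls MET with nothing to show an assessor."""
    return [c.req_id for c in controls if c.status == "met" and not c.evidence]

# Constructed sample: a handful of controls, not a full 110-control inventory.
SAMPLE = [
    Control("3.1.1", 5, "met", ("ad-group-export.csv",)),
    Control("3.5.3", 5, "partial", ("ca-policy-mfa.json",), partial_deduction=3),
    Control("3.3.1", 5, "planned"),     # "we plan to enable audit logging"
    Control("3.4.1", 3, "met"),         # claimed MET, no evidence on file
    Control("3.13.11", 5, "not_met"),
]

if __name__ == "__main__":
    print("spreadsheet score:", sprs_score(SAMPLE, require_evidence=False))  # 97
    print("evidenced score:  ", sprs_score(SAMPLE))                           # 94
    print("unsupported claims:", unsupported_claims(SAMPLE))                  # ['3.4.1']
```

The three-point gap between the two scores is exactly the kind of discrepancy an assessor or investigator compares against the number in the SPRS portal.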
Mistake 3: Not Accounting for Flow-Downs to Subcontractors
If you are a prime contractor and you flow CUI to subcontractors, your SPRS score does not cover their environment. Each sub must have its own score and its own compliance obligations. Primes who attest to supply chain security without verifying sub scores face compounding liability if a sub is found noncompliant.
Mistake 4: Ignoring the Score After Submission
SPRS scores must be updated whenever your security posture changes significantly. An outdated score that does not account for known vulnerabilities or new systems is a paper trail straight to enforcement if a breach or complaint surfaces.
Mistake 5: Failing to Document the Assessment Methodology
The DFARS rules require that your assessment methodology be documented and available for audit. You need to record who performed the assessment, what evidence was reviewed, and when it occurred. An undocumented self-assessment is not a defensible self-assessment.
Mistake 6: Assuming a High Score Means You Are CMMC-Ready
SPRS is a self-assessment. CMMC is a verified assessment. Your SPRS score of 95 may still result in a failed CMMC audit if the missing controls are in critical families like Access Control or Incident Response. Use your SPRS score as a starting point, not a destination. Our guide on how to prepare for a CMMC assessment covers what needs to be closed before the C3PAO arrives.
Mistake 7: Not Fixing POA&M Items Before the CMMC Assessment
CMMC Level 2 is less forgiving than SPRS. Only certain controls are eligible for POA&M deferral, and all deferred items must be closed within 180 days of certification. If your SPRS POA&M has been carrying the same open controls for two years, your C3PAO is going to ask difficult questions. See our post on how to build a CMMC POA&M that will survive that scrutiny.
The False Claims Act Risk Is Real
The DoJ's Civil Cyber-Fraud Initiative has already produced significant enforcement results. Defense contractors, including several small manufacturers, have paid multi-million dollar settlements for submitting inflated cybersecurity compliance claims. Qui tam relators, often current or former employees or competitors, can file FCA suits on behalf of the government and receive a share of any recovery.
If your submitted SPRS score does not reflect your real NIST 800-171 posture, the time to fix it is now, before a C3PAO or a federal investigator finds the gap for you.
How to Fix Your SPRS Score Before It Becomes a Problem
Start with an honest gap analysis: not a spreadsheet exercise, but a real technical evaluation of your current controls against every NIST 800-171 practice. Our CMMC compliance services include a DFARS/CMMC gap workshop that reviews your submitted SPRS score against your actual environment and produces a remediation roadmap with accurate control status.
Start with the CMMC grant funding: it takes about 15 minutes and gives you a candid baseline. Or talk to our team before your next contract bid.
