Understanding Your SPRS Score: What NC Defense Contractors Need to Know

Complete SPRS score guide for North Carolina defense contractors. Learn scoring methodology, improvement strategies, and CMMC implications. Call (336) 886-3282.


Your SPRS (Supplier Performance Risk System) score measures your organization's implementation of NIST 800-171 security controls on a scale from -203 to 110, with 110 representing full compliance. For North Carolina defense contractors, this score directly determines contract eligibility, as the Department of Defense requires current SPRS submissions before awarding contracts involving Controlled Unclassified Information.

Key takeaway: According to the DoD Assessment Methodology and analysis by Summit7, the SPRS scoring system assigns a weight of 1, 3, or 5 points to each of the 110 NIST 800-171 Rev 2 requirements. 42 requirements are weighted at 5 points, representing the most critical security requirements. Contractors start at 110 and lose the full weight for each unimplemented requirement. There is no partial credit, with exactly two exceptions the methodology spells out: multi-factor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) cost 3 points instead of 5 when partially in place (MFA only for remote and privileged users; encryption in use but not FIPS-validated).

North Carolina ranks among the top states for defense spending, with the DoD investing $5.6 billion in the state in recent fiscal years. For contractors near Fort Liberty, Cherry Point, Seymour Johnson Air Force Base, and throughout the Piedmont Triad, your SPRS score is now a competitive differentiator that can win or lose contracts.

Need to improve your SPRS score? Preferred Data Corporation provides comprehensive NIST 800-171 assessment and remediation for North Carolina defense contractors. Call (336) 886-3282 or schedule your free assessment.

How SPRS Scoring Works

The Weighted Point System

The DoD Assessment Methodology assigns each of the 110 NIST 800-171 Rev 2 controls a weight of 1, 3, or 5 points:

  • 42 requirements weighted at 5 points: In the methodology's own terms, these are the requirements whose absence could lead to significant exploitation of the network or exfiltration of DoD CUI. Most of the basic requirements derived from FIPS 200 fall here. Missing these has the greatest score impact.
  • 14 requirements weighted at 3 points: Requirements whose absence has a specific and confined effect on the security of the network and its data.
  • 54 requirements weighted at 1 point: Requirements whose absence has a limited or indirect effect on the security of the network and its data.

Score Calculation Example

Starting from 110 (perfect score):

  • Missing 3 five-point controls: 110 - 15 = 95
  • Missing 5 three-point controls: 95 - 15 = 80
  • Missing 4 one-point controls: 80 - 4 = 76

Final score: 76

This contractor has 12 unimplemented requirements. A score of 76 is well below the 88 minimum the CMMC rule allows for conditional Level 2 status, and none of the 5- and 3-point gaps could be deferred on a POA&M in any case, so significant remediation is required before a CMMC assessment.

The Role of POA&Ms (Plans of Action and Milestones)

According to the SPRS submission requirements, contractors with scores below 110 must:

  1. Create a POA&M entry for each unimplemented security requirement
  2. Record the date by which every POA&M item will be closed (under CMMC, open items must be closed within 180 days of the conditional certification)
  3. Submit the current score together with the assessment date, the assessment scope, the SSP reference, and the date all requirements are expected to be implemented (the date the score is expected to reach 110)
  4. Submit a new assessment to SPRS as requirements are implemented and the score changes

Key takeaway: POA&Ms are not blank checks. Under the CMMC rule (32 CFR 170.21), a Level 2 POA&M may carry only 1-point requirements, with one exception: FIPS-validated cryptography (3.13.11) may be on the POA&M when encryption is in use but not FIPS-validated (the 3-point deduction). Every 3- and 5-point requirement must be fully met at assessment time, as must five specific 1-point requirements (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5), and the assessment score must be at least 88. Open POA&M items must be closed within 180 days of the conditional certification or the conditional status expires.
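To make the scoring walkthrough above and the POA&M limits concrete, here is an added calculator (example code written for this page, not from the DoD methodology or any vendor). It scores a ledger of assessed requirements, applies the two partial-credit exceptions (3.5.3 and 3.13.11) while denying partial credit to everything else, and then reports which open items could not be placed on a CMMC Level 2 POA&M. The ledger, the statuses, and the point weights on the sample requirements are assumptions constructed for illustration; confirm each weight against Annex A of the current methodology before relying on it.

```python
"""SPRS score calculator with the DoD Assessment Methodology's partial-credit
exceptions and the CMMC Level 2 POA&M limits from 32 CFR 170.21.
Added example, not from the original page. Requirement weights in the sample
ledger are assumptions for illustration; verify them against Annex A."""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110
# 32 CFR 170.21: conditional Level 2 status needs at least 0.8 * 110 points
CMMC_MIN_CONDITIONAL = 88
# The only requirements the methodology scores at 3 instead of 5 when
# partially done (MFA only for remote/privileged users; non-FIPS encryption)
PARTIAL_CREDIT = {"3.5.3", "3.13.11"}
# 1-point requirements that still may NOT sit on a Level 2 POA&M
POAM_FORBIDDEN_ONE_POINTERS = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"


@dataclass(frozen=True)
class Requirement:
    rid: str      # NIST SP 800-171 Rev 2 identifier, e.g. "3.5.3"
    weight: int   # 1, 3 or 5 points from Annex A
    status: Status


def deduction(req: Requirement) -> int:
    """Points lost for one requirement. Only 3.5.3 and 3.13.11 get the reduced
    3-point deduction when partially done; any other partial implementation is
    scored exactly like a missing one (the methodology gives no partial credit)."""
    if req.weight not in (1, 3, 5):
        raise ValueError(f"{req.rid}: weight must be 1, 3 or 5")
    if req.status is Status.MET:
        return 0
    if req.status is Status.PARTIAL and req.rid in PARTIAL_CREDIT:
        return 3
    return req.weight


def sprs_score(reqs) -> int:
    ids = [r.rid for r in reqs]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement id in ledger")
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def poam_blockers(reqs):
    """Reasons the open items could not all be carried on a Level 2 POA&M."""
    blockers = []
    for r in reqs:
        d = deduction(r)
        if d == 0:
            continue
        if r.rid == "3.13.11" and d == 3:
            continue  # the one multi-point gap the rule allows on a POA&M
        if d > 1:
            blockers.append(f"{r.rid}: {d}-point gap must be closed before assessment")
        elif r.rid in POAM_FORBIDDEN_ONE_POINTERS:
            blockers.append(f"{r.rid}: 1-point requirement excluded from POA&Ms")
    score = sprs_score(reqs)
    if score < CMMC_MIN_CONDITIONAL:
        blockers.append(f"score {score} is below the {CMMC_MIN_CONDITIONAL} minimum")
    return blockers


def conditional_cert_possible(reqs) -> bool:
    return not poam_blockers(reqs)


# Constructed sample ledger: a handful of the 110 requirements, for illustration
SAMPLE = [
    Requirement("3.1.1", 5, Status.MET),        # limit system access
    Requirement("3.3.1", 5, Status.NOT_MET),    # audit logging
    Requirement("3.5.3", 5, Status.PARTIAL),    # MFA only for remote/privileged users
    Requirement("3.13.11", 5, Status.PARTIAL),  # encryption in use, not FIPS-validated
    Requirement("3.1.5", 3, Status.PARTIAL),    # least privilege "mostly" done: no credit
    Requirement("3.1.20", 1, Status.NOT_MET),   # external system connections
    Requirement("3.8.4", 1, Status.NOT_MET),    # CUI media marking
    Requirement("3.14.1", 5, Status.MET),       # flaw remediation
]

# Same ledger after closing every gap a POA&M may not carry
REMEDIATED = [
    Requirement(r.rid, r.weight, Status.MET)
    if r.rid in {"3.3.1", "3.5.3", "3.1.5", "3.1.20"} else r
    for r in SAMPLE
]

if __name__ == "__main__":
    for name, ledger in (("sample", SAMPLE), ("remediated", REMEDIATED)):
        print(name, sprs_score(ledger), conditional_cert_possible(ledger))
        for b in poam_blockers(ledger):
            print("  ", b)
```

The sample ledger scores 94, which clears the 88 floor, yet it is not eligible for conditional certification: the open 5-point and 3-point items (including MFA at the 3-point level, which the rule does not exempt) and the excluded 1-point requirement 3.1.20 all have to be closed first. The remediated ledger scores 106 with only 3.13.11 and 3.8.4 left open, both of which a POA&M may carry.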

Common SPRS Score Ranges and What They Mean

Score: 100-110 (Assessment Ready)

Contractors in this range have implemented most or all NIST 800-171 controls and are well-positioned for CMMC Level 2 assessment. Minor gaps may exist but can be quickly remediated.

Action needed: Complete remaining POA&M items, document all controls in System Security Plan, and prepare for C3PAO assessment.

Score: 70-99 (Active Improvement Needed)

This is the most common range for contractors who have made earnest compliance efforts but have gaps in technical implementation or documentation. Common missing controls include multi-factor authentication, encryption, SIEM/log management, and comprehensive policies.

Action needed: Prioritize 5-point requirements, implement technical solutions for gaps, and develop a remediation timeline. Under the CMMC rule, 88 (80 percent of 110) is the floor for conditional Level 2 certification, and only 1-point gaps may remain open at that point, so treat 88 as the absolute minimum and 110 as the target.

Score: 30-69 (Significant Gaps)

Contractors in this range have fundamental security gaps that require substantial investment in both technology and processes. Multiple control families likely have incomplete implementation.

Action needed: Engage a managed security provider for comprehensive assessment and remediation planning. Expect 12-18 months of focused effort to reach assessment readiness.

Score: Below 30 (Critical Deficiency)

Scores in this range indicate minimal security control implementation. The gap between the current state and compliance is substantial, often requiring complete infrastructure modernization.

Action needed: Immediate consultation with compliance specialists. Consider whether in-house implementation or migration to a compliant managed service platform is more cost-effective.

The Gap Between Self-Assessed and Actual Scores

Why Self-Assessments Overestimate Compliance

Research and assessment experience reveals consistent patterns of self-assessment inflation:

Documentation gaps: Contractors may implement technical controls but lack the documented policies, procedures, and evidence required to demonstrate compliance. A control without documentation is not implemented.

Partial implementation misconceptions: The DoD methodology offers no partial credit. A requirement that is 80% implemented scores the same as one that is 0% implemented; both receive the full point deduction. The only exceptions are MFA (3.5.3) and FIPS-validated cryptography (3.13.11), which the methodology scores at 3 points instead of 5 when partially in place.

Scope underestimation: Many contractors underestimate the scope of their CUI environment, missing systems, applications, and data flows that must be included in the assessment boundary.

Inherited control assumptions: Contractors using cloud services may assume the cloud provider handles certain controls without verifying this against the provider's shared responsibility or customer responsibility matrix, and without documenting the customer-side configuration the inheritance depends on.

Consequences of Inaccurate Scores

According to multiple legal analyses, submitting inaccurate SPRS scores carries serious consequences:

  • False Claims Act liability: Potential treble damages plus per-claim penalties
  • Contract termination: Loss of existing DoD contracts
  • Debarment: Prohibition from future government contracting
  • Criminal prosecution: In egregious cases of intentional misrepresentation

Strategies to Improve Your SPRS Score

Strategy 1: Prioritize 5-Point Controls

Focus remediation on the 42 controls weighted at 5 points. These provide the greatest score improvement per dollar invested:

  • [ ] Implement multi-factor authentication (MFA) for all CUI access
  • [ ] Deploy FIPS-validated encryption for CUI in transit and at rest
  • [ ] Establish centralized logging and monitoring (SIEM)
  • [ ] Implement automated patch management
  • [ ] Configure network segmentation for CUI environments
  • [ ] Deploy endpoint detection and response (EDR) solutions
  • [ ] Establish incident response procedures and team

Strategy 2: Leverage Cloud-Based Solutions

Cloud platforms pre-configured for NIST 800-171 compliance can implement multiple controls simultaneously:

  • Microsoft 365 GCC/GCC High addresses email encryption, access control, and audit logging
  • Azure Government provides FIPS-validated infrastructure
  • Managed SIEM services address audit and accountability requirements
  • Cloud backup solutions provide data protection controls

Strategy 3: Address Documentation Systematically

Many score improvements require documentation rather than technology:

  • System Security Plan (SSP) covering all CUI systems
  • Policies for each control family (access control, incident response, etc.)
  • Procedures detailing how each control is implemented
  • Evidence of ongoing control operation (logs, reports, training records)

Strategy 4: Define CUI Scope Accurately

Reducing your CUI scope (legitimately) reduces the number of systems requiring full NIST 800-171 implementation:

  • Identify exactly which data qualifies as CUI
  • Map all systems that store, process, or transmit CUI
  • Consolidate CUI processing to fewer, better-protected systems
  • Implement architectural boundaries that limit CUI data flows

SPRS and CMMC 2.0 Connection

How SPRS Feeds CMMC Assessment

Your SPRS score provides the baseline for CMMC Level 2 certification:

  1. Pre-assessment: C3PAO reviews your submitted SPRS score and SSP
  2. Assessment planning: Gap areas from SPRS guide assessment focus
  3. On-site verification: Assessors verify that claimed controls are actually implemented
  4. Scoring: CMMC assessment identifies MET, NOT MET, and NOT APPLICABLE for each control
  5. POA&M evaluation: Only 1-point requirements (plus 3.13.11 at the 3-point level) may be left open on a POA&M, and only if the score is at least 88; every 3- and 5-point gap must already be closed

CMMC Timeline Pressure for NC Contractors

With CMMC Phase 2 (mandatory Level 2 C3PAO certification) beginning November 2026, North Carolina defense contractors need SPRS scores at or near 110 by mid-2026 to allow time for:

  • C3PAO scheduling (3-6 month wait times)
  • Assessment completion (2-4 weeks)
  • POA&M remediation (180 days maximum)
  • Final certification issuance

How Preferred Data Supports NC Defense Contractors

With 37 years serving North Carolina businesses and a BBB A+ rating, Preferred Data Corporation helps defense contractors throughout High Point, Greensboro, Winston-Salem, Charlotte, Raleigh, Durham, and the Piedmont Triad improve their SPRS scores and achieve CMMC certification.

Our SPRS improvement services include:

  • Independent NIST 800-171 gap assessments with accurate scoring
  • Prioritized remediation roadmaps focused on 5-point controls
  • Managed IT infrastructure aligned to NIST requirements
  • Cybersecurity solutions implementing technical controls
  • Cloud platform configuration for CUI environments
  • SSP and policy documentation development
  • POA&M management and tracking
  • CMMC assessment preparation and support

Ready to improve your SPRS score? Call (336) 886-3282 or schedule your assessment to start your compliance journey.

Frequently Asked Questions

What is the minimum SPRS score required for DoD contracts?

DFARS 252.204-7019 and 7020 require a current score, not a particular one, so there is no published minimum for contract award; contracting officers can see your score and use it in source selection decisions. For CMMC Level 2 certification, however, the rule sets a floor: at least 88 (80 percent of 110) for conditional status, with only 1-point gaps left open on a POA&M. A score of 110 (full compliance) is the target, and scores significantly below 88 indicate gaps that may disqualify your bid.

How often must SPRS scores be updated?

SPRS scores must be less than three years old for contract award. However, contractors should update scores whenever significant controls are implemented or when system changes affect compliance. Best practice is annual reassessment with interim updates as POA&M items are completed.

Can my business be penalized for a low SPRS score?

A low score itself is not penalized, but submitting an inaccurate (inflated) score carries serious consequences including False Claims Act liability, contract termination, and debarment. The risk is in claiming a higher score than your actual implementation supports, not in honestly reporting a low score with a credible remediation plan.

How does NIST 800-171 Rev 3 affect my current SPRS score?

The DoD has not updated the SPRS scoring methodology for Rev 3, which was released in May 2024. A DFARS class deviation keeps Rev 2 as the required baseline for DFARS 252.204-7012, and the CMMC rule likewise assesses against Rev 2, so contractors should continue scoring against the 110 Rev 2 requirements until the DoD announces a transition timeline. Preparing for Rev 3 now is prudent, as it adds three new control families (planning, system and services acquisition, and supply chain risk management) and will require updated assessments.

What is the fastest way to improve a low SPRS score?

Focus on implementing the 42 five-point requirements first, as each provides the largest score improvement. Common quick wins include deploying MFA (5-point requirement 3.5.3), implementing endpoint protection, enabling system logging, and completing security awareness training. A managed security provider can help North Carolina businesses implement multiple requirements simultaneously.
