The Supplier Performance Risk System is where DoD sees your security posture as a single number. A short guide to how the score is calculated, how it's submitted, and what it actually means.
The Supplier Performance Risk System — pronounced "spurs" — is the Department of Defense's central database for tracking contractor risk and performance. It covers many dimensions of contractor evaluation, but the part that matters for CMMC is the NIST SP 800-171 Assessment module, where contractors submit a self-assessment score reflecting how completely they've implemented the 110 controls.
That score is what your DoD customers and prime contractors see when they evaluate whether you're a credible candidate to handle CUI. It's required under DFARS 252.204-7019 for any contractor whose contract flows down DFARS 252.204-7012, which is most defense work involving CUI.
Three things make SPRS different from the SSP and POA&M:
It's a number, not a document. The SSP and POA&M live as files; the SPRS score is a single integer between −203 and 110, calculated from your control implementation status.
It lives in a government system. The SSP and POA&M sit on your servers; the SPRS score is uploaded directly to a DoD database that government acquisition staff query when evaluating contractors.
It's visible to others. SSPs and POA&Ms are typically internal. SPRS scores are visible to DoD contracting officers and to the prime contractors you work with.
SPRS scoring starts at 110 and subtracts points for each NIST 800-171 control that isn't fully implemented. Each control has a defined point value — most are worth either 1, 3, or 5 points — based on the control's relative importance to protecting CUI.
A perfect score is 110. The lowest possible score is −203, reached if every control fails at maximum point value. Most contractors land somewhere between 60 and 100 on initial assessment.
Point deductions follow a published rubric in the DoD's Assessment Methodology. The values below are the most commonly seen weights — they're not exhaustive, but they cover most of the deductions a contractor will encounter.
The score can go negative because some controls deduct more than 1 point. If a contractor has all 110 controls unmet and many of them are high-impact, the cumulative deductions exceed 110, producing a negative score. A negative SPRS score signals serious unaddressed gaps and is generally disqualifying for CUI work.
SPRS submissions happen through a portal accessed via the Procurement Integrated Enterprise Environment (PIEE). The process is mechanical once you know it, but the first submission can be confusing because access requires several pre-existing credentials.
SPRS is keyed to your CAGE (Commercial and Government Entity) code. If your company is registered in SAM.gov, you already have one. Without an active CAGE code, you can't submit.
The submitter needs a PIEE account at piee.eb.mil with the SPRS Cyber Vendor User role. If your company already submits in PIEE for other purposes (invoicing, contract management), the same account can be granted SPRS access.
In the SPRS NIST SP 800-171 Assessment module, you'll enter the date of your assessment, the scope (which systems were assessed), the assessor (almost always "self" for self-assessments), and your final score.
SPRS doesn't store your full SSP or POA&M, but it asks for the version date of the SSP that supports the score and confirms whether a POA&M exists. The score must be defensible against the documents you reference.
Your SPRS score should be updated at least annually, and after any material change to your security posture (significant remediation, environment shifts, scope changes). Stale scores raise questions during contract reviews.
There's no published threshold that automatically wins or loses contracts. SPRS scores are one input among many that DoD acquisition staff and prime contractors weigh when evaluating contractor risk. That said, certain ranges carry strong practical signals.
Above 88. A score above 88 — meaning you've implemented all controls except a small set of lower-impact items — generally communicates that you're a credible candidate for CUI work. Many primes use 88 as an informal floor for considering a sub for CUI-handling subcontracts.
Between 60 and 88. A common range for contractors mid-implementation. Demonstrates real progress but flags meaningful gaps. Combined with a credible POA&M showing fast closure, contractors in this range can still win work; without one, they often can't.
Below 60. Indicates substantial unaddressed gaps. Contractors in this range typically can't win new CUI-handling work, and existing prime relationships may come under review.
Negative scores. Most often a self-assessment red flag rather than a literal reflection of risk. If your score is negative, something is materially wrong with your environment, your understanding of the controls, or both. Either way, it's a signal to step back before submitting anything.
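As an added illustration (not part of the original guide and not a DoD tool), the sketch below recomputes a score from a control-status list using the start-at-110 rule, maps it to the ranges described above, and flags a declared score that does not match, falls outside −203..110, or rests on an assessment more than a year old. The control ids C001..C110, their weights, and all function names are constructed placeholders; the real per-control values come from the DoD Assessment Methodology.

```python
from datetime import date

START, FLOOR = 110, -203   # score range stated in the article

def sprs_score(weights, unmet):
    """Start at 110 and subtract the weight of each control not fully implemented."""
    if len(weights) != 110:
        raise ValueError(f"expected 110 controls, got {len(weights)}")
    unknown = set(unmet) - set(weights)
    if unknown:
        raise ValueError(f"unknown control ids: {sorted(unknown)}")
    return START - sum(weights[c] for c in set(unmet))

def band(score):
    """Map a score to the informal ranges the article describes."""
    if score < 0:
        return "negative"
    if score < 60:
        return "below 60"
    if score <= 88:
        return "60 to 88"
    return "above 88"

def review(declared, weights, unmet, assessed_on, today):
    """Return findings to resolve before the score is entered in SPRS."""
    findings = []
    computed = sprs_score(weights, unmet)
    if not FLOOR <= declared <= START:
        findings.append(f"declared score {declared} is outside {FLOOR}..{START}")
    if declared != computed:
        findings.append(f"declared {declared} != computed {computed}")
    if (today - assessed_on).days > 365:
        findings.append("assessment is more than a year old")
    return findings

# Constructed weights, NOT the DoD rubric: placeholder ids C001..C110.
SAMPLE_WEIGHTS = {f"C{i:03d}": (5 if i <= 40 else 3 if i <= 60 else 1)
                  for i in range(1, 111)}
SAMPLE_UNMET = ["C001", "C041", "C061", "C062"]   # 5 + 3 + 1 + 1 = 10 points

if __name__ == "__main__":
    score = sprs_score(SAMPLE_WEIGHTS, SAMPLE_UNMET)
    print(score, band(score))
    for finding in review(95, SAMPLE_WEIGHTS, SAMPLE_UNMET,
                          date(2023, 1, 15), date(2024, 6, 1)):
        print("-", finding)
```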
Two patterns worth noting:
Score honestly. Inflating your score is a False Claims Act risk. DoD has investigated and prosecuted contractors who reported scores not supported by their actual implementation. The penalty for an honest 75 with a credible POA&M is much lower than the penalty for a fraudulent 95.
Score is a snapshot, not a brand. Your score will change as you remediate gaps. A 78 today doesn't haunt you forever — when you close items on your POA&M, you update SPRS to reflect the new score. Contractors who actively work the plan see their scores climb meaningfully over a single year.
Baseline's interview produces an SPRS-equivalent self-assessment score based on your answers, plus the SSP and POA&M needed to support it.