Most contractors see their SPRS score for the first time while filling out a self-assessment spreadsheet, watching a running total climb toward 110 and then, somewhere around the fifth or sixth unimplemented control, drop below zero. The reaction is almost always the same: that can’t be right, scores don’t go negative. They do, and understanding exactly why is the difference between a number that accurately represents your compliance posture and one that either overstates it in a way that carries legal risk or understates it in a way that costs you contracts you’d otherwise be eligible for.
This matters more than most compliance documentation because contracting officers and prime contractors check this specific number before a formal CMMC assessment is ever scheduled. A gap assessment, a System Security Plan, a Plan of Action and Milestones, these all matter operationally, but the SPRS score is the one figure that shows up in a database a contracting officer can query directly when deciding whether to award you a contract. This piece walks through exactly how that number is calculated, why the scale runs into negative territory, and what the score actually commits your organization to.
The Number That Gets Checked Before Certification Ever Comes Up
Under DFARS 252.204-7019, any offeror required to implement NIST SP 800-171 must have a current assessment score, no more than three years old, posted in the Supplier Performance Risk System before the DoD will consider them for contract award. That requirement exists independently of CMMC certification timelines. A contractor without a current SPRS score isn’t in a gray area waiting on a future assessment; they’re simply not eligible for award consideration on a covered contract until the score is posted.
Primes check this number too, often before they’ve had any other substantive conversation with a prospective subcontractor about cybersecurity. A subcontractor who can’t produce a current score, or whose score reads far lower than a prime’s risk tolerance allows, gets filtered out of consideration long before certification status becomes the deciding factor. Understanding how the number is built is the first step in making sure it accurately reflects your actual posture rather than an estimate assembled under deadline pressure.

Why It Starts at 110, Not 100
The starting point of 110 isn’t an arbitrary round number chosen for convenience. It corresponds directly to the 110 individual security requirements defined in NIST SP 800-171 Revision 2, organized across 14 control families covering everything from access control and incident response to physical protection and system integrity. A perfect score of 110 means every one of those 110 requirements is fully implemented, with nothing partially done and nothing outstanding.
The scoring itself is governed by the DoD’s official NIST SP 800-171 Assessment Methodology, the same document referenced directly in DFARS 252.204-7019 and 252.204-7020. Every requirement in the framework has a fixed point value assigned in that methodology, which means two honest assessors evaluating the same environment against the same evidence should land on the same score. The judgment call in a self-assessment isn’t how many points a given control is worth; that’s fixed. The judgment is in determining, honestly, whether the control is actually fully implemented.
The Deduction Model: No Partial Credit, No Curve
Calculating the score is simple arithmetic layered on top of a much less simple honesty exercise. Start at 110. For every one of the 110 requirements that isn’t fully implemented, subtract that requirement’s assigned point value, either 1, 3, or 5 points depending on its security impact. There’s no partial credit built into the model. A requirement that’s 90 percent implemented, encryption enabled everywhere except one legacy file server, MFA enforced everywhere except one set of service accounts, still costs the full point value. The methodology treats “almost implemented” the same as “not implemented” for scoring purposes, which is a deliberately blunt design choice meant to prevent self-assessments from rounding generously in their own favor.
The weighting itself isn’t evenly distributed. The requirements considered highest-impact, the ones where a gap creates the most direct exposure to CUI compromise, carry the heaviest five-point deduction, and a substantial share of the 110 requirements fall into that top tier. A smaller group of requirements with a more contained security impact are weighted at three points, and the remainder, generally more administrative or procedural in nature, are weighted at a single point. This means a handful of missing high-impact controls can do more damage to a score than a long list of missing low-impact ones, which is exactly why a raw count of “how many requirements are we missing” is a poor substitute for actually running the weighted calculation.
Why the Floor Is -203, Not Zero
The negative floor is the detail that catches nearly everyone off guard the first time they calculate a real score, and it exists for a mathematical reason that becomes obvious once you add up the weights. The total value of all the point deductions across all 110 requirements exceeds 110, because the heaviest-weighted requirements are worth far more than a single point each. An organization that has implemented essentially nothing doesn’t bottom out at zero; the deductions keep accumulating past that point, all the way down to a theoretical minimum of -203.
In practice, very few organizations land anywhere near that floor, since most contractors have at least basic hygiene in place even before formal CMMC preparation begins. But it’s common, and not itself alarming, for a first honest self-assessment to come back meaningfully negative. A negative score isn’t a disqualifying event on its own. It’s an accurate description of a starting point, and the organizations that handle it well treat it exactly that way: a baseline to remediate from, not a number to be embarrassed by or, worse, quietly inflate.
The Two Controls With Variable Weight
Almost every requirement in the framework has a single fixed point value. Two do not, and they happen to be the same two controls that carry variable, partial scoring under the broader CMMC methodology: multi-factor authentication and FIPS-validated encryption. Our deep dives into multi-factor authentication under CMMC and FIPS-validated encryption cover the technical requirements behind each in detail, but the scoring mechanics are worth understanding on their own: rather than a flat deduction for any gap, these two controls can cost either 3 or 5 points depending on how far short of full implementation the organization actually is. Encryption that’s simply missing costs more than encryption that’s present but not properly FIPS-validated, for example, even though both scenarios represent the requirement not being fully met.
This variable weighting is a narrower version of the same principle behind the overall no-partial-credit rule: the DoD wants the score to reflect not just whether a requirement is met, but how far off an unmet requirement actually is. It doesn’t change the underlying discipline required to calculate the score honestly, but it does mean these two specific line items deserve more careful judgment than a simple yes-or-no checklist entry.
Two Different Scores Living in the Same System
One detail that trips up contractors who’ve been managing their compliance posture for a few years: SPRS can hold more than one type of score, and confusing them has real consequences. The original NIST SP 800-171 DoD Assessment score, the self-calculated number described throughout this piece, is one record type. As CMMC Level 2 certification comes online for a given contractor, a separate CMMC score arrives bundled with a certification status, a unique assessment identifier, and an annual affirmation requirement, distinct from the legacy self-assessment record even though both scores are built from the same underlying 110 requirements.
A contracting officer or prime reviewing SPRS needs to be looking at the right record for the right purpose, and an organization that assumes its older self-assessment score automatically carries forward as its CMMC status, or vice versa, can create exactly the kind of confusion that costs a contract award over what amounts to a recordkeeping mismatch rather than an actual security gap.
What Score Actually Gets You Considered for a Contract
The DoD doesn’t publish a universal minimum SPRS score that applies across every contract, and any claim that a specific number guarantees eligibility should be treated skeptically. What’s consistently true is that a score of 88 or higher, roughly 80 percent of full implementation, is the threshold most closely associated with qualifying for a conditional CMMC Level 2 certification, with the remaining gaps documented on a Plan of Action and Milestones and a defined 180-day window to close them. A score below that range doesn’t automatically disqualify an organization from every opportunity, but it does signal meaningfully more remediation work ahead, and it’s the kind of number that makes a prime think twice about adding a new subcontractor to a program with tight compliance deadlines.
Individual solicitations can and do specify their own minimum score requirements beyond whatever general expectation exists across the defense industrial base, so the honest answer to “what score do I need” is always “whatever the specific solicitation requires, and higher than that if you want to be competitive rather than merely eligible.”
Where SPRS and the POA&M Intersect
A score below 110 isn’t itself a compliance failure; it’s an accurate representation of a work-in-progress compliance program, provided the gaps are documented. Any organization scoring below a perfect 110 is expected to maintain a Plan of Action and Milestones identifying every unmet requirement contributing to that deduction, along with a realistic remediation timeline for closing each gap and returning the score to 110. Contracting officers and primes reviewing a below-perfect score expect to see that POA&M as the explanation, not as an afterthought produced only when asked.
This is where the score and the broader compliance program stop being separate exercises. A POA&M with a small number of specific, actively-tracked items reads as evidence of a mature program that monitors itself honestly. A POA&M assembled the week a score was requested, listing every gap as vaguely “in progress” with no real timeline, reads as exactly what it is, and both contracting officers and primes have gotten better at telling the two apart.

Keeping the Number Honest
The organizations that run into serious trouble with SPRS scores are almost never the ones with a low, honestly calculated number. They’re the ones whose posted score is higher than the truth. A self-attestation that overstates compliance status isn’t just a security gap; it’s a representation made to the federal government, and the False Claims Act treats inflated cybersecurity claims the same way it treats any other false representation made to secure a federal contract or payment. Recent enforcement activity in this exact area has resulted in multi-million-dollar settlements against defense contractors whose posted scores didn’t match their actual security posture, and the exposure applies regardless of whether an inflated score was intentional or the product of a rushed, poorly documented self-assessment.
Calculating an accurate score starts with an honest, control-by-control evaluation against the actual DoD methodology rather than a general impression of “we’re pretty secure.” A CMMC gap assessment conducted against assessor standards, not just framework text, produces a score an organization can stand behind, along with the POA&M that explains the gaps and the roadmap for closing them. Getting that number right, even when it’s uncomfortable, protects the organization far more than an optimistic estimate ever will.
Stealth Technology Group helps defense contractors calculate an accurate SPRS score and build the roadmap to close the gap to 110. If you need to confirm your SPRS score reflects your actual posture before a prime or contracting officer checks it, visit our compliance services page, or contact Stealth Technology Group today at (617) 903-5559 to talk with a specialist.
