SPRS Score Calculator
The REAEGIS SPRS Score Calculator computes your Supplier Performance Risk System score in real time from your actual control implementation data. The score updates every time a practice status changes.
What is the SPRS Score?
The SPRS (Supplier Performance Risk System) score is a numeric value from -203 to +110 that represents a DoD contractor's cybersecurity posture under NIST SP 800-171 Rev 2 (opens in a new tab).
The score is computed using the DoD NIST SP 800-171 Assessment Methodology (opens in a new tab), which assigns a weighted point value to each of the 110 security requirements.
Source: SPRS portal (opens in a new tab)
Scoring Methodology
| Starting value | +110 (all 110 practices implemented) |
|---|---|
| Per unimplemented practice | Subtract that practice's weighted value (1–5 points) |
| Minimum score | -203 (no practices implemented) |
The total sum of all practice weights is 202 points (not 203 — the DoD methodology weights sum to 202, but accounting for the starting value of +110, the minimum possible is -203 when all practices with negative weight are unimplemented and all practices that add points are not implemented).
Source: DoD NIST SP 800-171 Assessment Methodology v1.2.1 (opens in a new tab)
SPRS Submission Requirement
Contractors must enter their assessment score into SPRS within 30 days of conducting a self-assessment. The submission includes:
- Company name and CAGE code
- Assessment date
- Date of plan of action (if applicable)
- Date plan of action is expected to be completed
- System security plan date
SPRS scores submitted to the DoD are subject to review under the False Claims Act (FCA). Scores that materially overstate implementation may constitute fraud. REAEGIS computes the score from actual evidence — not self-reported claims.
Bid-Eligibility Thresholds
The minimum SPRS score required for bid eligibility is set at the solicitation level by the prime contractor or contracting officer. Common thresholds:
| Threshold | Context |
|---|---|
| 88 | Common prime contractor minimum for CUI-handling subcontracts |
| 110 | Required for programs where full NIST 800-171 compliance is mandated |
These thresholds are not regulatory floors — they are contract requirements that vary by program.
How REAEGIS Computes the Score
- Load the 110 practices from the NIST 800-171 Rev 2 catalog (seeded in the REAEGIS database)
- Read implementation status for each practice in the current program (
IMPLEMENTED,PARTIALLY_IMPLEMENTED,NOT_IMPLEMENTED,NOT_APPLICABLE) - Apply weighted values per the DoD Assessment Methodology weight table
- Compute sum and display live score, breakdown by family, and gap-to-88 analysis
The score is recomputed every time a control implementation status changes. No manual recalculation required.
Gap Analysis
The SPRS dashboard shows:
- Current score with color coding (red < 0, amber < 88, green ≥ 88)
- Score by family — which of the 14 families have the most unimplemented practices
- Gap to 88 — how many points and which specific practices to implement to reach the prime contractor minimum
- Gap to 110 — the full implementation path
SPRS Score vs. CMMC Level 2
The SPRS score and CMMC Level 2 assessment are related but distinct:
| SPRS Self-Assessment | CMMC Level 2 C3PAO | |
|---|---|---|
| Who assesses | Contractor self-certifies | Third-party C3PAO |
| Legal exposure | FCA liability for false claims | CMMC certification revocation |
| Validity | 1 year (annual re-assessment required) | 3 years |
| SPRS entry | Required within 30 days | Required |
REAEGIS helps with both: the SPRS Calculator supports self-assessment, and the evidence vault supports C3PAO assessment.