How to Calculate Your SPRS Score (NIST SP 800-171)

Your SPRS score is the single number the DoD uses to gauge how completely you've implemented NIST SP 800-171. Here's exactly how it's calculated, scored the same way an assessor would.

Start at 110 and subtract

The DoD Assessment Methodology scores a Level 2 (NIST SP 800-171 Rev 2) assessment by starting from a baseline of 110 — the number you'd have if all 110 security requirements were fully implemented — and subtracting a weighted value for every requirement that is not implemented.

Because the deductions are weighted, the score can fall below zero. The minimum possible score is −203 if nothing is implemented. A negative score isn't a glitch; it reflects the real risk of many unimplemented high-weight requirements.

The 1, 3, and 5 point weights

Not every requirement is worth the same. The methodology weights each requirement by impact, so a missing high-impact control costs you more than a limited-effect one:

  • 5 points — high-impact requirements (the basic requirements plus a subset of derived ones).
  • 3 points — requirements with a confined effect.
  • 1 point — the remaining derived requirements with a limited or indirect effect.

Partial credit: MFA and FIPS encryption

Two requirements have built-in partial credit rather than all-or-nothing scoring. Multifactor authentication (3.5.3) deducts 5 points if MFA isn't implemented at all, 3 points if it's implemented only for remote and privileged users, and 0 if it's fully implemented. FIPS-validated cryptography (3.13.11) deducts 5 if no cryptography is used, 3 if encryption is used but not FIPS-validated, and 0 if it is FIPS-validated.

Getting these two right is where simple calculators most often diverge from how an assessor actually scores you.

The SSP is a prerequisite, not a deduction

Requirement 3.12.4 — having a System Security Plan — is not point-scored. But its absence means the assessment cannot be completed: it's treated as incomplete information and noncompliance with DFARS 252.204-7012. Treat the SSP as a gate you must pass before a score is meaningful, not a line item you can trade away.

What the number means

A score of 110 is a Final self-assessment. A score of 88 to 109 is a Conditional self-assessment, which requires a Plan of Action and Milestones (POA&M) to close the gap. Below 88 you are not eligible to affirm a Conditional or Final status. SPRS itself stores only the summary score, the assessment date, your scope, and the POA&M completion date — never your individual per-requirement answers.
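
The scoring rules above, put together as an added example (not code from SentryNexus or the DoD): a scorer that applies the flat deductions, the two three-state requirements, the SSP gate, and the status bands. The function name, the state names, and the placeholder ids and weights in the sample are assumptions; real per-requirement weights must be copied from the DoD Assessment Methodology table.

```python
BASELINE = 110
SSP_ID = "3.12.4"  # gate, never point-scored
# Three-state deductions stated on the page; the state names are assumptions.
PARTIAL = {
    "3.5.3": {"none": 5, "remote_and_privileged_only": 3, "full": 0},
    "3.13.11": {"none": 5, "not_fips_validated": 3, "fips_validated": 0},
}

def sprs_score(weights, not_implemented, partial_states, has_ssp):
    """Return (score, status). `weights` maps requirement id -> 1, 3 or 5,
    supplied by the caller; ids not in `not_implemented` count as implemented."""
    if not has_ssp:
        # No SSP: the assessment cannot be completed, so there is no score.
        return None, "incomplete (no SSP)"
    score = BASELINE
    for req in not_implemented:
        if req == SSP_ID or req in PARTIAL:
            raise ValueError(f"{req} is not scored as a flat deduction")
        weight = weights[req]  # KeyError on an id the caller has no weight for
        if weight not in (1, 3, 5):
            raise ValueError(f"{req}: weight must be 1, 3 or 5, got {weight}")
        score -= weight
    for req, states in PARTIAL.items():
        # A missing answer is scored as the worst state, not silently as full.
        score -= states[partial_states.get(req, "none")]
    if score == BASELINE:
        status = "Final"
    elif score >= 88:
        status = "Conditional (POA&M required)"
    else:
        status = "not eligible"
    return score, status

# Constructed sample: placeholder ids and weights, not the real table.
SAMPLE_WEIGHTS = {"REQ-A": 5, "REQ-B": 3, "REQ-C": 1}

if __name__ == "__main__":
    print(sprs_score(SAMPLE_WEIGHTS, {"REQ-A", "REQ-C"},
                     {"3.5.3": "remote_and_privileged_only",
                      "3.13.11": "fips_validated"}, has_ssp=True))
```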

Key takeaways

  • Baseline 110; subtract a weighted 5, 3, or 1 for each unimplemented requirement.
  • The score can go negative (floor −203).
  • MFA (3.5.3) and FIPS crypto (3.13.11) have three-state partial credit.
  • No SSP (3.12.4) means the assessment can't be completed — it's a gate, not a deduction.
  • 110 = Final · 88–109 = Conditional (with a POA&M) · below 88 = not eligible.
