How the NIST 800-171 self-assessment scoring methodology works, why most SPRS scores are inflated, and how to fix yours before a prime or assessor checks.
Every defense contractor handling Controlled Unclassified Information has, somewhere in the Supplier Performance Risk System, a number between negative 203 and positive 110. That number is the organization’s self-assessed posture against NIST SP 800-171, and for years it functioned as paperwork: submitted once, rarely revisited, almost never checked. Three things have changed. Primes now pull SPRS scores during source selection. The government has demonstrated willingness to treat false scores as false claims. And CMMC certification assessments now test the same 110 requirements the score claims, with an independent assessor doing the counting.
How the scoring actually works
The methodology is subtraction, and it is unforgiving. You start at 110, one point available per requirement, and deduct for every requirement not fully implemented. Deductions are weighted: most requirements cost one point, but the requirements DoD considers most consequential cost three or five. Multifactor authentication not fully implemented is minus five. No FIPS-validated cryptography where required is minus three, with partial credit possible in limited cases. The floor is negative 203, and a first honest calculation landing negative is common, normal, and fixable. What is not fixable after the fact is a positive score on file that an assessor later demonstrates should have been negative.
Where scores go wrong
- Counting intentions as implementations. The methodology scores what is fully implemented today. A control that is budgeted, planned, or mostly deployed is not implemented, and scoring it as done is the single most common inflation.
- Scoring the wrong boundary. The assessment applies to the systems that process, store, or transmit CUI. Organizations routinely score a hardened subset while CUI quietly lives in email, file shares, and endpoints outside it.
- Misreading partial credit. Only a handful of requirements allow partial deductions. For everything else, 90 percent implemented scores identically to zero percent implemented.
- Forgetting the documentation half. Many requirements are explicitly about plans, policies, and records. An organization can run technically excellent security and still fail a third of the requirements on paper alone.
- Letting the score age. Scores have a validity period and environments drift. A score calculated against the network you had three years ago describes an organization that no longer exists.
Why honesty is now the cheap option
An accurate low score with a dated, credible System Security Plan and POA&M signals an organization that understands its posture and is closing gaps on a plan. An inflated high score signals either negligence or misrepresentation, and both read badly to the two audiences that now matter: primes deciding which subcontractors carry supply chain risk, and the Department of Justice, which has settled False Claims Act cases premised on cybersecurity misrepresentations. In the Phase 2 era, a third audience joins them: the C3PAO whose assessment will produce the real number next to your claimed one.
Fixing it
Recalculate against your actual environment, requirement by requirement, with evidence for every point claimed. Document the basis of estimate so the score can be defended line by line. Submit the corrected score; a downward correction with a remediation plan is a defensible business posture, silence on a known-wrong score is not. Then work the plan in weighted order: the five-point and three-point gaps first, because they move both the number and the risk fastest.
Daytol calculates, documents, and defends SPRS scores for defense contractors, and builds the remediation plans that raise them. If you cannot produce the evidence behind your current score in an afternoon, it is time for a recalculation.