If you've heard that CMMC compliance matters for your DoD contracts, you've probably also heard the number 110. That's the total number of security practices in CMMC Level 2, drawn from NIST SP 800-171. Your SPRS score is a weighted numerical representation of how many of those practices you've implemented: it starts at 110 and loses points for every practice you have not met. It lives in a federal database, contracting officers check it before award, and under CMMC Level 2 it has a floor that determines whether you can be certified at all.
Here's how it actually works.
The Scoring Model
You start at 110 points. Every practice that is not implemented deducts 1, 3 or 5 points, the weight assigned to it in the DoD NIST SP 800-171 Assessment Methodology based on its assessed criticality. Most practices are worth 1 point; the 5-point practices are the ones whose absence exposes CUI directly. Two practices, multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), allow a reduced 3-point deduction for partial implementation. The lowest possible score is −203, so a handful of 5-point gaps can push an organization well below zero on their own.
The floor that matters: 88, which is 80% of 110. Under DFARS 252.204-7019 a contractor must have a current assessment score posted in SPRS before award of a contract involving CUI; under CMMC Level 2, a score below 88 means you cannot receive even a Conditional certification, and without a Level 2 certification you cannot be awarded contracts that require it. That's not a soft guideline. Contracting officers check the Supplier Performance Risk System (SPRS) before award. No current entry, or a score that keeps you out of certification, and the conversation is over before it starts.
The number that should wake you up: −12. That's the reported average SPRS score among DoD contractors when DoD assessors checked independently. Not 88. Not 50. Negative twelve. For years, contractors self-reported scores near perfect. When assessors actually looked, the reality was dramatically different.
Why Self-Reported Scores Were Wrong
For most contractors, the score in SPRS has been a Basic assessment under DFARS 252.204-7020, which is a self-assessment: no external verification, no audit, no independent check unless DoD's DIBCAC chose to perform a Medium or High assessment. Contractors scored themselves and submitted the result. Unsurprisingly, the scores tended to be optimistic, not always from dishonesty, but from a genuine lack of understanding about what "implemented" actually means under NIST SP 800-171.
A control isn't implemented because you have a policy that says you do it. It's implemented when every assessment objective for that practice in NIST SP 800-171A is met, and the technical and procedural evidence (configurations, logs, records, interviews) demonstrates that it is consistently, verifiably in place. That's a different bar than most contractors were applying.
The Controls That Hit Hardest
Certain practices carry heavier point weights because of their criticality. Multifactor authentication (3.5.3) is one of the most significant: 5 points if missing, or 3 if it covers remote and privileged users but not general users. Under CMMC Level 2, only practices scored at 1 point may be deferred to a Plan of Action & Milestones (POA&M), with one exception, FIPS-validated cryptography (3.13.11), which may be deferred at any point value; a few 1-point practices (3.1.20, 3.1.22, 3.10.3, 3.10.4 and 3.10.5) may never be deferred. So if MFA is not fully implemented before your assessment, you fail that practice with no deferral option, and the same holds for any other 3- or 5-point gap, such as cryptographic protection of CUI in transit (3.13.8, 3 points). Two consequences follow: a score of 88 is necessary but not sufficient for Conditional status, and the open items themselves must all be POA&M-eligible.
These aren't edge cases. They're foundational controls that a large percentage of small contractors haven't fully implemented, particularly in environments that evolved organically without a dedicated security function.
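To make the arithmetic from the scoring model and the POA&M rules above concrete, here is a small calculator. It is an added example and not from the original article or from DoD; the practice table in it is a hand-picked subset, and its point values are as recalled from the methodology's weighting annex and must be verified against the current published table. The findings it scores are constructed for a fictional contractor.

```python
"""Added example (not part of the original article): an SPRS score calculator
that applies the 1/3/5-point deduction rules of the DoD NIST SP 800-171
Assessment Methodology and the CMMC Level 2 POA&M eligibility rules.
The PRACTICES table is a constructed subset; verify every weight against the
current published methodology before relying on it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_SCORE = 110        # 110 practices, one point each, before deductions
CONDITIONAL_MIN = 88   # 80% of 110: minimum for CMMC Level 2 Conditional status

IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED = "implemented", "partial", "not_implemented"


@dataclass(frozen=True)
class Practice:
    pid: str
    name: str
    points: int                           # deduction when not implemented: 1, 3 or 5
    partial_points: Optional[int] = None  # reduced deduction, defined for 3.5.3 and 3.13.11 only


# Constructed subset of the weighting table (assumption: weights recalled from the
# methodology annex; check them against the published table).
PRACTICES: Dict[str, Practice] = {p.pid: p for p in [
    Practice("3.1.20", "Control connections to external systems", 1),
    Practice("3.1.22", "Control CUI posted on publicly accessible systems", 1),
    Practice("3.4.1", "Establish and maintain baseline configurations", 5),
    Practice("3.5.3", "Multifactor authentication", 5, partial_points=3),
    Practice("3.5.7", "Enforce minimum password complexity", 1),
    Practice("3.10.3", "Escort visitors and monitor visitor activity", 1),
    Practice("3.13.8", "Cryptographic mechanisms for CUI in transit", 3),
    Practice("3.13.11", "FIPS-validated cryptography to protect CUI", 5, partial_points=3),
    Practice("3.13.16", "Protect confidentiality of CUI at rest", 1),
    Practice("3.14.2", "Protection from malicious code", 5),
]}

# CMMC Level 2: these 1-point practices may never be placed on a POA&M.
POAM_BARRED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


def deduction(pid: str, status: str) -> int:
    """Points lost for one practice given its assessed status."""
    practice = PRACTICES[pid]  # KeyError for an id outside the constructed table
    if status == IMPLEMENTED:
        return 0
    if status == PARTIAL:
        if practice.partial_points is None:
            raise ValueError(f"{pid}: partial credit exists only for 3.5.3 and 3.13.11")
        return practice.partial_points
    if status == NOT_IMPLEMENTED:
        return practice.points
    raise ValueError(f"unknown status {status!r} for {pid}")


def sprs_score(findings: Dict[str, str]) -> int:
    """Start at 110 and subtract the deduction for every open finding.
    Practices absent from `findings` are treated as implemented."""
    return MAX_SCORE - sum(deduction(pid, status) for pid, status in findings.items())


def poam_eligible(pid: str, status: str) -> bool:
    """Only 1-point deductions may be deferred, except 3.13.11 (any value);
    a short list of 1-point practices is barred outright."""
    if pid in POAM_BARRED:
        return False
    if pid == "3.13.11":
        return True
    return deduction(pid, status) == 1


def assess(findings: Dict[str, str]) -> dict:
    """Score, whether it clears 88, and which open items block Conditional status."""
    score = sprs_score(findings)
    blockers: List[str] = sorted(
        pid for pid, status in findings.items()
        if status != IMPLEMENTED and not poam_eligible(pid, status)
    )
    return {
        "score": score,
        "meets_88": score >= CONDITIONAL_MIN,
        "conditional_eligible": score >= CONDITIONAL_MIN and not blockers,
        "blockers": blockers,
    }


# Constructed findings for a fictional contractor: MFA covers remote and privileged
# users only, encryption is in place but not FIPS-validated, plus three 1-point gaps.
EXAMPLE_FINDINGS = {
    "3.5.3": PARTIAL,
    "3.13.11": PARTIAL,
    "3.13.16": NOT_IMPLEMENTED,
    "3.1.22": NOT_IMPLEMENTED,
    "3.5.7": NOT_IMPLEMENTED,
}

if __name__ == "__main__":
    # Score 101, comfortably above 88, yet Conditional status is out of reach:
    # 3.1.22 is barred from a POA&M and the 3-point MFA gap is not deferrable.
    print(assess(EXAMPLE_FINDINGS))
```

The point of the worked findings is the second half of the output: a contractor at 101 still cannot obtain Conditional status, because the rule is about which items remain open, not only how many points they cost.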
What Your Score Actually Means for Business
Your SPRS score is not public, but it is visible to contracting officers and other authorized government users across the federal procurement system. It influences not just whether you can win a contract but how contracting officers perceive your risk profile. A score near 110 signals a mature security program. A score near the floor signals the opposite, and that perception follows you into every bid you submit.
Knowing your real score before a solicitation requires it gives you time to close the gaps that matter most, improve your score meaningfully, and enter the bidding process from a position of actual confidence rather than optimistic guesswork.