Understanding Your CMMC SPRS Score: The 110-Point Assessment That Determines DoD Contract Eligibility
The Supplier Performance Risk System score determines whether your organization can bid on DoD contracts. Here is how the 110-point weighted scoring system works.
What is the SPRS Score?
The Supplier Performance Risk System (SPRS) score is a self-assessment metric used by the Department of Defense to evaluate a contractor's cybersecurity posture against the 110 security requirements in NIST SP 800-171 Rev 2. The score starts at 110 and is reduced by weighted deductions for each requirement that is not fully implemented. The minimum acceptable score varies by contract, but organizations with scores below 110 must have Plans of Action and Milestones for every unmet requirement.
Weighted Scoring: Not All Controls Are Equal
The 110 controls are assigned weights of 5, 3, or 1 point based on their security impact. There are 44 controls worth 5 points each (220 potential deduction points), 14 controls worth 3 points (42 potential deduction points), and 51 controls worth 1 point (51 potential deduction points), plus one control weighted at 0. Two controls have conditional scoring: 3.5.3 (Multifactor Authentication) jumps from 5 to 9 points if unmet, and 3.13.11 (FIPS-validated Cryptography) jumps from 5 to 8 points.
Score Interpretation
The DoD interprets SPRS scores using a grade-like system. A score of 110 represents full implementation (Grade A). Scores from 90 to 109 indicate minor gaps (Grade B). Scores from 70 to 89 suggest moderate risk (Grade C). Scores from 50 to 69 indicate significant gaps (Grade D). Scores below 50 represent critical deficiencies (Grade F). Most DoD contracts require a minimum score, and the score must be posted to the SPRS portal before contract award.
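The two sections above describe how deductions and grade bands combine; the calculator below works it through as an added example (not the article's own code and not DoD tooling). The 9- and 8-point conditional deductions and the grade bands follow the article; the base weights for the four change-management controls named later on this page are assumed, since the page does not state them.

```python
"""Score calculator for the weighted scheme described in the article.

Added example, not DoD tooling. Only six of the 110 requirements appear;
base weights marked "assumed" are not stated on the page, while the
9- and 8-point deductions for 3.5.3 and 3.13.11 and the grade bands
are the ones the article gives.
"""
from dataclasses import dataclass

PERFECT_SCORE = 110

# requirement id -> base weight (5, 3 or 1). "assumed" = not on the page.
WEIGHTS = {
    "3.4.3": 1,    # track and review changes (assumed)
    "3.4.4": 1,    # analyze impact before implementation (assumed)
    "3.4.5": 5,    # define and enforce configuration settings (assumed)
    "3.14.3": 1,   # monitor for unauthorized changes (assumed)
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
}

# Per the article, two controls deduct more than their base weight when unmet.
UNMET_DEDUCTION = {"3.5.3": 9, "3.13.11": 8}

# Lower bound of each band; anything under 50 is an F.
GRADE_BANDS = ((110, "A"), (90, "B"), (70, "C"), (50, "D"))


@dataclass(frozen=True)
class ScoreResult:
    score: int
    grade: str
    poam_required: tuple  # ids that need a Plan of Action and Milestones


def grade_for(score: int) -> str:
    """Map a score to the grade-like bands the article describes."""
    return next((g for floor, g in GRADE_BANDS if score >= floor), "F")


def sprs_score(status: dict) -> ScoreResult:
    """status: requirement id -> True (fully implemented) or False (unmet).

    Every requirement in WEIGHTS must be assessed; an unknown or unassessed
    id raises instead of silently contributing a zero-point deduction.
    """
    unknown = set(status) - set(WEIGHTS)
    missing = set(WEIGHTS) - set(status)
    if unknown or missing:
        raise ValueError(f"unknown={sorted(unknown)} unassessed={sorted(missing)}")
    unmet = sorted(r for r, ok in status.items() if not ok)
    deduction = sum(UNMET_DEDUCTION.get(r, WEIGHTS[r]) for r in unmet)
    score = PERFECT_SCORE - deduction
    return ScoreResult(score, grade_for(score), tuple(unmet))
```

Note that the score can fall below zero once enough 5-point requirements are unmet, which is why every unmet id is returned for a POA&M rather than only the grade.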
Change Management Controls in CMMC
Several NIST 800-171 requirements directly relate to software change management: 3.4.3 (track and review changes), 3.4.4 (analyze impact before implementation), 3.4.5 (define and enforce configuration settings), and 3.14.3 (monitor for unauthorized changes). Organizations that automate change evidence capture can demonstrate compliance with these controls through their normal development workflow, improving their SPRS score without additional process overhead.
Preparing for CMMC Level 2 Assessment
CMMC Level 2 certification requires an assessment by a Certified Third-Party Assessment Organization (C3PAO) validating all 110 NIST 800-171 controls. Unlike the SPRS self-assessment, this assessment requires objective evidence. Organizations should begin preparing at least 6 months before their target assessment date, ensuring they have documented evidence for every control and Plans of Action and Milestones for any gaps. Automated evidence capture for change management controls provides a strong foundation, as these are among the most frequently cited gaps in CMMC assessments.
Ready to automate your change evidence?
Install the GitHub App and start capturing compliance evidence from your first PR merge. Free 14-day trial, no credit card.