If you need to post or defend an SPRS score, the short answer is this: score the environment you actually run, not the one you plan to finish next quarter. Under the DoD assessment methodology, 110 is the target, weighted deductions apply for requirements not met, and SPRS stores the result rather than performing the assessment for you. One 2026 caveat before you start: a DoD class deviation has begun shifting this self-assessment requirement into CMMC for new solicitations (covered below) — but the SPRS score still governs existing contracts and remains the foundation for CMMC Level 2, so the mechanics here still matter.
Sources: SPRS NIST SP 800-171 page, DoD assessment methodology PDF, DoD CIO CMMC overview, DFARS 252.204-7020 (codified), DoD FAR-overhaul class deviations, NIST SP 800-171 Rev. 3, NIST SP 800-171A Rev. 3
First: what SPRS is and is not
SPRS is not the assessment tool.
The SPRS site says it stores and provides access to NIST SP 800-171 assessment scoring information. It also says the Basic Assessment cannot be performed in SPRS. In other words, you do the assessment outside the portal, then store the required result data there.
That sounds obvious, but many small contractors lose time here because they treat portal access as the project instead of treating the environment as the project.
What score you are actually aiming for
The current DoD scoring model still points to 110 as the fully met outcome.
The DoD assessment methodology says a score of 110 is awarded if all requirements are met, and the current DFARS language uses examples like "95 out of 110" for the summary score posted to SPRS. The same methodology says weighted values are subtracted for requirements not met.
That weighting is the part that matters. Not every miss hurts equally. Some requirements are scored at 1, some at 3, and some at 5 under the DoD methodology.
The floor is not zero. The score can go negative, because the weighted deductions can total more than 110 once enough 3- and 5-point controls are unmet — which is why a low but honest score paired with a credible POA&M is a stronger position than a number that does not survive evidence.
The important 2026 nuance: Rev. 3 exists, but DoD Level 2 still points to Rev. 2
This is where many teams get confused.
NIST published SP 800-171 Revision 3 in May 2024, and NIST published SP 800-171A Revision 3 alongside it. But DoD's CMMC overview still says Level 2 is tied to the 110 security requirements in NIST SP 800-171 Revision 2.
So as of June 2026, the practical reading is:
- NIST has moved the general publication set forward to Rev. 3.
- DoD's current CMMC Level 2 and SPRS-related mechanics still point to the 110 requirements in Rev. 2.
That is not a contradiction. It is a transition state. For current contract and CMMC Level 2 purposes, follow the DoD requirement set that the solicitation and clause point to.
If you need the broader program view beyond scoring, pair this with a CMMC Level 2 rollout guide that covers assessment types, timelines, and the sequence for small defense contractors.
The bigger 2026 shift: the DFARS self-assessment clause is in transition
There is a second moving piece in 2026, and most write-ups oversimplify it into "the self-assessment is dead." It is not that simple.
Effective February 1, 2026, DoD issued a class deviation under the federal acquisition overhaul that, for new solicitations using the deviation authority, replaces DFARS 252.204-7020 with a new assessment clause (DFARS 252.240-7997), drops the standalone "Basic" self-assessment and SPRS-upload requirement, and folds contractor assessment obligations into CMMC under DFARS 252.204-7021. The replacement clause keeps only the government-performed Medium and High assessments.
The nuance that matters: this is a class deviation, not a rewrite of the codified rule. DFARS 252.204-7019 and 7020 are still in the codified DFARS — they have not been deleted. So the Basic self-assessment and the SPRS score still apply to any contract awarded before the deviation, and to any new solicitation that does not invoke it. If you are sitting on a 2024 or 2025 award that incorporated 7019/7020, that SPRS score still binds you until a contracting officer says otherwise. And DFARS 252.204-7012 — safeguarding CUI plus 72-hour incident reporting — was not touched and remains in force.
Net for a small contractor in mid-2026: the self-assessment and SPRS score below are still the right work for existing contracts, and they are the foundation CMMC Level 2 is built on — but confirm which clause your specific solicitation carries before assuming the standalone SPRS upload still applies.
How to score the self-assessment in practice
Use this order.
1. Define the assessment scope
Do not score the whole company if only part of the environment handles CUI. Also do not under-scope the environment by ignoring systems that protect, manage, or provide security for the in-scope systems.
Bad scope creates meaningless scores.
2. Start from the SSP
The Basic Assessment is based on review of the system security plan associated with the covered contractor information system. If the SSP is stale, copied from a template, or disconnected from reality, your score will be fiction before you begin.
3. Score what is implemented now
The DoD methodology deducts points for what is not yet implemented, so only a control that is actually operating counts as met. That means "purchased but not rolled out," "approved but not enforced," and "documented but not operating" should not be scored as met.
4. Record the misses honestly
The DFARS examples for SPRS reporting include the summary score and the date you expect to reach 110 based on the associated plans of action. That only works if the gap list is honest.
Which gaps hurt the score fastest
The heaviest penalties tend to cluster around the controls that actually change attack outcomes.
From the assessment methodology's weighted template, examples of higher-value misses include foundational access control, multifactor authentication (a 5-point miss when it is absent for privileged or remote access, 3 points when only partially implemented), logging, configuration management, and training or role-based security responsibilities.
In plain English, the fastest ways to drag the score down are usually:
- weak identity control and MFA gaps
- shared or poorly controlled privileged access
- incomplete endpoint or server coverage
- weak logging, review, or alerting practices
- undocumented or unmanaged system changes
- backup and recovery controls that exist only on paper
This is one reason the overlap with what controls cyber insurers require in 2026 is operationally useful. Different framework, similar pain points.
What SPRS stores
The SPRS site says the module contains:
- assessment date
- score
- scope
- POA&M completion date
- included CAGE codes
- SSP name, version, and date
- confidence level
That list tells you something important: DoD expects the score to be attached to a real scope, a real SSP, and a real remediation timeline.
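As an added worked example, not code from this page, from DoD, or from Obsidian Ridge, the Python below puts the scoring rules described under "How to score the self-assessment in practice" and "Which gaps hurt the score fastest" next to the SPRS record fields listed above: 110 minus weighted 1/3/5 deductions, credit only for controls that are operating, a reduced deduction only where the template grants one (MFA at 3 instead of 5, as the page notes), no floor at zero, a POA&M gap list sorted heaviest first, and a few pre-posting checks on the record. Assumptions: the requirement IDs use Rev. 2 numbering, the sample weights other than MFA are illustrative rather than copied from the methodology's template, the validation rules and the "Low" confidence label are this example's own, and all sample data (dates, CAGE code, SSP name) is constructed.

```python
"""Worked example of DoD NIST SP 800-171 scoring arithmetic and SPRS record fields.
Added illustration; take authoritative weights from the DoD assessment methodology."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import List, Optional, Sequence, Tuple

MAX_SCORE = 110  # awarded only when all 110 Rev. 2 requirements are met


class Status(Enum):
    # Only OPERATING earns credit; every other state is "not yet implemented"
    # for scoring purposes, which is exactly the trap the page warns about.
    OPERATING = "implemented and operating"
    PARTIAL = "partially implemented"
    DOCUMENTED_ONLY = "documented but not operating"
    APPROVED_NOT_ENFORCED = "approved but not enforced"
    PURCHASED_NOT_DEPLOYED = "purchased but not rolled out"
    NOT_IMPLEMENTED = "not implemented"


@dataclass(frozen=True)
class Requirement:
    req_id: str                              # e.g. "3.5.3" (MFA)
    weight: int                              # 1, 3 or 5 in the DoD template
    status: Status
    partial_deduction: Optional[int] = None  # reduced deduction for PARTIAL, only where the template grants one


def deduction(req: Requirement) -> int:
    """Points lost on one requirement."""
    if req.weight not in (1, 3, 5):
        raise ValueError(f"{req.req_id}: weight must be 1, 3 or 5")
    if req.status is Status.OPERATING:
        return 0
    if req.status is Status.PARTIAL and req.partial_deduction is not None:
        return req.partial_deduction         # e.g. MFA: 3 instead of 5
    return req.weight                        # every other shortfall costs the full weight


def score(reqs: Sequence[Requirement]) -> int:
    """110 minus weighted deductions; no floor, so enough 3- and 5-point misses go negative."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def poam_items(reqs: Sequence[Requirement]) -> List[Tuple[str, int, str]]:
    """Gap list for the POA&M, heaviest deduction first."""
    gaps = [(r.req_id, deduction(r), r.status.value) for r in reqs if deduction(r) > 0]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


@dataclass
class SprsRecord:
    """The fields the page lists as stored in the SPRS module."""
    assessment_date: date
    score: int
    scope: str
    ssp_name: str
    ssp_version: str
    ssp_date: date
    cage_codes: Tuple[str, ...]
    confidence_level: str
    poam_completion_date: Optional[date] = None  # needed whenever score < 110


def validate_record(rec: SprsRecord) -> List[str]:
    """Pre-posting sanity checks; these rules are this example's, not DoD's."""
    problems = []
    if rec.score < MAX_SCORE and rec.poam_completion_date is None:
        problems.append("score below 110 but no POA&M completion date")
    if rec.poam_completion_date is not None and rec.poam_completion_date <= rec.assessment_date:
        problems.append("POA&M completion date is not after the assessment date")
    if rec.ssp_date > rec.assessment_date:
        problems.append("SSP is dated after the assessment it supports")
    if not rec.cage_codes:
        problems.append("no CAGE codes listed")
    return problems


def sample_assessment() -> List[Requirement]:
    """Constructed sample. Weights are illustrative except MFA (5, or 3 when partial,
    per the page); requirements not listed are assumed to be operating."""
    return [
        Requirement("3.1.1", 5, Status.OPERATING),
        Requirement("3.5.3", 5, Status.PARTIAL, partial_deduction=3),  # MFA on admins only
        Requirement("3.3.1", 5, Status.DOCUMENTED_ONLY),               # logging policy, no logs
        Requirement("3.4.1", 5, Status.APPROVED_NOT_ENFORCED),         # baseline signed, not enforced
        Requirement("3.8.9", 1, Status.PURCHASED_NOT_DEPLOYED),        # backup licence, no backups
    ]


def sample_record(with_poam_date: bool) -> SprsRecord:
    """Constructed SPRS entry for the sample assessment; the CAGE code is a placeholder."""
    return SprsRecord(
        assessment_date=date(2026, 6, 8), score=score(sample_assessment()),
        scope="CUI enclave", ssp_name="Enclave SSP", ssp_version="2.1",
        ssp_date=date(2026, 5, 20), cage_codes=("PLACEHOLDER-CAGE",),
        confidence_level="Low",  # assumed label for a Basic self-assessment
        poam_completion_date=date(2026, 12, 31) if with_poam_date else None,
    )


if __name__ == "__main__":
    print("score:", score(sample_assessment()))  # 96 for the constructed sample
    for item in poam_items(sample_assessment()):
        print("POA&M:", item)
    print("record problems:", validate_record(sample_record(with_poam_date=False)))
```

The design choice worth noticing is that `Status` has one value that earns credit and five that do not: the "purchased," "approved," and "documented" states all deduct the full weight, and only a requirement carrying an explicit `partial_deduction` ever deducts less. Running the sample shows a score of 96 with four POA&M items, and a record posted without a POA&M completion date fails validation.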
How to close gaps without wasting a quarter
Start with the weighted failures and the controls that support multiple requirements at once.
Fix identity and privileged access first
If MFA coverage is partial, admin practices are messy, or access reviews are informal, fix those before polishing low-value documentation items. These are both scoring issues and breach issues.
Get full visibility on endpoints and servers
You cannot defend what you cannot see. This is where a service like managed detection and response often matters because it turns "we think coverage is complete" into evidence you can actually hand over.
Bring cloud identity into scope
Many contractor environments still think in terms of laptops and servers only. Real attacks do not. For Microsoft 365 or Google Workspace tenants that support the in-scope environment, managed ITDR is often the missing operational layer.
Make the POA&M credible
A POA&M is not a wish list. Dates should connect to actual work, actual owners, and actual evidence. If you cannot describe how the gap will be closed and proven, the plan is weak.
Do not post a new score every time one ticket closes. Re-score when the control state has genuinely changed.
Common scoring mistakes
These are the ones I see most often:
Counting policy as implementation
If the policy says MFA is required but several admins still have exceptions, the requirement is not met.
Treating inherited controls vaguely
If a provider or parent company supplies a control, be precise about what is inherited, what evidence exists, and what remains your responsibility.
Forgetting that evidence must match the score
A score can look strong until someone asks for the exports, diagrams, logs, training records, and restore evidence behind it.
Where Obsidian Ridge fits
The useful support here is not "we wrote you a document." It is tightening the controls that move the score and the risk at the same time: detection coverage, identity monitoring, proof of configuration, restore evidence, and plain-English remediation sequencing.
If that is the bottleneck, the most relevant pages are managed detection and response, managed ITDR, and cyber insurance readiness for the evidence discipline side.
FAQ
Does SPRS do the Basic Assessment for me?
No. The SPRS site says the Basic Assessment cannot be performed in SPRS. SPRS stores the results.
What is a perfect SPRS score?
The DoD assessment methodology says 110 is awarded if all requirements are met.
Are all missed requirements weighted the same?
No. The DoD methodology uses weighted values, and current CMMC commentary in the Federal Register refers to the Level 2 weighted point system using values of 1, 3, or 5.
Should I use NIST SP 800-171 Rev. 3 right now for Level 2 scoring?
Use the requirement set your DoD clause and solicitation point to. As of June 8, 2026, DoD's current CMMC Level 2 guidance still points to the 110 requirements in NIST SP 800-171 Revision 2.
What improves the score fastest?
Usually the high-value operational fixes: identity, admin access, endpoint visibility, logging, secure configuration, and truthful SSP and POA&M maintenance.