DoD Assessment Methodology
The DoD Assessment Methodology is the standardized scoring framework used to evaluate a defense contractor’s implementation of NIST SP 800-171 security requirements. Documented in the NIST SP 800-171 DoD Assessment Methodology (Version 1.2.1), it produces a numerical score ranging from -203 to 110 that is recorded in the Supplier Performance Risk System (SPRS) and used by contracting officers to assess cybersecurity risk when awarding DoD contracts.
How the DoD Assessment Methodology Works
The methodology assigns a weighted value to each of the 110 NIST SP 800-171 security requirements based on its criticality to protecting Controlled Unclassified Information (CUI). A contractor starts with a perfect score of 110 and loses points for each requirement that is not fully implemented. Each requirement that is not fully implemented deducts 1, 3, or 5 points, depending on the security impact of the control, giving a possible score range of -203 (no requirements met) to 110 (all requirements fully implemented).
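The scoring arithmetic above is simple enough to check by hand, but a contractor preparing a self-assessment usually wants it computed from a requirement-by-requirement inventory, with the unmet items grouped so remediation starts with the 5-point controls. The following is an added example, not code from the original page or from the DoD; the requirement identifiers are real NIST SP 800-171 identifiers, but the weights and implementation statuses in `SAMPLE` are constructed for illustration and are not the official weight table from the methodology's Annex A.

```python
"""Worked example of DoD Assessment Methodology scoring (added example).

The weights in SAMPLE are constructed for illustration; they are NOT the
official weight table from NIST SP 800-171 DoD Assessment Methodology
v1.2.1. The arithmetic follows the page: start at 110 and subtract 1, 3
or 5 points for every requirement that is not fully implemented.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_SCORE = 110        # all 110 requirements fully implemented
MIN_SCORE = -203       # no requirements implemented
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Requirement:
    req_id: str        # NIST SP 800-171 identifier, e.g. "3.1.1"
    weight: int        # points deducted if the requirement is not fully met
    implemented: bool  # True only when FULLY implemented; partial counts as not met


def validate(reqs):
    """Reject malformed input before scoring: bad weights or duplicate ids."""
    seen = set()
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.req_id}: weight {r.weight} not in {sorted(VALID_WEIGHTS)}")
        if r.req_id in seen:
            raise ValueError(f"{r.req_id}: duplicate requirement")
        seen.add(r.req_id)


def sprs_score(reqs):
    """Score exactly as the methodology does: 110 minus the weights of unmet requirements."""
    validate(reqs)
    deductions = sum(r.weight for r in reqs if not r.implemented)
    score = MAX_SCORE - deductions
    # The page gives the only legal range; anything outside it means bad input.
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside [{MIN_SCORE}, {MAX_SCORE}]")
    return score


def gaps_by_weight(reqs):
    """Group unmet requirements by weight, highest first, to order remediation work."""
    groups = defaultdict(list)
    for r in reqs:
        if not r.implemented:
            groups[r.weight].append(r.req_id)
    return {w: sorted(groups[w]) for w in sorted(groups, reverse=True)}


# Constructed sample (hypothetical weights and statuses, not the official table).
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.1.2", 5, False),
    Requirement("3.1.3", 1, True),
    Requirement("3.3.1", 3, False),
    Requirement("3.5.3", 5, False),
    Requirement("3.8.3", 5, True),
    Requirement("3.13.11", 5, True),
    Requirement("3.14.1", 1, False),
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE))  # 110 - (5 + 3 + 5 + 1) = 96
    print("remediation order:", gaps_by_weight(SAMPLE))
```

Because a requirement only counts as met when it is fully implemented, the `implemented` flag is deliberately a strict boolean: recording a partially implemented control as `True` would overstate the score submitted to SPRS, which is the error a DIBCAC Medium or High review is designed to catch.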
Assessment Confidence Levels
The methodology defines three confidence levels for assessments:
- Basic (Self-Assessment): The contractor evaluates its own implementation and submits the score to SPRS. This is the minimum requirement under DFARS 252.204-7019.
- Medium (DIBCAC Review): DIBCAC reviews the contractor’s documentation and conducts interviews to verify the self-reported score, but does not perform on-site technical verification.
- High (DIBCAC On-Site): The most rigorous level, involving DIBCAC assessors conducting on-site evaluation of security control implementation and operational effectiveness.
SPRS Score and Contract Eligibility
The resulting score is submitted to SPRS along with the date of the assessment and the anticipated date for achieving a score of 110 (if not already at full compliance). Contracting officers can access SPRS scores when evaluating contract proposals. While there is no official minimum score threshold published by the DoD, a low score signals cybersecurity risk and may influence award decisions, particularly for contracts involving sensitive CUI.
DoD Assessment Methodology vs. CMMC Assessment
The DoD Assessment Methodology (DoDAM) and the CMMC Assessment Process (CAP) both evaluate NIST 800-171 implementation but serve different purposes. The DoDAM produces a numerical score for SPRS and is used for ongoing DFARS compliance monitoring. The CAP results in a pass/fail CMMC certification level. As CMMC rolls out, contractors will need both: a current SPRS score for existing contracts and a CMMC certification for new contract awards that include DFARS 252.204-7021.