Supplier Performance Risk System (SPRS)

The Supplier Performance Risk System (SPRS) is the Department of Defense’s official database for collecting, managing, and distributing supplier performance and risk information across the acquisition community. For defense contractors, SPRS is where NIST SP 800-171 self-assessment scores are recorded — scores that contracting officers review when evaluating proposals and making contract award decisions.

What Is the Supplier Performance Risk System (SPRS)?

The Supplier Performance Risk System (SPRS) is the DoD’s authoritative source for supplier and product performance information. SPRS centralizes data that the defense acquisition community uses to identify, assess, and monitor unclassified performance across the supply chain. For cybersecurity compliance, SPRS serves as the repository for NIST SP 800-171 assessment scores and CMMC self-assessment results.

What Information Does SPRS Contain?

SPRS collects and stores several types of supplier performance data:

  • NIST SP 800-171 self-assessment scores (ranging from -203 to 110)
  • The date of the self-assessment
  • The anticipated date for achieving a score of 110 (if not yet fully compliant)
  • Supplier performance data including quality and delivery metrics
  • CMMC Level 1 self-assessment results
  • DIBCAC assessment results for medium and high-confidence evaluations

How SPRS Scores Are Calculated

SPRS cybersecurity scores are derived from the DoD Assessment Methodology for NIST SP 800-171. The scoring starts at 110 (all requirements implemented) and deducts points for each unimplemented security requirement. Deductions range from 1 to 5 points based on the criticality of the control, resulting in a possible range of -203 to 110. Organizations submit their score along with the assessment date and, if applicable, a plan for achieving a score of 110.

Submitting Your SPRS Score

DFARS 252.204-7019 requires contractors to submit their NIST SP 800-171 self-assessment results to SPRS before receiving a contract that includes this clause. Authorized company representatives can access SPRS through the Procurement Integrated Enterprise Environment (PIEE) portal. The submission requires a current self-assessment score, the scope of the assessment (which systems and locations were evaluated), and the date of the assessment.

SPRS and Contract Award Decisions

Contracting officers access SPRS scores as part of their evaluation of contractor proposals. While the DoD has not published an official minimum score threshold, a low SPRS score signals cybersecurity risk and can influence award decisions, particularly for contracts involving sensitive CUI. Organizations with scores well below 110 should have a credible Plan of Action and Milestones (POA&M) demonstrating their path to full compliance.

Maintaining Your SPRS Score

SPRS scores are not static — organizations should update their score as they implement additional controls and close gaps identified in their POA&M. Regular reassessment ensures the SPRS score accurately reflects the current security posture, which is important both for contract eligibility and for demonstrating good-faith compliance efforts to the DoD.