NIST SP 800-171 DoD Assessment & the SPRS Score
Also known as: DFARS 7019/7020, SPRS score, Basic Assessment
What you do here: Self-assess against NIST SP 800-171 and post a current summary-level score to SPRS before award
At a Glance
- Who it applies to
- DoD contractors and subcontractors subject to DFARS 7012 (systems handling CDI) β before award or option exercise
- What it obligates
- Perform a Basic (self) Assessment of NIST SP 800-171 and post the summary score, SSP date, and closure date to SPRS
- Governing authority
- DFARS 252.204-7019 (offeror requirement) and 252.204-7020 (assessment/access requirement)
- Score validity
- A current assessment is generally one not more than 3 years old (unless the contract specifies otherwise)
- The stakes
- No current SPRS score = no award; an inflated score is a False Claims Act exposure
What It Is
The NIST SP 800-171 DoD Assessment requirement β DFARS 252.204-7019 and 252.204-7020 β is the mechanism DoD uses to verify that contractors have actually implemented the safeguarding required by DFARS 7012, in the window before CMMC third-party certification is fully in place. It works like this. A contractor whose systems will handle Covered Defense Information must perform a 'Basic Assessment' β a self-assessment scored under the DoD Assessment Methodology (start at 110, subtract weighted points for unmet requirements) β and post the result to the Supplier Performance Risk System (SPRS). The posted record includes the summary-level score, the date of the assessment, the scope, and the date by which the contractor expects to have a perfect score (i.e., close the POA&M). DFARS 252.204-7019 makes having a current assessment in SPRS a condition of being eligible for an award; DFARS 252.204-7020 obligates you to keep the assessment current, grant DoD access to conduct higher-level (Medium or High) assessments if it chooses, and flow the requirement down to subcontractors. 'Current' generally means an assessment not more than three years old. Practically, the SPRS score is a gate: a contracting officer must confirm a current score is posted before awarding a covered contract or exercising an option. Because the score is a representation made to obtain an award, posting an inflated score is a false statement β the same exposure that has produced False Claims Act settlements. SPRS is the interim proof of compliance; CMMC (DFARS 7021) is the maturing, assessor-verified successor.
When It Applies
- Before award of a DoD contract subject to DFARS 7012 β the offeror must have a current SPRS assessment posted.
- Before exercising an option or extending a covered contract β the score must remain current.
- When DoD elects to perform a Medium or High Assessment and requires access to your systems and evidence.
- As a flow-down: subcontractors handling CDI must also have a current assessment posted in SPRS.
Key Features
| Feature | What It Means |
|---|---|
| Self-assessment (Basic Assessment) | You score your own NIST SP 800-171 implementation under the DoD methodology and post the summary result to SPRS. |
| SPRS posting is an award gate | DFARS 7019 makes a current posted score a condition of eligibility β no current score, no award or option. |
| DoD can escalate to Medium/High | DFARS 7020 lets DoD conduct its own Medium or High Assessment and requires you to provide access and evidence. |
| Currency requirement | A 'current' assessment is generally not more than three years old; you must refresh it to stay eligible. |
| A representation, not a formality | The posted score is made to obtain awards; an inflated score is a false statement with False Claims Act exposure. |
The SDVOSB Angle
The SPRS score is the single most concrete DoD cybersecurity gate a small SDVOSB hits, and the most common way a small firm gets quietly screened out: if there's no current score posted, the contracting officer can't award, no matter how strong the proposal. Get the assessment done and posted before you bid, not after you're the apparent awardee. Two SDVOSB-specific cautions. First, resist the temptation to post a flattering score β the number is a representation, DoD can escalate to a Medium/High assessment to check it, and the Department of Justice has treated inflated scores as False Claims Act violations, with real settlements against small contractors. Second, the flow-down bites: if a similarly situated subcontractor handles CDI, they need their own current SPRS score, so verify it during teaming rather than discovering the gap at award. An honest, current score plus a credible POA&M keeps you eligible; an empty SPRS record or a fabricated one does the opposite.
How to Comply
- Perform a Basic (self) Assessment of your NIST SP 800-171 implementation using the DoD Assessment Methodology.
- Post the summary-level score, assessment date, scope, and plan-of-action closure date to SPRS before you bid.
- Keep the assessment current β refresh it at least every three years and after material system changes.
- Preserve the evidence and SSP behind the score in case DoD conducts a Medium or High Assessment.
- Confirm subcontractors handling CDI have their own current SPRS scores before you team or award.
Watch Out For
- Bidding without a current SPRS score posted β it blocks award even when your proposal is best.
- Posting an inflated score β it's a representation and a documented False Claims Act risk.
- Letting the score lapse past three years, quietly making you ineligible for the next option.
- Assuming only the prime needs a score β CDI subcontractors need their own posted scores.
Run the Numbers
Frequently Asked
What is a SPRS score?
A SPRS score is a contractor's NIST SP 800-171 DoD Assessment result posted to the Supplier Performance Risk System (SPRS). Under DFARS 252.204-7019 and 252.204-7020, a DoD contractor whose systems handle Covered Defense Information must self-assess against the 110 NIST SP 800-171 requirements using the DoD methodology (starting at 110 and subtracting weighted points for gaps) and post the summary score. A current score is a condition of eligibility for award, so contracting officers check SPRS before awarding covered contracts.
Do I need a SPRS score to win a DoD contract?
If the contract is subject to DFARS 252.204-7012 (your systems will handle Covered Defense Information), then yes β DFARS 252.204-7019 requires a current NIST SP 800-171 assessment posted in SPRS as a condition of eligibility, and the contracting officer must verify it before award. You should complete and post the self-assessment before you submit your offer. Subcontractors that will handle Covered Defense Information also need their own current SPRS scores.
Can I post a low SPRS score and still be eligible?
Generally yes β the requirement is to have a current, accurate assessment posted, not necessarily a perfect 110. A lower score paired with an honest System Security Plan and a Plan of Action & Milestones can still make you eligible for award, though some contracts or an agency's risk tolerance may effectively require a higher score. What you must not do is inflate the score: it is a representation, DoD can escalate to a Medium or High Assessment to verify it, and overstating it has produced False Claims Act settlements.
Primary Sources
- DFARS 252.204-7019 β Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7020 β NIST SP 800-171 DoD Assessment Requirements
- Supplier Performance Risk System (SPRS)
Plain-English reference, not legal advice. Cybersecurity and information-safeguarding rules are fact-specific and change often β the FAR, DFARS, NIST publications, and the CMMC program rule are amended and phased in over time. Always read the current FAR/DFARS text and the safeguarding clauses in your specific contract, check the version of NIST SP 800-171 your contract requires, confirm the SPRS and CMMC requirements with the contracting officer, and consult qualified counsel or a cybersecurity professional before relying on a compliance position or making a certification.
Change log (1)
- LaunchedPublished the federal contract cybersecurity & information safeguarding requirements reference covering the obligations an SDVOSB takes on across a federal (especially DoD) set-aside β basic safeguarding of Federal Contract Information (FAR 52.204-21), the Section 889 covered-telecom prohibition (FAR 52.204-25), the DoD safeguarding of Covered Defense Information and 72-hour cyber-incident reporting (DFARS 252.204-7012), the NIST SP 800-171 control set with its System Security Plan and POA&M, the SPRS self-assessment score (DFARS 252.204-7019 / -7020), the CMMC program and its three levels (DFARS 252.204-7021 / 32 CFR Part 170), Controlled Unclassified Information marking and handling (32 CFR Part 2002 / EO 13556), and the emerging governmentwide FAR CUI rule β each with an at-a-glance quick-facts card, a when-it-applies list, a key-features table, an SDVOSB-specific angle, a how-to-comply checklist, watch-outs, FAQPage, Article, Dataset, and BreadcrumbList structured data, primary-source FAR/DFARS/CFR/NIST citations, and cross-links into the glossary, contracting systems (SPRS, SAM.gov), clauses, forms, contract types, how-to guides, FAQ, and the price-to-win and win-probability calculators.