Skip to content
SPRS Lab

SPRS Score Calculator

Work through all 110 NIST SP 800-171 requirements and get your exact score under the official DoD Assessment Methodology v1.2.1, including the partial-credit rules for MFA and FIPS crypto and the five legitimate N/A cases. Free, no signup, and your answers never leave your browser.

Projected score

110 / 110

0 of 110 answered0%
  • 3.1.1Level 15 pts

    Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

    What this means in practice

    Only people, service accounts, and devices you have explicitly approved can sign in to systems that touch FCI/CUI: no shared logins, no unknown devices.

    Typical quick win: Inventory every account in Microsoft 365/AD, disable anything unused for 90+ days, and remove shared credentials.

  • 3.1.2Level 15 pts

    Limit system access to the types of transactions and functions that authorized users are permitted to execute.

    What this means in practice

    Users can only do what their role requires: a shop-floor user shouldn't be able to touch payroll or admin consoles.

    Typical quick win: Map each job role to security groups and strip permissions that don't match the role.

  • 3.1.31 pts

    Control the flow of CUI in accordance with approved authorizations.

    What this means in practice

    CUI moves only along approved paths: you can say where CUI is allowed to flow (which shares, which cloud, which enclave) and block the rest.

  • 3.1.41 pts

    Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

    What this means in practice

    No single person controls a whole risky process end-to-end. For example, the person who approves access isn't the one who grants it to themselves.

  • 3.1.53 pts

    Employ the principle of least privilege, including for specific security functions and privileged accounts.

    What this means in practice

    Everyone, including admins, gets the minimum rights needed. Separate admin accounts from daily-driver accounts.

    Typical quick win: Give admins two accounts: a standard account for email/browsing and a privileged one used only for admin tasks.

  • 3.1.61 pts

    Use non-privileged accounts or roles when accessing non-security functions.

    What this means in practice

    Admins use their normal (non-privileged) account for email, browsing, and documents: the admin account is only for admin work.

  • 3.1.71 pts

    Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

    What this means in practice

    Standard users can't run privileged functions, and any privileged action lands in an audit log.

  • 3.1.81 pts

    Limit unsuccessful logon attempts.

    What this means in practice

    Accounts lock (or throttle) after repeated failed sign-ins to blunt password guessing.

  • 3.1.91 pts

    Provide privacy and security notices consistent with applicable CUI rules.

    What this means in practice

    Systems that handle CUI display the required notice (e.g., a logon banner) telling users about CUI handling rules and monitoring.

  • 3.1.101 pts

    Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

    What this means in practice

    Screens lock automatically with content hidden (screensaver/lock screen) after inactivity.

  • 3.1.111 pts

    Terminate (automatically) a user session after a defined condition.

    What this means in practice

    Sessions end automatically on defined conditions, such as VPN or web sessions timing out after inactivity or a max duration.

  • 3.1.125 pts

    Monitor and control remote access sessions.

    What this means in practice

    All remote access (VPN, RDP gateways, remote-support tools) is identified, monitored, and controlled: you know who is connected remotely and can cut them off.

    Typical quick win: Funnel all remote access through one VPN/gateway with logging on, and disable direct RDP from the internet everywhere.

    N/A allowed only if remote access not permitted.

  • 3.1.135 pts

    Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

    What this means in practice

    Remote sessions are encrypted with real cryptography (TLS 1.2+, IKEv2/WireGuard): no cleartext or legacy protocols.

    Typical quick win: Verify VPN and remote tools negotiate TLS 1.2+/modern ciphers and disable legacy fallbacks (PPTP, SSLv3, RDP without TLS).

    N/A allowed only if remote access not permitted.

  • 3.1.141 pts

    Route remote access via managed access control points.

    What this means in practice

    Remote traffic enters through a small number of managed choke points (VPN concentrator, gateway), not ad-hoc per-machine access.

  • 3.1.151 pts

    Authorize remote execution of privileged commands and remote access to security-relevant information.

    What this means in practice

    Running privileged commands remotely (remote admin) is a separately authorized privilege, not something every remote user can do.

  • 3.1.165 pts

    Authorize wireless access prior to allowing such connections.

    What this means in practice

    New wireless connections to the corporate network require explicit authorization: guest Wi-Fi is segregated from anything touching CUI.

    Typical quick win: Put guest/IoT Wi-Fi on separate VLANs with no route to CUI systems.

    N/A allowed only if wireless access not permitted.

  • 3.1.175 pts

    Protect wireless access using authentication and encryption.

    What this means in practice

    Corporate Wi-Fi uses strong auth + encryption (WPA2/WPA3-Enterprise or at minimum a strong unique PSK with WPA2/3).

    Typical quick win: Retire WEP/WPA-TKIP and open SSIDs; move to WPA3 or WPA2-AES with 802.1X where possible.

    N/A allowed only if wireless access not permitted.

  • 3.1.185 pts

    Control connection of mobile devices.

    What this means in practice

    Phones/tablets that touch company data are controlled: enrolled in MDM/Intune or blocked from CUI systems entirely.

    Typical quick win: Use Intune (or equivalent) app protection/enrollment as a condition for mobile access to email and files.

    N/A allowed only if connection of mobile devices is not permitted.

  • 3.1.193 pts

    Encrypt CUI on mobile devices and mobile computing platforms.

    What this means in practice

    Any CUI stored on mobile devices/laptops in the field is encrypted (device encryption on, enforced).

  • 3.1.20Level 11 pts

    Verify and control/limit connections to and use of external systems.

    What this means in practice

    You control which external systems (personal devices, partner networks, public cloud) may connect to yours, and verify their security before allowing use.

    Typical quick win: Block personal-device access to CUI stores via conditional access; document the external services you actually permit.

  • 3.1.211 pts

    Limit use of portable storage devices on external systems.

    What this means in practice

    Company portable storage (USB drives) can't be freely used on external/non-company systems.

  • 3.1.22Level 11 pts

    Control CUI posted or processed on publicly accessible systems.

    What this means in practice

    Nothing marked CUI (or FCI) gets posted to public sites: someone reviews/approves what goes on your website or social media.

Answer all 110 to finish your assessment

110 requirements left. Progress saves automatically in your browser.

How SPRS scoring actually works

The NIST SP 800-171 DoD Assessment Methodology assigns every one of the 110 security requirements a weight of 5, 3, or 1 point based on its impact: 42 requirements are worth 5 points, 14 are worth 3, and 51 are worth 1. You start at 110 and subtract the weight of every requirement you have not fully implemented. "Partially done" counts as not implemented, with exactly two exceptions:

  • 3.5.3 (MFA): subtract 5 if you have no MFA; subtract only 3 if MFA covers remote access and privileged users but not yet general users.
  • 3.13.11 (FIPS-validated crypto): subtract 5 if CUI isn't encrypted at all; subtract only 3 if it's encrypted but the cryptography isn't FIPS-validated.

Five requirements can be legitimately N/A: the remote-access pair (3.1.12, 3.1.13), the wireless pair (3.1.16, 3.1.17), and mobile devices (3.1.18). That applies only when your environment genuinely doesn't permit those capabilities. One requirement is special: 3.12.4, the System Security Plan, has no point value because without an SSP the assessment cannot be completed at all.

What to do with your score

A Basic self-assessment score must be posted toSPRS through PIEE (role: SPRS Cyber Vendor User), with the assessment date, scope, the SSP it covers, and the date you expect to reach 110. Under the CMMC program's phased rollout, self-assessments are already appearing as conditions of award in new DoD solicitations, and Level 2 certification requirements phase in next. A low score today isn't fatal. An absent or dishonest score is. False Claims Act settlements over misstated scores are real, so score honestly, then close gaps in priority order.

The calculator's POA&M export lists your gaps sorted by points at risk, which is (deliberately) the order most consultants would attack them: knock out the 5-pointers, then the 3s, then sweep the 1s.

Frequently asked questions

What is an SPRS score?

Your SPRS score is the result of a NIST SP 800-171 Basic (self) Assessment using the DoD Assessment Methodology. It starts at 110 and subtracts weighted points (1, 3, or 5) for each of the 110 security requirements not fully implemented, so scores range from -203 to +110. Defense contractors post the score to the Supplier Performance Risk System (SPRS) via PIEE, as required by DFARS 252.204-7019/7020.

Is a negative SPRS score possible?

Yes. The minimum possible score is -203, because the weighted deductions across all 110 requirements total 313 points. A company with very little implemented can be deeply negative, and that is common on a first honest assessment.

What SPRS score do I need to win DoD contracts?

There is no published minimum for the Basic self-assessment, but you need a current score posted in SPRS (with an assessment date, scope, and SSP identified) to be eligible for awards involving CUI. For CMMC Level 2 certification, you must reach at least 88 of 110 (with only select 1-point items on a POA&M, closed within 180 days) for a Conditional status, and all POA&M-eligible gaps closed for Final status.

Can I score N/A on any controls?

Only where the methodology allows it: 3.1.12 and 3.1.13 (if remote access is not permitted at all), 3.1.16 and 3.1.17 (if wireless is not permitted), and 3.1.18 (if mobile device connection is not permitted). Everything else must be implemented or costs points. This calculator enforces those rules, which many free calculators don't.

What happens if I don't have a System Security Plan (SSP)?

Without an SSP (requirement 3.12.4), a DoD assessment 'could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.' In practice: you cannot truthfully post a score to SPRS until you have an SSP. Write the SSP first.

Is this calculator really private?

Yes. It is a static page, and your answers are stored only in your own browser (localStorage) and are never transmitted anywhere. You can verify this in your browser's network tab. Export or delete your data anytime.

Get the 110-control evidence checklist

One email, no spam: the checklist of evidence an assessor expects for each control family, plus a monthly note when DoD guidance changes.

Email signup launches soon. Check back shortly.

No spam, unsubscribe anytime. We never see your assessment answers.

Sources: NIST SP 800-171 Rev 2; NIST SP 800-171 DoD Assessment Methodology v1.2.1 (June 24, 2020); DFARS 252.204-7012/-7019/-7020; 32 CFR Part 170 (CMMC Program). This tool implements the published methodology verbatim. See themethodology & sources page. Not legal advice, and not an official DoD tool.