SPRS Score Calculator
Work through all 110 NIST SP 800-171 requirements and get your exact score under the official DoD Assessment Methodology v1.2.1, including the partial-credit rules for MFA and FIPS crypto and the five legitimate N/A cases. Free, no signup, and your answers never leave your browser.
- Official weights (5/3/1)
- POA&M draft export
- Autosaves locally
- Plain-English guidance per control
110 / 110
3.1.1Level 15 pts
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
What this means in practice
Only people, service accounts, and devices you have explicitly approved can sign in to systems that touch FCI/CUI: no shared logins, no unknown devices.
Typical quick win: Inventory every account in Microsoft 365/AD, disable anything unused for 90+ days, and remove shared credentials.
3.1.2Level 15 pts
Limit system access to the types of transactions and functions that authorized users are permitted to execute.
What this means in practice
Users can only do what their role requires: a shop-floor user shouldn't be able to touch payroll or admin consoles.
Typical quick win: Map each job role to security groups and strip permissions that don't match the role.
3.1.31 pts
Control the flow of CUI in accordance with approved authorizations.
What this means in practice
CUI moves only along approved paths: you can say where CUI is allowed to flow (which shares, which cloud, which enclave) and block the rest.
3.1.41 pts
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
What this means in practice
No single person controls a whole risky process end-to-end. For example, the person who approves access isn't the one who grants it to themselves.
3.1.53 pts
Employ the principle of least privilege, including for specific security functions and privileged accounts.
What this means in practice
Everyone, including admins, gets the minimum rights needed. Separate admin accounts from daily-driver accounts.
Typical quick win: Give admins two accounts: a standard account for email/browsing and a privileged one used only for admin tasks.
3.1.61 pts
Use non-privileged accounts or roles when accessing non-security functions.
What this means in practice
Admins use their normal (non-privileged) account for email, browsing, and documents: the admin account is only for admin work.
3.1.71 pts
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
What this means in practice
Standard users can't run privileged functions, and any privileged action lands in an audit log.
3.1.81 pts
Limit unsuccessful logon attempts.
What this means in practice
Accounts lock (or throttle) after repeated failed sign-ins to blunt password guessing.
3.1.91 pts
Provide privacy and security notices consistent with applicable CUI rules.
What this means in practice
Systems that handle CUI display the required notice (e.g., a logon banner) telling users about CUI handling rules and monitoring.
3.1.101 pts
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
What this means in practice
Screens lock automatically with content hidden (screensaver/lock screen) after inactivity.
3.1.111 pts
Terminate (automatically) a user session after a defined condition.
What this means in practice
Sessions end automatically on defined conditions, such as VPN or web sessions timing out after inactivity or a max duration.
3.1.125 pts
Monitor and control remote access sessions.
What this means in practice
All remote access (VPN, RDP gateways, remote-support tools) is identified, monitored, and controlled: you know who is connected remotely and can cut them off.
Typical quick win: Funnel all remote access through one VPN/gateway with logging on, and disable direct RDP from the internet everywhere.
N/A allowed only if remote access not permitted.
3.1.135 pts
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
What this means in practice
Remote sessions are encrypted with real cryptography (TLS 1.2+, IKEv2/WireGuard): no cleartext or legacy protocols.
Typical quick win: Verify VPN and remote tools negotiate TLS 1.2+/modern ciphers and disable legacy fallbacks (PPTP, SSLv3, RDP without TLS).
N/A allowed only if remote access not permitted.
3.1.141 pts
Route remote access via managed access control points.
What this means in practice
Remote traffic enters through a small number of managed choke points (VPN concentrator, gateway), not ad-hoc per-machine access.
3.1.151 pts
Authorize remote execution of privileged commands and remote access to security-relevant information.
What this means in practice
Running privileged commands remotely (remote admin) is a separately authorized privilege, not something every remote user can do.
3.1.165 pts
Authorize wireless access prior to allowing such connections.
What this means in practice
New wireless connections to the corporate network require explicit authorization: guest Wi-Fi is segregated from anything touching CUI.
Typical quick win: Put guest/IoT Wi-Fi on separate VLANs with no route to CUI systems.
N/A allowed only if wireless access not permitted.
3.1.175 pts
Protect wireless access using authentication and encryption.
What this means in practice
Corporate Wi-Fi uses strong auth + encryption (WPA2/WPA3-Enterprise or at minimum a strong unique PSK with WPA2/3).
Typical quick win: Retire WEP/WPA-TKIP and open SSIDs; move to WPA3 or WPA2-AES with 802.1X where possible.
N/A allowed only if wireless access not permitted.
3.1.185 pts
Control connection of mobile devices.
What this means in practice
Phones/tablets that touch company data are controlled: enrolled in MDM/Intune or blocked from CUI systems entirely.
Typical quick win: Use Intune (or equivalent) app protection/enrollment as a condition for mobile access to email and files.
N/A allowed only if connection of mobile devices is not permitted.
3.1.193 pts
Encrypt CUI on mobile devices and mobile computing platforms.
What this means in practice
Any CUI stored on mobile devices/laptops in the field is encrypted (device encryption on, enforced).
3.1.20Level 11 pts
Verify and control/limit connections to and use of external systems.
What this means in practice
You control which external systems (personal devices, partner networks, public cloud) may connect to yours, and verify their security before allowing use.
Typical quick win: Block personal-device access to CUI stores via conditional access; document the external services you actually permit.
3.1.211 pts
Limit use of portable storage devices on external systems.
What this means in practice
Company portable storage (USB drives) can't be freely used on external/non-company systems.
3.1.22Level 11 pts
Control CUI posted or processed on publicly accessible systems.
What this means in practice
Nothing marked CUI (or FCI) gets posted to public sites: someone reviews/approves what goes on your website or social media.
Answer all 110 to finish your assessment
110 requirements left. Progress saves automatically in your browser.
How SPRS scoring actually works
The NIST SP 800-171 DoD Assessment Methodology assigns every one of the 110 security requirements a weight of 5, 3, or 1 point based on its impact: 42 requirements are worth 5 points, 14 are worth 3, and 51 are worth 1. You start at 110 and subtract the weight of every requirement you have not fully implemented. "Partially done" counts as not implemented, with exactly two exceptions:
- 3.5.3 (MFA): subtract 5 if you have no MFA; subtract only 3 if MFA covers remote access and privileged users but not yet general users.
- 3.13.11 (FIPS-validated crypto): subtract 5 if CUI isn't encrypted at all; subtract only 3 if it's encrypted but the cryptography isn't FIPS-validated.
Five requirements can be legitimately N/A: the remote-access pair (3.1.12, 3.1.13), the wireless pair (3.1.16, 3.1.17), and mobile devices (3.1.18). That applies only when your environment genuinely doesn't permit those capabilities. One requirement is special: 3.12.4, the System Security Plan, has no point value because without an SSP the assessment cannot be completed at all.
What to do with your score
A Basic self-assessment score must be posted toSPRS through PIEE (role: SPRS Cyber Vendor User), with the assessment date, scope, the SSP it covers, and the date you expect to reach 110. Under the CMMC program's phased rollout, self-assessments are already appearing as conditions of award in new DoD solicitations, and Level 2 certification requirements phase in next. A low score today isn't fatal. An absent or dishonest score is. False Claims Act settlements over misstated scores are real, so score honestly, then close gaps in priority order.
The calculator's POA&M export lists your gaps sorted by points at risk, which is (deliberately) the order most consultants would attack them: knock out the 5-pointers, then the 3s, then sweep the 1s.
Frequently asked questions
What is an SPRS score?
Your SPRS score is the result of a NIST SP 800-171 Basic (self) Assessment using the DoD Assessment Methodology. It starts at 110 and subtracts weighted points (1, 3, or 5) for each of the 110 security requirements not fully implemented, so scores range from -203 to +110. Defense contractors post the score to the Supplier Performance Risk System (SPRS) via PIEE, as required by DFARS 252.204-7019/7020.
Is a negative SPRS score possible?
Yes. The minimum possible score is -203, because the weighted deductions across all 110 requirements total 313 points. A company with very little implemented can be deeply negative, and that is common on a first honest assessment.
What SPRS score do I need to win DoD contracts?
There is no published minimum for the Basic self-assessment, but you need a current score posted in SPRS (with an assessment date, scope, and SSP identified) to be eligible for awards involving CUI. For CMMC Level 2 certification, you must reach at least 88 of 110 (with only select 1-point items on a POA&M, closed within 180 days) for a Conditional status, and all POA&M-eligible gaps closed for Final status.
Can I score N/A on any controls?
Only where the methodology allows it: 3.1.12 and 3.1.13 (if remote access is not permitted at all), 3.1.16 and 3.1.17 (if wireless is not permitted), and 3.1.18 (if mobile device connection is not permitted). Everything else must be implemented or costs points. This calculator enforces those rules, which many free calculators don't.
What happens if I don't have a System Security Plan (SSP)?
Without an SSP (requirement 3.12.4), a DoD assessment 'could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.' In practice: you cannot truthfully post a score to SPRS until you have an SSP. Write the SSP first.
Is this calculator really private?
Yes. It is a static page, and your answers are stored only in your own browser (localStorage) and are never transmitted anywhere. You can verify this in your browser's network tab. Export or delete your data anytime.
Get the 110-control evidence checklist
One email, no spam: the checklist of evidence an assessor expects for each control family, plus a monthly note when DoD guidance changes.
Email signup launches soon. Check back shortly.
No spam, unsubscribe anytime. We never see your assessment answers.
Sources: NIST SP 800-171 Rev 2; NIST SP 800-171 DoD Assessment Methodology v1.2.1 (June 24, 2020); DFARS 252.204-7012/-7019/-7020; 32 CFR Part 170 (CMMC Program). This tool implements the published methodology verbatim. See themethodology & sources page. Not legal advice, and not an official DoD tool.