SPRS Validation · FCA Risk Analysis · South Brunswick, NJ

SPRS Score Assessment
Know Your Real Number

Your SPRS score must reflect actual technical implementation of NIST 800-171 controls. We validate your score against your real infrastructure, identify False Claims Act exposure, and give you a ranked roadmap to improve it.

110: Max SPRS Score
FCA: Risk Assessed
IaC: Remediation Path

The SPRS Score and Why Accuracy Matters

The Supplier Performance Risk System (SPRS) score is a self-assessed measure of NIST SP 800-171 compliance. Under DFARS 252.204-7019, DoD contractors must complete a self-assessment and submit their score to SPRS before being awarded a contract. The maximum score is 110, representing full implementation of all 110 requirements. Each unimplemented control reduces the score.

The problem is the self-assessment process. Many contractors submit scores based on policies and intent rather than on actual technical implementation. A score of 88 on paper, with 22 controls listed as in-progress, often reflects a very different reality when assessed against infrastructure evidence.

A CMMC Level 2 C3PAO assessment will compare your submitted SPRS score against what is actually running in your environment. A significant discrepancy between submitted score and assessed score creates False Claims Act exposure in addition to assessment failure.

SPRS score ranges and what they indicate

110: Full implementation. All 110 controls technically implemented and verifiable. CMMC Level 2 assessment-ready.

88-109: Minor gaps. Fewer than 22 controls open. Targeted remediation typically achievable in weeks to a few months.

1-87: Significant gaps. More than 22 controls open. Structured remediation program needed. POA&M required.

<0: Critical gaps. High-weight controls unimplemented. Assessment failure very likely without structured remediation. Possible FCA exposure if score was previously reported higher.

How VIS LLC Validates Your SPRS Score

Each control is evaluated against technical evidence from your actual infrastructure, not your policy documentation.

01. Current Score Review

Review your current SPRS submission and the self-assessment methodology used to produce it. Identify which controls were rated and what evidence was used.

02. Technical Validation

Evaluate each control against configuration exports, access logs, MFA state, encryption settings, patch records, and network architecture. Evidence-first evaluation against what is in your infrastructure.

03. Score Gap Analysis

Compare your submitted score to the technically-validated score. Identify the delta, which controls account for it, and whether the discrepancy carries FCA exposure given contract history and submission timing.

04. Improvement Roadmap

Prioritized list of open controls ordered by SPRS point value. IaC-based remediation path for each gap. Timeline to reach target score for CMMC Level 2 assessment readiness.

SPRS Score Assessment: Common Questions

What contractors need to know before validating their SPRS submission.

What is an SPRS score and how is it calculated?

The SPRS score measures NIST SP 800-171 compliance. The maximum is 110, one point for each implemented requirement. Unimplemented controls are deducted. A fully compliant contractor scores 110. Under DFARS 252.204-7019, contractors must self-assess and submit their score before being eligible for DoD contract awards.

What is the False Claims Act risk of an inflated SPRS score?

Submitting an SPRS score that does not reflect actual NIST 800-171 implementation can constitute a false statement to the federal government. DoJ has brought enforcement actions against contractors with inflated scores. Risk is highest when contractors submit high scores despite documented gaps, or when scores are unchanged across years without remediation activity. A technically validated score is the best protection.

How does VIS LLC validate an SPRS score?

VIS LLC evaluates each of the 110 NIST 800-171 requirements against technical evidence: configuration exports, access control settings, audit log configuration, MFA enforcement, encryption state, and network architecture. Each control is rated Met, Partially Met, or Not Met. The resulting score is compared to your current SPRS submission to identify the gap between reported and actual compliance.

What is a reasonable target SPRS score for CMMC Level 2?

For CMMC Level 2 certification, all 110 requirements must be met and the target SPRS score is 110. Contractors with current scores below 88 have more than 22 open controls and typically need a structured remediation program. VIS LLC produces a roadmap ordered by SPRS point impact so you achieve the greatest score improvement per remediation hour invested.

Validate Your SPRS Score Before a C3PAO Does

A 30-minute call is enough to understand what your current submission says, what your infrastructure actually shows, and what the gap means for your contracts and your schedule.

Virtual Infrastructure Services LLC · South Brunswick, NJ · +1 (732) 200-7352