Docs / SPRS score explained

SPRS score explained

The number primes and the DoD actually look at. Bastion calculates it live using the official DoD weighted methodology — here's exactly how it works.

On this page

What the SPRS score is

The Supplier Performance Risk System (SPRS) is the DoD system of record where your NIST SP 800-171 assessment score lives. Under DFARS 252.204-7019/7020, contractors handling CUI must have a current self-assessment score posted in SPRS to be eligible for award. The score is a single number that summarizes how much of NIST 800-171 you've implemented.

A perfect score is 110 — every control implemented. You start there and lose points for each control that isn't fully Met. The floor is −203.

The weighted methodology (5 / 3 / 1)

Not all controls are equal. DoD's NIST SP 800-171 DoD Assessment Methodology assigns each control a weight based on how much risk it carries if it's missing. When a control isn't Met, you subtract its weight from 110:

WeightMeaningPoints lost if not Met
5Highest-impact controls — a missing one substantially raises risk to CUI.−5 each
3Significant controls with meaningful risk impact.−3 each
1Important but lower individual risk impact.−1 each

So the formula is simply:

SPRS score = 110 − (sum of weights of all controls not fully Met)

A few special cases the DoD methodology accounts for, which Bastion applies for you:

Because the highest weights cluster on a handful of controls, fixing the right 5-point gaps moves your score far more than chipping away at 1-point items. Bastion's top remediation priorities rank gaps by exactly this leverage, and the what-if projected SPRS in the remediation planner shows the payoff before you do the work.

Why "Partially Met" earns no credit

This surprises people: in the DoD methodology there is no partial credit. A control is either fully implemented (scored as Met) or it isn't (you lose its full weight). Marking a control Partially Met in Bastion costs you the same points as Not Met.

That's intentional, and it reflects reality: a half-configured control often provides little real protection to CUI. A door that locks 80% of the time isn't 80% locked. The "Partially Met" status still matters — it tells you (and your POA&M) that work is underway and how much remains — but it does not improve your score until the control is fully Met.

Don't chase the score by leaving things at "Partially Met." The score only rewards finished controls. Use partial status to track progress, then close it out to earn the points.

What a negative score means

Because each unmet control subtracts its weight from a starting 110, and the weights add up to far more than 110, a posture with many gaps lands below zero — all the way down to the −203 floor. A negative score isn't an error; it's the methodology working as designed, and many suppliers genuinely start in negative territory before remediation.

What matters is the trajectory. Post an honest score, attach a POA&M, and show steady improvement. Bastion's score-history snapshots document that climb over time, which is exactly the story a prime or assessor wants to see.

How to report your score to SPRS

Bastion calculates the score; you post it to the official DoD SPRS system. The high-level process:

Complete your assessment in Bastion and confirm the score reflects reality.
Note your assessment date, the score, the scope (CAGE code / enclave), and your target date for reaching 110 (the date your POA&M closes).
Log into the DoD SPRS application (via PIEE) and enter the self-assessment as a "Basic" assessment.
Keep your SSP and POA&M on hand — they support the score you posted and are what an assessor or prime will request.

Bastion does not connect to or submit anything to SPRS, PIEE, or the DoD. It produces the score and the supporting artifacts; reporting is a manual step you perform in the official system.

What primes look for

When a prime like Boeing evaluates a supplier, they're weighing more than the raw number:

Next: Integrations Back to docs