A defense contract can now be lost on a number you posted to a government database yourself.

That number is your SPRS score: the implied output of a NIST SP 800-171 self-assessment, sitting in the Supplier Performance Risk System, visible to the contracting officer before award. No assessor visits. No site audit. Just your own attestation against 110 security requirements — and the contracting officer's right to take you at your word until the day they don't.

For prime contractors and the supply chain beneath them, the NIST SP 800-171 self-assessment has stopped being a paperwork exercise. Under the CMMC-aligned DFARS clause, it is a condition of eligibility. This is the control-level mechanism: how the score is built, what evidence survives scrutiny, and where contractors quietly lose the points that lose the contract.

Why has a NIST SP 800-171 SPRS score become contract-gating for the defense supply chain?

The Department of Defense protects a category of data called controlled unclassified information (CUI) — technical drawings, specifications, research, and operational data that is not classified but is not for public release either. When CUI lands on a contractor's system, the government wants assurance that the contractor is protecting it to a defined standard.

That standard is NIST SP 800-171. The current catalog is Revision 3, titled "Protecting CUI," and it sets out the security requirements a nonfederal organization must meet to safeguard CUI on its own systems.

The enforcement mechanism is contractual. DFARS 252.204-7012 obligates contractors handling covered defense information to implement NIST SP 800-171 and to report cyber incidents. A second clause requires the contractor to record a self-assessment score in SPRS, where it becomes a gating factor for award and a flow-down obligation through the supply chain.

The shift that caught firms off guard: this was never a "best effort" expectation. The DFARS clause turns the control catalog into a contractual baseline, and the SPRS score turns your implementation status into a public, machine-readable claim the government can act on.

What changed in Revision 3 — and how does the CMMC-aligned DFARS clause flow down to subcontractors?

Revision 3 restructured the catalog around control families and tightened the assessment model. Each requirement now carries explicit assessment objectives — the specific determinations an assessor makes to decide whether the control is met — and organization-defined parameters (ODPs) the contractor must set, such as how often a requirement is reviewed.

This matters because the assessment objectives are the actual test. A control is not "in place" because you bought a tool. It is in place when every assessment objective for that requirement is satisfied and evidenced.

The flow-down is the part subcontractors underestimate. DFARS 252.204-7012 requires the prime to include the clause in subcontracts where the subcontractor will handle CUI. The obligation propagates: the prime's contract depends partly on whether the firms beneath it are also implementing NIST SP 800-171 and posting their own SPRS scores. CMMC compliance formalizes this by tying certification level to the sensitivity of the information handled, with the self-assessment-and-SPRS mechanism remaining the foundation at the lower levels.

So the supply chain inherits a single standard with many attestations. A prime cannot fully control a subcontractor's posture, but it can — and increasingly does — make the subcontractor's SPRS score a condition of the subcontract.

How is an SPRS self-assessment score actually calculated against the 110 controls?

The SPRS scoring methodology is defined by the DoD assessment guidance rather than by the SP 800-171 control text itself, so attribute the arithmetic to that guidance, not to the catalog. The mechanism, in plain terms:

The assessment starts at a perfect score and subtracts points for each of the 110 controls that is not fully implemented. Most controls carry a weight of one point. A smaller set of controls — the ones DoD treats as foundational to protecting CUI — carry heavier deductions because their absence exposes the whole system.

The controls that tend to carry the heaviest weight are exactly the ones the catalog treats as load-bearing. Multi-factor authentication is one. SP 800-171 requires multi-factor authentication for access to privileged accounts and for access to non-privileged accounts — not one or the other. A firm that has MFA on admin logins but not on standard user accounts has not met the requirement, and the deduction reflects how much that gap matters.

The output is a single integer. It is the number you post to SPRS, and it is the number the contracting officer reads. A high score with no supporting evidence is a liability waiting for an assessment. A modest score backed by a clean SSP and an honest POA&M is defensible.

This is where most self-assessments go wrong: they score the intent, not the implementation. The control catalog is built around assessment objectives precisely so that "implemented" has a verifiable meaning.

What evidence does an SSP and POA&M need to survive a DCMA or third-party assessment?

Two documents carry the weight: the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M). The catalog specifies what each must contain.

SP 800-171 requires a system security plan that, in its own terms, defines the constituent system components; identifies the information types processed, stored, and transmitted by the system; describes specific threats to the system that are of concern to the organization; describes the operational environment and any dependencies on or connections to other systems; provides an overview of the security requirements; describes the safeguards in place or planned for meeting those requirements; and identifies the individuals who fulfill system roles and responsibilities. The catalog further requires the SSP to be reviewed and updated, and protected from unauthorized disclosure.

Read that list as an assessor would. The SSP is not a narrative. It is a structured claim about your CUI boundary — what is in scope, what data it holds, who is responsible, and what is protecting it. An SSP that cannot say where CUI lives cannot support any score above it.

The POA&M is the companion document for what is not yet done. The catalog requires a plan of action and milestones that documents the planned remediation actions to correct weaknesses or deficiencies noted during security assessments and to reduce or eliminate known system vulnerabilities. It must be updated based on findings from security assessments, from audits or reviews, and from continuous monitoring activities.

The catalog is explicit about why these matter to the government: it states that federal agencies may consider system security plans and POAMs as inputs to risk-based decisions on whether to process, store, or transmit CUI on a system hosted by a nonfederal organization. Your SSP and POA&M are not internal hygiene. They are inputs the government uses to decide whether to trust you with CUI.

Behind both sits the risk assessment. SP 800-171 requires the contractor to assess the risk — including supply chain risk — of unauthorized disclosure resulting from the processing, storage, or transmission of CUI, and to update that assessment. The catalog explicitly extends this to risks from external parties such as contractors operating systems on the organization's behalf and service providers. The supply chain is inside your assessment boundary, not outside it.

Where do prime contractors and subcontractors most often lose points (and contracts)?

The losses cluster in predictable places. Each maps to a control whose assessment objective is harder to satisfy than firms assume.

Partial multi-factor authentication. As above, the catalog requires MFA for both privileged and non-privileged accounts. Stopping at admin accounts is the single most common heavy-weight miss.

An SSP that doesn't define the CUI boundary. If the plan does not identify the information types processed, stored, and transmitted by the system, every downstream control claim is unanchored. Assessors start here, and a weak boundary collapses the rest.

Policies that exist but were never disseminated or reviewed. The catalog requires that the policies and procedures needed to satisfy the CUI security requirements are developed, documented, and disseminated to organizational personnel or roles, and reviewed and updated. A policy in a drawer fails the dissemination objective.

Rules of behavior with no signed acknowledgement. The catalog requires a documented acknowledgement from individuals that they have read, understand, and agree to abide by the rules of behavior before authorizing access to CUI and the system. No signatures, no control.

Media sanitization gaps. The catalog requires that system media containing CUI are sanitized prior to disposal, release out of organizational control, or release for reuse. Decommissioned laptops and copiers are a recurring finding.

A POA&M that is a wish list, not a plan. The control requires milestones and updates driven by assessment, audit, and continuous monitoring findings. A POA&M with open items and no dates is evidence of a gap, not a plan to close it.

The pattern underneath all of these: the point-in-time self-assessment captures a claim, but the assessor tests the evidence. Where the claim and the evidence diverge, points — and contracts — are lost.

How do you move from a point-in-time self-assessment to continuous, evidence-backed CUI readiness?

The structural problem with the self-assessment is that it is a snapshot. The SPRS score reflects the day you posted it. The contract obligation is continuous. Between the two sits the risk that your posture drifts while your attestation stays frozen.

The catalog already points toward the fix. It requires SSP review and update, POA&M updates from continuous monitoring, risk assessment updates, and policy and procedure review on a defined cadence. Revision 3 made these recurring obligations explicit through organization-defined parameters. The standard does not want a one-time document. It wants a living record.

The operational shift is to treat every control as a claim bound to evidence, and every piece of evidence to its source obligation. That is the model Aegis GRC is built on: one organizational profile describing what you are and what data you hold, deterministically mapped to the obligations that actually apply, with every obligation traced to a verbatim quote from the source text. No AI hallucinations. A score you can defend in front of a contracting officer, a DCMA assessor, or a CMMC third-party assessor.

When your CUI obligations, your SSP claims, and your POA&M items live in one structured map instead of three disconnected spreadsheets, the assessment stops being a project and becomes a query. The evidence is already attached. The gaps are already named.

Map your CUI obligations and SPRS evidence gaps in one organizational profile at aegis-grc.com — see your defense-contract exposure before your next assessment.

FAQ: SPRS scoring, CMMC levels, flow-down, and re-assessment timing

Is a NIST SP 800-171 self-assessment enough, or do I need a third-party CMMC assessment? It depends on the sensitivity of the information you handle and the contract's CMMC level. The self-assessment and SPRS score remain the foundation at the lower CMMC levels; higher levels require third-party assessment. The self-assessment and the underlying SSP and POA&M are required either way — the third-party assessor checks the same controls.

How is the SPRS score calculated? Under the DoD assessment methodology (not the SP 800-171 control text itself), the score starts at the maximum and deducts points for each of the 110 controls not fully implemented, with heavier weights for foundational controls such as multi-factor authentication. The result is a single integer posted to SPRS.

Does the DFARS clause really flow down to subcontractors? Yes. DFARS 252.204-7012 requires the prime to include the clause in subcontracts where the subcontractor will handle CUI. Subcontractors implement NIST SP 800-171 and post their own SPRS scores, and primes increasingly make that score a condition of the subcontract.

How often must I re-assess and update my SPRS score? The catalog requires recurring review and update of the SSP, risk assessment, policies, and POA&M, with cadences set as organization-defined parameters. The practical answer: re-assess whenever your CUI environment changes, when an assessment or audit produces findings, and on the schedule your contract and CMMC level require — not once and never again.