
Published by Capital Cyber | Leesburg, VA | (571) 410 3066
Your SPRS score is the single most visible indicator of your cybersecurity posture to the Department of Defense. Contracting officers check it. DIBCAC auditors use it as a baseline. And under the False Claims Act, an inaccurate score can create legal liability that threatens your entire business.
Yet most defense manufacturers have SPRS scores that don’t reflect reality. They submitted optimistic numbers without performing a meaningful self-assessment.
Here’s what you need to know.
The Supplier Performance Risk System tracks contractor risk information for the DoD. For cybersecurity, SPRS stores NIST SP 800-171 self-assessment scores.
Under DFARS 252.204-7019, every defense contractor handling CUI must have a current score posted in SPRS. Think of it as your cybersecurity credit score for defense contracts.
A perfect score is 110. The minimum is negative 203. Where does yours fall?
Each of the 110 controls in NIST SP 800-171 is worth 1, 3, or 5 points. Start with 110. Subtract for every control not fully implemented.
The 5-point controls are the critical ones: multi-factor authentication, encryption of CUI, incident response capabilities. Missing several of these drops your score fast.
Here’s the catch: ‘implemented’ doesn’t mean ‘downloaded’ or ‘configured.’ It means operational, consistently applied, and demonstrable to an assessor.
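As an added illustration of that arithmetic (example code, not part of the original post), here is a small Python scorer that applies the 110-minus-deductions rule to a constructed self-assessment and ranks the open gaps by points recovered. It goes slightly beyond the post: the control weights are a subset I chose from the DoD Assessment Methodology, the two partial-credit cases it recognises (MFA and FIPS-validated cryptography) are my reading of that methodology, and a "partial" status on any other control is treated as not implemented, matching the definition of implemented above.

```python
from enum import Enum

MAX_SCORE = 110

class Status(Enum):
    IMPLEMENTED = "implemented"      # operational, consistent, demonstrable
    PARTIAL = "partial"              # credited only where the methodology allows
    NOT_IMPLEMENTED = "not_implemented"

# Requirement id -> point value. Constructed subset of the 110 controls; weights
# follow my reading of the DoD Assessment Methodology Annex A, so verify them.
WEIGHTS = {
    "3.1.1": 5, "3.1.5": 3, "3.2.1": 5, "3.3.1": 5, "3.3.3": 1,
    "3.5.3": 5, "3.6.1": 5, "3.13.8": 3, "3.13.11": 5, "3.13.16": 1,
}

# Only two requirements carry partial credit: MFA for remote and privileged but
# not general users (3.5.3) and non-FIPS-validated encryption (3.13.11): 3, not 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

def deduction(control: str, status: Status) -> int:
    """Points lost on one control; 'partial' without a rule loses full weight."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and control in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[control]
    return WEIGHTS[control]

def sprs_score(assessment: dict) -> int:
    """Start at 110 and subtract per control; an unassessed control is not implemented."""
    lost = sum(deduction(c, assessment.get(c, Status.NOT_IMPLEMENTED))
               for c in WEIGHTS)
    return MAX_SCORE - lost

def remediation_order(assessment: dict) -> list:
    """Open gaps with the points each recovers, biggest recovery first."""
    gaps = [(c, deduction(c, assessment.get(c, Status.NOT_IMPLEMENTED)))
            for c in WEIGHTS]
    return sorted([g for g in gaps if g[1]], key=lambda g: (-g[1], g[0]))

# Constructed shop: MFA for admins and remote users only, drawings e-mailed in
# the clear, logs collected but never reviewed, an IR plan drafted but never exercised.
SHOP = {
    "3.1.1": Status.IMPLEMENTED, "3.1.5": Status.NOT_IMPLEMENTED,
    "3.2.1": Status.IMPLEMENTED, "3.3.1": Status.IMPLEMENTED,
    "3.3.3": Status.NOT_IMPLEMENTED, "3.5.3": Status.PARTIAL,
    "3.6.1": Status.PARTIAL, "3.13.8": Status.NOT_IMPLEMENTED,
    "3.13.11": Status.PARTIAL, "3.13.16": Status.IMPLEMENTED,
}
print("score:", sprs_score(SHOP), "gaps:", remediation_order(SHOP))
```

The score printed is relative to this ten-control subset only; a real submission must account for all 110 controls.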
We see the same patterns across manufacturing clients:
Multi-factor authentication: many shops still run passwords-only on shop floor workstations and legacy systems. This is a 5-point control you might be missing.
Encryption of CUI: sending technical drawings and specs via unencrypted email is more common than you’d think. CUI must be encrypted in transit and at rest.
Incident response: a documented plan, trained personnel, and detection and recovery capabilities. Most small manufacturers have none of this.
Access control: administrator access for everyone and no formal access control policies. This is exactly what assessors look for.
Security awareness training: formal training for all employees. Not just IT. Everyone.
The average honest score we see runs 30-70 points below what manufacturers reported.
Before you submit or update your score, answer these honestly:
If you hesitated on any of these, your score needs work.
Not all gaps are equal. Here’s where to focus first:
Deploy MFA everywhere, especially on email and network access. This alone can move the needle 10-20 points.
Get CUI off unencrypted file servers and into protected locations. Both in transit and at rest.
You need audit logs, protected and retained, with regular review. This is often overlooked.
Break up shared accounts. Implement least privilege. Document it.
These four areas represent the fastest path to a better score without a full system overhaul.
Here’s why accuracy matters more than you think.
The False Claims Act imposes penalties for false representations to the government. If your SPRS score is optimistic and an auditor finds gaps, you’re exposed.
We see manufacturers who reported scores in the 80s but honestly sit at 40-50 after independent assessment. The correction feels risky. But continuing with an inaccurate score is far more dangerous.
Update your score. Show the DoD you’re addressing gaps. That’s better than waiting for an audit to reveal what you already knew.
Capital Cyber works with defense manufacturers to close SPRS gaps and prepare for CMMC assessment. We understand manufacturing environments and the reality of shop floor IT.
Schedule a call with Rick to get an honest assessment of where you stand.
Capital Cyber | 1019B Edwards Ferry Rd. #1183, Leesburg, VA 20176.
A cybersecurity firm providing IT, not an IT company providing cybersecurity.