What is the minimum SPRS score to be eligible for a DoD contract?

The theoretical minimum score is -203 (all 110 NIST SP 800-171 controls missing). DoD does not require a minimum score for award, but contracting officers use scores as a risk indicator. Scores below 70 often trigger additional scrutiny.

How is the NIST SP 800-171 assessment score calculated?

Start at 110 points. Each unimplemented control deducts points based on its weight (1, 3, or 5 points). A fully compliant system scores 110. The score can go negative if many high-weight controls are missing.

How do we post our score to SPRS?

Log in to SPRS (sprs.csd.disa.mil) with your PIV or CAC card. Navigate to the NIST SP 800-171 Assessment section and enter your score, assessment date, and system boundary information. You'll need your CAGE code.

Is a self-assessment sufficient or do we need a third-party assessment?

For most contracts, a self-assessment is sufficient for 252.204-7019. However, CMMC Level 2 contracts (252.204-7021) require a C3PAO third-party assessment. The two clauses often appear together.

Critical RiskDFARSCybersecurity

252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements

Last updated: 2026-04-09

Researched by the BidStride Research Team

What This Clause Requires

Offerors must have a current (not older than 3 years) NIST SP 800-171 DoD Assessment on record in SPRS before contract award. Requires a minimum score of -203 or above.

Official Regulation Text

See 48 CFR 252.204-7019 for the full regulatory text. This clause requires offerors and contractors to post a current NIST SP 800-171 assessment score in SPRS (Supplier Performance Risk System) before contract award. Assessments must be dated within 3 years of the contract award date.
Source: eCFR, 48 CFR 252.204-7019

Compliance Checklist

Complete a NIST SP 800-171 self-assessment and post results to SPRS
Assessment must be dated within 3 years of contract award date
Score must be calculated per the DoD Assessment Methodology
Maintain a System Security Plan (SSP) and Plan of Action & Milestones (POA&M)

Flow-Down to Subcontractors

Flow-down required

This clause must be included in subcontracts with all subcontractors at all tiers where the subcontractor will perform work covered by this clause. Typically appears in contract Sections H, I, L.

Frequently Asked Questions

BidStride automatically scans your RFPs for 252.204-7019

Stop hunting through solicitations manually. BidStride identifies every FAR and DFARS clause in your RFP, flags risk level, and surfaces compliance requirements before you submit your bid.

This summary is for informational purposes only and reflects the BidStride Research Team's plain-English interpretation of the regulation. It is not legal advice and does not constitute an attorney-client relationship. Always consult the official Federal Acquisition Regulation (FAR) or Defense Federal Acquisition Regulation Supplement (DFARS) text and qualified legal counsel for compliance decisions.