CMMC Compliance Guide

How to Improve Your SPRS Score Before It Costs You Contracts

CMMC Compliance Guide Episode 16

Submit any questions you would like answered on the podcast!

Is your SPRS score putting your DoD contracts at risk? In this episode of the CMMC Compliance Guide, we break down exactly what the SPRS score is, why it matters, and how to improve it fast—before you lose out on federal work.

Whether you're stuck at -72 or hovering at 80, we’ll walk you through how to get to 110 with practical, plain-English guidance. From gap analysis to POA&Ms, system security plans, encryption, MFA, and the best GRC tools—we’re covering it all.

👉 Schedule your FREE SPRS Roadmap Session (Limited Time): www.cmmccomplianceguide.com/free-sprs-roadmap
✅ $1,500 Value — No pitch, no pressure. Just expert help.

🎯 What You'll Learn:
✅ What an SPRS score is and why it matters
✅ How to assess your current score (and why most are wrong)
✅ What documentation and tech controls you must have
✅ How to get to 110 — even if you're starting from a negative score

Stacey:

Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey.

Brooke:

And I'm Brooke.

Stacey:

From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're diving into one of the most misunderstood and critical parts of DoD compliance. Your SPRS score or SPRRS score.

Brooke:

Right.

Stacey:

If your score isn't where it should be, you could be losing contracts without even knowing it. Brooke, let's help our listeners figure out exactly how to improve it. Let's start with the basics. What exactly is the SPURS score or SPRS score, and why is it so important for DoD contractors right now?

Brooke:

Your SPRS score is basically an evaluation of your compliance level, where you're at in your compliance journey. You start at, basically you start at 110 points. And then there's controls that are worth one, three, or five points. And so for everyone that's not fully implemented, and I stress that fully implemented because you could have, you know, two of the objectives of that control met but not the other. And so if you have one out of three not met, not implemented, then it's just not implemented. You get a deduction for that score. So it's: take the points off, and you can definitely, 100%, you can end up with a very low negative score. We're starting to see where they want higher scores for contracts. If you've got 110, great, good on you, but you better make sure it's 110 that you just didn't go through and check a bunch of boxes off. You don't want to face anything like the False Claims Act or anything. That would be not good.

Stacey:

So what's the first thing contractors should do to improve their score?

Brooke:

Well, the first thing you should do to improve your score really is to do a good thorough gaps analysis. And really that's assuming that you've already done the pre-work for that, which is understanding what CUI you might have and understanding the data flow of that CUI. So if you understand that, then you need to do a good gaps analysis and figure out where your gaps are. I mean, that's what a gaps analysis is for. Once you figure that out, then you can start looking at what exactly you need to do to improve your score.

Stacey:

Once they've identified the gaps, what's next?

Brooke:

Once you've identified your gaps, basically put together a POAM, but you want to look at where you can make the biggest bang for your buck, what you can accomplish, and usually one of the higher points deductions are going to be the ones you want to address first. When you do your POAM, you develop some projects from that. A lot of these, you can develop a project that will hit several of these controls, and they may roll in together a whole bunch of one-pointers or some one-pointers and three-pointers. Try to develop those projects to get the most bang out of your buck to hit as many of those controls.

Stacey:

Let's talk about your favorite topic, documentation. It's a hot topic here at CMMC Compliance Guide Pod.

Brooke:

It is, definitely.

Stacey:

What do contractors need to have in place to support their score?

Brooke:

Well, of course, you need your SSP, your system security plan, in place. That's a no-brainer. If you don't have that in place, you just, you fail the whole thing. I mean, really, if you don't have an SSP in place, you're done. So you've got to have your SSP in place, but more than that, if you're not at 110, you've got to have your POAM in place. And so you've got to have your POAM with timelines, realistic timelines, not, yes, I'm going to meet this 20 years down the road. You've got to have all your policies. You've got to have policies that address all of these things. You've got to have authorized lists. You've got to have procedures and plans to do these things. NIST 800-171 and CMMC reference all this. So you've got to have all that stuff in place. You can't do this without an absolute ton of documentation. And that's not even to mention all the proof you're going to need for how you meet those controls whenever you get assessed.

Stacey:

What are some technical areas that companies should focus on next?

Brooke:

Access control is huge. You know, who has access to what and how they access it. Going along with that, you know, that access, implement the idea of least privilege. Just give people exactly what they need to accomplish their job. That goes along with how you configure all the systems too. Just the necessary functions to be able to operate. No extraneous stuff. Multi-factor authentication is a big one, and anything over the network or admin has to have MFA enabled. Of course, any cloud solution, anything over the network in your area, any admin function at all needs to have MFA. So pretty much everything needs to have MFA. And then encryption is another big thing. You've got to have all your CUI encrypted. That encryption has to meet FIPS validated encryption standards. So it's got to be FIPS validated encryption modules. So they've got to be approved on the FIPS list. They've got to be approved on the FIPS list and show up there, because when an assessor comes to assess you, you've got to be able to say, here's the FIPS modules that we use. That's another one of those documentation things that we talked about that you have to have documented. This is the FIPS encryption for this. This is the FIPS encryption for that. You've got to have all that documented. The other thing you need to implement is secure media handling procedures and how you handle that. And that's digital and paper, you know. So you've got to be able to handle those, you know, locked filing cabinets, locked room, and all that kind of fun stuff.

Stacey:

Going a little beyond the tech, what else makes a big difference?

Brooke:

Continuous monitoring and management, really, is what's required by CMMC, as well as incident handling capabilities, right? Incident response capabilities. In those also is some tech as well, you know, ongoing monitoring and management. You want to make sure you deploy, have some sort of SIEM working for you. Another thing that's not tech is going to be your ongoing training, your cybersecurity training, your role-based training. You need to make sure you get those taken care of. Foster a security-centric, security-first mindset for your employees that don't necessarily have that mindset. If you do that security awareness training, that helps keep cybersecurity maybe not the first thing in their mind, but somewhere there in their mind, rolling around, so they realize that they have to pay attention to those emails or whatever it may be and not click on the wrong thing.

Stacey:

For companies that feel overwhelmed, are there tools that can help speed things up?

Brooke:

Sure, there are tools that can help speed things up and kind of help keep everything organized. One of the things that we've talked about a lot is a GRC platform, a governance, risk, and compliance platform. But that's kind of included in some other things as well. The Microsoft GCC High platform has some assessment capabilities in it that will kind of help you out. I'd argue that that one's kind of a little hard to use, but it is there, and it does help you knock the stuff out that's detailed towards GCC High if that's what you're using. Same thing with other platforms. Exostar has some stuff. Good platform. Any good GRC platform is going to help you through this and kind of guide you through it. One that we use a lot is Future Feed. We really like Future Feed. It works well. And they have all sorts of things to help guide you through it. All these tools are great. Just make sure they align with your needs and just realize that they aren't necessarily silver bullets and they'll do everything for you.

Stacey:

If someone's listening right now and thinking, where do I even start? What can they do?

Brooke:

They can grab our free SPRS roadmap. It's a 90-minute session. We review your current self-assessment. We identify major gaps. We give you a step-by-step plan to get to a 110. Normally, it's a $1,500 value, but it's free for a limited time, very limited time. There's no pitch, no pressure, just our expert help. That's what that entails.

Stacey:

This sounds like it's up your alley. You can just check the link in the description below, and you can go ahead and book a time for that free SPRS roadmap. Spots are limited, so as Brooke would say, don't wait. If you have questions about what we covered, reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share.
