Working with SPRS scoring
The Supplier Performance Risk System (SPRS) score measures progress towards cyber security compliance with NIST 800-171, as required by the CMMC proposed rule. For detailed information on SPRS scoring, review the following resources:
The SPRS score ranges from a maximum of 110 points to a minimum of -203. Points are awarded for each requirement that is implemented.
Using Hyperproof, you can continuously calculate your SPRS score and monitor your progress towards compliance. Hyperproof supports SPRS scoring by providing a scoring mechanism that is linked to the NIST 800-171 security requirements in the NIST 800-171 and CMMC 2.0 Level 2 and 3 frameworks. Those are the only frameworks that support SPRS scoring.
To use SPRS scoring:
Confer with your DoD program manager or prime contractor to determine the implementation of your NIST 800-171 program.
Review and understand how the SPRS score is calculated. See Understanding the SPRS score calculation.
Update and review the SPRS status and calculated score for the affected requirements. See SPRS statuses and Updating requirement SPRS statuses.
Record any deficiencies in a POA&M. Many organizations use the Risk Register or Issues features to record deficiencies. See Risk Register and Work items: Issues.
Review the program dashboard to monitor your SPRS score. See Understanding the SPRS scoring widgets.
Export the results of the scoring to memorialize the Total Score and Status values. See Exporting your SPRS score and statuses.
Watch this video for a short overview about SPRS scoring and Hyperproof.