If your defense contracts carry the DFARS 252.204-7019 and 7020 clauses, you have to complete a NIST SP 800-171 self-assessment and post the resulting score to the Supplier Performance Risk System. That score is not a private internal metric. A prime contractor checks it before awarding you a subcontract, which means a number you may never have thought about is quietly deciding whether you win work. Most contractors do not understand how it is calculated, post an optimistic figure, and discover the problem only when a deal goes quiet for reasons nobody states out loud. This is how the score actually works.
The scoring starts at 110 and counts down
The methodology is subtraction, not addition. You begin at a perfect 110, which represents all 110 NIST SP 800-171 requirements implemented, and you lose points for each requirement you have not met. The crucial detail is that the deductions are weighted. Not every control is worth the same. The DoD Assessment Methodology assigns each requirement a value of 1, 3, or 5 points based on how much risk its absence creates, so missing a high-impact control like multifactor authentication costs you far more than missing a minor one.
That weighting has a consequence people find startling the first time they see it: the score can go well below zero. If you are missing enough high-weight controls, the deductions stack past 110 and into negative territory. A negative SPRS score is not a rounding quirk. It is a precise signal that your security program has significant, high-risk gaps, and anyone reading it knows exactly what it means.
A partially implemented control rarely earns partial credit
The second thing that surprises contractors is how binary the scoring is. For most requirements you either meet it or you do not. "We are mostly there" usually scores as not met, and you lose the full weighted value. There are narrow, defined exceptions where a control can be scored as partially implemented, but you cannot assume them, and you cannot talk your way into points. This is why an honest self-assessment so often lands lower than the optimistic one a contractor would post if they were guessing. The methodology does not reward intentions.
Why an inflated score is the expensive mistake
The temptation is obvious. A higher number reads better to a prime, so why not post 100 instead of the 72 your gaps actually justify? Because the score is a representation you are making, backed by documentation that has to support it. The moment your number outruns what your System Security Plan and evidence can prove, you have created a gap between what you claimed and what you can demonstrate, and that gap is exactly what a third-party assessment exists to find. An inflated score does not buy you anything durable. It defers the problem to the worst possible moment and adds a credibility question on top of the compliance one.
A truthful score, even a low one, is a stronger position than a fragile high one, because it comes with a documented plan. Which is the other half of the picture.
How you actually raise the number
You raise your SPRS score by closing real gaps, and you do it in the order the weighting dictates. Start with the 5-point controls, because each one you implement recovers the most. Work down to the 3-point and 1-point items. That sequencing turns a daunting list of 110 requirements into a prioritized path where your early effort produces the largest score movement, which is also the most persuasive thing to show a prime: not a perfect score, but a real one that is visibly climbing on a documented plan.
To do any of that, you first need to know your real score, computed control by control with the correct weights, and you need the documentation underneath it to hold up. That is the work: a self-assessment that scores all 110 requirements with their proper point values, a System Security Plan that substantiates every "met," and a Plan of Action and Milestones that accounts for every gap with a date against it. Done that way, the number you post to SPRS is one you can defend, the remediation plan is one a prime can trust, and the score stops being a liability you hope nobody examines and becomes evidence that your program is real and improving.
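The arithmetic described above, worked through as an added example (not part of the original article and not the DoD's own tooling). The requirement IDs, the sample gaps and the partial-credit value are constructed placeholders; real weights and the defined partial-credit exceptions must be taken from the DoD Assessment Methodology.

```python
from dataclasses import dataclass
from typing import Optional
MAX_SCORE = 110             # every requirement implemented
VALID_WEIGHTS = {1, 3, 5}   # point values the methodology assigns

@dataclass(frozen=True)
class Finding:
    req_id: str                              # placeholder ID, constructed
    weight: int                              # full deduction when not met
    status: str                              # "met", "not_met" or "partial"
    partial_deduction: Optional[int] = None  # only where an exception is defined

def deduction(f: Finding) -> int:
    """Points lost for one requirement; partial work loses full weight by default."""
    if f.weight not in VALID_WEIGHTS:
        raise ValueError(f"{f.req_id}: weight must be 1, 3 or 5")
    if f.status == "met":
        return 0
    if f.status not in ("not_met", "partial"):
        raise ValueError(f"{f.req_id}: unknown status {f.status!r}")
    if f.status == "partial" and f.partial_deduction is not None:
        if not 0 < f.partial_deduction < f.weight:
            raise ValueError(f"{f.req_id}: bad partial deduction")
        return f.partial_deduction
    return f.weight

def sprs_score(findings) -> int:
    """Start at 110 and subtract; the result may be negative."""
    return MAX_SCORE - sum(deduction(f) for f in findings)

def remediation_path(findings):
    """List (req_id, score once closed), largest recovery first."""
    score, path = sprs_score(findings), []
    gaps = (f for f in findings if deduction(f) > 0)
    for f in sorted(gaps, key=lambda f: (-deduction(f), f.req_id)):
        score += deduction(f)
        path.append((f.req_id, score))
    return path

# Constructed sample: only the gaps are listed, everything else is "met".
SAMPLE = (
    [Finding(f"HI-{i}", 5, "not_met") for i in (1, 2, 3)]
    + [Finding("HI-4", 5, "partial", partial_deduction=3)]  # assumed exception
    + [Finding(f"MED-{i}", 3, "not_met") for i in (1, 2, 3, 4)]
    + [Finding("MED-5", 3, "partial")]                       # no exception: full 3
    + [Finding(f"LOW-{i}", 1, "not_met") for i in range(1, 6)]
)
if __name__ == "__main__":
    print(sprs_score(SAMPLE), remediation_path(SAMPLE))
```

The sample gaps total 38 points of deductions, which gives the 72 used as the honest figure above; closing the three full 5-point gaps first moves the score to 87 before any lower-weight item is touched.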