
April 11, 2025 9 mins


Is your SPRS score putting your DoD contracts at risk? In this episode of the CMMC Compliance Guide, we break down exactly what the SPRS score is, why it matters, and how to improve it fast—before you lose out on federal work.

Whether you're stuck at -72 or hovering at 80, we’ll walk you through how to get to 110 with practical, plain-English guidance. From gap analysis to POA&Ms, system security plans, encryption, MFA, and the best GRC tools—we’re covering it all.

👉 Schedule your FREE SPRS Roadmap Session (Limited Time):  www.cmmccomplianceguide.com/free-sprs-roadmap
✅ $1,500 Value — No pitch, no pressure. Just expert help.

🎯 What You'll Learn:
✅ What an SPRS score is and why it matters
✅ How to assess your current score (and why most are wrong)
✅ What documentation and tech controls you must have
✅ How to get to 110 — even if you're starting from a negative score

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Stacey (00:00):
Hey there. Welcome to the CMMC Compliance Guide Podcast. I'm Stacey.

Brooke (00:04):
And I'm Brooke.

Stacey (00:05):
From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free. So if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today we're diving into one of the most misunderstood and

(00:28):
critical parts of DoD compliance: your SPRS score, or "spurs" score.

Brooke (00:33):
Right.

Stacey (00:34):
If your score isn't where it should be, you could be losing contracts without even knowing it. Brooke, let's help our listeners figure out exactly how to improve it. Let's start with the basics. What exactly is the SPRS score, or "spurs" score, and why is it so important for DoD contractors right now?

Brooke (00:50):
Your SPRS score is basically an evaluation of your compliance level, where you're at in your compliance journey. You start at, basically you start at 110 points, and then there's controls that are worth one, three, or five points. And so for every one that's not fully implemented, and I stress that fully implemented because you could have, you know, two of

(01:13):
the objectives of that control met but not the other. And so if you have one out of three not met, not implemented, then it's just not implemented. You get a deduct for that score. So it's, take the points off, and you can definitely, 100%, you can end up with a very low negative score.

(01:35):
We're starting to see where they want higher scores for contracts. If you've got 110, great, good on you, but you better make sure it's 110 that you just didn't go through and check a bunch of boxes off. You don't want to face anything like the False Claims Act or anything. That would be not good.

Stacey (01:55):
So what's the first thing contractors should do to improve their score?

Brooke (01:59):
Well, the first thing you should do to improve your score really is to do a good, thorough gaps analysis. And really that's assuming that you've already done the pre-work for that, which is understanding what CUI you might have and understanding the data flow of that CUI. So if you understand that, then you need to do a good gaps

(02:20):
analysis and figure out where your gaps are. I mean, that's what a gaps analysis is for. Once you figure that out, then you can start looking at what exactly you need to do to improve your score.

Stacey (02:30):
Once they've identified the gaps, what's next?

Brooke (02:33):
Once you've identified your gaps, basically put together a POA&M, but you want to look at where you can make the biggest bang for your buck, what you can accomplish, and usually one of the higher point deductions are going to be the ones you want to address first. When you do your POA&M, you develop some projects from that. A lot of these, you can develop a project that will hit several of these controls, and they may roll in together a whole bunch

(02:56):
of one-pointers, or some one-pointers and three-pointers. Try to develop those projects to get the most bang out of your buck to hit as many of those controls.

Stacey (03:03):
Let's talk about your favorite topic, documentation. It's a hot topic here at CMMC Compliance Guide Pod.

Brooke (03:09):
It is, definitely.

Stacey (03:11):
What do contractors need to have in place to support their score?

Brooke (03:14):
Well, of course, you need your SSP, your system security plan, in place. That's a no-brainer. If you don't have that in place, you just, you fail the whole thing. I mean, really, that's, if you don't have an SSP in place, you're done. So you've got to have your SSP in place, but more than that, if you're not at 110, you've got to have your POA&M in place. And so you've got to have your POA&M with timelines, realistic

(03:39):
timelines, not, yes, I'm going to meet this 20 years down the road. You've got to have all your policies. You've got to have policies that address all of these things. You've got to have authorized lists. You've got to have procedures and plans to do these things. NIST 800-171 and CMMC reference all this. So you've got to have all that stuff in place. You can't do this without an absolute ton of documentation.

(04:02):
And that's not even to mention all the proof you're going to need for how you meet those controls whenever you get assessed.

Stacey (04:09):
What are some technical areas that companies should focus on next?

Brooke (04:13):
Access control is huge. You know, who has access to what and how they access it. Go along with that, you know, that access. Implement the idea of least privilege. Just give people exactly what they need to accomplish their job. Goes along with how you configure all the systems too. Just the necessary functions. Be able to operate. No extraneous stuff.

(04:34):
Multi-factor authentication is a big one, and anything over the network or admin has to have MFA enabled. Of course, any cloud solution, anything over the network in your area, any admin function at all needs to have MFA. So pretty much everything needs to have MFA. And then encryption is another big thing. You've got to have all your CUI encrypted. That encryption has to meet FIPS validated encryption

(04:57):
standards. So it's got to be FIPS validated encryption modules. So they've got to be approved on the FIPS list. If they're not approved on the FIPS list and show up, because when an assessor comes to assess you, you've got to be able to say, here's the FIPS modules that we use. That's another one of those documentation things that we

(05:18):
talked about that you have to have documented. This is the FIPS encryption for this. This is the FIPS encryption for that. You've got to have all that documented. The other thing you need to implement is secure media handling procedures and how you handle that. And that's digital and paper, you know.

(05:38):
So you've got to be able to handle those, you know, locked filing cabinets, locked room, and all that kind of fun stuff.

Stacey (05:45):
Going a little beyond the tech, what else makes a big difference?

Brooke (05:49):
Continuous monitoring and management, really, is what's required by CMMC, as well as incident handling capabilities, right? Incident response capabilities. In those also is some tech as well, you know, ongoing monitoring and management. You want to make sure you deploy, have some sort of SIEM working for you.

(06:09):
Another thing that's not tech is going to be your ongoing training, your cybersecurity training, your role-based training. You need to make sure you get those taken care of. Foster a security-centric, security-first mindset for your employees that don't necessarily have that mindset. If you do that security awareness training, that helps

(06:31):
keep cybersecurity maybe not the first thing in their mind, but somewhere there in their... and their mind rolling around so they realize that they have to pay attention to those emails or whatever it may be and not click on the wrong thing.

Stacey (06:44):
For companies that feel overwhelmed, are there tools that can help speed things up?

Brooke (06:48):
Sure, there are tools that can help speed things up and kind of help keep everything organized. One of the things that we've talked about a lot is a GRC platform, a governance, risk, and compliance platform. But that's kind of included in some other things as well. Some Microsoft GCC High platform, the Microsoft GCC High platform has some assessment capabilities in it that will

(07:13):
kind of help you out. I'd argue that that one's kind of a little hard to use, but it is there, and it does help you knock the stuff out that's detailed towards GCC High if that's what you're using. Same thing with other platforms. Exostar has some stuff. Good platform. Any good GRC platform is going to help you through this and

(07:34):
kind of guide you through it. One that we use a lot is FutureFeed. We really like FutureFeed. It works well. And they have all sorts of things to help guide you through it. All these tools are great. And just make sure they align with your needs and just realize that they aren't necessarily silver bullets and will do everything for you.

Stacey (07:53):
If someone's listening right now and thinking, where do I even start? What can they do?

Brooke (07:58):
They can grab our free SPRS roadmap. It's a 90-minute session. We review your current self-assessment. We identify major gaps. We give you a step-by-step plan to get to a 110. Normally, it's a $1,500 value, but it's free for a limited time, very limited time. There's no pitch, no pressure, just our expert help. That's what that entails.

Stacey (08:19):
This sounds like it's up your alley. You can just check the link in the description below, and you can go ahead and book a time for that free SPRS roadmap. Spots are limited, so as Brooke would say, don't wait. If you have questions about what we covered, reach out to us. We're here to help fast-track your compliance journey. Text, email, or call in your questions and we'll answer them

(08:39):
for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant and stay secure. Like, subscribe, and share.