CUI Registry

The National Archives and Records Administration manages an online searchable repository of CUI data at .

Use the service to help determine the classification of data and to inform your policies and conversations – reach out to your prime or agency of record for specifics regarding your project.

What is an SPRS score?

An SPRS Score is a numerical representation of your NIST 800-171/53 compliance maturity level. This score is used to determine your eligibility to receive awards from the DOD.

What does SPRS stand for?

Supplier Performance Risk System

What is the SPRS system?

The Supplier Performance Risk System documents vendor self assessment results for DOD Acquisition Professionals. This system is ONLY used by DOD personnel – not primes or subs.

How do you get an SPRS score?

You get an SPRS score from conducting a self assessment of your NIST 800-171/53 adoption/compliance.

What is an SPRS score?

An SPRS score is calculated based upon your “adoption” and “maturity of” adoption of specific NIST controls. You will use a pre-formatted spreadsheet to conduct your analysis and arrive at a score.

Where do I get a spreadsheet for calculating my SPRS score?

Roll your own from the documentation OR contact us and we will send you one.

What will we need?

A current CAGE Code

Can I create an SPRS score myself or would you recommend assistance from a Infosec Professional?

An InfoSec professional familiar with the process will save you time and be able to identify systems/services that may improve your score. You may not need much help, but laser focused assistance can save you a lot of time and money.

How do we get started?

DIB Frameworks

Compliance Frameworks

Federal Acquisition Regulation Clause (FAR)

  • 15 Practices
  • Self Attestation

Defense Federal Acquisition Regulation Supplement DFARS

  • NIST 800-171
  • Self Attestation
  • SSP & POAM

The Federal Information Security Management Act (FISMA)

  • NIST 800-53


  • Cybersecurity framework and maturity model that combines the above + additional practices identified by the DOD and industry


Federal Contract Information


FCI is information provided by or generated for the Government under contract not intended for public release. (FARS)

Federal Acquisition Regulation Clause 52.204-21

Required Protection

  • 15 CMMC Controls
  • 17 NIST Practices
  • CMMC Equivalency: Level 1


Controlled Unclassified Information


Information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Defense Federal Acquisition Regulation Supplement DFARS Clause 252.204-7012

CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.

Required Protection

  • NIST 800-171
  • 130 Practices
  • CMMC Equivalency: Level 3 or higher