
SPRS Scores and Cloud Security Architecture

Updated March 2026 · 7 min read

Every defense contractor handling Controlled Unclassified Information has a SPRS score. The Supplier Performance Risk System score — derived from a self-assessment against NIST SP 800-171 — tells contracting officers whether your cybersecurity posture meets the minimum bar for handling CUI. Scores range from -203 (no controls implemented) to 110 (full implementation). The DoD checks SPRS before awarding contracts. A low score doesn't just mean compliance risk — it means lost contracts.

Rutagon engineers the cloud security architecture that moves SPRS scores from failing to passing. Not by filling out spreadsheets or writing policies that collect dust — by implementing the actual technical controls in production infrastructure. When a defense contractor's SPRS score is red, the problem isn't documentation. The problem is architecture.

What SPRS Actually Measures

The SPRS assessment maps to 110 security requirements across 14 control families in NIST 800-171 Rev 2. Each unimplemented control carries a negative weight. The math is straightforward: start at 110, subtract points for every control not fully implemented, and the result is your score.

The controls that carry the heaviest negative weights — and therefore tank scores the fastest — are concentrated in a few families:

Control Family                             | Max Negative Impact | Common Gaps
-------------------------------------------|---------------------|-------------------------------------------------------------
Access Control (3.1)                       | -28                 | No MFA, shared accounts, excessive permissions
Audit & Accountability (3.3)               | -20                 | No centralized logging, missing audit trails
Configuration Management (3.4)             | -14                 | No baseline configs, uncontrolled changes
Identification & Authentication (3.5)      | -18                 | Weak passwords, no session timeouts, no OIDC
System & Communications Protection (3.13)  | -16                 | Unencrypted data at rest/in transit, no network segmentation

A contractor with gaps in just these five families can easily score below zero. And below zero is where contracts stop flowing.

How Rutagon Addresses the Architecture

When Rutagon engineers a SPRS remediation, the work is infrastructure — not policy documents. Every control maps to a specific technical implementation:

Access Control: Zero Trust by Default

The biggest point losses come from access control failures. Shared credentials, standing admin access, and missing MFA account for the most common gaps Rutagon addresses:

# Terraform — enforce MFA on all IAM users
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

# Require MFA for all console access: deny every action except the handful a
# user needs to enrol their own MFA device, whenever the session has no MFA.
data "aws_iam_policy_document" "require_mfa" {
  statement {
    sid    = "DenyAllExceptMFA"
    effect = "Deny"
    not_actions = [
      "iam:CreateVirtualMFADevice",
      "iam:EnableMFADevice",
      "iam:GetUser",
      "iam:ListMFADevices",
      "iam:ListVirtualMFADevices",
      "iam:ResyncMFADevice",
      "sts:GetSessionToken"
    ]
    resources = ["*"]
    condition {
      # BoolIfExists: a request with no aws:MultiFactorAuthPresent key at all
      # (for example one signed with a long-term access key) is also denied.
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

# The policy document on its own enforces nothing; it must be created as a
# managed policy and attached. Here it is attached to a group that every human
# user belongs to (the group name "all-users" is a placeholder).
resource "aws_iam_policy" "require_mfa" {
  name   = "RequireMFA"
  policy = data.aws_iam_policy_document.require_mfa.json
}

resource "aws_iam_group_policy_attachment" "require_mfa" {
  group      = "all-users"
  policy_arn = aws_iam_policy.require_mfa.arn
}

Beyond password policy, Rutagon eliminates long-lived credentials entirely through OIDC federation. CI/CD pipelines authenticate with short-lived tokens. No AWS access keys stored anywhere — not in environment variables, not in secrets managers, not on developer laptops. When there are no credentials to steal, the blast radius of a compromise drops to near zero.
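The federation just described, as an added example (not code from this page or from Rutagon): GitHub Actions is assumed as the OIDC identity provider, and the repository "example-org/example-repo", the role name "ci-deploy" and the artifact bucket name are placeholders.

```hcl
# Added example, not Rutagon's code. Assumes GitHub Actions as the CI/CD
# identity provider and the placeholder repository "example-org/example-repo".

# Register GitHub's OIDC issuer with IAM. The thumbprint is a placeholder:
# replace it with the issuer's current certificate thumbprint before applying.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["0000000000000000000000000000000000000000"] # placeholder
}

# Trust policy: only a workflow running from the main branch of one named
# repository may assume the role, and only with the expected audience.
data "aws_iam_policy_document" "ci_trust" {
  statement {
    sid     = "GitHubActionsAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Pin the subject exactly. A wildcard such as "repo:example-org/*" would
    # let any repository in the organisation obtain deployment credentials.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/example-repo:ref:refs/heads/main"]
    }
  }
}

# The deployment role. Sessions expire after one hour (the minimum allowed);
# there is no access key to rotate, leak or store.
resource "aws_iam_role" "ci_deploy" {
  name                 = "ci-deploy" # placeholder name
  assume_role_policy   = data.aws_iam_policy_document.ci_trust.json
  max_session_duration = 3600
}

# Least-privilege permissions for the pipeline, scoped to the deploy target.
data "aws_iam_policy_document" "ci_deploy" {
  statement {
    effect  = "Allow"
    actions = ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::org-deploy-artifacts-example",   # placeholder bucket
      "arn:aws:s3:::org-deploy-artifacts-example/*",
    ]
  }
}

resource "aws_iam_role_policy" "ci_deploy" {
  name   = "ci-deploy-permissions"
  role   = aws_iam_role.ci_deploy.id
  policy = data.aws_iam_policy_document.ci_deploy.json
}
```

The workflow side needs only the role ARN and the `id-token: write` job permission; the CI system holds no AWS secret. The two conditions matter together: `aud` stops a token minted for another service from being replayed here, and the exact `sub` stops other repositories or branches from assuming the role.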

Audit and Accountability: Immutable Logging

NIST 800-171 requires audit records that capture who did what, when, and from where — and those records must be protected from tampering. Rutagon implements this with CloudTrail feeding into a dedicated log archive account with S3 Object Lock:

resource "aws_s3_bucket" "audit_logs" {
  bucket = "org-audit-logs-${var.account_id}"

  # AWS provider v4+ argument; the older object_lock_configuration block on
  # this resource is deprecated. Enabling Object Lock also enables the bucket
  # versioning that it requires.
  object_lock_enabled = true
}

resource "aws_s3_bucket_object_lock_configuration" "compliance" {
  bucket = aws_s3_bucket.audit_logs.id

  rule {
    default_retention {
      # COMPLIANCE mode: no principal can shorten the retention or delete a
      # locked object version before it expires; retention can only be extended.
      mode = "COMPLIANCE"
      days = 365
    }
  }
}

Compliance mode Object Lock means no one — not even the root account — can delete or modify log records during the retention period. When an assessor asks "can your admins tamper with audit logs?" the answer is architecturally enforced, not policy-dependent.
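The trail that feeds that bucket, as an added example (not code from this page or from Rutagon): it builds on the aws_s3_bucket.audit_logs resource shown above, is collapsed into a single account for brevity (in the dedicated log-archive design the bucket and its policy live in the archive account and the trail in each source account), and the trail name and the variable declaration are assumptions.

```hcl
# Added example, not Rutagon's code. Single-account layout for brevity;
# assumes the aws_s3_bucket.audit_logs resource from the block above.

variable "account_id" {
  type = string # the account whose trail delivers here (assumed declaration)
}

# Bucket policy: CloudTrail may check the ACL and write under its own prefix.
# Nothing else is granted; Object Lock on the bucket handles deletion.
data "aws_iam_policy_document" "audit_logs" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.audit_logs.arn]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }

  statement {
    sid       = "AWSCloudTrailWrite"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.audit_logs.arn}/AWSLogs/${var.account_id}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    # The bucket owner, not the writing service, must own every log object.
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id
  policy = data.aws_iam_policy_document.audit_logs.json
}

# The trail. Log file validation writes signed digest files every hour, so a
# missing or altered log file is detectable independently of the lock.
resource "aws_cloudtrail" "org" {
  name                          = "org-trail" # placeholder name
  s3_bucket_name                = aws_s3_bucket.audit_logs.id
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true

  depends_on = [aws_s3_bucket_policy.audit_logs]
}
```

Object Lock answers "can the logs be deleted?"; log file validation answers the separate question "is the set of logs complete and unaltered?", which is what an assessor checking the audit trail for gaps will ask next.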

Configuration Management: Infrastructure as Code

Uncontrolled configuration changes are a leading cause of SPRS score deficiencies. When infrastructure is provisioned manually through console clicks, there's no record of what changed, who changed it, or why. Rutagon eliminates this by managing all infrastructure through Terraform with strict version control:

  • Every infrastructure change is a pull request with peer review
  • Terraform state files are encrypted and versioned in S3
  • AWS Config rules continuously monitor for configuration drift
  • Automated remediation reverts unauthorized changes within minutes

The result: every system configuration is documented in code, every change is tracked in Git, and drift detection ensures reality matches the defined baseline. That's configuration management controls 3.4.1 through 3.4.9 addressed through architecture, not spreadsheets.
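The drift-detection and auto-remediation pair from the list above, as an added example (not code from this page or from Rutagon): it assumes an AWS Config configuration recorder and delivery channel already exist in the account, and an IAM role (the assumed variable remediation_role_arn) that SSM Automation may assume to modify S3 buckets. The rule and SSM document are AWS-managed ones; the scenario is a bucket someone opened to public read by hand in the console.

```hcl
# Added example, not Rutagon's code. Assumes a Config recorder and delivery
# channel exist, plus a role SSM Automation can assume (variable below).

variable "remediation_role_arn" {
  type = string # assumed: role with s3:PutBucketAcl / PutBucketPolicy rights
}

# Detect the drift: any bucket granting public read becomes NON_COMPLIANT
# on the next evaluation, regardless of how the change was made.
resource "aws_config_config_rule" "s3_public_read_prohibited" {
  name = "s3-bucket-public-read-prohibited"

  source {
    owner             = "AWS"
    source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
  }

  scope {
    compliance_resource_types = ["AWS::S3::Bucket"]
  }
}

# Revert it: run the AWS-managed SSM Automation document against the flagged
# bucket automatically, with a bounded number of attempts.
resource "aws_config_remediation_configuration" "s3_public_read_prohibited" {
  config_rule_name = aws_config_config_rule.s3_public_read_prohibited.name
  resource_type    = "AWS::S3::Bucket"
  target_type      = "SSM_DOCUMENT"
  target_id        = "AWS-DisableS3BucketPublicReadWrite"

  parameter {
    name         = "AutomationAssumeRole"
    static_value = var.remediation_role_arn
  }

  parameter {
    name           = "S3BucketName"
    resource_value = "RESOURCE_ID" # filled in by Config with the bucket it flagged
  }

  automatic                  = true
  maximum_automatic_attempts = 3
  retry_attempt_seconds      = 60
}
```

The remediation restores the security floor within minutes; the next Terraform run then re-asserts the full baseline. Both the rule evaluation and the remediation execution are themselves recorded by Config and CloudTrail, which is the evidence trail for 3.4.x rather than a change-management form.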

Encryption Everywhere

Data protection controls require encryption at rest and in transit. Rutagon deploys this as a non-negotiable baseline using AWS KMS with customer-managed keys:

  • All EBS volumes, S3 buckets, RDS instances, and DynamoDB tables encrypted with KMS CMKs
  • TLS 1.2+ enforced on all endpoints — no exceptions
  • KMS key policies restrict decryption to specific IAM roles
  • Key rotation automated on a 365-day cycle

When encryption is baked into the Terraform modules, every new resource inherits it automatically. Engineers don't have to remember to enable encryption — it's impossible to deploy without it.
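The baseline from the list above as an added example (not code from this page or from Rutagon): a customer-managed KMS key whose policy limits data operations to one application role (the assumed variable app_role_arn), a bucket that encrypts with it by default, and a bucket policy that refuses plaintext and any TLS version below 1.2. The bucket name is a placeholder.

```hcl
# Added example, not Rutagon's code. Names are placeholders; var.app_role_arn
# is the single role permitted to use the key for data operations.

variable "app_role_arn" {
  type = string
}

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "cui_key" {
  # Administration stays with the account root; AWS rejects a key policy that
  # would lock out the creating principal, and this keeps the key manageable.
  statement {
    sid       = "KeyAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Only the application role can encrypt or decrypt with the key.
  statement {
    sid       = "AppRoleUse"
    effect    = "Allow"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.app_role_arn]
    }
  }
}

resource "aws_kms_key" "cui" {
  description         = "Customer-managed key for CUI data"
  enable_key_rotation = true # automatic rotation; the default period is 365 days
  policy              = data.aws_iam_policy_document.cui_key.json
}

resource "aws_s3_bucket" "cui" {
  bucket = "org-cui-data-example" # placeholder
}

# At rest: objects written without an explicit encryption header still land
# encrypted under the CMK, so callers cannot forget to enable it.
resource "aws_s3_bucket_server_side_encryption_configuration" "cui" {
  bucket = aws_s3_bucket.cui.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.cui.arn
    }
    bucket_key_enabled = true
  }
}

# In transit: deny plaintext HTTP and TLS older than 1.2 for every principal.
data "aws_iam_policy_document" "cui_bucket" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.cui.arn, "${aws_s3_bucket.cui.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }

  statement {
    sid       = "DenyOldTls"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.cui.arn, "${aws_s3_bucket.cui.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "NumericLessThan"
      variable = "s3:TlsVersion"
      values   = ["1.2"]
    }
  }
}

resource "aws_s3_bucket_policy" "cui" {
  bucket = aws_s3_bucket.cui.id
  policy = data.aws_iam_policy_document.cui_bucket.json
}
```

Packaged as a module, the key policy, default encryption and transport deny travel with every bucket the module creates; a reviewer of a pull request can see in one place that a new data store cannot be provisioned unencrypted or reached over a downgraded connection.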

The SPRS-to-CMMC Pipeline

SPRS is the self-assessment today. CMMC Level 2 is the third-party certification coming for contracts requiring CUI protection. The same 110 controls apply — but under CMMC, a Certified Third-Party Assessment Organization (C3PAO) verifies implementation rather than accepting a self-assessment.

Rutagon engineers SPRS remediations with CMMC in mind. Every technical control implemented for the SPRS assessment is built to withstand C3PAO scrutiny:

  • Evidence is automated: Compliance artifacts are generated by CI/CD pipelines, not manually assembled before an audit
  • Controls are continuous: AWS Config, CloudTrail, and Security Hub provide real-time compliance monitoring — not point-in-time snapshots
  • Documentation is code: System Security Plans reference the actual Terraform modules that implement each control, creating a living document that stays current as infrastructure evolves

This approach means the SPRS remediation is also CMMC Level 2 preparation. One engineering effort satisfies both requirements.

What Buyers Should Expect

Government contracting officers evaluating SPRS scores should look for architectural evidence, not policy binders. The questions that reveal whether a contractor's SPRS score reflects real implementation:

  • "Show me your access control architecture." Look for zero standing access, OIDC-based authentication, and automated permission boundaries — not just an MFA policy that employees may or may not follow.
  • "Where are your audit logs stored?" Look for immutable storage in a separate account with compliance-mode retention — not CloudWatch logs in the same account as production.
  • "How do you manage configuration changes?" Look for infrastructure as code with version control and drift detection — not documented change management procedures that rely on humans following process.
  • "How do you prepare for assessment?" Look for automated evidence collection — not a team scrambling to gather screenshots before the assessor arrives.

Rutagon's clients pass assessments because the controls are architectural. They're not bolted on for compliance theater — they're how the systems actually work.

Frequently Asked Questions

What is a good SPRS score for winning DoD contracts?

A score of 110 indicates full NIST 800-171 implementation. Most contracting officers view scores above 70 as competitive, though requirements vary by contract. Any score below 0 is a significant red flag that will likely disqualify a contractor from CUI-handling contracts.

How long does it take to improve a SPRS score?

Timeline depends on the starting point and existing infrastructure. Rutagon typically engineers a 50-80 point SPRS improvement in 8-12 weeks for organizations with existing cloud infrastructure. Organizations starting from on-premises environments with no cloud presence require longer engagements.

Is SPRS going away when CMMC takes effect?

No. SPRS remains the self-assessment mechanism. CMMC Level 2 adds third-party verification on top of it. Contractors still submit SPRS scores, and C3PAO assessments verify that the self-reported score reflects actual implementation. A strong SPRS score backed by real architecture makes CMMC certification smoother.

Does Rutagon handle the SPRS assessment itself?

Rutagon engineers the technical controls — the infrastructure, automation, and monitoring that implement NIST 800-171 requirements. The assessment scoring and submission are performed by the contractor. Rutagon ensures that when the controls are assessed, they pass — because they're architecturally enforced, not policy-dependent.

What cloud provider does Rutagon use for SPRS remediation?

Rutagon's primary platform is AWS, with deep experience in GovCloud for CUI-handling environments. All infrastructure is managed through Terraform, making the architectural patterns portable across cloud providers when contract requirements demand multi-cloud or Azure/GCP implementations.
