FieldLedger
May 10, 2026

NIST 800-171 Self-Assessment Template — Free Download with SPRS Scoring Logic

Free downloadable NIST 800-171 self-assessment template for small contractors. All 110 controls, scoring logic, POA&M-ready format, ODP placeholders. Built for posting to SPRS without consultant fees.

This template covers all 110 NIST 800-171 Rev 2 controls, the official DoD scoring weights (1, 3, or 5 points per control), and the format you need to post a Supplier Performance Risk System (SPRS) score. Free download. No email required for the spreadsheet itself; the longer SSP narrative template is gated.

What this template does for you

Three deliverables in one workbook:

  1. Control implementation log — all 110 controls, family/control-ID, control text, your status (Implemented / Partial / Not Implemented / Not Applicable), evidence pointer, and notes.
  2. Auto-calculated SPRS score — formulas in the spreadsheet weight your status and produce a number from -203 to 110. This is the number you post to SPRS.
  3. POA&M draft — controls marked Partial or Not Implemented auto-populate a Plan of Action and Milestones tab with target-date and owner columns ready to fill in.

It does not write your SSP. The SSP is the longer narrative document that walks through how each control is implemented in your environment. The template gives you a structured place to gather the inputs the SSP will reference.

Get the template

Download the spreadsheet (XLSX, ~80KB). No email gate.

Get the SSP narrative template — the structured document a contracting officer or DIBCAC assessor will actually read. Email gated because it includes our internal interpretation guidance and we want to know who's using it.

How the SPRS scoring logic works

DoD's NIST SP 800-171 DoD Assessment Methodology assigns each control a value of 1, 3, or 5 points based on the impact of that control being unimplemented. Your starting score is 110 (perfect). Each unimplemented control subtracts its weight. Some controls have additional partial-credit logic.

A perfect 110 is possible but uncommon; most contractors with a mature implementation land between 70 and 100. The floor is -203 because every missing control subtracts its full weight, and some families contain many 5-point controls, so the deductions add up quickly.

Quick reference for the scoring weights:

  • 5-point controls (32 total) — high-impact controls. Examples: 3.1.1 (limit access), 3.1.2 (control flow), 3.5.1 (identify users), 3.13.1 (monitor boundaries), 3.13.5 (subnetworks), 3.14.2 (malicious code).
  • 3-point controls (15 total) — medium impact. Examples: 3.1.5 (least privilege), 3.5.2 (authenticate), 3.13.6 (deny by default).
  • 1-point controls (63 total) — lower impact. Mostly the remaining controls in each of the 14 families.

The full weighting is documented in the DoD methodology PDF and is built into the spreadsheet formulas.

How to use the template

Step 1 — Read each control honestly. The trap is checking "Implemented" because you sort-of-do-the-thing. The standard is whether you have evidence an auditor would accept. If a DIBCAC assessor asked "show me how 3.5.1 (identify users) is implemented for your timekeeping system," can you produce a screenshot of unique user accounts plus a screenshot of the access log within 5 minutes? If yes, Implemented. If no, Partial or Not Implemented.

Step 2 — Mark Partial only when half the work is done. The DoD methodology gives partial credit for some controls. Use it sparingly. If you have MFA on email but not on the file system, that's Partial for 3.5.3 (MFA). If you have nothing, mark Not Implemented and put it on the POA&M.

Step 3 — Use Not Applicable with documented justification. Some controls genuinely don't apply. 3.10.6 (alternate work site protections) might be N/A if you have no alternate sites. 3.7.5 (multi-factor for nonlocal maintenance) is N/A if you don't allow nonlocal maintenance. Every N/A needs a one-sentence justification in the Notes column.

Step 4 — Add evidence pointers as you go. The Evidence column should reference where the proof lives — file path, screenshot directory, vendor portal URL, contract number. The point is that 18 months from now, when an assessor or auditor asks, you can find the evidence in 30 seconds.

Step 5 — Auto-generate the POA&M. Filter the workbook to Partial + Not Implemented. The POA&M tab pulls those rows and lets you fill in Target Date, Owner, and Status. Update monthly.

Step 6 — Compute your score and post to SPRS. The Score tab shows your number. Log into SPRS (https://www.sprs.csd.disa.mil), navigate to NIST SP 800-171 Assessments, and enter the score with the methodology version date. Self-assessments are valid for 3 years.
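As an added example (not the FieldLedger workbook's formulas and not code from this post), here is the scoring logic from "How the SPRS scoring logic works" and the Step 1 through Step 6 procedure above, written as one Python script over a CSV export of the control implementation log: start at 110, subtract each unimplemented control's weight, build the POA&M list from Partial and Not Implemented rows, and flag rows an assessor would push back on (N/A without a justification, Implemented without an evidence pointer, a log with fewer than 110 controls). The CSV column names, the twelve sample rows, the weights assigned to 3.7.5 and 3.10.6, and the partial-credit values (3 instead of 5 for 3.5.3 and 3.13.11, taken from the DoD methodology rather than from this post) are this example's assumptions; any other control marked Partial is scored as Not Implemented.

```python
"""Scoring engine mirroring the workbook's logic: 110 minus the weight of each
unimplemented control, partial credit only where the methodology allows it,
a POA&M list built from the gaps, and warnings for rows that will not survive
an assessor's questions (N/A without justification, Implemented without
evidence, an incomplete log). Example code, not the workbook's formulas."""
import csv
import io
from dataclasses import dataclass

TOTAL_CONTROLS = 110
STARTING_SCORE = 110
VALID_WEIGHTS = {1, 3, 5}
VALID_STATUSES = {"Implemented", "Partial", "Not Implemented", "Not Applicable"}

# Partial-credit rule: an assumption drawn from the DoD methodology, not from
# the post. For these two controls a Partial implementation subtracts 3 rather
# than the full 5. Every other control marked Partial is scored exactly like
# Not Implemented, since the methodology has no half-credit for them.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class ControlRow:
    control_id: str
    weight: int         # 1, 3 or 5 per the DoD methodology
    status: str
    evidence: str = ""  # file path, screenshot directory, vendor URL, contract no.
    notes: str = ""     # an N/A row needs its one-sentence justification here


def load_log(csv_text: str) -> list[ControlRow]:
    """Parse a CSV export of the implementation log (assumed column names)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        row = ControlRow(rec["Control"].strip(), int(rec["Weight"]),
                         rec["Status"].strip(),
                         (rec.get("Evidence") or "").strip(),
                         (rec.get("Notes") or "").strip())
        if row.weight not in VALID_WEIGHTS:
            raise ValueError(f"{row.control_id}: weight must be 1, 3 or 5")
        if row.status not in VALID_STATUSES:
            raise ValueError(f"{row.control_id}: unknown status {row.status!r}")
        rows.append(row)
    return rows


def deduction(row: ControlRow) -> int:
    """Points subtracted for one control, given its status."""
    if row.status in ("Implemented", "Not Applicable"):
        return 0
    if row.status == "Not Implemented":
        return row.weight
    return PARTIAL_DEDUCTION.get(row.control_id, row.weight)  # Partial


def assess(rows: list[ControlRow]) -> tuple[int, list[str], list[str]]:
    """Return (SPRS score, POA&M control IDs, warnings) for a control log."""
    score = STARTING_SCORE
    poam, warnings, seen = [], [], set()
    for row in rows:
        if row.control_id in seen:
            raise ValueError(f"{row.control_id}: listed twice")
        seen.add(row.control_id)
        score -= deduction(row)
        if row.status in ("Partial", "Not Implemented"):
            poam.append(row.control_id)  # feeds the POA&M tab
        if row.status == "Not Applicable" and not row.notes:
            warnings.append(f"{row.control_id}: Not Applicable without a justification in Notes")
        if row.status == "Implemented" and not row.evidence:
            warnings.append(f"{row.control_id}: Implemented without an evidence pointer")
    if len(rows) < TOTAL_CONTROLS:
        warnings.append(f"only {len(rows)} of {TOTAL_CONTROLS} controls recorded; "
                        "the score is not complete until every control has a status")
    return score, poam, warnings


# Constructed sample log. Weights follow the post where it names them; the
# weights given to 3.7.5 and 3.10.6 here are assumptions for the sample.
SAMPLE_LOG = """Control,Weight,Status,Evidence,Notes
3.1.1,5,Implemented,evidence/3.1.1/entra-rbac.png,
3.1.2,5,Implemented,,
3.1.5,3,Not Implemented,,
3.5.1,5,Implemented,evidence/3.5.1/user-list.png,
3.5.2,3,Implemented,evidence/3.5.2/signin-policy.png,
3.5.3,5,Partial,evidence/3.5.3/mfa-email.png,MFA on email only; file server pending
3.7.5,5,Not Applicable,,
3.10.6,1,Not Applicable,,No alternate work sites
3.13.1,5,Not Implemented,,
3.13.5,5,Partial,,DMZ planned
3.13.6,3,Implemented,evidence/3.13.6/firewall-default-deny.png,
3.14.2,5,Not Implemented,,
"""

if __name__ == "__main__":
    score, poam, warnings = assess(load_log(SAMPLE_LOG))
    print("SPRS score:", score)
    print("POA&M:", ", ".join(poam))
    for warning in warnings:
        print("WARNING:", warning)
```

Run it as-is to score the constructed sample; for a real log, export the implementation tab to a CSV with those five columns. The incomplete-log warning is deliberate: a number computed over fewer than 110 controls is a progress figure, not a score to post. Note that 3.13.5 marked Partial loses its full 5 points while 3.5.3 marked Partial loses 3, which is the difference Step 2 is warning about.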

The four families to focus on (per our earlier guide)

If you're scoring under 60 today, the four families that produce the most lost points for SMBs are:

  1. 3.13 System and Communications Protection — typically -45 points if you're not on M365 GCC or equivalent FIPS-validated platform
  2. 3.5 Identification and Authentication — typically -30 points if MFA isn't enforced across all CUI-touching systems
  3. 3.3 Audit and Accountability — typically -20 points if you don't have logging across email, file storage, and accounting
  4. 3.4 Configuration Management — typically -25 points if devices are unmanaged

Fix those four families and most contractors move from -50 (typical starting score for a small shop with no investment) to +60 in about six weeks.

See NIST 800-171 compliance for small government contractors for the full breakdown of where points actually get lost.

What honest scoring looks like

Three example contractors, all 20 people, all working on DFARS 7012 contracts:

Contractor A — Just signed first CUI contract, no security investment yet

  • All 32 high-value controls: not implemented (-160 from those alone)
  • Most other controls: partial or not implemented
  • Realistic score: -85 to -120
  • POA&M: 60+ items
  • Path to +60 in 6 weeks: M365 GCC migration, MFA enforcement, IR plan, vulnerability scanning

Contractor B — Mid-sized investment, M365 GCC + Intune deployed

  • 3.13 family: mostly implemented (FIPS crypto via M365 GCC)
  • 3.5 family: implemented (Entra ID MFA)
  • 3.3 family: partial (logging exists but not centralized)
  • 3.4 family: implemented (Intune baselines)
  • 3.11 family: missing (no formal vulnerability scanning)
  • Realistic score: 75–85
  • POA&M: 8–12 items
  • Path to 100+: SIEM rollout, vulnerability scanner, SR family supply chain documentation

Contractor C — Mature posture, 3+ years of investment

  • All families substantially implemented
  • 3 or 4 controls on POA&M with realistic dates
  • Realistic score: 100–108
  • The remaining gaps are usually edge cases (specific CUI-handling scenarios that haven't come up yet)

If you self-score above 100 in your first attempt without the underlying investment, you're scoring incorrectly. DIBCAC has caught contractors at this — and the False Claims Act consequences are real.

What goes in the SSP that doesn't go in the spreadsheet

The spreadsheet captures the status of each control. The System Security Plan (SSP) captures the implementation narrative — the prose description of HOW each control is implemented. An SSP entry for control 3.1.1 (limit access) doesn't say "Implemented" — it says:

"Access to systems containing CUI is limited to authorized users via Microsoft 365 GCC tenant authentication. User accounts are created in Entra ID with role-based access control. The contracting officer's representative for each project is the access-approval authority. Account creation, modification, and termination are logged in the Entra ID audit log with 90-day online retention and 1-year archive retention. The current authorized user list for each project is maintained in [path]."

That's what an assessor reads. The spreadsheet's "Implemented" status is a pointer to the SSP narrative, which is a pointer to the evidence.

The SSP narrative template is at /dcaa-readiness/nist-ssp-narrative — email-gated because it includes interpretation guidance.

What to do this week

  1. Download the spreadsheet.
  2. Spend 90 minutes scoring yourself honestly — don't optimize, just record reality.
  3. Read your number. If it's below zero, that's normal for an unsecured starting position.
  4. Decide your top three POA&M items by impact-per-dollar.
  5. If you don't have an SPRS score posted at all and you have an active DFARS 7012 contract, post your honest current score. Even a low score with a credible POA&M is better than no score.

The contracting officer needs something on file. They can work with a 35 plus an active POA&M. They can't legally award you a CUI-bearing contract with nothing in SPRS at all.
