The SPRS score ranges from −203 to 110. Every defense contractor handling CUI starts at 110 and deducts 5, 3, or 1 points for each unmet NIST SP 800-171 requirement — 313 possible deduction points across 109 scored requirements. DoD sees the score in the Supplier Performance Risk System; 110 means everything is implemented.
Estimate your score in two minutes
Everything starts as implemented (110). Check each requirement you have not implemented and watch the deductions land — these are the real Annex A point values from the DoD Assessment Methodology, family by family.
AC — Access Control: 22 requirements
AT — Awareness and Training: 3 requirements
AU — Audit and Accountability: 9 requirements
CM — Configuration Management: 9 requirements
IA — Identification and Authentication: 11 requirements
IR — Incident Response: 3 requirements
MA — Maintenance: 6 requirements
MP — Media Protection: 9 requirements
PS — Personnel Security: 2 requirements
PE — Physical Protection: 6 requirements
RA — Risk Assessment: 3 requirements
CA — Security Assessment: 4 requirements
SC — System and Communications Protection: 16 requirements
SI — System and Information Integrity: 7 requirements
Quick estimator only. Every checked item counts as fully unimplemented — partial credit (3.5.3, 3.13.11) and N/A determinations aren't captured here, and gaps aren't classified for POA&M eligibility. For your exact score, run the free full assessment. Scores are self-reported readiness estimates — not a certification, and not a prediction of C3PAO assessment results.
Partial credit: the only two exceptions
Two requirements — only two — earn a reduced deduction under the DoD methodology:
3.5.3 (multifactor authentication): deduct 3 instead of 5 when MFA covers remote access and privileged accounts but not yet general users.
3.13.11 (CUI encryption): deduct 3 instead of 5 when encryption is deployed but not FIPS-validated.
Everything else is all-or-nothing: "partially implemented" takes the full deduction. This estimator treats every checked item as a full deduction; the full assessment captures both partial-credit cases.
The 3.12.4 gate: unscored, but existential
The System Security Plan requirement (3.12.4) carries no point value because it's more serious than points: without a current SSP, no CMMC assessment can be completed at all, and 3.12.4 may never sit on a POA&M. A 110 without an SSP is a number you can't take to an assessor. If your SSP is the gap, start there — the full assessment drafts one from your answers.
The 88-point conditional threshold
CMMC Level 2 allows conditional status when an assessment scores at least 88 of 110 and every open gap is POA&M-eligible — generally the 1-point items, with 3.13.11 allowed only in its 3-point partial case, and six requirements never eligible at all (3.1.20, 3.1.22, 3.12.4, 3.10.3, 3.10.4, 3.10.5). Open POA&M items must close within 180 days of the conditional status date or the status lapses (32 CFR 170.21). A score of 88 with the wrong kind of gap still fails — which is why the full assessment classifies every gap as POA&M-eligible or must-fix.
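The scoring, partial-credit, SSP-gate and conditional-status rules above, combined in one check. This is an added example, not this site's estimator or DoD code. The function name, the input shape and the caller-supplied weights are assumptions; take real weights from Annex A of the DoD Assessment Methodology.

```python
# Added example: the rules as this page states them, not an official tool.
NEVER_POAM = {"3.1.20", "3.1.22", "3.12.4", "3.10.3", "3.10.4", "3.10.5"}
PARTIAL_OK = {"3.5.3", "3.13.11"}  # the only two reduced-deduction cases

def assess(gaps, ssp_current=True):
    """gaps maps requirement id -> (weight, partial).

    weight is the Annex A value supplied by the caller (5, 3 or 1);
    partial is True only when the reduced 3-point case applies.
    """
    gaps = dict(gaps)
    if not ssp_current:
        gaps["3.12.4"] = (0, False)  # unscored, but blocks the assessment
    score, poam, must_fix = 110, [], []
    for req, (weight, partial) in sorted(gaps.items()):
        partial = partial and req in PARTIAL_OK  # all else is all-or-nothing
        deduction = 3 if partial else weight
        score -= deduction
        # Page's rule: 1-point items, plus 3.13.11 in its 3-point partial
        # case, unless the requirement is on the never-eligible list.
        eligible = req not in NEVER_POAM and (
            deduction == 1 or (req == "3.13.11" and partial))
        (poam if eligible else must_fix).append(req)
    if "3.12.4" in gaps:
        status = "not assessable"
    elif not gaps:
        status = "all implemented"
    elif score >= 88 and not must_fix:
        status = "conditional"
    else:
        status = "not met"
    return {"score": score, "status": status,
            "poam_eligible": poam, "must_fix": must_fix}

if __name__ == "__main__":
    # Constructed sample inputs. The weight of 1 for 3.1.20 is an assumed
    # value for illustration; verify every weight against Annex A.
    samples = {
        "encryption deployed, not FIPS-validated": {"3.13.11": (5, True)},
        "no CUI encryption at all": {"3.13.11": (5, False)},
        "MFA on remote and privileged only": {"3.5.3": (5, True)},
        "never-eligible gap": {"3.1.20": (1, False)},
    }
    for label, gaps in samples.items():
        print(label, assess(gaps))
    print("no current SSP", assess({}, ssp_current=False))
```

Three of the four sample gaps score well above 88 and still return "not met", and a missing SSP returns "not assessable" at a score of 110.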
Wondering what closing those gaps costs? The honest price bands — self-serve, consultant-led, enclave, and the separate C3PAO fee — are in the CMMC Level 2 cost guide.
Stop estimating. Know your number.
The free full assessment walks all 110 requirements, applies the partial-credit rules, separates POA&M-eligible gaps from must-fix gaps, and drafts the SSP that opens the assessment gate.