Frequently asked questions

CMMC, SPRS, and Muster — answered plainly

The questions defense contractors ask most. Still stuck? Email hello@passmuster.co.

Getting started

What is the Muster Score?

It is a free self-assessment that computes your exact SPRS score under the published DoD Assessment Methodology and shows which NIST SP 800-171 gaps are POA&M-eligible versus must-fix. It runs entirely in your browser, needs no signup, and takes about 20 minutes for the quick estimate.

Get your free Muster Score →

Do I upload files or any CUI?

Never. The platform works entirely from your descriptions of your environment — file uploads are disabled by design, and the rule is simple: describe systems, never their contents. Controlled Unclassified Information is kept out of the platform by architecture, not by a setting.

How we handle your data →

Is this a certification?

No. Muster computes your score and drafts your documentation. Certification comes from a third-party C3PAO assessment, and the attestation is yours to make. We make you ready for both, faster and far cheaper than hourly consultants — but we never attest to your implementation status for you.

How accurate is the free score?

The math is the DoD methodology applied exactly, and we score conservatively — unanswered requirements count as not implemented, and "partially implemented" takes the full deduction except for the two defined partial-credit cases. The quick mode is a labeled estimate with an uncertainty range; the full 110-requirement assessment is exact.

See exactly how every point is computed →

SPRS scoring

What is an SPRS score and why do primes keep asking for it?

The Supplier Performance Risk System score (from a maximum of 110 down to a floor of −203) is how DoD tracks your NIST SP 800-171 self-assessment. Under DFARS 252.204-7020, a prime is required to confirm that subcontractors handling covered defense information have a current assessment on record — which is why the request keeps landing in your inbox.

What a prime actually sees →

How is the score calculated?

Every contractor starts at 110 points. Each unimplemented requirement deducts a weighted value — 5, 3, or 1 point — across 109 of the 110 requirements; requirement 3.12.4 (the SSP) is unscored. Exactly two requirements earn partial credit: 3.5.3 (MFA) and 3.13.11 (CUI encryption) deduct 3 instead of 5 in their defined partial states.

Try the interactive calculator →

What score do I need?

CMMC Level 2 allows conditional status when your assessment scores at least 88 of 110 and every open gap is on a Plan of Action & Milestones — and only certain requirements are ever POA&M-eligible. Open items must close within 180 days or the conditional status lapses (32 CFR 170.21).

The full POA&M eligibility rules →
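
The scoring rules in the two answers above, carried through as an added worked example (this is illustrative code, not the Muster engine's): start at 110, deduct each requirement's 5/3/1 weight, skip 3.12.4, apply the two partial-credit cases, treat unanswered as not implemented, clamp at the −203 floor, and compare against the 88-point conditional threshold. The weight table here is a constructed subset for illustration; the function names are hypothetical.

```python
from enum import Enum

MAX_SCORE, MIN_SCORE, CONDITIONAL_THRESHOLD = 110, -203, 88
UNSCORED = {"3.12.4"}                         # the SSP: no point value, but it gates the assessment
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # the two defined partial states deduct 3, not 5

class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not_implemented"
    UNANSWERED = "unanswered"

def validate_weights(weights):
    """A full table has 110 requirements whose scored weights sum to 313,
    so 'everything unimplemented' lands exactly on the -203 floor."""
    scored = [w for r, w in weights.items() if r not in UNSCORED]
    return len(weights) == 110 and sum(scored) == MAX_SCORE - MIN_SCORE

def sprs_score(weights, answers):
    """Return (score, deductions). Conservative rules: an unanswered requirement
    counts as not implemented, and 'partial' takes the full deduction except
    for the two defined partial-credit cases."""
    score, deductions = MAX_SCORE, {}
    for req, weight in weights.items():
        if req in UNSCORED:
            continue
        status = answers.get(req, Status.UNANSWERED)
        if status is Status.IMPLEMENTED:
            continue
        partial_ok = status is Status.PARTIAL and req in PARTIAL_CREDIT
        deducted = PARTIAL_CREDIT[req] if partial_ok else weight
        deductions[req] = deducted
        score -= deducted
    return max(score, MIN_SCORE), deductions

def conditional_eligible(score):
    """Score half of the conditional-status test; POA&M eligibility is checked separately."""
    return score >= CONDITIONAL_THRESHOLD

# Constructed subset of a weight table for illustration only; use the full
# published 110-requirement table in practice.
SAMPLE_WEIGHTS = {"3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3,
                  "3.5.3": 5, "3.12.4": None, "3.13.11": 5}
SAMPLE_ANSWERS = {"3.1.1": Status.IMPLEMENTED, "3.1.2": Status.PARTIAL,
                  "3.1.3": Status.NOT_IMPLEMENTED, "3.5.3": Status.PARTIAL,
                  "3.12.4": Status.IMPLEMENTED, "3.13.11": Status.PARTIAL}
# 3.1.5 is deliberately left unanswered: it is scored as not implemented (-3).
```

Note that 3.1.2 in the sample is "partial" but not one of the two defined cases, so it takes its full 5-point deduction, while 3.5.3 and 3.13.11 each deduct only 3.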

Can a prime look my score up directly?

Generally no — access to SPRS scores is restricted, so a prime usually cannot pull a subcontractor’s score on demand. But because they are required to ensure you have a current assessment, they ask you for the score and the date you entered it.

CMMC & the deadline

Do I even need CMMC?

If you hold or pursue DoD contracts or subcontracts, almost certainly. Federal Contract Information (FCI) only points to Level 1 (an annual self-assessment); Controlled Unclassified Information (CUI) points to Level 2, which is mostly C3PAO-assessed under Phase 2.

Do I need CMMC certification? →

What changes on November 10, 2026?

Phase 2 begins: a C3PAO-assessed Level 2 certificate becomes the default condition of award for DoD contracts involving CUI, applied per-solicitation at contracting-officer discretion and rolling out through full implementation in 2028. Phase 1 (self-assessment and affirmation requirements in new solicitations) has been live since November 10, 2025.

See the full Phase 2 timeline →

What is an SSP, and why does it gate everything?

A System Security Plan documents how you meet each of the 110 requirements. Requirement 3.12.4 makes it the gate: without a current SSP, no assessment can be completed at all, and 3.12.4 can never sit on a POA&M. It is also the single longest-lead artifact, so it is the first thing to start.

What an SSP must contain →

Security & your data

Where does my assessment data live?

For the free Muster Score, your answers stay in your own browser — they are not transmitted to us. You can clear them at any time. The platform is built so that the controlled data that makes CMMC hard never enters it in the first place.

The full security posture →

Is an inaccurate SPRS score really a legal risk?

It can be. A self-assessed score is a representation you make to the government, and the Department of Justice’s Civil Cyber-Fraud Initiative has used the False Claims Act against contractors who knowingly misrepresent their cybersecurity posture. That is exactly why we score conservatively and trace every statement back to the answer you gave.

Why your score is an FCA exposure →

Pricing & the Sprint

What is free, and what is paid?

The Muster Score self-assessment is free, forever. The Level 2 Readiness Sprint is a fixed $4,995 one-time engagement that delivers a draft SSP, a prioritized POA&M, a CUI scoping memo, your calculated SPRS score, an SPRS submission walkthrough, and a compliance-QA review — and includes 90 days of the Platform. The ongoing Platform subscription keeps your SSP, POA&M, and score living after that.

See full pricing →
How is the Sprint different from hiring a consultant?

Consultants hand-write the same artifact types our engine assembles from your structured answers — at $250–400/hour and on their calendar. The Sprint delivers the documentation in days at a fixed price, with an audit trail of where every statement came from. And if you already work with a consultant or RPO, bring them our drafts — documentation hours are usually the bulk of their quote.

Can I buy the Sprint right now?

The free Muster Score is live today. The done-for-you Sprint is opening to an early-access cohort — join the list to lock in founding-cohort pricing and get launch updates.

Join the early-access list →

For consultants, RPOs & MSPs

Can I white-label Muster for my clients?

Yes. The Partner Engine lets RPOs, MSPs, and compliance consultants draft SSPs and POA&Ms from each client’s own answers under their own brand — from $3,000/year plus $200/client/month, with volume pricing, deal registration, and a no-poach pledge written into the agreement.

See the Partner Engine →

The fastest answer is your real number

Run the free Muster Score and see exactly where you stand under the DoD methodology — no signup, no CUI, about 20 minutes.

Get your free Muster Score