Plain-English SPRS scoring guide · primary sources

How to calculate your SPRS score (step by step)

To calculate your SPRS score: (1) start at 110 points; (2) go through each of the 110 NIST SP 800-171 Rev 2 requirements; (3) deduct 5 points for each unimplemented 5-point requirement, 3 for each 3-point requirement, and 1 for each 1-point requirement; (4) apply partial credit for 3.5.3 and 3.13.11 where it applies; (5) the result is your score — the floor is −203. Source: DoD Assessment Methodology v1.2.1.

The five steps

  1. Start at 110 points

    Every SPRS self-assessment under the DoD Assessment Methodology starts from a perfect score of 110 — one point of credit, weighted, for each of the 110 NIST SP 800-171 Rev 2 requirements assumed met. You subtract from there.

  2. Walk all 110 requirements

    Go through each of the 110 NIST SP 800-171 Rev 2 requirements and decide, honestly, whether it is fully implemented. A requirement is "met" only when the control is actually in place and you can describe how — not when it is planned or partly done.

  3. Deduct by weight (5 / 3 / 1)

    For every unmet requirement, subtract its weight: 44 requirements are worth 5 points each, 14 are worth 3 points each, and 51 are worth 1 point each. One requirement — 3.12.4, the System Security Plan — is unscored, so it never moves the number.

  4. Apply the two partial-credit cases

    Only two requirements ever give partial credit. 3.5.3 (multifactor authentication) deducts 3 instead of 5 when remote and privileged users are covered but general users are not. 3.13.11 (CUI encryption) deducts 3 instead of 5 when encryption is deployed but not FIPS-validated. Every other requirement is all-or-nothing.

  5. Read your score (floor is −203)

    What remains after the deductions is your SPRS score. With 313 deductible points across the 109 scored requirements, the score ranges from 110 at the top down to a floor of −203. A negative score is normal for a contractor early in readiness — it is a starting line, not a verdict.
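The five steps above as a small Python scorer; this is an added example, not code from the DoD methodology or the Muster calculator. Only 3.5.3, 3.13.11 and 3.12.4 are real requirement IDs taken from the page; every other key in the weight table is a constructed placeholder that reproduces the 44/14/51/1 distribution, because the page does not list per-control weights.

```python
from collections import Counter

PARTIAL_OK = {"3.5.3", "3.13.11"}  # the only two partial-credit requirements
UNSCORED = "3.12.4"                # System Security Plan: never moves the score
PARTIAL_DEDUCTION = 3              # deducted instead of 5 in the partial cases


def placeholder_weights():
    """Constructed table: real IDs only for 3.5.3, 3.13.11 and 3.12.4."""
    weights = {"3.5.3": 5, "3.13.11": 5, UNSCORED: 0}
    weights.update({f"five-{i:02d}": 5 for i in range(1, 43)})   # 42 placeholders
    weights.update({f"three-{i:02d}": 3 for i in range(1, 15)})  # 14 placeholders
    weights.update({f"one-{i:02d}": 1 for i in range(1, 52)})    # 51 placeholders
    return weights


def check_table(weights):
    """Reject a weight table that does not match the 44/14/51/1 distribution."""
    counts = Counter(weights.values())
    if counts != Counter({5: 44, 3: 14, 1: 51, 0: 1}) or weights.get(UNSCORED) != 0:
        raise ValueError(f"unexpected weight distribution: {dict(counts)}")


def sprs_score(weights, status):
    """status maps requirement ID -> 'met' | 'partial' | 'unmet' (default unmet)."""
    check_table(weights)
    unknown = set(status) - set(weights)
    if unknown:
        raise ValueError(f"unknown requirement IDs: {sorted(unknown)}")
    score = 110
    for req, weight in weights.items():
        state = status.get(req, "unmet")
        if state == "met":
            continue
        if state == "partial":
            if req not in PARTIAL_OK:
                raise ValueError(f"{req} is all-or-nothing; no partial credit")
            score -= PARTIAL_DEDUCTION
        elif state == "unmet":
            score -= weight  # 0 for the unscored SSP requirement
        else:
            raise ValueError(f"{req}: unknown state {state!r}")
    return score
```

Replace the placeholder keys with the real per-control weights from the DoD Assessment Methodology before using the result; `check_table` will reject a table whose counts do not match.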

The point values, by weight

The 110 requirements are not weighted equally. The DoD Assessment Methodology assigns each a value of 5, 3, or 1 point, with a single unscored exception. Across the 109 scored requirements that adds up to 313 deductible points — which is why the score floor is 110 − 313 = −203.

Weight      Number of requirements            Max deduction
5 points    44 requirements                   220 points
3 points    14 requirements                   42 points
1 point     51 requirements                   51 points
Unscored    1 requirement (3.12.4, the SSP)   0 points
Total       110 requirements (109 scored)     313 points

The full list of which control carries which weight is in the all-110 requirements explorer, searchable by family and point value.

The only two partial-credit cases

Nearly every requirement is all-or-nothing — you take the full deduction or none. Exactly two requirements are scored on a partial scale, and getting them wrong is the most common way a hand-calculated score drifts from the official one:

  • 3.5.3 — multifactor authentication. Normally a 5-point deduction. Deducts 3 instead of 5 when remote and privileged users are covered by MFA but general users are not.
  • 3.13.11 — CUI encryption. Normally a 5-point deduction. Deducts 3 instead of 5 when cryptography is deployed to protect CUI but is not FIPS-validated.

What 88 means

The number contractors ask about most is 88. A score of at least 88 of 110 is the floor for a Conditional Level 2 at a C3PAO assessment — but the score alone is not enough. Every remaining open gap must also be POA&M-eligible (generally only 1-point items, plus the 3.13.11 partial case), and all POA&M items must close within 180 days of the conditional status date (32 CFR 170.21). Six requirements are never POA&M-eligible at all. An 88 with the wrong kind of gap open still fails — the full eligibility rules are in the POA&M template guide and the conditional certification guide.

Sources: DoD Assessment Methodology v1.2.1 (the 5/3/1 weighting and the two partial-credit cases); 32 CFR 170.21 (the 88-point Conditional Level 2 floor, POA&M eligibility, and the 180-day closeout); 32 CFR 170.24 (the 3.12.4 SSP gate). One important caveat: the self-assessment is a representation to the government — score honestly. An inflated score is False Claims Act exposure.

Don’t calculate it by hand

The arithmetic is mechanical and easy to get slightly wrong. The free Muster SPRS calculator applies the 5/3/1 weights and the two partial-credit rules for you as you check off requirements — no signup, runs in your browser.

Straight answers

What is the highest possible SPRS score?

A perfect SPRS score is 110 — every one of the 110 NIST SP 800-171 Rev 2 requirements met. You cannot score above 110; the methodology starts there and only subtracts. The lowest possible score is −203, reached when every deductible requirement is unmet (313 deductible points subtracted from 110). A negative number is common for a contractor at the beginning of readiness.

Why is requirement 3.12.4 unscored?

3.12.4 is the System Security Plan (SSP) requirement, and it is unscored — it never adds or subtracts points. But it is not optional: without a current SSP, no CMMC assessment can be completed at all (32 CFR 170.24), and 3.12.4 may never be placed on a POA&M. Treat it as a gate rather than a line item: you can have a high score on paper, but with no SSP you cannot be assessed.

How do the two partial-credit requirements change the math?

Most requirements are all-or-nothing: you deduct the full weight or nothing. Two are different. 3.5.3 (MFA) normally costs 5 points, but only 3 when remote and privileged users have multifactor authentication and general users do not. 3.13.11 (CUI encryption) normally costs 5 points, but only 3 when encryption is in place but not FIPS-validated. These are the only two partial deductions in the entire methodology.

What SPRS score do I need for CMMC Level 2?

There is no minimum score just to post a self-assessment and bid — you need a current, honest assessment, not a particular number. For a Conditional Level 2 at a C3PAO assessment you need at least 88 of 110, with every remaining gap POA&M-eligible (generally 1-point items only) and closed within 180 days (32 CFR 170.21). A Final Level 2 means every requirement is met or every POA&M item has been closed.

Do I have to calculate my SPRS score by hand?

No. The math is mechanical — start at 110, subtract the weighted deductions, apply the two partial-credit cases — which is exactly what a calculator is for. Muster’s free SPRS calculator applies the 5/3/1 weights and the 3.5.3 and 3.13.11 partial-credit rules automatically as you check off requirements, so you see the number move and avoid arithmetic mistakes. The free Muster Score goes further and walks all 110 requirements with you.

This is compliance information, not legal advice. The SPRS score is a self-assessment you calculate and post; Muster helps you compute it and drafts the documentation you review and attest to. Only an authorized C3PAO can certify you. Score honestly — an inflated score is False Claims Act exposure. For contract or attestation questions, consult qualified counsel.
