Estimate your SPRS score. Ten questions. Real weights.
Each question bundles real NIST SP 800-171 controls and applies the same weight (1, 3, or 5 points) the DoD uses when computing an SPRS submission. Partial implementation costs half the full deduction; missing posture costs the full deduction. The result is a defensible estimate — a Gap Assessment is the audit-grade answer.
The 10 questions
- Q01 · NIST 3.5.3, 3.7.5 · 10 pts max
  Phishing-resistant MFA on privileged accounts and remote access
  Hardware tokens or FIDO2 for administrators and any access originating outside the trusted boundary.
- Q02 · NIST 3.13.8, 3.13.11 · 10 pts max
  FIPS-validated cryptography for CUI at rest and in transit
  FIPS 140-2 / 140-3 validated modules everywhere CUI is encrypted. Bring-your-own-encryption does not qualify.
- Q03 · NIST 3.13.1, 3.13.5, 3.13.6 · 11 pts max
  Network boundary protection: firewall, DMZ, and monitored egress
  A documented, diagrammed boundary with proxied egress and explicit deny-by-default rules. Cloud equivalents count.
- Q04 · NIST 3.3.1, 3.3.2, 3.3.4, 3.3.5 · 12 pts max
  Audit log generation, 1+ year retention, and weekly review
  Logs from CUI systems, retained one year online and three years archived, with documented periodic review.
- Q05 · NIST 3.11.2, 3.11.3, 3.14.1 · 9 pts max
  Vulnerability scanning monthly + patch SLA enforced
  Authenticated scans, critical vulnerabilities remediated within a defined and tracked SLA.
- Q06 · NIST 3.6.1, 3.6.2, 3.6.3 · 11 pts max
  Incident response plan, tested, reportable to DoD within 72 hours
  A named DIBNet submitter, a tabletop exercised within 12 months, and a tested 72-hour reporting path.
- Q07 · NIST 3.4.1, 3.4.2, 3.4.3, 3.4.4 · 10 pts max
  Configuration baselines + change control + inventory
  Version-controlled baselines per system class, change tickets per modification, current asset inventory.
- Q08 · NIST 3.1.5, 3.1.7, 3.1.10 · 7 pts max
  Least privilege, separation of duties, session lock
  Reviewed entitlement assignments, separated duties for privileged actions, automated session lock under 15 minutes.
- Q09 · NIST 3.8.1, 3.8.3, 3.8.5 · 6 pts max
  CUI marking and media protection
  CUI banners applied consistently, removable media controlled at the endpoint, sanitization documented.
- Q10 · NIST 3.2.1, 3.2.2, 3.2.3, 3.9.1 · 4 pts max
  Annual security awareness, role-based training, background screening
  Training records retained 12+ months, role-based content for privileged users, screening evidence linked to access.
How the math actually works.
SPRS scoring starts every contractor at 110 and deducts a weight for each unmet control. The weights are defined in NIST SP 800-171A as 1, 3, or 5 points, corresponding to the impact of the control. The arithmetic floor is −203; the ceiling is +110; the CMMC 2.0 certification minimum is currently 88.
This estimator collapses the 110-control evaluation into 10 questions. Each question represents a bundle of related controls. Partial implementation halves the deduction; missing posture applies the full deduction. The maximum total deduction in this model is roughly 90 points, which gives a realistic range of 20 to 110.
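The ten-question model above, written out as an added example (this is not the page's own estimator code). The question ids, short titles and maximum deductions come from the list above; the answer-state names `yes` / `partial` / `no` are an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

START_SCORE = 110   # every contractor starts at 110
CMMC_MINIMUM = 88   # CMMC 2.0 certification minimum cited above

# (question id, short title, max deduction) taken from the page's ten questions
QUESTIONS: List[Tuple[str, str, int]] = [
    ("Q01", "Phishing-resistant MFA on privileged accounts and remote access", 10),
    ("Q02", "FIPS-validated cryptography for CUI at rest and in transit", 10),
    ("Q03", "Network boundary protection: firewall, DMZ, monitored egress", 11),
    ("Q04", "Audit log generation, 1+ year retention, weekly review", 12),
    ("Q05", "Vulnerability scanning monthly + patch SLA enforced", 9),
    ("Q06", "Incident response plan, tested, 72-hour DoD reporting", 11),
    ("Q07", "Configuration baselines + change control + inventory", 10),
    ("Q08", "Least privilege, separation of duties, session lock", 7),
    ("Q09", "CUI marking and media protection", 6),
    ("Q10", "Awareness and role-based training, background screening", 4),
]

# Answer states (assumed names): 'yes' costs nothing, 'partial' half, 'no' full.
DEDUCTION_FACTOR = {"yes": 0.0, "partial": 0.5, "no": 1.0}

@dataclass
class Estimate:
    score: float
    deductions: Dict[str, float]  # points lost per question
    gaps: List[str]               # questions not fully implemented

def estimate_sprs(answers: Dict[str, str]) -> Estimate:
    """Page's model: 110 minus each bundle's deduction (halved when partial)."""
    deductions: Dict[str, float] = {}
    gaps: List[str] = []
    for qid, title, max_pts in QUESTIONS:
        state = answers.get(qid, "no")  # an unanswered question counts as missing
        if state not in DEDUCTION_FACTOR:
            raise ValueError(f"{qid}: expected yes/partial/no, got {state!r}")
        lost = max_pts * DEDUCTION_FACTOR[state]
        deductions[qid] = lost
        if lost:
            gaps.append(f"{qid} {title} (-{lost:g})")
    return Estimate(START_SCORE - sum(deductions.values()), deductions, gaps)

def meets_cmmc_minimum(est: Estimate) -> bool:
    """True when the estimate clears the 88-point minimum named above."""
    return est.score >= CMMC_MINIMUM
```

Call `estimate_sprs` with a dict of Q01..Q10 answers; all `yes` returns 110, all `no` returns 20, and the `gaps` list names the bundles that cost points.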
The estimator is intentionally conservative. A real SPRS submission requires evaluation against the full 110-control inventory using NIST 800-171A determination statements, and the artifacts must survive a hostile read. We perform that evaluation in our two-week Gap Assessment engagement.