
Manufacturing operations face intense competitive pressures, increasingly complex supply chains, and strict compliance requirements like CMMC and ITAR...
Healthcare providers face mounting pressures from ever-evolving technology...
Accounting firms handle sensitive financial data—from tax filings to audit...
Law firms operate under strict confidentiality obligations and face evolving...
Auto dealerships handle a wealth of customer information, from financing details...
In Oil & Gas, uptime, safety, and data integrity are paramount. Whether you’re managing offshore rigs,...
Financial institutions bear a heavy responsibility: they hold sensitive client information and manage...
In the insurance sector, safeguarding sensitive policyholder information is essential—not just to meet...
Auto dealerships handle a wealth of customer information, from financing details...
Small and medium-sized businesses are the backbone of our economy, but they often face...


Manufacturing operations face intense competitive pressures, increasingly complex supply chains, and strict compliance requirements like CMMC and ITAR...
Healthcare providers face mounting pressures from ever-evolving technology...
Accounting firms handle sensitive financial data—from tax filings to audit...
Law firms operate under strict confidentiality obligations and face evolving...
Auto dealerships handle a wealth of customer information, from financing details...
In Oil & Gas, uptime, safety, and data integrity are paramount. Whether you’re managing offshore rigs,...
Financial institutions bear a heavy responsibility: they hold sensitive client information and manage...
In the insurance sector, safeguarding sensitive policyholder information is essential—not just to meet...
Auto dealerships handle a wealth of customer information, from financing details...
Small and medium-sized businesses are the backbone of our economy, but they often face...


There is no single “passing” CMMC score. What counts as passing depends on which status you are aiming for — and whether you are on a self-assessment path or heading into a C3PAO assessment. For CMMC Level 2, a score of 110 achieves Final status. A score of 88 to 109 achieves Conditional status — a 180-day temporary bridge that requires full remediation to hold. A score below 88 means no CMMC status at all, which means no contract award on solicitations requiring CMMC Level 2.
Understanding what those numbers mean and how they are calculated is more useful to a small defense manufacturer than the numbers themselves.
Most shops want to know one thing: what score do they need? The honest answer is that the number matters less than what drives it. A shop that understands how the SPRS scoring system works can read their own score accurately, understand what the gaps actually cost them, and make a realistic plan. A shop that only knows the target number is likely to either inflate their self-assessment to hit it or spend money closing the wrong gaps first.
Related Topic: Department of War Suspends CMMC Phase II Certification: What It Means for Defense Contractors
Understanding SPRS is the foundation of understanding CMMC compliance. The Supplier Performance Risk System — SPRS — is the DoD’s centralized database where defense contractors submit their CMMC self-assessment scores and certification status. SPRS reflects your compliance posture to every contracting officer and prime contractor evaluating your shop. A missing score, an outdated score, or a score that results in no CMMC status directly affects your ability to win work.
As of November 2025, submitting a current SPRS score is mandatory for any DoD contractor subject to DFARS 252.204-7012. SPRS and CMMC are directly linked — your score in SPRS determines your CMMC certification status, and your status determines your contract eligibility.
Related Topic: CMMC Readiness: Prepare Your Business for Compliance
CMMC Level 2 uses a subtractive scoring methodology based on the DoD Assessment Methodology. Every contractor starts at a baseline score of 110 — the maximum — and deductions are applied for each of the 110 NIST SP 800-171 requirements that is not fully implemented. Assessment objectives for each control define exactly what “fully implemented” means there is no interpretation room.
Each control carries a point value of 1, 3, or 5 based on its security impact. There is no partial credit. A control is either fully implemented no deduction or not implemented full deduction. The one exception is SC.L2-3.13.11, the FIPS-validated cryptography requirement: using non-FIPS encryption results in a 3-point deduction rather than the full 5, while using no encryption at all results in the full 5-point deduction.
Because deductions can exceed the starting value of 110 — when multiple high-value controls are unimplemented — scores can go negative. The floor is -203. First honest assessments at small shops frequently produce negative scores. That is not a disqualifying result on its own. It is the accurate starting point for a remediation plan. Meeting CMMC standards at Level 2 means working from that starting point to 110.
Level 1 works differently. It is pass/fail — all 17 FAR 52.204-21 requirements must be marked Met, or the assessment is Not Met. There is no numeric score and no conditional path.
Related Topic: CMMC Audit Preparation: Avoid Common Compliance Mistakes
The requirements for each CMMC level produce different scoring standards and different maturity levels of certification. At Level 2, three distinct outcomes are possible depending on where your numerical score lands.
A score of 110 — a perfect SPRS score with all 110 controls fully implemented results in Final CMMC Level 2 status. This is the only permanent certification outcome. Final status is valid for three years, with annual affirmations required to confirm the security program has been maintained.
A score of 88 to 109 — most controls implemented, remaining gaps documented in a Plan of Action and Milestones — results in Conditional CMMC Level 2 status. Conditional status is a temporary bridge, valid for 180 days only. A closeout assessment is required to confirm POA&M remediation before Final status is granted. Conditional status does allow contract award and performance you can continue working on DoD contracts as a CMMC L2 contractor while closing remaining gaps — but the 180-day clock is real. It does not extend.
A score below 88 results in No CMMC Status. No contract award. No conditional path. The shop must remediate, achieve an SPRS score of at least 88, and resubmit before becoming eligible.
Related Topic: C3PAO: What It Is and How to Choose One for CMMC Level 2
Not every unimplemented control is POA&M-eligible. This is the detail that catches small contractors off guard most often and it is the reason a score of 88 does not automatically guarantee Conditional status.
To achieve Conditional status with a score of 88 or above, every unmet control on the POA&M must be a 1-point control. Any unimplemented 3-point or 5-point control — regardless of your overall score disqualifies you from Conditional status. A shop with a score of 95 that has one unimplemented 5-point control does not qualify for Conditional status. They get No CMMC Status until that control is fully implemented.
Additionally, six specific controls defined in 32 CFR § 170.21(a)(2)(iii) cannot be placed on a POA&M under any circumstances. If any of those six are not fully implemented, the result is No CMMC Status regardless of score.
One more requirement that trips up first-time submissions: the System Security Plan control CA.L2-3.12.4 must be marked Met before SPRS will generate any score at all. If the SSP requirement is Not Met, SPRS returns No Score. No score means no CMMC status and no contract eligibility. The SSP is the entry ticket to everything else.
Related Topic: DIBCAC: What Defense Contractors Need to Know
This is the piece of the SPRS conversation that matters most for a small defense manufacturer and it is rarely discussed directly.
SPRS scores are self-reported. A shop assesses its own controls, calculates its own score, and submits. There is no independent verification in the self-assessment path. The consequence is that scores frequently reflect what a contractor believes to be true about their environment not what an independent assessor would confirm.
Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) research found that many self-reported perfect scores of 110 were inaccurate, which is one of the driving reasons CMMC 2.0 moved toward third-party assessments. A shop may believe its IT provider reported 80, yet C3PAO assessors may score 40 using DoD assessment methodology correctly.
The gap between a self-assessed score and a C3PAO-verified score is where budget surprises come from. If your current IT provider has told you your score is 80 or 90 and you budget for CMMC accordingly, a gap assessment by an independent party may reveal a significantly different picture. The minimum SPRS score that qualifies for Conditional status is 88 — but only if your controls actually meet that threshold, not just if your self-assessment says they do. That difference in controls, in cost, in timeline is better discovered before engaging a C3PAO than during the formal assessment.
There is also a False Claims Act dimension. Submitting an inaccurate SPRS score even unintentionally creates legal exposure. Contracting officers and the DoD are both checking SPRS, and an inflated score that does not hold up under Industrial Base Cybersecurity Assessment Center scrutiny is a documented liability.
Related Topic: What Is CUI in Cybersecurity and Why Is It Important?
Calculating your score requires a gap assessment against all 110 NIST SP 800-171 requirements using the DoD Assessment Methodology. For each control, you determine whether it is fully implemented, not implemented, or not applicable to your environment. Not applicable controls — documented and justified in your SSP — carry no deduction. For each not-implemented control, you apply the weighted deduction.
The result is your SPRS score. Before submitting, verify SSP requirements are met, confirm POA&M includes only eligible 1-point controls, and ensure your score exceeds 88.
Submission is through the SPRS portal via PIEE at piee.eb.mil. A senior official must submit an affirmation certifying the accuracy of the assessment information. Keeping an up-to-date SPRS score — updated at least annually or whenever your security posture changes materially — is a CMMC program requirement, not just good practice. That affirmation carries legal weight under the False Claims Act — it is not a formality.
Right Hand Technology Group works with defense contractors to conduct honest gap assessments against the DoD Assessment Methodology, calculate accurate SPRS scores, and build the documentation programs that support them. Learn more about our CMMC compliance services, or schedule a free consultation to understand where your current score stands and what closing the gaps actually requires.
Related Topic: How to Get Ready for a CMMC Assessment in 2026
What score do you need to pass CMMC?
Achieve 110 points for Final CMMC Level 2 certification or at least 88 for Conditional status with eligible POA&M remediation.
What is a CMMC score of 88?
A score of 88 earns Conditional CMMC Level 2 status when only eligible 1-point controls remain incomplete and require remediation.
What is the score for CMMC Level 2?
CMMC Level 2 uses a 110-point system. Earn 110 for Final status or at least 88 for eligible Conditional status.
What happens if you fail a CMMC audit?
Missing critical controls or scoring below 88 results in No CMMC Status and requires remediation before reassessment.
There is no single “passing” CMMC score. What counts as passing depends on which…
On July 13, 2026, the Department of War suspended CMMC Phase II certification requirements…
CMMC readiness is the state of having fully implemented, documented, and operationalized the cybersecurity…