Methodology & sources
Compliance tooling is only worth using if you can check its math. This page documents every rule our tools implement and the primary source for each. If you find a discrepancy, tell us. We treat scoring bugs as severity-one.
SPRS Score Calculator
Implements the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 (June 24, 2020), Annex A, verbatim:
- Score starts at 110, and each requirement not fully implemented subtracts its Annex A weight.
- Weights in our dataset: 42 five-point, 14 three-point, 51 one-point requirements, plus two variable and one unscored (below). Possible range: -203 to +110.
- 3.5.3 (MFA): minus 5 if not implemented, or minus 3 if implemented for remote and privileged users but not general users.
- 3.13.11 (FIPS crypto): minus 5 if no cryptography protects CUI, or minus 3 if cryptography is employed but is mostly not FIPS-validated.
- N/A permitted only for: 3.1.12 & 3.1.13 (when remote access is not permitted), 3.1.16 & 3.1.17 (when wireless is not permitted), and 3.1.18 (when mobile device connection is not permitted), per the Annex A comment column.
- 3.12.4 (SSP): carries no point value. Per the methodology, absence of an SSP means the assessment "could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012." Our tool flags this as a blocking condition rather than a deduction.
CMMC Level 1 Self-Assessment
- The 17 practices are the NIST SP 800-171 requirements marked with an asterisk in Annex A, i.e., the basic safeguarding requirements of FAR 52.204-21(b)(1)(i) through (xv) (paragraph (b)(1)(ix) maps to three practices).
- Results are binary MET / NOT MET, and no POA&Ms are permitted at Level 1, per the CMMC Program rule (32 CFR Part 170). The tool will not report an overall MET until all 17 are met.
- Level 1 requires an annual self-assessment with results in SPRS and an annual affirmation by an Affirming Official.
Which-level wizard
- Level definitions, the COTS exclusion, and assessment types follow 32 CFR Part 170 (CMMC Program) and the 48 CFR CMMC acquisition rule (DFARS 252.204-7021).
- Phase descriptions follow the published four-phase implementation schedule (Phase 1 began November 10, 2025).
Primary sources
- NIST SP 800-171 Rev 2 (requirement text is public-domain U.S. government work)
- NIST SP 800-171 DoD Assessment Methodology v1.2.1, incl. Annex A weights
- 32 CFR Part 170 (CMMC Program final rule)
- DFARS 252.204-7012, -7019, -7020, -7021; FAR 52.204-21
- SPRS documentation at sprs.csd.disa.mil
Scoring dataset
The complete control dataset our tools use (all 110 requirements with weights, N/A conditions, and special rules) ships in the page source and can be inspected freely. It is a faithful transcription of Annex A, and the requirement text itself is public domain.
What our tools are not
A self-assessment tool is not an assessment, a certification, or legal advice. It computes exactly what the methodology says with the answers you give it, so the honesty of the answers is on you (and that's true of every tool in this market, whatever their marketing implies).