Most companies that sell CMMC compliance help have never been through it themselves. Before we asked another defense contractor to trust us with theirs, we wanted to sit on the other side of the table. So we scored our own business against all 110 requirements of NIST SP 800-171, closed every gap, and attested to the result. In June 2026, Petronella Technology Group, Inc. reached a perfect Supplier Performance Risk System score of 110 out of 110 on our own CMMC Level 2 self-assessment, with an empty Plan of Action and Milestones.
We wrote up the full, honest account, including how the SPRS scoring math works and how we implemented all fourteen control families, on a dedicated page: our CMMC Level 2 self-assessment. This post is the shorter version: five things the exercise taught us that we now bring to every client engagement.
1. Your first honest score is almost always lower than you think
The SPRS scale starts at 110 and subtracts weighted points for every requirement you have not fully met. It bottoms out at negative 203. Most organizations that measure themselves honestly for the first time land far below where they assumed, and negative scores are common. The gap is rarely negligence. It is the difference between running good security tools and being able to prove, with documentation and evidence, that every one of the 110 requirements is satisfied. A readiness assessment turns a vague feeling of being "mostly compliant" into a specific, defensible number. If you have never produced yours, our CMMC readiness assessment is the fastest way to see it, and our SPRS calculator shows how the deductions add up.
2. The unglamorous requirements decide the score
It is tempting to focus on the exciting technical controls, but the requirements that quietly cost the most points are the administrative ones: scheduled security awareness training, defined roles and responsibilities, a documented and tested incident response plan, and physical protection of the environment where Controlled Unclassified Information lives. These are boring to implement and easy to defer, which is exactly why so many self-assessments lose points there. Reaching a 110 meant treating the human and process requirements with the same seriousness as encryption and access control. Our founder's state Digital Forensics Examiner credential sits behind the incident response and personnel requirements as real, documented evidence rather than a promise.
3. Scope is the single biggest lever
The 110 requirements only have to apply where Controlled Unclassified Information actually lives. The tighter you can draw that boundary, the smaller and more defensible your compliance problem becomes. We keep CUI inside an isolated, encrypted enclave rather than letting it spread across general-purpose file shares and laptops. That one architectural decision shrank the surface area for access control, media protection, and physical security dramatically. Before grading a single control for a client, we do the same thing: draw the CUI boundary first. A well-scoped enclave is the difference between a project measured in weeks and one measured in quarters.
4. Documentation should not consume the whole budget
A complete Level 2 package is a System Security Plan, policies and procedures mapped to all 110 requirements, a risk assessment, and the evidence tying each control to how you actually operate. Assembled by hand in a word processor, that work routinely eats months of consultant time and the majority of a compliance budget. We built ours in days using ComplianceArmor, our own compliance documentation platform, and it is the same tool we use to stand up client packages. The point is not speed for its own sake. It is that removing the documentation busywork frees your team to spend its energy on actually implementing and evidencing controls, which is where a score is truly won.
5. Self-assessment is not certification, and that distinction matters
We are careful with our words here because precision is the whole discipline. What we completed is a Level 2 self-assessment, scored and attested by a CMMC Registered Practitioner. It is not a third-party certification. Only an authorized C3PAO can certify a Level 2 environment, and only the government assesses Level 3. Any vendor promising to make you "certified in a weekend" is describing something that does not exist, and you should treat it as a red flag. A strong self-assessment is not a lesser thing, though. It is the exact baseline a certification is built on, done first by you, so there are no surprises when an assessor arrives. When a contract eventually requires certification, our C3PAO selection guide walks through choosing an assessor.
What the DoD actually checks, and why the number is contractual
A SPRS score is not an academic exercise. Under DFARS clause 252.204-7012, any contractor that handles Controlled Unclassified Information must safeguard it in line with NIST SP 800-171 and report cyber incidents to the Department of Defense within 72 hours. DFARS clauses 252.204-7019 and 252.204-7020 go further, requiring contractors to perform the NIST 800-171 self-assessment and post the resulting score to the Supplier Performance Risk System so that contracting officers can see it before an award. In practice, your SPRS score has quietly become a gate. A low or negative number can remove you from consideration for work you are otherwise qualified to win, often without anyone telling you why.
That is the environment our own 110 was produced for. We handle client Controlled Unclassified Information as part of our compliance and managed services work, which places our business inside the same obligations we help clients meet. Scoring ourselves was not marketing. It was the identical requirement every defense contractor faces, met the same way we ask clients to meet it. A senior official also has to affirm the score in SPRS, which means the number is not just a technical artifact but a statement the company stands behind. We wanted to stand behind a 110 before we asked anyone to trust our guidance on reaching theirs.
One more lesson: momentum beats perfection at the start
The contractors who stall are usually the ones waiting to feel ready before they measure. The score does not care how ready you feel. The most valuable thing we did was run the assessment early, get the honest baseline, and then work the gaps in priority order, closing the heaviest weighted requirements first. A moving score, even one that starts negative, is worth far more than an untested assumption that you are "probably fine." Measurement is not the reward at the end of the project. It is the first and most useful step.
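The scoring arithmetic from lesson 1 and the "heaviest weighted first" ordering from the lesson above, as an added illustration in Python. This is not Petronella's SPRS calculator or any DoD tool; the requirement weights and statuses in the sample are constructed for the example, and the one rule not stated in this post, the partial credit the DoD Assessment Methodology gives for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), is marked as such in the code.

```python
"""SPRS self-score walk-through (added example, not the company's own tool).

Start at 110, subtract each open requirement's weight, then close the gaps in
priority order and watch the score move.
"""
from dataclasses import dataclass, replace

MAX_SCORE = 110   # every one of the 110 NIST SP 800-171 requirements met
MIN_SCORE = -203  # every requirement unmet; the floor the post cites

# Two 5-point requirements carry partial credit under the DoD Assessment
# Methodology (not stated on this page): MFA (3.5.3) and FIPS-validated
# cryptography (3.13.11) deduct 3 instead of 5 when only partially
# implemented. Every other requirement is all-or-nothing.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Requirement:
    rid: str      # NIST SP 800-171 identifier, e.g. "3.5.3"
    title: str
    weight: int   # 5, 3 or 1 points in the DoD methodology
    status: str   # "met", "partial" or "unmet"


def deduction(req: Requirement) -> int:
    """Points lost for one requirement."""
    if req.status == "met":
        return 0
    if req.status == "partial" and req.rid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.rid]
    # Unmet, or partial without a partial-credit rule, costs the full weight.
    return req.weight


def sprs_score(reqs) -> int:
    """Start at 110 and subtract every deduction."""
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def worst_case(reqs) -> int:
    """Score if every listed requirement were unmet (-203 for the full table)."""
    return MAX_SCORE - sum(r.weight for r in reqs)


def _rid_key(rid: str):
    # Sort "3.13.11" after "3.5.3" numerically, not as strings.
    return tuple(int(p) for p in rid.split("."))


def poam(reqs):
    """Open items, heaviest deduction first: the order the post recommends."""
    open_items = [r for r in reqs if deduction(r) > 0]
    return sorted(open_items, key=lambda r: (-deduction(r), _rid_key(r.rid)))


def close_gaps_in_order(reqs):
    """Close each POA&M item in priority order; return the score after each step."""
    current = list(reqs)
    trajectory = [sprs_score(current)]
    for item in poam(current):
        current = [replace(r, status="met") if r.rid == item.rid else r
                   for r in current]
        trajectory.append(sprs_score(current))
    return trajectory


# Constructed sample: a slice of a first honest self-assessment. Weights and
# statuses are illustrative, not the DoD table or the company's own scorecard.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, "met"),
    Requirement("3.2.1", "Security awareness training", 5, "unmet"),
    Requirement("3.2.3", "Insider threat awareness training", 1, "unmet"),
    Requirement("3.5.3", "Multifactor authentication", 5, "partial"),
    Requirement("3.6.1", "Incident handling capability", 5, "unmet"),
    Requirement("3.8.1", "Protect system media containing CUI", 3, "unmet"),
    Requirement("3.10.1", "Limit physical access to systems", 5, "met"),
    Requirement("3.13.11", "FIPS-validated cryptography", 5, "partial"),
    Requirement("3.14.1", "Identify and correct system flaws", 5, "met"),
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE))
    for r in poam(SAMPLE):
        print(f"  -{deduction(r)}  {r.rid}  {r.title}")
    print("trajectory:", close_gaps_in_order(SAMPLE))
```

Run against the sample, the first honest score is 90, the POA&M lists the two open 5-point items before anything else, and the trajectory climbs 90, 95, 100, 103, 106, 109, 110 as each item is closed; an empty POA&M and a 110 are the same statement. Replace SAMPLE with all 110 rows and their real weights and `worst_case` returns the -203 floor the post mentions.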
Why our score is your advantage
CMMC applies across three levels, and we work across all three. Level 1 covers basic safeguarding of Federal Contract Information. Level 2 is the 110-requirement bar for most Controlled Unclassified Information. Level 3 adds advanced requirements assessed by the government for the highest-risk programs. Having graded ourselves at the Level 2 bar and closed it completely changes the quality of the help we give. When we explain a requirement, we are describing a decision we have already made in our own environment. When we tell you which objectives quietly cost the most points, we are reading from our own scorecard. Learn how we deliver that as ongoing CMMC-aligned managed IT services, or start with the full framework in our CMMC compliance guide.
The honest footnote, the same one we give clients: a 110 is a scored, attested self-assessment and a living discipline, not a trophy. Maintaining evidence for every control, keeping training current, and re-assessing as the environment changes is continuous work. That is the standard we hold ourselves to, and the standard we help you build toward.
Get your own number
If you are a defense contractor or part of the supply chain, the first move is the one we made: measure honestly. Read the full story of our 110, then request a readiness assessment to get your own SPRS self-score and a prioritized plan. Or call Petronella Technology Group at (919) 348-4912 to talk it through with a practitioner who has already earned the score you are working toward.