Practitioner Proof · CMMC Level 2
We Scored a Perfect 110 on Our Own CMMC Level 2 Self-Assessment
Almost every firm selling CMMC compliance help has never sat on the other side of the table. They have read NIST SP 800-171. They have not scored their own business against all 110 of its requirements, watched the points come off, and closed every gap before attesting to the result. We did. In June 2026, Petronella Technology Group, Inc. completed a full CMMC Level 2 self-assessment of our own environment and reached a perfect Supplier Performance Risk System score of 110 out of 110, with an empty Plan of Action and Milestones.
We did it for the same reason a surgeon should be willing to be operated on by their own methods: you should not ask a defense contractor to trust you with their compliance if you have never proven you can pass the same bar yourself. This page is the full, honest account of what that score means, exactly how we earned it, and why a compliance partner that has graded its own environment against every objective is a fundamentally different partner than one that has only studied the framework.
What a 110 SPRS score actually means
CMMC Level 2 is built directly on the 110 security requirements in NIST Special Publication 800-171, which decompose into 320 discrete assessment objectives. To produce a Supplier Performance Risk System score, an organization measures itself against all 110 requirements. The scale begins at 110 and subtracts points for every requirement that is not fully met. Some deductions are one point, many are three, and a handful are five points because they represent the highest-risk gaps. Because the deductions are weighted and there are more than 110 points of possible loss, the scale bottoms out at negative 203.
When contractors measure themselves honestly for the first time, the results are sobering. It is common to see initial scores in the double digits, and not unusual to see negative numbers. A 110 is the ceiling: it means every single one of the 110 requirements is fully implemented and the Plan of Action and Milestones, the running list of open gaps, is empty. Nothing is deferred. Nothing is outstanding. For a contractor competing for work that involves Controlled Unclassified Information, a 110 is the score the Department of Defense wants to see before award. Our SPRS calculator lets you model exactly how those deductions add up against your own environment.
Self-assessment, stated plainly and precisely
Precision is the entire discipline in this field, so we will be exact about what we did. What Petronella Technology Group completed is a CMMC Level 2 self-assessment, scored and attested by a CMMC Registered Practitioner. It is not a third-party certification, and we will never describe it as one. Under the CMMC program, only an authorized C3PAO can certify a Level 2 environment, and only the government assesses Level 3. Any vendor promising to make you "CMMC certified" over a weekend is describing something that does not exist, and you should treat that promise as a disqualifying red flag. If and when a formal certification is required, our C3PAO selection guide walks through how to choose an assessor.
How we implemented all 110 requirements
The 110 requirements of NIST 800-171 are organized into fourteen control families. Reaching a 110 is not about one heroic technical control; it is about closing every family completely, including the unglamorous administrative ones that quietly cost the most points. Here is how we approached each domain, described in vendor-neutral terms because we advise our clients never to publish the specific products that protect their environment, and we hold ourselves to the same rule.
Access Control and Identification and Authentication
These two families account for 33 of the 110 requirements, more than any other pair, and they are where scores most often bleed points. We enforce least-privilege access to every system that touches Controlled Unclassified Information, multifactor authentication on all privileged and remote access, unique identification for every user and device, session controls, and a documented process for provisioning and de-provisioning accounts. CUI is confined to an isolated, encrypted enclave rather than scattered across general-purpose file shares, which shrinks the access-control problem to a defensible boundary.
Audit and Accountability, System and Communications Protection, System and Information Integrity
Logging, monitoring, encryption, and integrity make up the technical backbone. We centralize audit logging, retain and review it, encrypt CUI both in transit and at rest with full-disk encryption on endpoints, segment the network, and run continuous monitoring backed by a managed detection stack that pairs automated tooling with human analysts across SIEM, vulnerability scanning, and threat response. This is the same private, sovereign approach that underpins our private AI infrastructure: sensitive data stays inside a controlled boundary rather than transiting third-party services.
Awareness and Training, Personnel Security, Physical Protection
The requirements auditors weight most heavily are rarely the flashy ones. They are the human controls: scheduled security awareness training, defined roles and responsibilities, screening of personnel with access to CUI, and physical protection of the environment where that data lives. Because CUI in our environment is accessed only through the encrypted enclave and is not stored on local devices, the physical protection requirements are satisfied by design rather than by bolt-on controls. Our security awareness program runs on a fixed cadence, and the completion records are part of the evidence set.
Configuration Management, Maintenance, Media Protection, Risk Assessment, Incident Response, Security Assessment
The remaining families cover disciplined operations: hardened baseline configurations and change control, controlled maintenance, sanitization and handling of media, a documented risk assessment following NIST SP 800-30, a tested incident response plan, and the periodic self-assessment process itself. Our founder holds a state-licensed Digital Forensics Examiner credential, and that expertise sits directly behind the incident response and personnel families as documented evidence rather than as a good intention. We produced a full risk assessment report as part of the package, not a checkbox.
How long it really took, and how we did it
A complete Level 2 package is substantial: a System Security Plan, policies and procedures mapped to all 110 requirements, a risk assessment, and the evidence that connects each control to how the business actually operates. Assembled by hand in a word processor, that work routinely consumes months of consultant time. We built ours in days, because we generated it with ComplianceArmor, our own compliance documentation platform, layering our organization profile, our site details, and the CMMC Level 2 control set into a complete, internally consistent package.
That speed is not a shortcut around the work; it is the removal of the busywork so that the real work, implementing and evidencing controls, gets the attention. It is also the clearest possible demonstration that the same platform we sell can produce a defensible package fast, because we used it to produce our own. Speed applies to the documentation and the self-assessment. It does not apply to certification, which runs on the government and C3PAO timeline, and we never conflate the two.
The DoD mandate behind the score
The reason a SPRS score matters at all is contractual. Under DFARS clause 252.204-7012, any contractor that handles Controlled Unclassified Information must safeguard it in line with NIST SP 800-171 and report cyber incidents to the Department of Defense within 72 hours. DFARS 252.204-7019 and 252.204-7020 go further: they require contractors to perform the NIST 800-171 self-assessment and post the resulting score to the Supplier Performance Risk System, where contracting officers can see it before award. In practice, your SPRS score has become a gating number. A low or negative score can quietly remove you from consideration for work you are otherwise qualified to win.
That is the environment our own 110 was produced for. We handle client Controlled Unclassified Information as part of our compliance and managed services work, which places our business squarely inside the same obligations we help clients meet. Scoring our own environment was not a marketing exercise; it was the same requirement any defense contractor faces, met the same way we ask clients to meet it. If you are early in understanding these obligations, our CMMC compliance guide maps the DFARS clauses to the CMMC levels they drive.
The five-point requirements that decide most scores
Not every requirement is worth the same number of points, and understanding the weighting is the difference between a strategic remediation plan and a scattershot one. The DoD Assessment Methodology assigns a five-point deduction to the requirements that carry the greatest risk when they are missing, a three-point deduction to the next tier, and one point to the rest. A single unmet five-point requirement does more damage to your score than five minor gaps combined.
The heaviest-weighted requirements are consistently the foundational technical controls: multifactor authentication for privileged and remote access, encryption of Controlled Unclassified Information using validated cryptography, boundary protection and network segmentation, and controlling the flow of CUI. These are precisely the controls that a thin, checkbox approach skips or half-implements. Reaching a 110 meant fully satisfying every five-point requirement first, then working down through the three-point and one-point items, rather than chasing easy wins that barely move the number. When we grade a client environment through our readiness assessment, we prioritize the same way, because the fastest path to a defensible score is to stop the biggest deductions first. You can experiment with the weighting yourself in our SPRS calculator.
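To make the scale and the heaviest-first prioritisation described above concrete, here is a small Python model added for illustration; it is not code from this page, from ComplianceArmor, or from the DoD Assessment Methodology. It computes a score from an assessment record (start at 110, subtract the 1-, 3- or 5-point weight of every requirement not fully met) and orders the open gaps by weight, showing the score after each one is closed. The requirement names, weights and implementation states are a constructed six-item sample; a real record has all 110 requirements with the methodology's own weights.

```python
"""SPRS-style scoring over a constructed NIST SP 800-171 assessment record.

Rules as the page states them: the scale starts at 110 and loses the weight
(1, 3 or 5) of every requirement that is not fully met; a 110 means every
requirement is implemented and the POA&M is empty.
"""
from dataclasses import dataclass

MAX_SCORE = 110
VALID_WEIGHTS = {1, 3, 5}


@dataclass(frozen=True)
class Requirement:
    name: str
    weight: int        # points deducted when the requirement is not fully met
    implemented: bool  # True only when fully implemented (no partial credit modelled)


def sprs_score(reqs):
    """Return (score, poam): the score and the list of open (unmet) requirements."""
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.name}: weight must be 1, 3 or 5, got {r.weight}")
    poam = [r for r in reqs if not r.implemented]
    return MAX_SCORE - sum(r.weight for r in poam), poam


def score_floor(reqs):
    """Lowest score the record could produce if every requirement were unmet."""
    return MAX_SCORE - sum(r.weight for r in reqs)


def remediation_plan(reqs):
    """Order open gaps heaviest-first (5, then 3, then 1) and report the score
    reached after closing each one; ties break alphabetically by name."""
    score, poam = sprs_score(reqs)
    plan = []
    for r in sorted(poam, key=lambda r: (-r.weight, r.name)):
        score += r.weight
        plan.append((r.name, r.weight, score))
    return plan


# Constructed sample record (not the DoD weight table): six requirements, three open.
SAMPLE = [
    Requirement("MFA on privileged and remote access", 5, False),
    Requirement("Validated encryption of CUI", 5, True),
    Requirement("Boundary protection and segmentation", 5, True),
    Requirement("Audit log retention and review", 3, False),
    Requirement("Security awareness training cadence", 1, False),
    Requirement("Unique user and device identification", 1, True),
]
```

Running `remediation_plan(SAMPLE)` on the sample closes the five-point MFA gap first, which lifts the score from 101 to 106 in one step, before the three- and one-point items.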
The honest footnote
A 110 is a scored, Registered-Practitioner-attested self-assessment. It is a genuine achievement and a rare one, and it is also a living discipline rather than a trophy on a shelf. Maintaining evidence for every one of the 110 requirements, keeping training current, reviewing logs, and re-assessing as the environment changes is continuous work. That is precisely the standard we hold ourselves to, and it is the standard we help clients build toward. We would rather tell you this plainly than let a headline number imply that compliance is ever finished.
Why our 110 is your advantage
CMMC applies across three levels, and we work across all three. Level 1 covers basic safeguarding of Federal Contract Information. Level 2 is the 110-requirement bar for most Controlled Unclassified Information, and it is the level most of our defense clients need to reach. Level 3 adds the most advanced requirements and is assessed by the government for the highest-risk programs. We have now measured ourselves at the Level 2 bar and closed it completely.
That changes the quality of the help you get. When we explain a requirement, we are describing a decision we have already made in our own environment. When we tell you how long the documentation takes or which objectives quietly cost the most points, we are reading from our own scorecard, not a training slide. When we say a strong self-assessment is achievable without a year of open-ended consulting fees, we have the receipts on our own books. Explore how we deliver that as CMMC-aligned managed IT services, review the full framework in our CMMC compliance guide, see how CMMC compares in our CMMC versus ISO 27001 breakdown, or weigh the market in our CMMC alternatives analysis. North Carolina contractors can also work with our Raleigh CMMC consultants directly.
From a 110 self-assessment to a C3PAO certification
A perfect self-assessment is not the finish line; it is the strongest possible starting position for whatever comes next. For many contracts, a current self-assessment posted to SPRS, combined with an annual affirmation from a senior company official, is what the contract requires today. For contracts that call for CMMC Level 2 certification, a C3PAO conducts a formal assessment against the same 110 requirements, and a clean, honest self-assessment is exactly what makes that engagement short and predictable. The organizations that struggle with certification are the ones that never measured themselves first and discover their real gaps in front of an assessor.
This is the path we walk clients through: measure with a readiness assessment, close gaps through documentation and technical implementation, maintain the evidence, and, when a contract demands it, prepare for a C3PAO using our C3PAO selection guide. We can deliver the underlying security controls as ongoing CMMC-aligned managed IT services, so the score you reach does not decay the moment the project ends. Because we reached and now maintain our own 110, we are describing a road we travel continuously, not one we have only mapped.
Get your own SPRS score
The first move is the one we made: measure honestly. Our readiness assessment grades your environment against all 110 requirements and hands you your SPRS self-score plus a prioritized remediation plan.
Frequently asked questions
Is a CMMC Level 2 self-assessment the same as certification?
No. A self-assessment is performed and attested by the organization itself, ideally with a CMMC Registered Practitioner, and it produces a SPRS score. A certification is performed by an authorized C3PAO for Level 2, or by the government for Level 3. Both matter, but they are not interchangeable, and only a C3PAO or the government can certify.
What does a 110 SPRS score mean?
The SPRS scale for NIST 800-171 starts at 110 and subtracts weighted points for every requirement not fully met, bottoming out at negative 203. A 110 means all 110 requirements are fully implemented with no open Plan of Action and Milestones items. It is the maximum possible score.
Why does it matter that Petronella completed its own self-assessment?
Because it proves capability rather than claiming it. A partner that has scored its own environment against all 110 requirements has made the same decisions, produced the same documentation, and closed the same gaps that your assessment will demand. That is experience you cannot get from reading the framework.
How long does a CMMC Level 2 package take to produce?
Assembled manually, the documentation often takes months. Using our ComplianceArmor platform, we produced a complete, internally consistent Level 2 package in days. The technical implementation and evidence work is separate and ongoing, and certification runs on the C3PAO and government timeline.
Can Petronella help us reach our own 110?
Yes. We help contractors at all three CMMC levels, from an initial readiness assessment and SPRS self-score through documentation, technical implementation, and preparation for a formal C3PAO assessment. Start with a readiness assessment or call us at (919) 348-4912.