Free CMMC SPRS Calculator: What is your score?
SPRS scores run from -203 to +110. DoD prime contractors check your score before flowing down contracts. Most defense contractors do not know theirs until a C3PAO walks through the door. This tool gives you a credible estimate in 90 seconds, then emails you a personalized POA&M showing which control families to fix first.
Estimate Your CMMC SPRS Score.
Petronella Technology Group, Inc. built this estimator on the official SPRS scoring methodology. You start at +110 and lose points for each control family that is partial, planned, or not implemented. Choose the option that best describes where you stand on each NIST 800-171 control family.
If a C3PAO finds a gap, we fix it free.
Petronella Technology Group has authored CMMC documentation for defense contractors for over two decades. Our promise is straightforward.
The Audit-Ready Promise (verbatim)
Promise. If you engage ComplianceArmor for your CMMC Level 2 documentation package and your C3PAO assessor flags a documentation gap that ComplianceArmor was responsible for, we will revise the documentation at no charge until the gap is closed.
Refund clause. If we cannot close the documentation gap within 30 days of the assessor's written finding, you may request a pro-rata refund of the documentation engagement fee for the affected control families. The refund is paid within 14 days of the request.
What this does not cover. Technical control implementation gaps (your network, your endpoints, your encryption) are remediation work, not documentation work, and are scoped separately. Third-party assessor fees (the C3PAO) are paid directly to the C3PAO and are outside this promise. We use the word promise rather than guarantee for legal precision; in practice the operational outcome is the same.
Common Questions About Your SPRS Estimate.
What CISOs, IT directors, and DoD primes ask before sharing their SPRS number with a contracting officer.
How accurate is this calculator?
It produces a credible estimate, not an official score. The DoD's official SPRS scoring methodology deducts -1, -3, or -5 points for each unimplemented control, summed across all 110 NIST 800-171 controls. Rather than asking 110 questions, we ask 14 and apply per-family weighting that reflects the typical control mix. The estimate is usually within plus or minus 10 points of a self-assessment performed against the full DoD scoring template, which is why we publish a range alongside the point estimate. The official, attested score is what you submit to the SPRS portal after a formal self-assessment or C3PAO assessment.
What is SPRS?
SPRS is the Supplier Performance Risk System, a DoD database that tracks contractor cybersecurity posture. Defense contractors who handle Controlled Unclassified Information (CUI) submit a NIST 800-171 self-assessment score to SPRS as required by DFARS 252.204-7019 and 7020. Prime contractors check SPRS scores before flowing down contracts. A low or missing score can disqualify you from awards.
Why is my prime contractor asking for my SPRS score?
Because DFARS requires it. When a prime contractor flows down a contract that involves CUI, they must verify your SPRS score is current and acceptable before issuing the subcontract. The CMMC Final Rule (32 CFR 170, effective late 2024) tightens this further by requiring CMMC Level 2 certification for handling CUI. Your prime is doing supply chain risk management, and your SPRS score is the first signal they look at.
What does the -203 to +110 range mean?
Plus 110 is the maximum: every NIST 800-171 control is fully implemented. Each unimplemented control deducts points based on its impact: high-impact controls deduct -5, medium-impact controls deduct -3, and low-impact controls deduct -1. If you sum the deductions for all 110 controls being unimplemented, you arrive at -203. So a score of -203 means nothing is implemented, and +110 means everything is. Most defense contractors who have not yet undertaken a formal program land somewhere between -50 and +60. After a focused remediation engagement, +88 to +100 is a realistic ready-to-flow-down target.
What counts as "implemented" for a control family?
A control is implemented when (a) the control objective is being met operationally, (b) there is a documented policy or procedure describing how, and (c) there is evidence (logs, configurations, training records, screenshots) that proves it. "Partial" means the control is operational but documentation or evidence is thin. "Planned" means a policy is drafted but the operational practice is not in place yet. "Not implemented" means no work has started. The C3PAO assessor evaluates all three legs (operations, documentation, evidence) when scoring.
Do you sell my information?
No. We do not sell, rent, share, or trade your name, email, company, or answers with any third party. We use your contact info to email you the personalized POA&M and the SPRS scoring reference, and (only if you check the box) to schedule a 30-minute demo. If you ask us to delete your information, we delete it within 7 days. That is the entire policy.
Ready to See Your Real SPRS Score?
The calculator gives you the estimate. ComplianceArmor delivers the documentation set that gets you to +88 or higher and keeps you there. Schedule a 30-minute call. We will scope the work and quote a fixed price.