Limit system access to authorized users, processes, and devices.
5-point deductionFree CMMC tool · unofficial estimate
SPRS score calculator
Estimate a NIST SP 800-171 DoD Assessment score from 110 down to −203 using the official 5, 3, and 1-point deductions and a weighted gap list.
Unofficial estimate — verify before SPRS submission
How the SPRS score is calculated
The Basic Assessment begins at 110 and subtracts the Annex A value for each unmet requirement. Fully unmet requirements deduct 5, 3, or 1 point; the minimum score is −203. The gap list orders the largest deductions first.
Important scoring exceptions
Requirements 3.5.3 and 3.13.11 can receive a 3-point partial deduction in the circumstances described by the DoD methodology, while a fully unmet implementation deducts 5. Requirement 3.12.4 is not assigned a point value: without a system security plan, the assessment cannot be completed.
Unofficial estimate; your official score is self-attested in SPRS. Control values are reconciled to the published NIST SP 800-171 DoD Assessment Methodology, but this binary aid cannot decide partial implementation or evidence sufficiency. Verify every status before submitting an official assessment.
Published references
Open the source material and verify the requirements or values that apply to your situation.
Questions to verify
Frequently asked questions
Is this my official SPRS score?
No. It is an unofficial estimate. Your organization is responsible for the assessment, supporting evidence, and the score submitted in SPRS.
Why can the score be negative?
The DoD methodology subtracts up to 313 points from 110, producing the published minimum of −203.
How are partial MFA or FIPS implementations handled?
This binary calculator uses the fully-unmet 5-point deduction. Review the methodology before submission because qualifying partial implementations of 3.5.3 or 3.13.11 may deduct 3 points instead.
LongLead flags which upcoming DoD projects will trigger CMMC requirements 12–24 months early.
See LongLead Cyber