PUBLIC-SIGNAL INTELLIGENCE12–24 MONTHS EARLY · EVIDENCE CITED

Free CMMC tool · unofficial estimate

SPRS score calculator

Estimate a NIST SP 800-171 DoD Assessment score from 110 down to −203 using the official 5, 3, and 1-point deductions and a weighted gap list.

Unofficial estimate — verify before SPRS submission

Estimated SPRS score110
−203110
InterpretationPerfect · 110

All 110 requirements marked met — the maximum SPRS score. Assessors will still want evidence.

Met 110Not met 0Points lost 0
Partial deductions: This binary aid uses 5 points when 3.5.3 or 3.13.11 is unmet. The official methodology permits a 3-point deduction for qualifying partial implementations.
AC · Access Control22/22 met
3.1.1

Limit system access to authorized users, processes, and devices.

5-point deduction
Met
3.1.2

Limit access to the types of transactions and functions authorized users may execute.

5-point deduction
Met
3.1.3

Control the flow of CUI in accordance with approved authorizations.

1-point deduction
Met
3.1.4

Separate duties of individuals to reduce risk of malevolent activity.

1-point deduction
Met
3.1.5

Employ least privilege, including for specific security functions and privileged accounts.

3-point deduction
Met
3.1.6

Use non-privileged accounts when accessing non-security functions.

1-point deduction
Met
3.1.7

Prevent non-privileged users from executing privileged functions; capture in audit logs.

1-point deduction
Met
3.1.8

Limit unsuccessful logon attempts.

1-point deduction
Met
3.1.9

Provide privacy and security notices consistent with applicable CUI rules.

1-point deduction
Met
3.1.10

Use session lock with pattern-hiding displays after inactivity.

1-point deduction
Met
3.1.11

Terminate user sessions after a defined condition.

1-point deduction
Met
3.1.12

Monitor and control remote access sessions.

5-point deduction
Met
3.1.13

Use cryptographic mechanisms to protect remote access sessions.

5-point deduction
Met
3.1.14

Route remote access via managed access control points.

1-point deduction
Met
3.1.15

Authorize remote execution of privileged commands and remote access to security info.

1-point deduction
Met
3.1.16

Authorize wireless access prior to allowing connections.

5-point deduction
Met
3.1.17

Protect wireless access using authentication and encryption.

5-point deduction
Met
3.1.18

Control connection of mobile devices.

5-point deduction
Met
3.1.19

Encrypt CUI on mobile devices and mobile computing platforms.

3-point deduction
Met
3.1.20

Verify and control/limit connections to and use of external systems.

1-point deduction
Met
3.1.21

Limit use of portable storage devices on external systems.

1-point deduction
Met
3.1.22

Control CUI posted or processed on publicly accessible systems.

1-point deduction
Met
AT · Awareness & Training3/3 met
3.2.1

Ensure managers and users are aware of security risks and policies.

5-point deduction
Met
3.2.2

Ensure personnel are trained to carry out their security duties.

5-point deduction
Met
3.2.3

Provide security awareness training on recognizing insider threat.

1-point deduction
Met
AU · Audit & Accountability9/9 met
3.3.1

Create and retain system audit logs and records.

5-point deduction
Met
3.3.2

Ensure actions of individual users can be uniquely traced.

3-point deduction
Met
3.3.3

Review and update logged events.

1-point deduction
Met
3.3.4

Alert in the event of an audit logging process failure.

1-point deduction
Met
3.3.5

Correlate audit record review, analysis, and reporting for investigation.

5-point deduction
Met
3.3.6

Provide audit record reduction and report generation.

1-point deduction
Met
3.3.7

Provide a system capability to compare and synchronize time sources.

1-point deduction
Met
3.3.8

Protect audit information and logging tools from unauthorized access.

1-point deduction
Met
3.3.9

Limit management of audit logging to a subset of privileged users.

1-point deduction
Met
CM · Configuration Management9/9 met
3.4.1

Establish and maintain baseline configurations and inventories.

5-point deduction
Met
3.4.2

Establish and enforce security configuration settings.

5-point deduction
Met
3.4.3

Track, review, approve/disapprove, and log changes to systems.

1-point deduction
Met
3.4.4

Analyze the security impact of changes prior to implementation.

1-point deduction
Met
3.4.5

Define, document, and enforce access restrictions for changes.

5-point deduction
Met
3.4.6

Employ the principle of least functionality.

5-point deduction
Met
3.4.7

Restrict, disable, or prevent nonessential programs, functions, ports, protocols.

5-point deduction
Met
3.4.8

Apply deny-by-exception (blacklist) or permit-by-exception (whitelist) policy.

5-point deduction
Met
3.4.9

Control and monitor user-installed software.

1-point deduction
Met
IA · Identification & Authentication11/11 met
3.5.1

Identify system users, processes acting on behalf of users, and devices.

5-point deduction
Met
3.5.2

Authenticate identities as a prerequisite to system access.

5-point deduction
Met
3.5.3

Use multifactor authentication for privileged and network access.

5-point deduction
Met
3.5.4

Employ replay-resistant authentication mechanisms.

1-point deduction
Met
3.5.5

Prevent reuse of identifiers for a defined period.

1-point deduction
Met
3.5.6

Disable identifiers after a defined period of inactivity.

1-point deduction
Met
3.5.7

Enforce a minimum password complexity and change of characters.

1-point deduction
Met
3.5.8

Prohibit password reuse for a specified number of generations.

1-point deduction
Met
3.5.9

Allow temporary password use with immediate change to permanent.

1-point deduction
Met
3.5.10

Store and transmit only cryptographically-protected passwords.

5-point deduction
Met
3.5.11

Obscure feedback of authentication information.

1-point deduction
Met
IR · Incident Response3/3 met
3.6.1

Establish an operational incident-handling capability.

5-point deduction
Met
3.6.2

Track, document, and report incidents to designated officials.

5-point deduction
Met
3.6.3

Test the organizational incident response capability.

1-point deduction
Met
MA · Maintenance6/6 met
3.7.1

Perform maintenance on organizational systems.

3-point deduction
Met
3.7.2

Provide controls on tools, techniques, mechanisms, and personnel for maintenance.

5-point deduction
Met
3.7.3

Sanitize equipment removed for off-site maintenance of any CUI.

1-point deduction
Met
3.7.4

Check media containing diagnostic/test programs for malicious code.

3-point deduction
Met
3.7.5

Require multifactor authentication to establish nonlocal maintenance sessions.

5-point deduction
Met
3.7.6

Supervise maintenance activities of personnel without required access.

1-point deduction
Met
MP · Media Protection9/9 met
3.8.1

Protect system media containing CUI, both paper and digital.

3-point deduction
Met
3.8.2

Limit access to CUI on system media to authorized users.

3-point deduction
Met
3.8.3

Sanitize or destroy media containing CUI before disposal or reuse.

5-point deduction
Met
3.8.4

Mark media with necessary CUI markings and distribution limitations.

1-point deduction
Met
3.8.5

Control access to and account for media during transport.

1-point deduction
Met
3.8.6

Implement cryptographic mechanisms to protect CUI on transported media.

1-point deduction
Met
3.8.7

Control the use of removable media on system components.

5-point deduction
Met
3.8.8

Prohibit use of portable storage devices with no identifiable owner.

3-point deduction
Met
3.8.9

Protect the confidentiality of backup CUI at storage locations.

1-point deduction
Met
PS · Personnel Security2/2 met
3.9.1

Screen individuals prior to authorizing access to CUI systems.

3-point deduction
Met
3.9.2

Protect CUI during and after personnel actions (terminations, transfers).

5-point deduction
Met
PE · Physical Protection6/6 met
3.10.1

Limit physical access to systems, equipment, and operating environments.

5-point deduction
Met
3.10.2

Protect and monitor the physical facility and support infrastructure.

5-point deduction
Met
3.10.3

Escort visitors and monitor visitor activity.

1-point deduction
Met
3.10.4

Maintain audit logs of physical access.

1-point deduction
Met
3.10.5

Control and manage physical access devices.

1-point deduction
Met
3.10.6

Enforce safeguarding measures for CUI at alternate work sites.

1-point deduction
Met
RA · Risk Assessment3/3 met
3.11.1

Periodically assess risk to operations, assets, and individuals.

3-point deduction
Met
3.11.2

Scan for vulnerabilities in systems and applications periodically.

5-point deduction
Met
3.11.3

Remediate vulnerabilities in accordance with risk assessments.

1-point deduction
Met
CA · Security Assessment4/4 met
3.12.1

Periodically assess security controls for effectiveness.

5-point deduction
Met
3.12.2

Develop and implement plans of action to correct deficiencies.

3-point deduction
Met
3.12.3

Monitor security controls on an ongoing basis.

5-point deduction
Met
3.12.4

Develop, document, and update system security plans.

Assessment blocker
Met
SC · System & Communications Protection16/16 met
3.13.1

Monitor, control, and protect communications at external and key internal boundaries.

5-point deduction
Met
3.13.2

Employ architectural designs and principles that promote effective security.

5-point deduction
Met
3.13.3

Separate user functionality from system management functionality.

1-point deduction
Met
3.13.4

Prevent unauthorized and unintended information transfer via shared resources.

1-point deduction
Met
3.13.5

Implement subnetworks for publicly accessible components (DMZ).

5-point deduction
Met
3.13.6

Deny network traffic by default and allow by exception.

5-point deduction
Met
3.13.7

Prevent remote devices from split tunneling into external networks.

1-point deduction
Met
3.13.8

Use cryptographic mechanisms to prevent disclosure of CUI in transit.

3-point deduction
Met
3.13.9

Terminate network connections at end of session or after inactivity.

1-point deduction
Met
3.13.10

Establish and manage cryptographic keys.

1-point deduction
Met
3.13.11

Employ FIPS-validated cryptography to protect CUI.

5-point deduction
Met
3.13.12

Prohibit remote activation of collaborative devices; indicate use to users.

1-point deduction
Met
3.13.13

Control and monitor use of mobile code.

1-point deduction
Met
3.13.14

Control and monitor use of Voice over Internet Protocol (VoIP).

1-point deduction
Met
3.13.15

Protect the authenticity of communications sessions.

5-point deduction
Met
3.13.16

Protect the confidentiality of CUI at rest.

1-point deduction
Met
SI · System & Information Integrity7/7 met
3.14.1

Identify, report, and correct system flaws in a timely manner.

5-point deduction
Met
3.14.2

Provide protection from malicious code at designated locations.

5-point deduction
Met
3.14.3

Monitor system security alerts and advisories and take action.

5-point deduction
Met
3.14.4

Update malicious code protection mechanisms when new releases are available.

5-point deduction
Met
3.14.5

Perform periodic and real-time scans of files from external sources.

3-point deduction
Met
3.14.6

Monitor systems, including inbound and outbound traffic, to detect attacks.

5-point deduction
Met
3.14.7

Identify unauthorized use of organizational systems.

3-point deduction
Met
Point-weighted gaps0

All requirements are currently marked met. An assessor will still expect evidence.

How the SPRS score is calculated

The Basic Assessment begins at 110 and subtracts the Annex A value for each unmet requirement. Fully unmet requirements deduct 5, 3, or 1 point; the minimum score is −203. The gap list orders the largest deductions first.

Important scoring exceptions

Requirements 3.5.3 and 3.13.11 can receive a 3-point partial deduction in the circumstances described by the DoD methodology, while a fully unmet implementation deducts 5. Requirement 3.12.4 is not assigned a point value: without a system security plan, the assessment cannot be completed.

Important

Unofficial estimate; your official score is self-attested in SPRS. Control values are reconciled to the published NIST SP 800-171 DoD Assessment Methodology, but this binary aid cannot decide partial implementation or evidence sufficiency. Verify every status before submitting an official assessment.

Published references

Open the source material and verify the requirements or values that apply to your situation.

NIST SP 800-171 DoD Assessment Methodology v1.2.1

Questions to verify

Frequently asked questions

Is this my official SPRS score?

No. It is an unofficial estimate. Your organization is responsible for the assessment, supporting evidence, and the score submitted in SPRS.

Why can the score be negative?

The DoD methodology subtracts up to 313 points from 110, producing the published minimum of −203.

How are partial MFA or FIPS implementations handled?

This binary calculator uses the fully-unmet 5-point deduction. Review the methodology before submission because qualifying partial implementations of 3.5.3 or 3.13.11 may deduct 3 points instead.

LongLead flags which upcoming DoD projects will trigger CMMC requirements 12–24 months early.

See LongLead Cyber