DoW Contractors · CMMC 2.0 Level 2 · NIST 800-171
CMMC Readiness Assessment.
Eighteen honest questions across the six NIST SP 800-171 control families that anchor CMMC 2.0 Level 2 — Access Control, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, and Risk Management. About ten minutes. No email required to see your score.
- Mapped to NIST 800-171, CMMC 2.0 L2, DFARS 252.204-7012
- SPRS-aware framing — gap surfaced before C3PAO money
- Scoring runs locally in your browser
- Optional written report + SSP / POA&M roadmap on request
What it covers
Six 800-171 control families. Eighteen honest questions.
Built around the audit reality your prime, your assessor, and the DoW Assessment Methodology actually care about. The score gives leadership a place to start the SSP / POA&M conversation — not the conversation itself. CUI scoping, encryption (FIPS-validated), CMMC scoping, and a full 110-control walkthrough come next.
See the CMMC 2.0 compliance service for the assessment-prep engagement.
- Access Control
  AC family — limiting system access to authorized users, processes, and devices acting on behalf of those users.
- Audit & Accountability
  AU family — creating, protecting, and reviewing audit logs sufficient to support after-the-fact investigation of unauthorized activity.
- Configuration Management
  CM family — establishing baselines, controlling changes, and restricting non-essential software and ports.
- Identification & Authentication
  IA family — uniquely identifying users and authenticating identities before granting access.
- Incident Response
  IR family — establishing a capability to detect, contain, eradicate, and report incidents — including DFARS 72-hour reporting.
- Risk Management
  RA / SI families — assessing risk, scanning for vulnerabilities, and remediating in time to keep the SPRS score honest.
- Is this the same as a SPRS score?
  No. SPRS scoring uses the DoW Assessment Methodology and is a formal calculation against all 110 NIST 800-171 controls. This is a fast self-check across six families to surface where the program is and where it isn't, ahead of an SSP / POA&M build or a C3PAO engagement.
- Will this prepare me for a C3PAO assessment?
  Not by itself. It identifies the obvious gaps before you spend C3PAO money. A formal CMMC Level 2 assessment prep engagement still includes scoping CUI, building / refining the SSP and POA&M, evidence collection, mock assessment, and remediation. See our CMMC compliance service for the full scope.
- Does this account for DFARS 72-hour reporting?
  Yes. The Incident Response domain includes a direct question on DFARS 252.204-7012(c) 72-hour reporting to DoW via DIBNet. Failing that question is a near-certain finding in any audit.
- Do I need to give an email address?
  No. The assessment runs entirely client-side. If you want a written report and a remediation roadmap from our team, you can request one at the end — but the score itself is yours immediately.
About this CMMC readiness assessment
What this CMMC 2.0 readiness assessment measures — and what to do with your score.
This CMMC readiness assessment is built around the six NIST SP 800-171 control families that anchor CMMC 2.0 Level 2 certification for U.S. Department of War (DoW) contractors and subcontractors handling Controlled Unclassified Information (CUI). The eighteen questions are deliberately framed the way a C3PAO (Certified Third-Party Assessor Organization) interviews your team during an actual assessment — not the way a SaaS vendor frames a marketing quiz. If a question feels uncomfortably specific, that's the point: it's surfacing the gap your assessor will ask about, before you've signed the contract that puts your CUI on the line.
Scoring runs locally in your browser — nothing leaves your device unless you explicitly request a written report. Each control family is scored on a four-level maturity scale (Initial, Developing, Managed, Optimized) and the overall score maps to the SPRS (Supplier Performance Risk System) scoring construct that DoD prime contractors check when evaluating subcontractor cyber risk under DFARS 252.204-7012. A score below 88 (out of the 110-point SPRS ceiling) typically indicates Level 2 readiness gaps that should be closed before commissioning a third-party assessment.
How CMMC contractors typically use these results
Three patterns we see most often: (1) internal benchmarking before bringing in a consultant — understand your current state so the scoping call is grounded in reality, not aspirational marketing; (2) board / executive briefing — the framework-mapped breakdown makes it easier to explain CMMC investment requirements to a CFO who hasn't been close to the rule; (3) prime contractor diligence response — some DoW primes now require subs to disclose self-assessment scores during contract qualification, and this assessment produces a defensible snapshot in an hour.
Next steps after the assessment
If you scored above 90, you're in good shape for a Level 2 assessment but should still validate the evidence package with a mock C3PAO review. If you scored between 65 and 90, a structured remediation roadmap closes the gaps in 6–9 months at typical mid-market scale. Below 65 indicates the controls baseline needs material investment before assessment is realistic — usually 9–12 months including GCC High migration if you handle CUI in Microsoft 365.
Cyberuptive's CMMC 2.0 compliance services deliver the full sweep across all six control families — scoping the CUI boundary, NIST 800-171 gap assessment, SSP authoring, POA&M tracking, SPRS scoring support, GCC High migration, and the long-term 24/7 SOC, vulnerability management, and incident response controls that DFARS 252.204-7012 requires you to keep running after the C3PAO leaves. Pacific defense subcontractors with Honolulu / JBPHH / Schofield / Wheeler footprints get HST-primary SOC coverage and U.S.-citizen analyst handling of CUI as part of the standard engagement.