## SPRS Scoring 101: Why Negative Scores Are the Norm, Not the Exception

The Supplier Performance Risk System (SPRS) score quantifies your NIST SP 800-171 Rev 2 implementation across 110 controls, required under DFARS 252.204-7019/7020 since 2020. **Scores range from -203 (zero controls implemented) to +110 (every control implemented).** You don't add points: you start at +110 and **subtract weighted deductions** (1, 3, or 5 points per unmet control) per the DoD Assessment Methodology. Two controls carry a reduced 3-point deduction for partial implementation, 3.5.3 (MFA covering privileged and remote access but not general users) and 3.13.11 (encryption in use but not FIPS-validated); 3.12.4, the System Security Plan, is not scored at all, because without an SSP the assessment cannot be performed.

**High-impact controls drive large deductions:**
- MFA (3.5.3): 5 points
- FIPS-validated cryptography (3.13.11): 5 points
- Unique user traceability in audit logs (3.3.2): 3 points
- Incident response testing (3.6.3): 3 points

CyberSheath’s 2025 DIB survey pegs the **median self-assessed score at 60**, with 17% negative. But practitioner audits reveal the truth: **average audited scores cluster around -20 to +40**, a 50–80 point inflation in self-reports.

Boeing cybersecurity lead Brett Cox notes: **"60% of assessment objectives are paperwork."** Over 60 controls (164 points) demand policy evidence, and a policy's existence alone fails without proof that it is enforced.

## The Self-Assessment Delusion: 69% Compliant in Theory, 4% in Practice

Contractors aren't lying; they're over-optimistic. **CyberSheath/Merrill Research: 75% believed themselves compliant on self-assessment; only 4% passed a third-party assessment.** The "SPRS Score Gap" emerges systematically:

- **Self-assessed median: +60 to +88**
- **Audited reality: -30 to +40**

**Case Study 1: The 88 → -30 Client**
A mid-sized IT services firm (50–150 employees) self-scored +88 after "implementing" MFA, policies, and endpoint tools through its MSP. A gap assessment revealed:
- MFA partial (email only, not VPN or privileged accounts): full 5-point deduction.
- Policies unsigned and unenforced: 40+ points lost.
- Scope ignored remote workers and home offices: 25+ endpoints never assessed.
**Net: -30. Gap: 118 points.** Remediation took 9 months and $120K.

**Case Study 2: MORSECORP's $4.6M Lesson**
MORSECORP reported a self-assessed SPRS score of **+104**. A third-party consultant the company itself engaged scored the same environment at **-142**, and the +104 stayed in SPRS for over two years afterward. The DOJ settlement (March 2025, $4.6M) cited that discrepancy along with an out-of-date SSP and incomplete controls. Gap: **246 points**. No breach, just a false certification.

**Case Study 3: Ntiva-Style MSP Baseline**
MSPs like Ntiva (MSP 501-ranked) deliver "managed IT," but the contractors they onboard typically start around **-150**: no centralized logging, ad-hoc patching, weak Active Directory hygiene. One Kieri Solutions client paid $80K for a GCC High migration and received zero policies and misconfigured permissions. **Gap to compliant: 18–24 months, $200K+.**

These aren't outliers. CorpInfoTech assessors review 4,000+ pages before an assessment and interview procurement and HR, not just IT. OSIbeyond requests 254 evidence items; screenshots more than 30 days old are rejected.

## Root Causes: Five Systematic Errors Inflating Your Score

The gap traces to misapplying the DoD Assessment Methodology. Contractors score "Met" where assessors demand "Met, with evidence."

**1. Partial Implementation = Not Met**
MFA on email? Scored Met. Reality: 3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts. The only partial credit the methodology allows is a 3-point deduction when privileged and remote access are covered but general users are not; MFA that skips VPN, RDP, or privileged logons gets the full 5-point hit. **73% failure rate per CyberSheath.**
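The scoring arithmetic from the first section and the 3.5.3 partial-credit rule above, as a runnable Python example added here (it is not code from the original post or from any vendor named on this page). It assumes a deliberately partial weight table covering only the controls this page discusses, and the names `Finding`, `sprs_score`, `mfa_deduction` and `case_study_1` are this example's own; the findings in `case_study_1` are constructed to mirror Case Study 1, not real assessment data.

```python
"""SPRS score arithmetic per the DoD NIST SP 800-171 Assessment Methodology.

Added example, not code from the original post. Start at +110, subtract each
unmet control's weight (1, 3 or 5 points), never go below -203. Applies the
two partial-credit rules the methodology defines (3.5.3 MFA, 3.13.11 FIPS)
and refuses to score an assessment that has no System Security Plan (3.12.4).
"""
from dataclasses import dataclass

MAX_SCORE = 110
MIN_SCORE = -203  # 110 minus the 313 deduction points the full 110-control table carries

# Assumption: a PARTIAL weight table with only the controls this page names.
# The real table (Annex A of the methodology) has 110 entries. Any control
# absent from a findings list is treated as "not assessed", which is an error,
# not a Met.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5,                 # limit system access / transactions
    "3.3.1": 5, "3.3.2": 3, "3.3.5": 5,     # audit logs, user traceability, correlation
    "3.5.1": 5, "3.5.2": 5, "3.5.3": 5,     # identify, authenticate, MFA
    "3.6.1": 5, "3.6.2": 3,                 # IR capability, incident tracking
    "3.13.11": 5,                           # FIPS-validated cryptography
}


@dataclass
class Finding:
    """One assessor result. Flags after `met` only matter for 3.5.3 / 3.13.11."""
    control: str
    met: bool = False
    mfa_privileged: bool = False      # MFA enforced for privileged accounts (local + network)
    mfa_remote: bool = False          # MFA enforced on VPN / RDP / other remote access
    mfa_general: bool = False         # MFA enforced for all general network users
    encrypted_not_fips: bool = False  # encryption in use, modules not FIPS-validated


def mfa_deduction(privileged: bool, remote: bool, general: bool) -> int:
    """3.5.3: 0 if MFA covers everyone; 3 if it covers privileged and remote
    access but not general users; otherwise the full 5 points. Email-only MFA
    leaves privileged and remote access uncovered, so it costs 5."""
    if privileged and remote and general:
        return 0
    if privileged and remote:
        return 3
    return 5


def fips_deduction(encrypted_not_fips: bool) -> int:
    """3.13.11: 3 points if encryption exists but is not FIPS-validated, else 5."""
    return 3 if encrypted_not_fips else 5


def deduction(f: Finding, weights: dict = WEIGHTS) -> int:
    """Points to subtract for a single finding."""
    if f.control == "3.12.4" and not f.met:
        raise ValueError("3.12.4 not met: without an SSP the assessment cannot be scored")
    if f.met:
        return 0
    if f.control == "3.5.3":
        return mfa_deduction(f.mfa_privileged, f.mfa_remote, f.mfa_general)
    if f.control == "3.13.11":
        return fips_deduction(f.encrypted_not_fips)
    return weights[f.control]


def sprs_score(findings: list, weights: dict = WEIGHTS) -> int:
    """Score a complete assessment. Every control in `weights` needs a finding:
    a control nobody looked at is a scope gap, not a Met."""
    missing = sorted(set(weights) - {f.control for f in findings})
    if missing:
        raise ValueError(f"controls not assessed: {missing}")
    total = sum(deduction(f, weights) for f in findings)
    return max(MIN_SCORE, MAX_SCORE - total)


def worst_case(weights: dict = WEIGHTS) -> int:
    """Score with nothing implemented; equals -203 only once the full table is loaded."""
    return max(MIN_SCORE, MAX_SCORE - sum(weights.values()))


def case_study_1() -> int:
    """Constructed findings mirroring the page's Case Study 1: MFA on email only,
    encryption present but not FIPS-validated, no correlated log review,
    everything else in the partial table Met."""
    findings = [Finding(c, met=True) for c in WEIGHTS
                if c not in ("3.5.3", "3.13.11", "3.3.5")]
    findings += [
        Finding("3.5.3", mfa_general=True),           # email MFA only -> 5 points
        Finding("3.13.11", encrypted_not_fips=True),  # encrypted, not validated -> 3 points
        Finding("3.3.5"),                             # no correlated audit review -> 5 points
    ]
    return sprs_score(findings)


if __name__ == "__main__":
    print("Case Study 1 with the partial table:", case_study_1())
    print("worst case with the partial table:", worst_case())
```

With the full Annex A table loaded, `worst_case()` returns -203 and `sprs_score()` of an all-Met assessment returns 110; with the partial table above the three Case Study 1 findings alone cost 13 points. The two `ValueError` paths are the practitioner caveats: an SSP that does not exist means no score at all, and a control you never assessed cannot be counted as Met, which is exactly how the scope errors in the next sections inflate self-assessments.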

**2. Policy Existence ≠ Enforcement**
AUP policy on file? Scored Met. But unsigned, never communicated, no enforcement evidence? Not Met, and that pattern repeats across 60+ controls. Boeing: **"Paperwork is 60% of the game."**

**3. Scope Creep Ignored**
CUI enclave secured? Great, but home offices, mobile devices, and after-hours cleaning staff with physical access all touch CUI, so all of them are in scope. A 150-employee firm that scopes only 15 users can post a perfect score on paper while the other 135 are never assessed.

**4. MSP Over-Reliance**
"The MSP handles endpoints." Without a Shared Responsibility Matrix showing which controls the MSP implements and the evidence that it does so to the DoD standard, those controls are Not Met. The MSP is in scope; its gaps are your gaps.

**5. Methodology Mismatch**
A Basic (self-assessment) confidence level is not the Medium or High (DIBCAC-conducted) assessment a DoD contract may require. No correlated log analysis? The audit controls tank (3.3.3–3.3.5).

Across DIBCAC's 117 assessments, the top failures were FIPS-validated cryptography (52%), MFA (73%), and the audit logging controls (in the top three).

## The Stakes: Inflated SPRS = FCA Liability + Prime Exclusion

**No "passing" SPRS threshold exists, but an accuracy requirement does.** DFARS 252.204-7020 demands a "complete and accurate" submission. Self-assess at +88 and an assessor then finds -30? Expect an adverse SPRS flag plus False Claims Act exposure.

**2025 DOJ haul: $51.8M (233% YoY).** MORSECORP, Georgia Tech ($875K, fake +98), RTX ($8.4M successor liability). **979 whistleblowers filed qui tam (FY2024 record).**

Primes enforce harder: Lockheed’s Exostar CCRA reds out low-SPRS suppliers. Northrop: “No POs for non-compliant.” 47% subs hit with flow-downs (Redspin 2025).

**CMMC Timeline Impact:**

| Self-Assessed | Audited Reality | CMMC Path |
|---------------|-----------------|-----------|
| +90 to +110 | +50 to +88 | 6–9 mo |
| +50 to +89 | +1 to +49 | 9–14 mo |
| +1 to +49 | -50 to 0 | 14–18 mo |
| Negative | below -50 | 18–24+ mo |

C3PAO backlog (97 C3PAOs against roughly 80K organizations needing assessment): 3–12 month waits. Start with an accurate SPRS score, or plan to requalify.

---

## Closing the Gap: Your Defensible SPRS Roadmap

**Step 1: Accurate Gap Assessment ($5K–20K, 2–4 weeks).** Practitioner-led, using the DoD methodology. Outputs: true SPRS score, control heatmap, scope map.

**Step 2: Quick Wins (30–60 days, +30–50 points).** MFA everywhere, EDR, training, USB blocking, account hygiene.

**Step 3: Documentation Overhaul (4–8 weeks).** SSP and POA&M with evidence narratives. 200–500 hours; outsource if your team is lean.

**Step 4: High-Weight Remediation (3–12 months).** SIEM and logging (3.3.x), FIPS-validated cryptography, IR testing. Build an enclave to shrink scope.

**Step 5: Mock Assessment ($15K–40K).** An RPO simulates the C3PAO assessment. Skipping it carries a high failure risk.

**Step 6: SPRS Resubmission.** Required annually; update after closing gaps.

**Pro Tip: Scope Reduction.** Map CUI flows and isolate CUI to 10–20% of assets. PreVeil enclave: 102 of 110 controls covered, $5K/yr.

Total to reach +88: **6–12 months, $100K–250K** (small business). Annual maintenance: $30K–50K.

---

## Get Your SPRS Gap Assessed Free

Inflated self-assessments cost time, money, and contracts. CMMCFirst's free readiness review flags common errors and estimates your true score and timeline.

[Schedule your SPRS reality check →](https://cmmcfirst.com/contact/)

---

## FAQ

**What's a realistic SPRS score pre-CMMC?**
+88 or higher signals readiness. Median audited: -20 to +40. Negative scores are common without a program.

**Does a negative SPRS score kill CMMC?**
No; it is remediable. But it signals an 18+ month path. Scope reduction accelerates it.

**Is my MSP an SPRS liability?**
The MSP is in scope. Its gaps deduct from your score. Demand a Shared Responsibility Matrix.

**How often must the score be updated?**
Annually, and within 30 days of any change affecting the score. C3PAO assessment results are posted to SPRS.

**Is there FCA risk from a bad SPRS score?**
Yes: the submission is certified "complete and accurate." MORSECORP paid $4.6M.

---

*Related reading:*
- *[SPRS Score Explained](/content/blog/sprs-score-explained-defense-contractors.md)*
- *[DOJ FCA CMMC Settlements](/content/blog/doj-false-claims-act-cmmc-settlements.md)*
- *[CMMC Level 2 Timeline](/content/blog/timeline-to-cmmc-certification-how-long.md)*