What is CMMC Level 2 and who needs it?

CMMC Level 2 requires compliance with all 110 controls from NIST SP 800-171 Rev 2. Any Defense Industrial Base (DIB) contractor that handles Controlled Unclassified Information (CUI) on DoD contracts will need CMMC Level 2 certification. This affects an estimated 80,000+ contractors.

When is the CMMC certification deadline?

CMMC Phase 2 requires C3PAO third-party assessments starting November 2026. However, DoD is already including CMMC requirements in new contracts. Starting now gives you time to close gaps, build evidence, and avoid last-minute scrambles when every C3PAO is booked solid.

Can I use CMMC Command for my self-assessment?

Yes. The free tier gives you a complete 110-control NIST SP 800-171 assessment with real-time SPRS score calculation. You can document your status, identify gaps, and calculate your exact SPRS score — which you're already required to submit to SPRS.mil.

How does the AI compliance analyst work?

Our 8 AI features analyze your actual assessment data — not generic templates. The AI generates gap analysis narratives, remediation plans with effort estimates, SSP implementation statements, evidence sufficiency reviews, and realistic C3PAO interview questions. It never sees your uploaded documents or CUI — only control metadata.

Do you store CUI or sensitive documents?

No. CMMC Command stores compliance metadata — control statuses, SPRS scores, task assignments, and evidence references. Uploaded evidence files are scanned for CUI markers and we explicitly do not store controlled unclassified information.

How does CMMC Command compare to hiring a consultant?

A typical CMMC consultant charges $200–$400/hr, and most assessments require 80–200 hours ($16K–$80K). CMMC Command replaces the ongoing assessment tracking, gap analysis, document generation, and remediation planning — for $749/mo.

What integrations are supported?

We connect with 10 security tools: Microsoft Entra ID, Microsoft 365 & Defender, CrowdStrike Falcon, Google Workspace, AWS, SentinelOne, Tenable.io, KnowBe4, Jamf Pro, and Okta. Each integration auto-collects compliance evidence mapped to specific NIST controls.

Can I cancel anytime?

Yes. All plans are month-to-month with no long-term contracts. Annual plans offer 2 months free. If you cancel, you retain read-only access to your data for 30 days. We also support full data export.

How to Calculate Your SPRS Score: DOD Weight Table & Step-by-Step Guide

What Is the SPRS Score?

The Supplier Performance Risk System (SPRS) score is a numerical metric the Department of Defense uses to evaluate a contractor's cybersecurity posture against NIST SP 800-171. Every DIB contractor handling CUI must submit their SPRS score to SPRS.mil per DFARS 252.204-7019.

Your score ranges from -203 to 110, where 110 means every control is fully implemented and -203 means none are.

How the Score Is Calculated

The calculation is straightforward:

Start at 110 (the maximum score)
For each control that is not implemented and does not have a Plan of Action & Milestones (POA&M): subtract the DOD weight (1, 3, or 5)
Controls with a valid POA&M are not deducted — but you must have a documented remediation plan with milestones

The DOD Weight Categories

Weight	Meaning	Count	Max Impact
5	Critical — highest impact on CUI protection	43 controls	215 points
3	Significant — important supporting controls	35 controls	105 points
1	Supporting — foundational but lower risk	32 controls	32 points

Note: The maximum theoretical deduction is 313 points (215 + 105 + 32 - 110 = 203 below zero, which is -203). In practice, your score starts at 110, so the range is -203 to 110.

Score Interpretation

Score Range	Status	What It Means
90-110	Excellent	Minor gaps, likely audit-ready
50-89	Good	Solid foundation, targeted remediation needed
0-49	Fair	Significant gaps in multiple families
-50 to -1	Poor	Major cybersecurity program deficiencies
Below -50	Critical	Fundamental controls missing, high risk

Common SPRS Calculation Mistakes

1. Using Equal Weights

Many spreadsheet-based tools treat all controls equally. This produces wildly inaccurate scores. A weight-5 access control gap costs 5x more than a weight-1 supporting control.

2. Counting Partial as Full

Partially implemented controls should either have a POA&M (no deduction) or be counted as not implemented (full deduction). There's no "half credit" in SPRS scoring.

3. POA&M Without Milestones

A POA&M entry must include specific milestones and target dates. A vague "we plan to fix this" doesn't qualify and assessors will flag it.

4. Not Updating After Changes

Your SPRS score is a living metric. When you implement a control, your score should update. Many contractors submit once and forget to update as they remediate.

Prioritizing by Weight

The fastest way to improve your SPRS score is to focus on weight-5 controls first. Implementing a single weight-5 control recovers 5 points — the same as implementing five weight-1 controls.

High-Impact Control Families

Access Control (AC): 22 controls, many weight-5 — biggest single impact
System & Communications Protection (SC): 16 controls, heavy weight-5 concentration
Identification & Authentication (IA): 11 controls, critical for CUI protection
Audit & Accountability (AU): 9 controls, frequently flagged by assessors

Automated SPRS Calculation

Manually calculating your SPRS score from a spreadsheet is error-prone and time-consuming. CMMC Command calculates your score in real-time using the official DOD weight table as you assess each control.

Features include:

Real-time SPRS score that updates as you change control statuses
SPRS Impact Simulator — see exactly how implementing a specific control changes your score
SPRS trend history — track your score improvement over time
DOD-accurate weights — the exact same weight table used by SPRS.mil

Calculate your SPRS score for free — takes less than 30 minutes.