SPRS Score Calculator for Software & SaaS Providers
Prepare CMMC / NIST SP 800-171 scoring for SPRS — for software vendors and SaaS platforms that process DoD customers' CUI.
Software and SaaS providers that store, process, or transmit a customer's CUI are treated as External Service Providers, and any cloud offering handling CUI must meet the FedRAMP Moderate baseline or equivalency. Getting your scope, shared-responsibility boundary, and Customer Responsibility Matrix right is what keeps both you and your customers defensible.
A CSP handling CUI must meet FedRAMP Moderate (or equivalency) under DFARS 252.204-7012.
What you need to know
- Your SPRS score starts at a baseline of 110 and subtracts a weighted value (5, 3, or 1) for each unimplemented requirement — it can go negative (as low as −203).
- A score of 110 is a Final self-assessment; 88–109 is Conditional with a POA&M; below 88 you can't affirm a Conditional or Final status.
- A Conditional Level 2 self-assessment is valid for 180 days, which is the window for closing your POA&M; a Final self-assessment is valid for 3 years with annual affirmations.
Clauses that likely apply to you
DFARS 252.204-7012
DFARS 252.204-7019
DFARS 252.204-7021
DFARS 252.204-7020
Know your score before you submit
Run a full 110-requirement self-assessment free — no account required to see your score.
Frequently asked questions
- Are software vendors selling to DoD in scope?
  If your product stores, processes, or transmits a customer's CUI, you are an External Service Provider (and, for cloud, a Cloud Service Provider) in scope — and CUI-handling cloud must meet FedRAMP Moderate or equivalency.
- We are SaaS — do we self-assess, or does our customer?
  Your service is assessed as part of the customer's assessment. You document your responsibilities in a Customer Responsibility Matrix and your SSP.
- What does the FedRAMP requirement mean for us?
  A CSP handling CUI must meet the FedRAMP Moderate baseline or equivalency under DFARS 252.204-7012 — plan for the bodies of evidence that demonstrate it.
Related guides
Go deeper on scoring, levels, and POA&Ms.
- How to Calculate Your SPRS Score (NIST SP 800-171): A step-by-step guide to the SPRS score: the DoD Assessment Methodology, how the 1/3/5 point weights work, why your score can go negative, and how MFA and FIPS partial credit are scored.
- CMMC Level 1 vs Level 2: Which Do You Need? FCI vs CUI, FAR 52.204-21 vs NIST SP 800-171, and the NARA Registry / DoD OIG test that decides whether Level 2 needs a self-assessment or a C3PAO certification.
- What Is a POA&M? (And Which Gaps Are Eligible): A Plan of Action and Milestones lets you reach a Conditional Level 2 status with a few open gaps — but not every gap qualifies. Here are the 32 CFR 170.21 eligibility rules and the 180-day clock.
- How to Prepare for a CMMC / SPRS Self-Assessment: A practical, in-order walkthrough: define your scope, confirm your SSP, assess at the objective level, build your POA&M, affirm, and enter your summary in SPRS.