SPRS score accuracy
Why most SPRS calculators give you the wrong score
A free, single-page calculator hands you a number in seconds. The problem is how it gets there: it scores at the requirement level and skips three things the DoD assessment methodology actually requires. The result can be off by points — or wrong about whether you can submit at all.
See the difference
Pick a real scenario and compare the estimate a requirement-level calculator produces with the objective-level result the methodology requires. Figures are illustrative examples.
Scenario · IA.L2-3.5.3: You enforce multi-factor authentication for remote and privileged accounts — but not yet for all general users.
A yes/no tool asks “Do you use MFA?”, takes the “yes,” and counts 3.5.3 as fully met — zero deduction.
3.5.3 has three levels: full coverage (0), remote/privileged only (−3), none (−5). Partial coverage is a −3 — so the real score is 107, not 110.
A requirement-level tool tells you you’re Final. You’re actually Conditional.
Source: DoD Assessment Methodology v1.2.1 (3.5.3 partial credit)
Three things requirement-level tools miss
The 110 requirements break down into 319 assessment objectives. A requirement is Met only when every applicable objective is met — if any one is Not Met, the whole requirement is Not Met (an N/A objective counts as Met). A tool that asks one yes/no question per requirement can’t see a requirement that’s 80% done — so it scores it as fully met and overstates your number.
Source: NIST SP 800-171A · 32 CFR 170.24(b)
Two requirements are scored on a sliding scale, not a binary. Multi-factor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) each deduct 0, 3, or 5 points depending on coverage — MFA for remote/privileged users only is a −3, not a −5 or a 0; encryption that isn’t FIPS-validated is a −3, not “met.” Binary tools collapse these to yes/no and miss the middle.
Source: DoD Assessment Methodology v1.2.1
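The objective roll-up and the 0/3/5 sliding scale described above can be compared against a one-question-per-requirement estimate in a few lines. This is an added example, not SentryNexus or DoD code; the 110 baseline and the 0/3/5 scale come from this page, while `EXAMPLE-1`, its weight, its objective findings and the yes/no answers are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional

BASELINE = 110  # score when every requirement is Met (from the page)
# Sliding-scale deductions the page gives for 3.5.3 and 3.13.11.
PARTIAL_CREDIT = {"full": 0, "partial": 3, "none": 5}

@dataclass
class Requirement:
    req_id: str
    weight: int                      # deduction when Not Met: 5, 3 or 1
    objectives: dict = field(default_factory=dict)  # objective -> MET / NOT_MET / NA
    coverage: Optional[str] = None   # set only for sliding-scale requirements

def is_met(req):
    """Met only when every objective is MET or NA; unassessed counts as Not Met."""
    return bool(req.objectives) and all(
        finding in ("MET", "NA") for finding in req.objectives.values())

def deduction(req):
    if req.coverage is not None:     # 3.5.3 / 3.13.11 style sliding scale
        return PARTIAL_CREDIT[req.coverage]
    return 0 if is_met(req) else req.weight

def objective_level_score(reqs):
    """Requirements not listed are assumed Met in this sketch."""
    return BASELINE - sum(deduction(r) for r in reqs)

def requirement_level_score(reqs, answers):
    """What a yes/no-per-requirement tool computes: full weight or nothing."""
    return BASELINE - sum(r.weight for r in reqs if not answers[r.req_id])

# Constructed sample: MFA for remote/privileged accounts only, plus a
# hypothetical 3-point requirement with four of five objectives satisfied.
SAMPLE = [
    Requirement("3.5.3", weight=5, coverage="partial"),
    Requirement("EXAMPLE-1", weight=3, objectives={
        "a": "MET", "b": "MET", "c": "NA", "d": "MET", "e": "NOT_MET"}),
]
ANSWERS = {"3.5.3": True, "EXAMPLE-1": True}  # "yes, we do that"

if __name__ == "__main__":
    print("yes/no estimate:", requirement_level_score(SAMPLE, ANSWERS))
    print("objective-level:", objective_level_score(SAMPLE))
```

The sketch computes the score only; it does not decide POA&M eligibility or CMMC status.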
A score at or above 88 is only part of qualifying for a Conditional self-assessment. You also can’t have any high-weight gap on your POA&M, and six specific requirements can never be deferred at all. If one of those is Not Met, the answer is “No CMMC Status” — no matter how high the number. A score-only calculator can’t tell you that, so it tells you you’re fine when you aren’t.
Source: 32 CFR 170.21
Side by side
| Capability | Most free SPRS calculators | SentryNexus |
|---|---|---|
| Scores the 110 requirements | | |
| Objective-level assessment (319 objectives) | | |
| Correct partial credit (3.5.3 MFA · 3.13.11 FIPS) | Estimate | |
| POA&M-eligible vs disqualifying split (32 CFR 170.21) | | |
| Asset scoping (32 CFR 170.19) | | |
| Validity & reaffirmation tracking | | |
| Saved progress & resume | | |
| Deliverables (SSP, POA&M, evidence, exports) | | |
| Prepares the exact SPRS entry fields | Estimate | |
“Most free SPRS calculators” describes the common single-page, lead-magnet tools as a category — no specific product is named, and individual tools vary.
Get a score you can actually defend
Run the full 110-requirement, objective-level self-assessment free — no account needed — and see your real score, status, and POA&M-eligibility before you enter anything in SPRS.
Sources
- NIST SP 800-171A — assessment objectives and Examine/Interview/Test methods (the 319 objectives across the 110 requirements).
- DoD Assessment Methodology for NIST SP 800-171, v1.2.1 — baseline of 110, weighted deductions (5 / 3 / 1), and the 3.5.3 / 3.13.11 partial-credit rules.
- 32 CFR 170.21 — POA&M-eligibility: the 88/110 threshold, high-weight limits, and the six requirements that can’t be deferred.
- 32 CFR 170.24(b) — the Met / Not Met / N/A finding model (N/A scored as Met).
- 32 CFR 170.19 — CMMC assessment scope and asset categories.
SentryNexus is a preparation and self-assessment tool. It is not affiliated with the DoD, does not connect to SPRS, and does not submit anything to the government. Figures on this page are illustrative examples, not compliance or legal advice.