The Gap Assessment evaluates your organisation's current implementation status against all CMMC practices for your target level. It produces a domain-by-domain breakdown and calculates your SPRS (Supplier Performance Risk System) score, which is required for DoD contract eligibility.
SPRS Score Calculation
- Start at 110 points (perfect score = all 110 NIST SP 800-171 requirements fully implemented)
- Each unimplemented requirement deducts a weighted value (1, 3, or 5 points)
- The minimum possible score is -203
- Requirements on a POA&M still count as deductions until fully implemented
Score Interpretation
| 110 | Full implementation of all requirements |
| 90-109 | Strong posture; likely assessment-ready |
| 70-89 | Good progress; focused remediation needed |
| 40-69 | Moderate; significant work required |
| Below 40 | Early stages; major remediation needed |
Requirement Weights
| Weight | Deduction | Examples |
|---|
| 5 points | Critical | MFA, CUI encryption, audit logging |
| 3 points | Significant | Config baselines, IR plans, risk assessments |
| 1 point | Standard | Content reviews, maintenance tools, visitor records |
