144 CMMC
CMMC, NIST 800-171, SPRS, the deadline, and how 144 fits in — in plain English.
CMMC (Cybersecurity Maturity Model Certification) is the Department of Defense's program for verifying that its contractors protect sensitive information. For most companies handling Controlled Unclassified Information (CUI), the relevant bar is CMMC Level 2, which is built on the security requirements in NIST SP 800-171.
NIST SP 800-171 is the federal standard that defines how non-government systems should protect CUI. Revision 2 contains 110 security requirements ("controls") grouped into 14 families — things like access control, multifactor authentication, audit logging, and incident response. CMMC Level 2 essentially means "implement all 110."
The Supplier Performance Risk System (SPRS) score is how the DoD measures your NIST 800-171 progress. You start at 110 and subtract points for each control you haven't implemented (1, 3, or 5 points depending on the control). The scale runs from −203 to 110. A score of 88 or higher, with a plan to close the rest, is the threshold for conditional eligibility.
The phased CMMC rollout makes Level 2 requirements a condition of new DoD contracts, with the key date being November 10, 2026. After that, contractors who can't demonstrate compliance risk losing the ability to win or keep covered work. Because remediation takes months, the practical deadline to start is now.
No. 144 is a readiness tool. It gets you prepared so that when an accredited assessor evaluates you, you pass. Official certification can only be issued by a Certified Third-Party Assessment Organization (C3PAO) after a formal assessment.
A C3PAO is a Certified Third-Party Assessment Organization: an accredited firm authorized to perform the official CMMC Level 2 assessment that results in certification. You'd engage one after you're ready. 144 helps you get to that point.
The System Security Plan (SSP) describes how you meet each control. The Plan of Action & Milestones (POA&M) lists the gaps you haven't closed yet and how you'll fix them. Both are documents an assessor expects to see, and 144 generates drafts of each from your assessment.
No — by design. The evidence register records what your proof is and where it lives in your own systems; it never stores the files themselves. Your Controlled Unclassified Information stays with you and never touches our servers.
No. 144 tells you exactly what to fix, in what order, and what it will cost — but turning on MFA, configuring your firewall, or writing a policy happens in your environment, by you or your IT provider. 144 is the guide and the system of record.
The SPRS calculator is free with no signup. The full app is a monthly subscription — see pricing. It's a fraction of the $20,000–$50,000+ a consultant typically charges for the same readiness work.
Yes. Many small contractors lean on an MSP — your IT partner can work through the same assessment alongside you.
That's exactly who it's built for. Every control is written in plain language, and the roadmap turns the 110-item standard into a simple, prioritized to-do list.
Start with your free SPRS score, or get in touch and we'll help.