CMMC · April 2026 · 11 min read

CMMC L2 in Plain English: The 110-Point DoD Scoring System Explained

The SPRS scoring system behind CMMC Level 2 looks intimidating at first. Here is how the 110-point model works, which requirements carry the most weight, and how automated evidence capture supports your score.

The 110-Point Starting Score

The Supplier Performance Risk System (SPRS) is where the DoD records your NIST SP 800-171 self-assessment score, the number it uses to judge whether your organization can be trusted with Controlled Unclassified Information (CUI). The arithmetic comes from the NIST SP 800-171 DoD Assessment Methodology: you start at 110 points (one per requirement at full implementation) and subtract a weighted penalty for each requirement that is not implemented. Because the penalties add up to more than 110, the floor is -203, not zero. A current score in SPRS is a precondition for award on contracts carrying DFARS 252.204-7019/7020, and it is the first thing a contracting officer and, later, a C3PAO will look at. It does not decide which CMMC level you need; the solicitation sets that based on the information you will handle. There is no pass mark for the self-assessment submission itself, but CMMC Level 2 certification requires 110, with conditional certification possible at 88 or above (80 percent) if every remaining gap qualifies for a Plan of Action and Milestones (POA&M) and is closed within 180 days. Surveys of contractor self-assessments commonly cite typical scores in the 60 to 80 range, which explains why so many organizations fail CMMC readiness reviews.

How Points Are Deducted: The Weighted System

You do not lose the same number of points for every unimplemented requirement. The DoD Assessment Methodology assigns each requirement a weight of 5, 3 or 1 point according to how much its absence exposes CUI; this page calls those Tier 1, Tier 2 and Tier 3 for short. One requirement, 3.12.4 (System Security Plan), has no point value at all, but not because it is harmless: without an SSP the assessment cannot be completed, so treat it as a gate rather than a free pass. Two requirements, 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), carry a reduced 3-point deduction for partial implementation, described below. The weighting creates an obvious incentive: closing a single 5-point gap is worth five 1-point gaps. Note, though, that the change management requirements are not uniformly heavy. Only 3.4.5 (access restrictions associated with changes) is a 5-point item; 3.4.3 and 3.4.4 are 1 point each. Automated change evidence still matters because a C3PAO checks every requirement in scope regardless of weight, but do not expect the 3.4.x family alone to move your score much.

The Change Management Requirements: Which Ones Matter Most

CMMC Level 2 is the 110 requirements of NIST SP 800-171 (Revision 2 in the current rule), grouped into 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. Change management lives in Configuration Management. Requirement 3.4.3 (track, review, approve or disapprove, and log changes) costs 1 point. Requirement 3.4.4 (analyze the security impact of changes prior to implementation) costs 1 point. Requirement 3.4.5 (define, document, approve and enforce physical and logical access restrictions associated with changes) costs 5 points. Together they account for 7 deduction points, so closing all three lifts an otherwise unchanged score by 7. That alone rarely turns a failing score into 110, but for software teams handling CUI these are the requirements an assessor probes hardest, because the evidence is a per-change record (who requested, who reviewed, what was analyzed, who merged) rather than a policy document.

Two Partial-Credit Requirements: MFA and FIPS

Two requirements carry a reduced deduction for partial implementation instead of the all-or-nothing treatment the other 108 scored requirements get. Requirement 3.5.3 (multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts) costs 5 points if MFA is absent, but only 3 points if MFA covers remote and privileged access and is missing only for general users. Requirement 3.13.11 (FIPS-validated cryptography to protect the confidentiality of CUI) costs 5 points if CUI is not encrypted at all, but 3 points if it is encrypted with cryptography that is not FIPS-validated. The practical trap runs the other way from what many contractors expect: a team that has MFA everywhere except local workstation logins, or that encrypts everything with a non-validated OpenSSL build, often records these as implemented and overstates its score by 3 points each. Check the cryptographic module's CMVP certificate number and the actual MFA scope before you claim either one.
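The arithmetic above is small enough to write down. The following is an added example, not MergeWhy's scoring engine: it applies the 5/3/1 weights, the partial-credit rule for 3.5.3 and 3.13.11, the unscored SSP gate, and the CMMC Level 2 conditional-certification test. The weight table is a constructed subset covering only the requirements named on this page (a real run loads all 110 from Annex A of the DoD Assessment Methodology), and the POA&M eligibility rules are my reading of 32 CFR 170.21, which you should verify against the current rule text.

```python
"""Added example (not MergeWhy's engine): SPRS arithmetic from the NIST SP 800-171
DoD Assessment Methodology, with partial credit, the SSP gate, and the CMMC L2
conditional-certification test. WEIGHTS is a constructed SUBSET of Annex A."""
from dataclasses import dataclass, field
from typing import Dict, Optional

START_SCORE = 110
MIN_CONDITIONAL = 88                          # 0.8 * 110: floor for conditional certification
SSP = "3.12.4"                                # no point value; without an SSP nothing can be scored
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # reduced deduction when partially implemented
# Never allowed on a POA&M (reading of 32 CFR 170.21; verify against the rule before relying on it)
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

# Constructed subset of Annex A weights. None marks the unscored SSP requirement.
WEIGHTS: Dict[str, Optional[int]] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1,
    "3.4.3": 1, "3.4.4": 1, "3.4.5": 5,
    "3.5.1": 5, "3.5.2": 5, "3.5.3": 5,
    "3.12.4": None,
    "3.13.11": 5,
}

@dataclass
class Assessment:
    assessable: bool
    score: Optional[int] = None
    deductions: Dict[str, int] = field(default_factory=dict)   # requirement -> points lost

def sprs_score(weights: Dict[str, Optional[int]], status: Dict[str, str]) -> Assessment:
    """110 minus weighted deductions. status values: implemented / partial / not_implemented.
    A requirement absent from `status` is treated as not implemented (the conservative choice)."""
    if status.get(SSP) != "implemented":
        return Assessment(assessable=False)        # no SSP: DoD records no score at all
    deductions: Dict[str, int] = {}
    for req, weight in weights.items():
        if weight is None:
            continue
        state = status.get(req, "not_implemented")
        if state == "implemented":
            continue
        if state == "partial" and req in PARTIAL_CREDIT:
            deductions[req] = PARTIAL_CREDIT[req]  # only 3.5.3 and 3.13.11 earn partial credit
        else:
            deductions[req] = weight               # "partial" anywhere else is just unimplemented
    return Assessment(True, START_SCORE - sum(deductions.values()), deductions)

def conditional_cert_allowed(weights: Dict[str, Optional[int]], status: Dict[str, str]) -> bool:
    """CMMC L2 conditional certification: score >= 88 and every open item is POA&M-eligible
    (1-point items only, never the five listed above; 3.13.11 may stay open only if
    encryption exists but is not FIPS-validated)."""
    a = sprs_score(weights, status)
    if not a.assessable or a.score < MIN_CONDITIONAL:
        return False
    for req in a.deductions:
        if req in NEVER_ON_POAM:
            return False
        if req == "3.13.11" and status.get(req) == "partial":
            continue                               # the single allowed exception
        if weights[req] > 1:
            return False
    return True

# Constructed status: everything in the subset implemented except four items.
SAMPLE_STATUS = {req: "implemented" for req in WEIGHTS}
SAMPLE_STATUS.update({
    "3.4.3": "not_implemented",    # -1
    "3.4.4": "not_implemented",    # -1
    "3.5.3": "partial",            # MFA for remote/privileged only: -3 instead of -5
    "3.13.11": "not_implemented",  # CUI stored unencrypted: -5
})

if __name__ == "__main__":
    a = sprs_score(WEIGHTS, SAMPLE_STATUS)
    print(a.score, a.deductions)                              # 100 and the four deductions
    print(conditional_cert_allowed(WEIGHTS, SAMPLE_STATUS))   # False: 3.5.3 is a 5-point item
```

The sample is the case the section warns about: a score of 100 looks healthy, but neither open 5-point item can sit on a POA&M, so the organization is not eligible for conditional certification until MFA covers all users and CUI is at least encrypted. Swapping 3.5.3 to implemented and 3.13.11 to partial gives 105 and eligibility.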

Why Organizations Score Below 100

Surveys of contractor self-assessments commonly cite scores in the 60 to 80 range out of 110, and the pattern of gaps is familiar. Typical examples: change management requirements unimplemented (7 points), access control requirements incomplete (15-20 points), incident response capabilities missing (10-15 points), and audit logging and monitoring insufficient (10-15 points). These accumulate because contractors often treat security as infrastructure only (firewalls, encryption, access systems) and neglect process requirements (change approval, authorization flows, incident response procedures). Process gaps are invisible to vulnerability scanners: a contractor with excellent firewall rules and patch management can still score in the 70s if its change management is informal and untracked, its audit logs are never reviewed, and its incident response plan has never been exercised.

How Automated Evidence Boosts Your Score

MergeWhy includes a native SPRS scoring engine that maps your change evidence to NIST SP 800-171 requirements in real time. As you automate change management evidence capture (Requirements 3.4.3, 3.4.4, 3.4.5), the status of those requirements in your working score updates automatically. The engine applies the 5/3/1 weights and the partial-credit rules for MFA and FIPS. When you enable the GitHub App and start merging pull requests with captured evidence (authorization, peer review, testing, approval), the scoring engine evaluates each change against the control requirements and indicates whether you are meeting the control. For example, Requirement 3.4.3 requires that changes be tracked, reviewed, approved or disapproved, and logged. If every merged PR carries a recorded review and approval from someone other than its author, and the system captures it, the engine marks 3.4.3 as PASS; a single merge without approval in the period is a gap, because the requirement is about the process, not the average PR. Do this consistently and your SPRS score reflects the implementation, with the evidence already assembled rather than hand-collected at assessment time. You still conduct and attest to the self-assessment yourself.

The CUI Boundary Constraint: Self-Hosted Evidence Collection

Here is the catch that catches most software contractors: if your source code is CUI, it cannot be handed to any service outside your assessed boundary unless that service meets the same bar you do. DFARS 252.204-7012 requires a cloud service provider that stores, processes or transmits CUI on your behalf to meet the FedRAMP Moderate baseline or equivalent, which rules out most cloud-based compliance tools that work by uploading repository contents to a third-party SaaS platform. For contractors in this situation, the viable approach is self-hosted evidence collection. MergeWhy includes an open-source Docker agent that runs inside your network, evaluates your change evidence locally using the same scoring engine and SPRS calculation as the SaaS platform, and transmits only structured evidence scores and control pass/fail results. Your source code never leaves your facility. Only the evidence that your code changes are authorized, reviewed, tested, and approved gets transmitted to the MergeWhy SaaS platform for dashboarding and reporting. Before you rely on that, review exactly what the agent emits: pull request titles, branch names, file paths and commit messages can carry CUI on their own, so the outbound record should contain opaque change references and pass/fail results rather than free text, and the enclave diagram in your SSP should show the agent as an egress point.
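To make the two preceding sections concrete, here is an added example of the per-change evaluation described under "How Automated Evidence Boosts Your Score" together with the boundary-safe export just discussed. It is not MergeWhy's agent or engine: the record field names, the three sample pull requests and the set of authorized mergers are all constructed, and the checks are one reasonable reading of 3.4.3, 3.4.4 and 3.4.5, not the DoD's assessment objectives verbatim.

```python
"""Added example (not MergeWhy's code): evaluate merged-PR records against
3.4.3 / 3.4.4 / 3.4.5, list the failing changes, and emit a record that carries
no repository text across the CUI boundary. All sample data is constructed."""
import hashlib
import hmac
import json
from typing import Dict, List

CONTROLS = ("3.4.3", "3.4.4", "3.4.5")

# 3.4.5: roles permitted to apply changes to the protected branch (constructed).
AUTHORIZED_MERGERS = {"bob", "erin"}

# Constructed merge records; a real collector would fill these from the Git host's API.
# Titles, paths and analysis text stand in for fields that may themselves be CUI.
PRS: List[dict] = [
    {"id": 101, "title": "Add export filter for CUI dataset", "author": "alice",
     "approvals": ["bob"], "impact_analysis": "Changes egress path; data flow reviewed.",
     "merged_by": "bob", "files": ["svc/export.py"]},
    {"id": 102, "title": "Hotfix prod config", "author": "carol",
     "approvals": [], "impact_analysis": "Config only; no CUI handling touched.",
     "merged_by": "carol", "files": ["deploy/prod.yaml"]},
    {"id": 103, "title": "Rotate signing key handling", "author": "dave",
     "approvals": ["dave"], "impact_analysis": "Key path changes; HSM access unchanged.",
     "merged_by": "erin", "files": ["crypto/keys.py"]},
]

def evaluate_pr(pr: dict) -> Dict[str, bool]:
    """Per-change checks. An author approving their own change is not a review."""
    independent_approvals = [a for a in pr["approvals"] if a != pr["author"]]
    return {
        "3.4.3": bool(independent_approvals),               # tracked, reviewed, approved, logged
        "3.4.4": bool(pr["impact_analysis"].strip()),       # security impact analyzed before merge
        "3.4.5": pr["merged_by"] in AUTHORIZED_MERGERS,     # applied only by an authorized role
    }

def control_status(prs: List[dict]) -> Dict[str, bool]:
    """A requirement counts as implemented for the period only if every change satisfied it."""
    results = [evaluate_pr(pr) for pr in prs]
    return {c: all(r[c] for r in results) for c in CONTROLS}

def gaps(prs: List[dict]) -> Dict[str, List[int]]:
    """Which changes broke which requirement: the list an assessor will ask to see."""
    out: Dict[str, List[int]] = {c: [] for c in CONTROLS}
    for pr in prs:
        for c, ok in evaluate_pr(pr).items():
            if not ok:
                out[c].append(pr["id"])
    return out

def export_record(pr: dict, key: str) -> dict:
    """What may cross the boundary: a keyed, opaque change reference plus pass/fail flags.
    The key stays in the enclave so the SaaS side cannot enumerate low-entropy PR numbers.
    No title, path, author name or analysis text leaves."""
    ref = hmac.new(key.encode(), str(pr["id"]).encode(), hashlib.sha256).hexdigest()[:16]
    return {"ref": ref, "controls": evaluate_pr(pr)}

def export_batch(prs: List[dict], key: str) -> str:
    return json.dumps([export_record(pr, key) for pr in prs], sort_keys=True)

if __name__ == "__main__":
    print(control_status(PRS))   # 3.4.4 passes; 3.4.3 and 3.4.5 fail on PRs 102 and 103
    print(gaps(PRS))
    print(export_batch(PRS, key="enclave-only-secret"))
```

Two design points carry over to any real collector. First, the period status is an `all()`, not a ratio: one unreviewed hotfix (PR 102) fails 3.4.3 and 3.4.5 for the whole window, which is how an assessor will read it. Second, the export contains only an HMAC of the change identifier and booleans; if you need to drill into a failing change, resolve the reference back inside the enclave rather than shipping the title or path outward.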

The SPRS Portal Submission: What You Need

When you submit to SPRS, the portal takes the summary score itself plus a few fields that describe it: the assessment date, the scope (enterprise, enclave or contract), the name, version and date of the System Security Plan assessed, the CAGE codes covered, and, if the score is below 110, the date by which all requirements will be implemented per your POA&M. The supporting evidence is not uploaded; it is what you must be able to produce when DoD or a C3PAO asks for it. Most contractors assemble it manually by running a CMMC assessment tool, filling out spreadsheets, and compiling artifacts. With MergeWhy, your SPRS score is calculated continuously from live evidence collection. You can export a report at any time showing your current score, the point deductions by family, the evidence trail for each implemented control, and the gaps remaining, so the portal entry becomes a transcription rather than a scramble, and a reviewer who questions the number can be shown months of evidence history behind it.

Preparing for C3PAO Assessment: Phase 2 Readiness

Phase 2 of CMMC enforcement (November 2026) brings third-party assessment into the Level 2 solicitations that require it. Third-party assessors (C3PAOs) are more rigorous than self-assessment. They will ask to see evidence for every requirement in scope, they will test that evidence for completeness and consistency, and they will issue findings for gaps. Organizations that automate evidence capture now will have months of clean, consistent evidence when the C3PAO arrives; organizations that wait will face the same cramming that makes SOC 2 audits painful. Assessors generally prefer structured, machine-generated evidence over hand-assembled packages because it reduces assessment time and lets them verify a sample against the full record. Start automating change evidence now so you are ready when your assessment date arrives.

The Practical Path Forward

Start with the high-value requirements: change management (3.4.3, 3.4.4, 3.4.5), access control (3.1.1, 3.1.2, 3.1.3), and identification and authentication (3.5.1, 3.5.2). Those 8 requirements carry 28 deduction points between them (five 5-point items and three 1-point items) out of the 313 possible deductions across all 110, so automating evidence for these alone can add up to 28 points to a score in the 70s if all eight are currently unimplemented. Install the GitHub App in your development environment. For contractors handling CUI, deploy the self-hosted collector agent inside your network. Configure your framework selection for CMMC Level 2. (Level 1 is a separate pass/fail self-assessment against the FAR 52.204-21 basic safeguarding requirements and has no SPRS point score, so the scoring engine does not apply to it.) Start merging PRs with evidence capture. Watch your working score improve. Aim to have solid evidence coverage for the 5-point requirements before your C3PAO assessment. The earlier you start, the more evidence history you build, and the stronger your assessment position becomes.

Ready to automate your change evidence?

Install the GitHub App and start capturing compliance evidence from your first PR merge. Free 14-day trial, no credit card.

Get Started Free