Risk Assessments for CMMC Compliance: What DoD Contractors Need
March 19, 2026

For defense contractors, the question is no longer whether to conduct a cybersecurity risk assessment—it's how to do it correctly before a contracting officer or a Certified Third-Party Assessment Organization (C3PAO) does it for you. With CMMC 2.0's final rule in effect as of November 10, 2025, assessment results directly determine your eligibility for DoD contracts. A low SPRS score makes you a higher-risk supplier in a contracting officer's view. A failed C3PAO assessment can result in a conditional or failed CMMC certification with no path to contract award until remediated. And unlike previous compliance frameworks that operated largely on an honor system, CMMC introduces accountability mechanisms that make inaccurate self-assessments a potential False Claims Act liability. Understanding the risk assessment process from end to end—what it requires, what it costs, and where contractors most often fail—is foundational to building a successful CMMC program.
What Is an SPRS Score and How Is It Calculated?
The Supplier Performance Risk System (SPRS) is the DoD's authoritative database for contractor cybersecurity posture. Under DFARS clause 252.204-7019, defense contractors handling CUI must submit a current cybersecurity self-assessment score to SPRS prior to contract award, and must update that score at least every three years or after significant remediation.
The SPRS score is calculated using the DoD's NIST SP 800-171 Assessment Methodology:
- Maximum possible score: 110 — reflecting full implementation of all 110 NIST SP 800-171 controls.
- Starting point: 110 — each control that is not fully implemented results in a point deduction based on its assigned weight in the DoD Assessment Methodology.
- High-value controls: Controls in areas like Multi-Factor Authentication (3.5.3), Audit Logging (3.3.1/3.3.2), Malware Protection (3.14.2, 3.14.4), and Access Control carry 5-point values in some cases—meaning failing a single high-value control can significantly reduce your score.
- Typical starting score for unprepared contractors: approximately 25 — industry experience consistently shows that contractors who haven't intentionally implemented 800-171 controls score far below the 110 maximum when they first assess themselves honestly.
- Certification benchmark: 88 or higher — a score of 88 or higher may qualify a contractor for conditional CMMC Level 2 certification, but only if all controls that cannot be placed on a POA&M are fully implemented. A score below 88 disqualifies the contractor from conditional certification.
The DoD has made clear that the only fully acceptable SPRS score in the long term is 110—reflecting complete implementation of all 110 controls. Scores below 110 will be acceptable only while contractors remediate gaps under documented POA&Ms, but contracting officers are increasingly using SPRS scores as a risk-based differentiator when evaluating competing bids.
What Are the Three Types of CMMC Assessments?
CMMC 2.0 establishes a tiered assessment structure that matches the sensitivity of the contract:
- Level 1 Self-Assessment (Annual): Contractors handling only Federal Contract Information (FCI) conduct their own annual self-assessment against 15 FAR clause 52.204-21 requirements and enter results in SPRS. There is no third-party verification required at Level 1.
- Level 2 Self-Assessment (Every 3 Years): Some Level 2 contracts allow self-assessment. Contractors assess themselves against all 110 NIST SP 800-171 Rev. 2 controls using the DoD Assessment Methodology, enter their score in SPRS, and provide an annual affirmation to maintain CMMC status. Conditional status is allowed if POA&Ms are documented with closure within 180 days.
- Level 2 C3PAO Assessment (Every 3 Years): For contracts involving the most sensitive CUI, DoD requires an assessment by a Certified Third-Party Assessment Organization (C3PAO). C3PAOs are certified by the Cyber AB (formerly the CMMC Accreditation Body), and their assessors hold individual CMMC Certified Assessor (CCA) credentials. The assessment team evaluates evidence against all 110 controls through a combination of document review, interviews, and technical testing. Results are entered in SPRS by the C3PAO, and the CMMC certification is valid for three years from the assessment date, with annual affirmations.
- Level 3 DIBCAC Assessment (Every 3 Years): The highest-sensitivity CUI programs require a government-conducted assessment by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), evaluating 134 controls (110 from NIST 800-171 plus 24 enhanced controls from NIST 800-172).
What Does a C3PAO Assessment Actually Cost?
For small and mid-size defense contractors approaching CMMC Level 2 certification, the total investment is typically higher than anticipated—particularly for organizations that haven't previously implemented a structured cybersecurity program. Based on current market data from C3PAOs and compliance consultants:
- Small contractors (1-50 employees): Total first-year investment of approximately $75,000–$130,000, with C3PAO assessment fees in the $30,000–$50,000 range and preparation and technology costs adding another $35,000–$65,000. Annual ongoing maintenance runs $20,000–$30,000.
- Mid-size contractors (51-200 employees): Total first-year investment of approximately $130,000–$220,000, with assessment fees of $50,000–$80,000 and preparation costs of $65,000–$120,000.
- Large contractors (201-500 employees): Total first-year investment of approximately $220,000–$300,000.
The DoD itself estimates that the 3-year cost for small defense contractors averages $487,970 across the complete compliance lifecycle—a figure that underscores why CMMC preparation should be treated as a long-term operational investment, not a one-time project.
Critically, the assessment fee is only part of the cost. For contractors starting from a low compliance baseline (0-40% of controls implemented), technology and infrastructure remediation can represent 50% or more of total first-year costs. Contractors who begin with a mature security program spend significantly less on remediation.
What Controls Cannot Be on a POA&M—and Will Cause a Failed Assessment?
This is one of the most important—and least understood—aspects of CMMC Level 2 assessments. Under CMMC 2.0, some security controls are so fundamental that they cannot be deferred via a Plan of Action and Milestones (POA&M). Failing to implement these controls at the time of assessment results in a failed assessment—regardless of your overall score.
Controls that cannot be placed on a POA&M include (but are not limited to):
- Access Control: Controls 3.1.1, 3.1.2, 3.1.5 (least privilege), 3.1.12, 3.1.13 (remote access protection), 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.22
- Awareness and Training: Controls 3.2.1 and 3.2.2 (security awareness training for all users)
- Audit and Accountability: Controls 3.3.1, 3.3.2, 3.3.5 (audit logging and review)
- Configuration Management: Controls 3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8
- Identification and Authentication: Controls 3.5.1, 3.5.2, 3.5.3 (MFA), 3.5.10
Additionally, under the CMMC scoring rules, a conditional CMMC Level 2 certification requires a score of 88 or higher and a maximum of 47 controls on the POA&M. Only controls with lower point values are eligible for POA&M—high-value controls (3- to 5-point controls) that are deficient count heavily against your ability to achieve conditional status. This leaves an extremely small margin for error: at most 19-22 incomplete requirements while still qualifying for conditional certification.
Furthermore, CA.L2-3.12.4 (System Security Plan documentation) is a prerequisite for the entire assessment—without an adequately documented SSP, a C3PAO assessment cannot even proceed, resulting in an automatic failed assessment before any controls are evaluated.
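As an added example (not from the article or from NorthStar), the following Python turns the scoring rules above and the POA&M eligibility gates in this section into a small check: start at 110, deduct each deficient control's weight, require 88 or higher, and treat any deficient control from the no-POA&M list as a blocker. The control weights are a constructed excerpt and must be verified against the DoD Assessment Methodology annex, and the MFA partial-credit deduction is an assumption of this example rather than something the article states.

```python
# Added example (not from the article): SPRS arithmetic plus the article's
# conditional Level 2 gates. Control weights are a constructed excerpt of the
# DoD Assessment Methodology annex; verify each value against the annex.
MAX_SCORE = 110
CONDITIONAL_MIN = 88
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1,
    "3.2.1": 5, "3.2.2": 5, "3.3.1": 5, "3.3.2": 3,
    "3.4.1": 5, "3.4.2": 5, "3.5.1": 5, "3.5.2": 5,
    "3.5.3": 5, "3.14.2": 5, "3.14.4": 5,
}
# Excerpt of the controls the article lists as ineligible for a POA&M.
NO_POAM = {
    "3.1.1", "3.1.2", "3.1.5", "3.2.1", "3.2.2", "3.3.1", "3.3.2",
    "3.4.1", "3.4.2", "3.5.1", "3.5.2", "3.5.3",
}
# Assumed partial-credit rule (not stated in the article): MFA enforced only
# for privileged and remote access deducts 3 points instead of the full 5.
PARTIAL_CREDIT = {"3.5.3": 3}


def sprs_score(status):
    """status maps control id -> 'implemented' | 'partial' | 'missing'.
    Controls absent from status count as fully implemented."""
    score = MAX_SCORE
    for cid, state in status.items():
        if state == "implemented":
            continue
        deduction = WEIGHTS[cid]  # KeyError if the excerpt lacks the control
        if state == "partial" and cid in PARTIAL_CREDIT:
            deduction = PARTIAL_CREDIT[cid]
        score -= deduction
    return score


def conditional_eligibility(status):
    """Two gates from the article: score >= 88 and no deficient control
    from the no-POA&M list. Returns the score and what blocks or qualifies."""
    deficient = sorted(c for c, s in status.items() if s != "implemented")
    blockers = [c for c in deficient if c in NO_POAM]
    score = sprs_score(status)
    return {
        "score": score,
        "eligible": score >= CONDITIONAL_MIN and not blockers,
        "blockers": blockers,
        "poam_candidates": [c for c in deficient if c not in NO_POAM],
    }


# Constructed sample gap assessment: MFA only on privileged/remote accounts,
# audit review (3.3.2) and 3.1.20 not implemented -> 103, not eligible.
SAMPLE_STATUS = {"3.5.3": "partial", "3.3.2": "missing", "3.1.20": "missing"}
```

The sample scores 103, comfortably above 88, yet is still ineligible for conditional status because 3.3.2 and 3.5.3 are deficient no-POA&M controls, which is exactly the trap this section describes.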
What Are the Most Common Risk Assessment Failures for Defense Contractors?
Based on DIBCAC assessment data and C3PAO experience, the most frequent causes of failed or significantly deficient CMMC assessments include:
- Inadequate or missing System Security Plan (SSP): The SSP is the foundational document for CMMC. It must accurately describe your environment, identify all systems in scope, and document how each of the 110 controls is implemented. Many contractors either lack an SSP entirely, have one that doesn't reflect their actual systems, or have a generic template that wasn't tailored to their environment.
- Inflated SPRS self-assessments: Contractors often assess themselves higher than warranted, either from misunderstanding control requirements or from optimism bias. When a C3PAO assessment reveals a large gap between the self-assessment score and the actual implementation state, the contractor faces both a compliance gap and potential legal exposure for submitting inaccurate scores to SPRS.
- Missing MFA: Multi-factor authentication (control 3.5.3) cannot be on a POA&M. It is one of the most commonly cited deficiencies in DIBCAC assessments and one of the easiest to address—yet many small contractors still haven't fully implemented it across all CUI-accessing accounts.
- Inadequate audit logging: Controls 3.3.1 and 3.3.2 (event logging and audit review) are mandatory. Many contractors have logging enabled but insufficient coverage—missing authentication events, privileged access logging, or log retention periods that don't meet the required minimums.
- Scope creep without documentation: Contractors often don't clearly define their CUI boundary, leading to assessment scope that's either too broad (creating unnecessary compliance burden) or too narrow (leaving unprotected systems in CUI data flows). An accurate, documented scope is foundational to a defensible assessment.
- No documented POA&Ms for known gaps: Contractors who know they have gaps but haven't documented formal POA&Ms with target closure dates, responsible parties, and resource allocation are not eligible for conditional CMMC status. The POA&M is not just a list of things to fix—it's a formal management document with specific required elements.
How Should Contractors Structure the Risk Assessment Process?
A structured CMMC risk assessment process follows a logical sequence that aligns with the DoD Assessment Methodology:
- Scoping: Define your CUI boundary by identifying every system, network, and component that processes, stores, or transmits CUI. This defines the scope of your SSP and your CMMC assessment. Keep the scope as narrow as operationally accurate—but don't artificially exclude systems that actually touch CUI.
- Gap assessment: Evaluate your current implementation status against each of the 110 NIST SP 800-171 controls using the DoD Assessment Methodology. For each control, document whether it is fully implemented, partially implemented, or not implemented. Be honest—an inflated gap assessment will produce a false SPRS score.
- SSP development: Create or update your System Security Plan to reflect your actual environment and control implementations. The SSP must include all required sections and accurately describe how each control is implemented—or reference a POA&M for those not yet implemented.
- POA&M creation: For each gap identified, create a formal POA&M entry with: the control ID, description of the deficiency, planned remediation action, responsible party, required resources, and target completion date. POA&Ms must close within 180 days of conditional CMMC status.
- SPRS score calculation and submission: Calculate your score using the DoD Assessment Methodology and submit to SPRS. This score is visible to contracting officers and prime contractors when evaluating your bids.
- C3PAO assessment preparation: If Level 2 certification is required, engage a C3PAO for a pre-assessment gap review before the formal assessment. This gives you an opportunity to identify and remediate issues before the clock starts on your formal assessment.
See also our article on Supply Chain Cybersecurity for DoD Contractors for guidance on how SPRS scores affect subcontractor relationships and prime contractor oversight obligations.
What Should Defense Contractors Do Next?
A CMMC risk assessment isn't a box to check—it's the foundation of your compliance program and your defense against losing contract eligibility. With CMMC Phase 1 active and contracting officers increasingly scrutinizing SPRS scores before award, the contractors who invest in accurate, well-documented assessments now will have a significant competitive advantage as CMMC enforcement intensifies through 2028.
NorthStar Technology Group conducts CMMC gap assessments and readiness reviews for defense contractors at every stage of their compliance journey—from initial scoping and SSP development through C3PAO assessment preparation. As an Inc. 5000 company with over 25 years of experience in managed security and IT services, we understand both the technical requirements and the assessment process from the inside. Contact our team at northstartechnologygroup.com/services/dod-cmmc to schedule a CMMC readiness assessment.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.