Skip to content
SPRS Lab

CMMC is in contracts now — Phase 2 tightens it further

Know your SPRS score before the DoD asks for it.

Free, private self-assessment tools for small defense contractors — built on the official DoD methodology, with plain-English guidance for every control. No signup. No sales call. Your answers never leave your browser.

Free tools

Real assessments, not lead-capture quizzes. Instant results on screen, exports you can keep, nothing gated behind your email.

The phase-in already started. The queue is the risk.

Since November 10, 2025, new DoD solicitations can require a current CMMC self-assessment in SPRS as a condition of award. FromNovember 10, 2026 (Phase 2), Level 2 C3PAO certification requirements start appearing — and the pool of authorized C3PAOs is small relative to the tens of thousands of contractors who'll need one.

Contractors who show up in 2027 asking for a certification assessment will find the line already formed in 2026. Whether you self-assess or certify, everything starts in the same place: an honest score and a gap list.

  1. 1

    Now — Phase 1

    Self-assessments as a condition of award: Level 1 and Level 2 self-assessments posted in SPRS, with annual affirmations.

  2. 2

    Late 2026 — Phase 2

    Level 2 C3PAO certification requirements begin appearing in new solicitations for contracts involving CUI.

  3. 3

    2027+ — Phases 3–4

    Certification requirements extend to option periods and to Level 3 programs; CMMC appears in essentially all applicable DoD contracts.

Why this site is different

The official methodology, implemented exactly

Scoring follows the DoD Assessment Methodology v1.2.1 verbatim — including the two partial-credit rules and the five legitimate N/A cases most free calculators ignore. Every rule is documented with its source.

Your answers never leave your browser

These are static pages. Assessment data lives in your browser's local storage — nothing is uploaded, ever. For a defense contractor, your gap list is sensitive; treat tools that email it around accordingly.

Built by a practitioner, not a content farm

Written and maintained by a hands-on IT/cybersecurity practitioner working with small business environments — the guidance assumes Microsoft 365, a firewall, and a two-person IT team, not an enterprise SOC.

Every scoring rule is sourced on the methodology page — check our math.

The DIB Compliance Brief

One short, practical email when something changes — DoD rules, SPRS mechanics, CMMC timelines — and what it means for a 10–200 person shop. No fluff, no daily noise.

Email signup launches soon — check back shortly.

No spam, unsubscribe anytime. We never see your assessment answers.