CMMC is in contracts now — Phase 2 tightens it further
Know your SPRS score before the DoD asks for it.
Free, private self-assessment tools for small defense contractors — built on the official DoD methodology, with plain-English guidance for every control. No signup. No sales call. Your answers never leave your browser.
Free tools
Real assessments, not lead-capture quizzes. Instant results on screen, exports you can keep, nothing gated behind your email.
SPRS Score Calculator
All 110 NIST 800-171 controls with the official 5/3/1 weights, correct partial credit and N/A rules, plain-English guidance, and a POA&M export sorted by points at risk.
Open the toolCMMC Level 1 Self-Assessment
The 17 FAR 52.204-21 practices, assessed the way the rule demands — binary MET/NOT MET, no POA&Ms — with a downloadable record for your files and SPRS entry.
Open the toolWhich CMMC Level Do I Need?
Prime sent you a flow-down letter? Answer 3–4 questions and get a straight answer: Level 1, Level 2, Level 3, or exempt — and exactly what to do next.
Open the toolThe phase-in already started. The queue is the risk.
Since November 10, 2025, new DoD solicitations can require a current CMMC self-assessment in SPRS as a condition of award. FromNovember 10, 2026 (Phase 2), Level 2 C3PAO certification requirements start appearing — and the pool of authorized C3PAOs is small relative to the tens of thousands of contractors who'll need one.
Contractors who show up in 2027 asking for a certification assessment will find the line already formed in 2026. Whether you self-assess or certify, everything starts in the same place: an honest score and a gap list.
- 1
Now — Phase 1
Self-assessments as a condition of award: Level 1 and Level 2 self-assessments posted in SPRS, with annual affirmations.
- 2
Late 2026 — Phase 2
Level 2 C3PAO certification requirements begin appearing in new solicitations for contracts involving CUI.
- 3
2027+ — Phases 3–4
Certification requirements extend to option periods and to Level 3 programs; CMMC appears in essentially all applicable DoD contracts.
Why this site is different
The official methodology, implemented exactly
Scoring follows the DoD Assessment Methodology v1.2.1 verbatim — including the two partial-credit rules and the five legitimate N/A cases most free calculators ignore. Every rule is documented with its source.
Your answers never leave your browser
These are static pages. Assessment data lives in your browser's local storage — nothing is uploaded, ever. For a defense contractor, your gap list is sensitive; treat tools that email it around accordingly.
Built by a practitioner, not a content farm
Written and maintained by a hands-on IT/cybersecurity practitioner working with small business environments — the guidance assumes Microsoft 365, a firewall, and a two-person IT team, not an enterprise SOC.
Every scoring rule is sourced on the methodology page — check our math.
The DIB Compliance Brief
One short, practical email when something changes — DoD rules, SPRS mechanics, CMMC timelines — and what it means for a 10–200 person shop. No fluff, no daily noise.
Email signup launches soon — check back shortly.
No spam, unsubscribe anytime. We never see your assessment answers.