top of page
Search

When Do I Get The Points? Understanding SPRS Scoring in 2026

Many companies in the Defense Industrial Base (DIB) are working to update their SPRS score. Traditionally, this has been a simple exercise: conduct a self-assessment, calculate the score, upload it to SPRS, and move on.


For organizations preparing for CMMC compliance, however, the process looks different.


SPRS Scoring as an Executive Metric


Most CMMC-bound organizations now use their SPRS score as a progress indicator, not a one-time submission. The pattern often looks like this:

  • Conduct a gap assessment → Score: -53

  • Complete a remediation project → Score: -40

  • Address additional POAMS → Score: -10

  • Reach 110 → “We’re done.”


In principle, this isn’t a bad approach. Identifying gaps, documenting Plans of Action & Milestones (POAMs), and systematically working them down is exactly what the framework intends.


But this leads to a critical question:


When are you actually allowed to “take the points”?


The Trap: Treating SPRS Like a Finish Line


Executives understandably focus on the score. When the number reaches 110 (i.e, perfection) the instinct is to breathe a sigh of relief and move on … perhaps revisiting the issue again in three years.


Unfortunately, that mindset is a carryover from older compliance models and does not reflect the reality of CMMC.


We increasingly encounter organizations that:

  • Entered SPRS scores years ago when DFARS 7019/7020 first appeared

  • Failed to update them annually, as required

  • Used optimistic or incomplete scoring

  • Are now reassessing and discovering their true readiness gap is much larger


CMMC has exposed those shortcuts.


So, When Do You Get the Points?


In a continuous-monitoring model (rather than a single self-assessment), points should only be taken when all three of the following are true.


  1. The Control is Fully Implemented

“Almost implemented,” “mostly implemented,” or “planned for next quarter” does not qualify.


To earn the points:

  • The control must be implemented everywhere it applies

  • Exceptions must be addressed

  • The practice must be operational, not theoretical

If it isn’t fully implemented, it gets zero points.


  1. The Control is Fully Documented

Many organizations assume documentation is easy and can be done later. In CMMC, that assumption is dangerous.


Documentation is:

  • Mandatory

  • Extensive

  • Actively evaluated


In reality, CMMC is roughly 70% documentation and 30% implementation. Policies, procedures, and standards must be finalized, approved, and in effect, not aspirational drafts.


If the documentation isn’t complete, you don’t get the points.


  1. Objective Evidence Exists


This is where many programs break down.


For each assessment objective under a control, you must answer:


“What is adequate and sufficient evidence that we are doing this?”


Evidence does not appear automatically. In many cases, organizations must deliberately design processes to generate evidence over time (including logs, tickets, access reviews, screenshots, audit records, and reports.


Remember:


  • Points are awarded at the control level

  • Every assessment objective must be satisfied

  • Evidence must align to those objectives


If evidence is missing, incomplete, or inconsistent, the points do not hold.


The Bottom Line


To legitimately “get the points,” your organization must be able to demonstrate that each control is:


☑️ Fully implemented

☑️ Fully documented

☑️ Supported by objective evidence 


This discipline makes scoring slower, but it can also make your organization CMMC-ready, not just SPRS-compliant.


Getting honest about when points are earned is one of the most effective ways to move a CMMC program forward.


 
 
bottom of page