Scoring
Scoring is where the abstract (“are we compliant?”) becomes concrete (“what’s our number?”). The CMMC scoring methodology is defined in 32 CFR § 170.24 and built on the DoD Assessment Methodology. Understanding it is essential — it determines whether you get Final certification, Conditional certification, or no certification at all.
The Three Assessment Findings
Every requirement results in one of three findings. There is no partial credit within a single requirement.
MET — All applicable assessment objectives for the requirement are satisfied, based on evidence in final form. Not drafts, not working papers, not “we’re about to approve this policy.” Final, approved, operational evidence.
Two special cases still score as MET:
- Enduring exceptions — documented in your SSP with mitigations — are assessed as MET. An enduring exception is a permanent situation where full compliance isn’t feasible: medical devices, OT systems, GFE, test equipment replicating fielded configurations, IoT. No remediation plan is needed because remediation isn’t feasible. But the exception and its mitigations must be in the SSP. Defined in 32 CFR § 170.4.
- Temporary deficiencies — documented in an operational plan of action with deficiency reviews and evidence of progress — are assessed as MET. A temporary deficiency is a discovered issue where a fix is known and in progress. The critical distinction: a temporary deficiency arises after implementation, not during initial implementation that’s still in progress. Example: your FIPS-validated crypto module needs a patch, and the patched version hasn’t completed FIPS validation yet. That’s a temporary deficiency. “We haven’t deployed MFA yet” is not a temporary deficiency — it’s an unimplemented requirement.
NOT MET — One or more assessment objectives for the requirement are not satisfied. A single failed objective fails the entire requirement. If a requirement has six objectives and five pass but one fails, the whole requirement is NOT MET.
NOT APPLICABLE — The requirement doesn’t apply to your environment. No wireless means wireless requirements are N/A. No public-facing systems means 3.13.5 is N/A. Must be documented and justified in the SSP, and where the DoD CIO has previously adjudicated a requirement as not applicable, that adjudication must be in the SSP. Scored the same as MET.
How Points Work
Each of the 110 Level 2 requirements has a point value: 5, 3, or 1. The maximum score is 110. For every requirement scored NOT MET, its point value is subtracted from 110 — and the score can go negative.
5-point requirements (44 total). Basic and derived requirements whose failure “could lead to significant exploitation of the network, or exfiltration of CUI.” 23 basic + 19 derived + 2 special. The two special cases (3.5.3 MFA and 3.13.11 FIPS encryption) have variable scoring — 5 points if not implemented at all, 3 points if partially implemented (MFA on remote/privileged users only; encryption employed but not FIPS-validated).
3-point requirements (14 total). 7 basic + 7 derived. Their failure has “a specific and confined effect on the security of the network and its data.”
1-point requirements (52 total). All remaining derived requirements whose failure has “a limited or indirect effect.”
The point values come from the DoD Assessment Methodology and reflect whether the requirement is a “basic” security requirement (sourced from FIPS 200) or a “derived” requirement (sourced from NIST 800-53), combined with the assessed severity of the control’s absence.
Certification Outcomes
Your assessment result determines your CMMC status:
Final Level 2 (C3PAO) — All 110 requirements scored MET or N/A. Score 110. This is the target. The certification is valid for three years with annual affirmations submitted to SPRS by an Affirming Official.
Conditional Level 2 (C3PAO) — Some requirements NOT MET, but the NOT MET items are all POA&M-eligible (see rules below) and the assessment score divided by 110 is ≥ 0.8 (at least 88 points). You have 180 days from the CMMC Status Date to close every POA&M item and pass a closeout assessment by an authorised C3PAO. If you don’t close within 180 days, the Conditional Status expires — you start over with a new assessment.
Final Level 2 (Self) — Self-assessment equivalent of Final. All requirements MET. Score 110, posted to SPRS with the senior official affirmation.
Conditional Level 2 (Self) — Self-assessment with NOT MET items on POA&M. Same 180-day rule. Closeout self-assessment performed by the OSA in the same manner as the initial self-assessment.
No certification — NOT MET requirements include items that are not POA&M-eligible, or the score is below the 88-point threshold.
POA&M Eligibility
The POA&M rules under 32 CFR § 170.21 are stricter than most people realise. Three rules combine — a requirement is POA&M-eligible only if it passes all three.
Rule 1 — the 80% threshold
Your assessment score divided by 110 must be ≥ 0.8 (at least 88 points). Below 88 and no POA&M can save you.
Rule 2 — only ≤ 1-point requirements (with one exception)
Per 32 CFR § 170.21(a)(2)(ii): no requirement worth more than 1 point can be on the POA&M.
The one exception: SC.L2-3.13.11 (CUI Encryption) may be POA&M’d if encryption is employed but not FIPS-validated — that scenario triggers the 3-point partial scoring, and that 3-point version is POA&M-eligible. If encryption isn’t employed at all, the full 5-point deduction applies and SC.L2-3.13.11 cannot be POA&M’d.
This means 3.5.3 (MFA) is never POA&M-eligible. Even when partially implemented (MFA on remote/privileged users only), it scores 3 points — above the 1-point ceiling, and not the same regulatory exception as 3.13.11. MFA must be MET on assessment day.
Rule 3 — six requirements explicitly excluded regardless of point value
Per 32 CFR § 170.21(a)(2)(iii), these six 1-point requirements are excluded from POA&M eligibility regardless of their point value:
| Practice | Title |
|---|---|
| AC.L2-3.1.20 | External Connections (CUI Data) |
| AC.L2-3.1.22 | Control Public Information (CUI Data) |
| CA.L2-3.12.4 | System Security Plan |
| PE.L2-3.10.3 | Escort Visitors (CUI Data) |
| PE.L2-3.10.4 | Physical Access Logs (CUI Data) |
| PE.L2-3.10.5 | Manage Physical Access (CUI Data) |
These six must all be MET or N/A — even though each is only 1 point and would otherwise pass Rule 2.
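The scoring arithmetic, the certification outcomes and the three POA&M rules above combine into one decision procedure. The following is an added example (not code from this page, from DoD, or from any assessment tool) that implements it: the constructed findings, the placeholder practice IDs in the sample data and the `Finding` class are assumptions for illustration, and real point values must come from the DoD Assessment Methodology table.

```python
from dataclasses import dataclass

MAX_SCORE = 110
MIN_CONDITIONAL = 88          # Rule 1: score / 110 >= 0.8

# Rule 3: six 1-point requirements never POA&M-eligible (32 CFR 170.21(a)(2)(iii))
POAM_EXCLUDED = {"AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
                 "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}
# The two variable-scored practices: 5 points, or 3 if partially implemented
VARIABLE = {"IA.L2-3.5.3", "SC.L2-3.13.11"}

@dataclass
class Finding:                  # assumed structure, not an official record format
    practice: str               # CMMC practice ID, e.g. "SC.L2-3.13.11"
    points: int                 # 5, 3 or 1 from the DoD Assessment Methodology
    status: str                 # "MET", "NOT MET" or "NA"
    partial: bool = False       # only meaningful for the two VARIABLE practices

def deduction(f: Finding) -> int:
    """Points subtracted from 110 for one finding; MET and N/A both subtract 0."""
    if f.status != "NOT MET":
        return 0
    if f.practice in VARIABLE and f.partial:
        return 3
    return f.points

def score(findings: list) -> int:
    """Requirements not listed are assumed MET, so only NOT MET items matter."""
    return MAX_SCORE - sum(deduction(f) for f in findings)

def poam_eligible(f: Finding) -> bool:
    """Rules 2 and 3 for a single NOT MET finding (Rule 1 is checked globally)."""
    if f.practice in POAM_EXCLUDED:
        return False
    if f.practice == "SC.L2-3.13.11" and f.partial:
        return True             # the one exception: encryption employed, not FIPS-validated
    return deduction(f) <= 1    # IA.L2-3.5.3 partial is 3 points, so it fails here

def outcome(findings: list) -> str:
    not_met = [f for f in findings if f.status == "NOT MET"]
    if not not_met:
        return "Final"
    if score(findings) < MIN_CONDITIONAL or not all(map(poam_eligible, not_met)):
        return "No certification"
    return "Conditional"

if __name__ == "__main__":
    # Constructed sample: partial FIPS (eligible) plus partial MFA (never eligible).
    sample = [Finding("SC.L2-3.13.11", 5, "NOT MET", partial=True),
              Finding("IA.L2-3.5.3", 5, "NOT MET", partial=True)]
    print(score(sample), outcome(sample))   # 104 No certification
```

The sample shows the trap the text warns about: a score of 104 comfortably clears the 88-point threshold, yet the partially implemented MFA finding alone blocks Conditional status.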
The Operational Plan of Action vs. the CMMC POA&M
These are two different documents that people constantly confuse.
Operational plan of action (your internal document) — required by CA.L2-3.12.2. This is your living tracker of temporary deficiencies — issues you’ve discovered and are actively fixing. Items on an operational plan of action can still be scored MET because they represent temporary deficiencies that arose after implementation, not initial implementation gaps. The format is yours to define: spreadsheet, GRC tool, database. Sometimes called an “OPA” in DoD documentation.
CMMC POA&M (assessment output) — created by the C3PAO when NOT MET findings exist after the assessment. This triggers Conditional Status with the 180-day clock. The CMMC POA&M is governed by 32 CFR § 170.21 and has specific rules: each item needs a finding description, severity, owner, target date, resources, and status. Items must be closed within 180 days and verified by a closeout assessment. For Level 2 self, the OSA performs the closeout self-assessment. For Level 2 (C3PAO), an authorised or accredited C3PAO performs the closeout certification assessment.
The distinction matters: a temporary deficiency documented in your operational plan of action is scored MET. An unimplemented requirement that appears in the CMMC POA&M is scored NOT MET.
Key CMMC Terms the Assessor Uses
Enduring exception — A permanent situation where full compliance isn’t feasible. Examples from 32 CFR § 170.4: systems replicating fielded configurations, medical devices, test equipment, OT, IoT, GFE. Documented in the SSP with mitigations. No remediation plan required. Assessed as MET. Specialised Assets and GFE may qualify.
Temporary deficiency — A discovered issue where remediation is feasible and a fix is available or in progress. Must arise after implementation, not during initial rollout — unless a limited subset of equipment has a specific issue discovered during deployment. Documented in the operational plan of action. No standard maximum duration. Example: a FIPS-validated crypto module needs a patch, and the patched version hasn’t been re-validated. Assessed as MET.
Periodically — At a regular interval you define, not exceeding one year. When a requirement says “periodically review” something, you set the frequency (quarterly, semi-annually, annually) and document it. The assessor checks that a value is defined, reasonable, and followed.
Organisation-defined — You set the specific value: timeout period, password length, scan frequency. The assessor checks three things: is a value defined? Is it reasonable? Is it enforced?
Evidence in final form — Approved, operational documents. Not drafts, not working papers, not policies pending signature. If it’s not signed and in effect, it’s not evidence.
SPRS Reporting
Your score — whether from a self-assessment or a C3PAO assessment — is reported in the Supplier Performance Risk System (SPRS). Contracting officers check SPRS before making award decisions. A score below 110 with no active POA&M, or a missing SPRS entry entirely, can disqualify you from contract award.
Each assessment is assigned a CMMC Unique Identifier (UID) which serves as the primary tracking mechanism in SPRS.
The SPRS score represents a point-in-time assessment. Annual affirmations are required by the Affirming Official to maintain CMMC status, confirming that you still meet the requirements within the existing assessment scope. Significant changes to the assessment scope (network expansions, mergers, acquisitions, cloud migrations) may require a new assessment rather than just an affirmation.