Skip to content
SPRS Lab

CMMC is in contracts now, and Phase 2 tightens it further

Know your SPRS score before the DoD asks for it.

Free, private self-assessment tools for small defense contractors, built on the official DoD methodology, with plain-English guidance for every control. No signup. No sales call. Your answers never leave your browser.

Free tools

Real assessments, not lead-capture quizzes. Instant results on screen, exports you can keep, nothing gated behind your email.

The phase-in already started. The queue is the risk.

Since November 10, 2025, new DoD solicitations can require a current CMMC self-assessment in SPRS as a condition of award. FromNovember 10, 2026 (Phase 2), Level 2 C3PAO certification requirements start appearing, and the pool of authorized C3PAOs is small relative to the tens of thousands of contractors who'll need one.

Contractors who show up in 2027 asking for a certification assessment will find the line already formed in 2026. Whether you self-assess or certify, everything starts in the same place: an honest score and a gap list.

  1. 1

    Phase 1 (now)

    Self-assessments as a condition of award: Level 1 and Level 2 self-assessments posted in SPRS, with annual affirmations.

  2. 2

    Phase 2 (November 10, 2026)

    Level 2 C3PAO certification requirements begin appearing in new solicitations for contracts involving CUI.

  3. 3

    Phases 3 and 4 (2027 to 2028)

    Certification requirements extend to option periods and to Level 3 programs. CMMC appears in essentially all applicable DoD contracts.

Why this site is different

The official methodology, implemented exactly

Scoring follows the DoD Assessment Methodology v1.2.1 verbatim, including the two partial-credit rules and the five legitimate N/A cases most free calculators ignore. Every rule is documented with its source.

Your answers never leave your browser

These are static pages. Assessment data lives in your browser's local storage, and nothing is uploaded, ever. For a defense contractor, your gap list is sensitive, so treat tools that email it around accordingly.

Built by a practitioner, not a content farm

Written and maintained by a hands-on IT and cybersecurity practitioner working with small business environments. The guidance assumes Microsoft 365, a firewall, and a two-person IT team, not an enterprise SOC.

Every scoring rule is sourced on the methodology page, so you can check our math.

The DIB Compliance Brief

One short, practical email when something changes, whether that is DoD rules, SPRS mechanics, or CMMC timelines, and what it means for a 10 to 200 person shop. No fluff, no daily noise.

Email signup launches soon. Check back shortly.

No spam, unsubscribe anytime. We never see your assessment answers.