CMMC is in contracts now, and Phase 2 tightens it further
Know your SPRS score before the DoD asks for it.
Free, private self-assessment tools for small defense contractors, built on the official DoD methodology, with plain-English guidance for every control. No signup. No sales call. Your answers never leave your browser.
Free tools
Real assessments, not lead-capture quizzes. Instant results on screen, exports you can keep, nothing gated behind your email.
SPRS Score Calculator
All 110 NIST 800-171 controls with the official 5/3/1 weights, correct partial credit and N/A rules, plain-English guidance, and a POA&M export sorted by points at risk.
Open the toolCMMC Level 1 Self-Assessment
The 17 FAR 52.204-21 practices, assessed the way the rule demands: binary MET/NOT MET, no POA&Ms, with a downloadable record for your files and SPRS entry.
Open the toolWhich CMMC Level Do I Need?
Prime sent you a flow-down letter? Answer a few questions and get a straight answer: Level 1, Level 2, Level 3, or exempt, plus exactly what to do next.
Open the toolThe phase-in already started. The queue is the risk.
Since November 10, 2025, new DoD solicitations can require a current CMMC self-assessment in SPRS as a condition of award. FromNovember 10, 2026 (Phase 2), Level 2 C3PAO certification requirements start appearing, and the pool of authorized C3PAOs is small relative to the tens of thousands of contractors who'll need one.
Contractors who show up in 2027 asking for a certification assessment will find the line already formed in 2026. Whether you self-assess or certify, everything starts in the same place: an honest score and a gap list.
- 1
Phase 1 (now)
Self-assessments as a condition of award: Level 1 and Level 2 self-assessments posted in SPRS, with annual affirmations.
- 2
Phase 2 (November 10, 2026)
Level 2 C3PAO certification requirements begin appearing in new solicitations for contracts involving CUI.
- 3
Phases 3 and 4 (2027 to 2028)
Certification requirements extend to option periods and to Level 3 programs. CMMC appears in essentially all applicable DoD contracts.
Why this site is different
The official methodology, implemented exactly
Scoring follows the DoD Assessment Methodology v1.2.1 verbatim, including the two partial-credit rules and the five legitimate N/A cases most free calculators ignore. Every rule is documented with its source.
Your answers never leave your browser
These are static pages. Assessment data lives in your browser's local storage, and nothing is uploaded, ever. For a defense contractor, your gap list is sensitive, so treat tools that email it around accordingly.
Built by a practitioner, not a content farm
Written and maintained by a hands-on IT and cybersecurity practitioner working with small business environments. The guidance assumes Microsoft 365, a firewall, and a two-person IT team, not an enterprise SOC.
Every scoring rule is sourced on the methodology page, so you can check our math.
The DIB Compliance Brief
One short, practical email when something changes, whether that is DoD rules, SPRS mechanics, or CMMC timelines, and what it means for a 10 to 200 person shop. No fluff, no daily noise.
Email signup launches soon. Check back shortly.
No spam, unsubscribe anytime. We never see your assessment answers.