Scoring
Scoring is where the abstract (“are we compliant?”) becomes concrete (“what’s our number?”). The CMMC scoring methodology is defined in 32 CFR § 170.24 and built on the DoD Assessment Methodology. Understanding it is essential — it determines whether you get Final certification, Conditional certification, or no certification at all.
The Three Assessment Findings
Every requirement results in one of three findings. There is no partial credit within a single requirement.
MET — All applicable assessment objectives for the requirement are satisfied, based on evidence in final form. Not drafts, not working papers, not “we’re about to approve this policy.” Final, approved, operational evidence.
Two special cases still score as MET:
- Enduring exceptions — documented in your SSP with mitigations — are assessed as MET. An enduring exception is a permanent situation where full compliance isn’t feasible: medical devices, OT systems, GFE, test equipment replicating fielded configurations. No remediation plan is needed because remediation isn’t feasible. But the exception and its mitigations must be in the SSP.
- Temporary deficiencies — documented in an operational plan of action with deficiency reviews and evidence of progress — are assessed as MET. A temporary deficiency is a discovered issue where a fix is known and in progress. The critical distinction: a temporary deficiency arises after implementation, not during initial implementation that’s still in progress. Example: your FIPS-validated crypto module needs a patch, and the patched version hasn’t completed FIPS validation yet. That’s a temporary deficiency. “We haven’t deployed MFA yet” is not a temporary deficiency — it’s an unimplemented requirement.
NOT MET — One or more assessment objectives for the requirement are not satisfied. A single failed objective fails the entire requirement. If a requirement has six objectives and five pass but one fails, the whole requirement is NOT MET.
NOT APPLICABLE — The requirement doesn’t apply to your environment. No wireless means wireless requirements are N/A. No public-facing systems means 3.13.5 is N/A. Must be documented and justified in the SSP with approval from the designated authority. Scored the same as MET.
How Points Work
Each of the 110 Level 2 requirements has a point value: 5, 3, or 1. The maximum score is 110. For every requirement scored NOT MET, its point value is subtracted from 110 — and the score can go negative.
5-point requirements — basic and derived requirements whose failure “could lead to significant exploitation of the network, or exfiltration of CUI.” These are your highest-risk controls. There are 44 of them (23 basic + 19 derived + 2 special). Two additional requirements (3.5.3 MFA and 3.13.11 FIPS encryption) have variable scoring — 5 points if not implemented at all, 3 points if partially implemented.
3-point requirements — basic and derived requirements whose failure has “a specific and confined effect on the security of the network and its data.” There are 14 of them (7 basic + 7 derived).
1-point requirements — all remaining derived requirements whose failure has “a limited or indirect effect.” There are 52 of them.
The point values come from the DoD Assessment Methodology and are tied to whether the requirement is a “basic” security requirement (from FIPS 200) or a “derived” requirement (from NIST 800-53), and the assessed severity of the control’s absence.
Certification Outcomes
Your assessment result determines your CMMC status:
Final Level 2 (C3PAO) — All 110 requirements scored MET or N/A. Maximum score of 110. This is the target. Certification is valid for three years with annual affirmations.
Conditional Level 2 (C3PAO) — Some requirements NOT MET, but the NOT MET items are all POA&M-eligible and the overall assessment meets the minimum score threshold. You have 180 days to close every POA&M item and pass a closeout assessment by the C3PAO. If you don’t close within 180 days, certification is revoked.
Final Level 2 (Self) — Self-assessment equivalent of Final. All requirements MET. Score of 110 submitted to SPRS with senior official affirmation.
Conditional Level 2 (Self) — Self-assessment with NOT MET items on POA&M. Valid for 180 days to reach Final status. Score submitted to SPRS.
No certification — NOT MET requirements include items that are not POA&M-eligible, or the score is below the minimum threshold, or the assessment team determines the gaps are too fundamental to support even conditional status.
POA&M Eligibility
The POA&M rules are stricter than most people realize. Per 32 CFR § 170.21(a)(2):
Only 1-point requirements can go on a POA&M. No 3-point or 5-point requirement can be on a POA&M — period. If any 3-point or 5-point requirement is NOT MET, you cannot receive even conditional certification (with one narrow exception below).
The one exception: SC.L2-3.13.11 (CUI Encryption). If encryption is employed but isn’t FIPS-validated, this 5-point requirement is scored as a 3-point deduction and CAN be placed on the POA&M. If encryption isn’t employed at all, it’s a 5-point deduction and CANNOT be on the POA&M.
The 80% threshold. Your assessment score divided by 110 must be ≥ 0.8 (at least 88 points) to qualify for conditional certification. Fall below 88 and no POA&M can save you.
Additionally, 32 CFR § 170.21(a)(2)(iii) explicitly excludes specific requirements from POA&M eligibility regardless of point value — including 3.5.3 (MFA).
The practical implication: all 5-point and 3-point requirements must be MET on assessment day. Your remediation priority should be these requirements first. The 52 one-point requirements are your only margin for conditional certification — and even then, only if you stay above 88 points.
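The scoring arithmetic and the POA&M eligibility rules above (variable scoring for 3.5.3 and 3.13.11, the 88-point threshold, the 1-point-only rule, the 3.13.11 exception and the 3.5.3 exclusion) combine into a small decision procedure. The following is an added worked model, not code from this page or from any DoD or CMMC tool. The point-value catalog it carries is constructed for illustration and is not the official 110-requirement table; requirements absent from the input are treated as MET; and the exclusion set contains only 3.5.3 because that is the only exclusion the page names, so the regulation's full list is assumed to be longer.

```python
"""Worked model of CMMC Level 2 scoring and certification outcome.

Added example, not code from the page or from DoD/CMMC tooling. The catalog of
point values below is constructed for illustration (assumed, not the official
table). The 3.5.3 / 3.13.11 variable scoring, the 88-point threshold, the
1-point-only POA&M rule and the 3.5.3 exclusion follow the page.
"""
from dataclasses import dataclass
from typing import Iterable

MAX_SCORE = 110
CONDITIONAL_MIN_SCORE = 88               # 80% of 110
VARIABLE_SCORED = {"3.5.3", "3.13.11"}   # 5 if absent, 3 if partially implemented
POAM_EXCLUDED = {"3.5.3"}                # page names 3.5.3; full regulatory list not reproduced

# Constructed catalog: requirement -> point value (assumed values, not the official table)
POINT_VALUES = {
    "3.1.1": 5, "3.5.3": 5, "3.13.11": 5,
    "3.3.3": 3,
    "3.1.8": 1, "3.4.4": 1, "3.8.6": 1,
}


@dataclass(frozen=True)
class Finding:
    req: str
    points: int            # 5, 3 or 1
    status: str            # "MET", "NOT MET" or "N/A" (N/A scores the same as MET)
    partial: bool = False  # only meaningful for VARIABLE_SCORED requirements


def finding(req: str, status: str, partial: bool = False) -> Finding:
    """Build a Finding from the catalog. Enduring exceptions and temporary
    deficiencies that are properly documented arrive here already as 'MET'."""
    return Finding(req, POINT_VALUES[req], status, partial)


def deduction(f: Finding) -> int:
    """Points subtracted from 110 for this finding."""
    if f.status != "NOT MET":
        return 0
    if f.req in VARIABLE_SCORED and f.partial:
        return 3
    return f.points


def poam_eligible(f: Finding) -> bool:
    """Can this NOT MET finding sit on the CMMC POA&M under conditional status?"""
    if f.status != "NOT MET" or f.req in POAM_EXCLUDED:
        return False
    if f.req == "3.13.11" and f.partial:
        return True  # encryption present but not FIPS-validated: 3-point, POA&M allowed
    return deduction(f) == 1  # otherwise only 1-point requirements qualify


def score(findings: Iterable[Finding]) -> int:
    """Requirements absent from `findings` count as MET; the result may go negative."""
    return MAX_SCORE - sum(deduction(f) for f in findings)


def outcome(findings: Iterable[Finding]) -> str:
    """'Final', 'Conditional' or 'None', applying the page's rules in order."""
    findings = list(findings)
    not_met = [f for f in findings if f.status == "NOT MET"]
    if not not_met:
        return "Final"
    if score(findings) < CONDITIONAL_MIN_SCORE:
        return "None"
    if any(not poam_eligible(f) for f in not_met):
        return "None"
    return "Conditional"


def blocking_items(findings: Iterable[Finding]) -> list:
    """NOT MET findings that must be fixed before assessment day (not POA&M-eligible)."""
    return sorted(f.req for f in findings
                  if f.status == "NOT MET" and not poam_eligible(f))


if __name__ == "__main__":
    # Constructed sample assessment: one partial-crypto gap, one 1-point gap, one 3-point gap
    sample = [
        finding("3.1.1", "MET"),
        finding("3.13.11", "NOT MET", partial=True),  # non-FIPS crypto in use
        finding("3.1.8", "NOT MET"),
        finding("3.3.3", "NOT MET"),                  # 3-point gap: blocks conditional status
    ]
    print(score(sample), outcome(sample), blocking_items(sample))
```

Running the sample gives a score of 103, which is above the 88-point threshold, yet the outcome is "None" because the 3-point gap on 3.3.3 is not POA&M-eligible; `blocking_items` returns it as the item to remediate first, which is the prioritisation the section argues for.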
The Operational Plan of Action vs. the CMMC POA&M
These are two different documents that people constantly confuse.
Operational plan of action (your internal document) — required by CA.L2-3.12.2. This is your living tracker of temporary deficiencies — issues you’ve discovered and are actively fixing. Items on an operational plan of action can still be scored MET because they represent temporary deficiencies that arose after implementation, not initial implementation gaps. The format is yours to define: spreadsheet, GRC tool, database.
CMMC POA&M (assessment output) — created by the C3PAO when NOT MET findings exist after the assessment. This triggers conditional certification with the 180-day clock. The CMMC POA&M is governed by 32 CFR § 170.16 and has specific rules: each item needs a finding description, severity, owner, target date, resources, and status. Items must be closed within 180 days and verified by a closeout assessment.
The distinction matters: a temporary deficiency documented in your operational plan of action is scored MET. An unimplemented requirement that appears in the CMMC POA&M is scored NOT MET.
Key CMMC Terms the Assessor Uses
Enduring exception — A permanent situation where full compliance isn’t feasible. Examples from 32 CFR § 170.4: systems replicating fielded configurations, medical devices, test equipment, OT, IoT, GFE. Documented in the SSP with mitigations. No remediation plan required. Assessed as MET. Specialized Assets and GFE may qualify.
Temporary deficiency — A discovered issue where remediation is feasible and a fix is available or in progress. Must arise after implementation, not during initial rollout — unless a limited subset of equipment has a specific issue discovered during deployment. Documented in the operational plan of action. No standard maximum duration. Example: a FIPS-validated crypto module needs a patch, and the patched version hasn’t been re-validated. Assessed as MET.
Periodically — At a regular interval you define, not exceeding one year. When a requirement says “periodically review” something, you set the frequency (quarterly, semiannually, annually) and document it. The assessor checks that a value is defined, reasonable, and followed.
Organization-defined — You set the specific value: timeout period, password length, scan frequency. The assessor checks three things: is a value defined? Is it reasonable? Is it enforced?
Evidence in final form — Approved, operational documents. Not drafts, not working papers, not policies pending signature. If it’s not signed and in effect, it’s not evidence.
SPRS Reporting
Your score — whether from a self-assessment or a C3PAO assessment — is reported in the Supplier Performance Risk System (SPRS). Contracting officers check SPRS before making award decisions. A score below 110 with no active POA&M, or a missing SPRS entry entirely, can disqualify you from contract award.
The SPRS score represents a point-in-time assessment. Annual affirmations are required to maintain your CMMC status, confirming that you still meet the requirements. Significant changes to your assessment boundary (network expansions, mergers, acquisitions) may require a new assessment rather than just an affirmation.