The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
July 13, 2026 update: The Department of War suspended the CMMC Phase II transition. Level 1 and Level 2 self-assessments remain in force. DFARS 252.204-7012 safeguarding duties and False Claims Act exposure are unchanged.

Self-Reported vs. DIBCAC Assessed Score: What Actually Differs — and Why the Gap Is Dangerous

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance

· Evaluation depth: primary-source regulatory synthesis, current clause verification, and public DOJ settlement analysis

Evaluation depth: primary-source regulatory synthesis, current clause verification, and public DOJ settlement analysis

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense or Department of War, DCMA DIBCAC, NIST, or any U.S. government agency. This is editorial research, not legal, contractual, or compliance advice. Your contract clause and how you handle Controlled Unclassified Information set your CMMC level — not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

A self-reported vs DIBCAC assessed scoreruns on the same NIST SP 800-171 scoring methodology — but the two are not simply one assessment graded twice. A self-reported score is the number you calculate and submit yourself. A DIBCAC assessed score is a government-led assessment of the same requirements. What changes between them is who assesses, how deeply they verify, the confidence the government places in the result, which record takes precedence, and what happens next.

That last stretch is where a routine paperwork item quietly turns into a legal problem. Here’s the fast version, then the part almost every other page gets wrong.

Bottom line up front. If you posted a score to the Supplier Performance Risk System (SPRS) — the Department of Defense database where contractors report cybersecurity assessment scores — that number is a self-assessment. It’s a formal representation the government can hold you to, but it’s your own math. When the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assesses you, DoD posts the result and that number takes precedence. You have 14 business daysto respond. The difference between those two numbers has already produced a $507,144 DOJ settlement — for a gap of 280 points.

Current status — verified July 16, 2026. Effective February 1, 2026, class deviation 2026-O0025 directs contracting officers to use new DFARS Part 240 — including DFARS 252.240-7997— for covered procurements. Separately, on July 13, 2026, the Department of War suspended the CMMC Phase II transition. Self-assessments remain in force. DIBCAC continues to operate. False Claims Act exposure is unchanged. Most competing pages haven’t caught up to either development.

Which record is which — the 15-second version

Source: DFARS 252.240-7997 (formerly 252.204-7020); 32 CFR Part 170; DoD Assessment Methodology v1.2.1.
QuestionSelf-reported scoreDIBCAC assessed score
Who produced it?You (your team or your consultant)Government personnel — in practice, DCMA’s DIBCAC
Government confidence levelLow — a legacy Basic score is labeled “Low” because it is self-generatedMedium or High
Who posts it to SPRS?YouDoD posts the government result
Can it override the other?NoYes — when DCMA conducts it, it takes precedence
Is a deadline running?Not from submitting it — though a Conditional Level 2 status carries a 180-day POA&M clockYes — 14 business days to rebut a government result
First moveConfirm the clause, record type, scope, date, and evidence behind itPreserve the notice and calendar the deadline

A quick word on picking help — and a safety line

The right CMMC provider isn’t the same for every contractor. The category you need — a C3PAO, an RPO/RP, an MSSP, a GRC platform, or a CUI enclave— depends on your level, scope, IT environment, and exactly which type of score problem you have. The categories are explained under What kind of help fits a score gap? below. The fastest way to map your situation to the right one is our routing tool.

Know there\u2019s a score gap but not sure what kind of help you need? Tell us your level, scope, and environment \u2014 never CUI \u2014 and we\u2019ll match you with source-checked provider options.

Map my CMMC path \u2192

One honest admission, up front.We can’t tell you whether yourspecific score is safe. No article can, and no online tool can — including ours. A reported 110 can be perfectly defensible, or it can be a low-confidence number that collapses under a government evidence review. What we cando is show you exactly which record you’re holding, why the two numbers diverge, what the government can do about it, and what to do next without making your situation worse.

Self-reported vs DIBCAC assessed score: what’s the difference?

The difference is who grades the assessment and how much the government trusts the result. A self-reported score is produced by the contractor using the DoD Assessment Methodology, its own System Security Plan, and its own read of its environment — a self-generated number that, under the legacy framework, carries “Low” confidence. A DIBCAC assessed score is a government-led Medium or High assessment. When both records exist for the same contractor, the government-conducted result takes precedence.

Under the codified NIST SP 800-171 DoD Assessment Methodology, there are three assessment types, and their entire purpose is to signal how much verification stands behind the number.

Sources: DFARS 252.204-7020 (now 252.240-7997 for covered procurements); DoD Assessment Methodology v1.2.1.
Self-reported (Basic)DIBCAC MediumDIBCAC High
Who conducts itThe contractor grades itselfGovernment personnel (DCMA’s DIBCAC)Government personnel (DCMA’s DIBCAC)
HowYou review your own SSP against the 110 requirements and score itReview of prior assessment information, thorough document review, and discussions with the contractorMedium-review elements plus government verification, examination, and demonstration that requirements are implemented as described in the SSP
Confidence levelLow — self-generatedMediumHigh
Scale (Level 2 scope)110 to −203110 to −203110 to −203
Who posts to SPRS?YouDoDDoD
Takes precedence?NoYes, when conducted by DCMAYes, when conducted by DCMA
Rebuttal windown/a14 business days14 business days
One distinction to lock in: DIBCAC is not a C3PAO. They get blurred constantly, and the mix-up sends people to the wrong provider. DIBCAC is a governmentbody (part of DCMA). It runs the Medium and High NIST assessments above, and — separately — it is the only entity authorized to conduct CMMC Level 3 assessments under 32 CFR 170.18. A C3PAO is a private-sector firm authorized to conduct Level 2 certification assessments under 32 CFR 170.17. The two roles have different authorities, different outputs, and different rebuttal paths.

A version note: NIST has superseded SP 800-171 Rev. 2 with Rev. 3 for its general publication series, but CMMC Level 2 continues to incorporate Rev. 2unless DoD changes the governing rule or clause. Everything on this page uses Rev. 2 for that reason.

Score gap self-check

Would Your Score Survive a DIBCAC Assessment?

This tool can’t predict a DIBCAC result. It flags record-type, clause, scope, evidence, and deadline gaps that could stop another assessor from reproducing your score. No email required.

Check your score gaps ↓

Which “self-reported score” do you actually have in 2026?

“Self-reported” now points to more than one record, and the difference matters. It can mean a legacy Basic NIST assessment under the former DFARS 252.204-7019/7020 framework, or a current CMMC Level 2 (Self) assessment under 32 CFR Part 170 and DFARS 252.204-7021. These are different objects with different obligations.

Effective February 1, 2026, class deviation 2026-O0025 directs contracting officers to use DFARS Part 240 — including DFARS 252.240-7997— for covered procurements. For covered procurements, this effectively drops the standalone 252.204-7019 provision, and the assessment mechanics from 252.204-7020 move into 252.240-7997. The codified text still exists in the eCFR and can remain relevant to historical records and existing contracts.

When a contract or solicitation includes DFARS 252.204-7021 and requires CMMC Level 2 (Self), 32 CFR 170.16 requires you to conduct the Level 2 self-assessment, submit the results to SPRS, and complete the annual affirmation of continuous compliance. Those obligations didn’t change.

Before you compare “your score” to “the DIBCAC score,” figure out which of these six records you’re actually looking at:

Sources: 32 CFR 170.16–170.18; DFARS 252.204-7019, 252.204-7020, 252.204-7021, 252.240-7997; class deviation 2026-O0025.
RecordGoverning authorityWho produces itEvidence depthResult & who postsCMMC status?
Legacy Basic NIST assessmentCodified DFARS 252.204-7019/7020 (still in the eCFR; relevant to historical records and contracts that contain it)ContractorReview of your own SSP using the DoD MethodologyNumerical score, Low confidence; contractor submits to SPRSNo
CMMC Level 2 (Self)32 CFR 170.16 + DFARS 252.204-7021Your organizationCMMC scope assessed against NIST SP 800-171 Rev. 2Score + Conditional or Final Level 2 (Self) status; you submit to SPRSYes
Government Medium NIST assessmentDFARS 252.240-7997 (formerly 252.204-7020)Government personnel (DCMA DIBCAC)Prior-assessment review, document review, and discussionsNumerical score, Medium confidence; DoD posts to SPRSNo — not automatically
Government High NIST assessmentDFARS 252.240-7997 (formerly 252.204-7020)Government personnel (DCMA DIBCAC)Adds verification, examination, and demonstration of implementationNumerical score, High confidence; DoD posts to SPRSNo — not automatically
CMMC Level 2 (C3PAO)32 CFR 170.17 + DFARS 252.204-7021An authorized C3PAO (private)Formal third-party CMMC assessmentConditional or Final Level 2 (C3PAO) status; C3PAO submits via CMMC eMASS, reflected in SPRSYes
CMMC Level 332 CFR 170.18 + DFARS 252.204-7021DCMA DIBCACFinal Level 2 (C3PAO) prerequisite, plus 24 selected requirements from NIST SP 800-172Conditional or Final Level 3 status; DIBCAC submits via CMMC eMASS, reflected in SPRSYes

If you can’t say with certainty which row you’re in, that’s the first thing to fix. Read the actual procurement documents:

  1. The solicitation provision— what does it require, and in which clause?
  2. The awarded contract clause— 252.204-7012? 252.204-7021? 252.240-7997?
  3. Any modification or deviation identifier— is this a Revolutionary FAR Overhaul contract?
  4. The SPRS or CMMC record itself— what type, what date, whose name is on it?

For the broader contractual picture — how the 2026 deviation and CMMC clauses fit together — see our companion explainer on how current 252.240-7997 assessments differ from the older 7019/7020 framework.

Does a DIBCAC assessed score mean CMMC Level 3?

No. DIBCAC performs government Medium and High NIST SP 800-171 assessments andis the government assessor for CMMC Level 3 — but those are two separate jobs with different authorities, prerequisites, and outputs. A numerical Medium or High score does not become a CMMC Level 3 status just because DIBCAC produced it. Conflating the two is the single most common misconception on this topic.

DIBCAC wears two hats. Read the label to know which one you’re looking at:

Sources: DFARS 252.240-7997 (formerly 252.204-7020); 32 CFR 170.18.
DIBCAC roleWhat it produces
Government Medium or High NIST SP 800-171 assessment (DFARS 252.240-7997)A numerical scoreand a confidence level — Medium or High
CMMC Level 3 assessment (32 CFR 170.18)A CMMC status— Conditional or Final Level 3 — built on a Final Level 2 (C3PAO) foundation and 24 selected NIST SP 800-172 requirements

The tell is in the words on the record. A government NIST assessment gives you a number and a confidence level. CMMC gives you a status— Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 — and Levels 2 and 3 can be labeled Conditional or Final. Level 3 can’t even begin until a Final Level 2 (C3PAO) status is in place. So if your paperwork says “Medium Assessment, score of 62,” that is a government NIST assessment. It is not a certification, and it is not Level 3. Precision here isn’t pedantry — it changes who you call and what you’re actually obligated to do.

Can DIBCAC override your self-reported SPRS score — and is a clock running?

Yes on both counts. Under current DFARS 252.240-7997, when DCMA conducts a Medium or High assessment, that result takes precedence over other assessment results, and DoD posts it to SPRS. Before it’s posted, you get an opportunity to respond: a contractor has 14 business daysto provide additional information demonstrating a requirement the team didn’t observe, or to rebut findings in question. Follow the assessment notice for the operative dates and submission steps.

The precedence rule and the rebuttal window both come from the assessment clause and carry forward into the current deviation. DFARS 252.204-7020(e) — now relocated to 252.240-7997 — states that DoD offers “rebuttal and adjudication of assessment summary level scores prior to posting,” and that “upon completion of each assessment, the contractor has 14 business days to provide additional information… or to rebut the findings.” This is real, current, and time-sensitive — the rare deadline on this topic that isn’t manufactured.

Two precision points, because loose phrasing here causes real mistakes:

What does DoD post to SPRS after a Medium or High assessment?

The record is more than a number — it’s a small dossier. For a government Medium or High assessment, DFARS 252.240-7997 (carrying forward the 252.204-7020 posting fields) identifies the standard assessed, the organization that conducted it, the associated CAGE codes, the assessment date and level, the summary-level score, and the date all requirements are expected to be fully implemented based on the associated plan of action. Knowing exactly what’s in that record tells you what to reconstruct and defend.

If a government result just landed, don’t start rewriting your environment. Preserve the record and protect your rights first: the government notice, the resulting assessment report, your SPRS record, the solicitation and contract, your prior score submission, and the SSP and scoring workbook you originally used. A technical fix completed afterthe assessment date doesn’t answer whether the original finding was correct — and it can look worse, not better. For a full breakdown of the six distinct DoD review types and how to identify which one you’re in, see Can DoD audit my CMMC self-assessment?

Before you treat this as a shopping problem, screen for a legal one. If the government has issued a finding, subpoena, investigative demand, or inquiry — or if the concern involves a prior bid, claim, invoice, certification, or affirmation — preserve the record and talk to qualified federal-contracts counsel before anything else. For an ordinary scope, evidence, or readiness gap, the next step is simpler: use The Defense Compliance Report’s Find My CMMC Path tool to map your level, scope, environment, and timeline to the right provider category before you request quotes. Do not submit CUI, drawings, or sensitive contract details.

Not sure whether you need readiness support, evidence workflow, enclave architecture, or assessment prep? Map your level, scope, and timeline to the right provider category.

Find My CMMC Path \u2192

Why do DIBCAC-assessed scores come back lower? (Where the points leak)

A lower government score does not automatically prove fraud. Verified scoring gaps usually come from requirements marked “met” without complete objective evidence, an incorrect scope, an SSP that doesn’t match the assessed environment, controls that were planned rather than implemented, or misapplication of the 1-, 3-, and 5-point methodology.

Start with the math. Under the DoD Assessment Methodology, you begin at 110 and subtract 5, 3, or 1 pointfor each of the 110 requirements you haven’t fully met. The weights track security impact — the most critical controls carry five points. Because the weights sum to more than 110, a handful of five-point gaps can push you negative. The floor is −203. That’s by design: you can’t game the score by knocking out cheap one-pointers while ignoring the controls that actually protect CUI.

The following are verified scoring mechanisms and defensible evidence-risk categories — not a claim about which findings are most common across the DIB:

Editorial self-check tool

Would Your Score Survive a DIBCAC Assessment?

This tool cannot predict a DIBCAC result, calculate an official SPRS score, determine CMMC status, or provide legal advice. It flags record-type, clause, scope, evidence, and deadline gaps. No email required. Do not enter CUI. Provider-category output is editorial.

Step 1 of 7 — Which record do you have?

Which best describes the record you submitted to SPRS?

A useful way to audit yourself before anyone else does

Editorial framework based on the verified assessment-role and scoping rules above. Not a regulatory classification or compliance determination.
Where points leakWhat the contractor believedWhat a government assessor testsFirst document to pull
Scope"That system is outside CUI"Data flows, connections, users, external service providersYour CUI data-flow diagram
SSP"It's documented"Whether the document matches current operationsThe dated SSP version
Scoring method"We calculated 110"Weighting and how partial implementation was treatedThe original scoring workbook
Evidence"We have a policy"Whether artifacts show the control actually operatingA control-to-evidence index
Implementation"The tool is installed"Whether it’s configured and enforced across the scopeThe configuration export
Timing"We fixed that later"What existed on the assessment dateChange and deployment records

How big is the typical gap? We found no authoritative public dataset establishing a “typical” self-reported-to-government score gap as of July 16, 2026 — so we won’t hand you an invented average. The two public enforcement cases below are documented examples, not a benchmark.

What the LOGZONE and MORSECORP records show — and what they don’t prove

A large gap between a self-reported score and a later independent or government assessment can become part of a False Claims Act investigation when it’s paired with alleged or admitted contractual noncompliance and claims for payment. In June 2026, defense contractor LOGZONE agreed to pay $507,144 after DIBCAC assessed it at −170 against its self-reported 110. It followed MORSECORP’s $4.6 million settlement, where a self-reported 104 turned out to be −142. Neither record establishes that a numerical score gap alone creates liability.

We pulled both from the primary source — the DOJ press releases and settlement agreements — rather than law-firm summaries, and one column is doing real work here. Notice who found the gap, because it’s not the same story twice:

Sources: DOJ — LOGZONE and DOJ — MORSECORP.
ContractorSelf-reportedAssessedGapWho found itResolutionHow it surfacedDOJ posture
LOGZONE Inc. (Huntsville, AL)110 (Oct. 13, 2021)−170 (Feb. 2, 2024)280 ptsDIBCAC (a government assessment)$507,144 (incl. $253,572 restitution), June 18, 2026Government-initiated DIBCAC assessmentAllegations resolved; no determination of liability
MORSECORP Inc. (Cambridge, MA)104 (Jan. 2021)−142 (July 2022)246 ptsA third-party consultant (not DIBCAC)$4.6M, March 26, 2025; relator share $851,000Qui tam by a former employeeAdmitted facts on multiple points

LOGZONEis the cleanest illustration of this exact query. The company posted a perfect 110 in October 2021. In an assessment dated February 2, 2024, DIBCAC scored its actual implementation at −170 — near the very bottom of the range. The settlement record identifies that 280-point difference and also describes broader alleged failures to implement required NIST SP 800-171 controls while submitting claims for payment on two Navy contracts. DOJ stated the settlement resolved allegations without a determination of liability. Notably, the published DOJ materials do not identify a relator or qui tam action — the government’s own assessment triggered the case, which is what makes it a warning even to contractors no whistleblower is watching.

A note on the numbers, labeled as ours.The Defense Compliance Report calculations from the public settlement figures: $507,144 ÷ $682,193.37 ≈ 74.34%; $253,572 ÷ $682,193.37 ≈ 37.17%; the difference between 110 and −170 is 280 points; the interval between October 13, 2021 and February 2, 2024 is 842 days. These ratios describe the public figures only. They do not establish how DOJ calculated damages or a typical outcome — and the settlement amount ($507,144) is exactly double the restitution figure ($253,572), which should not be read as a standard multiplier: the False Claims Act generally provides for treble damages plus civil penalties.

MORSECORPadds the twist that should keep affirming officials up at night. MORSE self-reported 104 in January 2021. A third-party consultant told the company in July 2022 that the real number was −142. MORSE didn’t correct its SPRS entry until June 2023 — three months after the government served a subpoena. DOJ included that delayed update among the facts MORSE admitted. A former employee filed the qui tam complaint and received an $851,000 relator share.

Be clear-eyed about what these cases do — and don’t — establish. They show that dramatic, documented gaps between self-reported and independently assessed scores can anchor an expensive False Claims Act resolution when combined with alleged or admitted noncompliance. They do notprove that every 110 is inflated, that DIBCAC reduces scores by some predictable amount, or that a score gap alone caused either settlement. We say “the settlement record states,” not “the company was convicted.”

If your real worry is what your company represented— in a proposal, an award, an invoice, or an annual affirmation — that’s a legal question, not just a technical one. Read our companion piece on the difference between a contractor-entered and DIBCAC-assessed score, and what inaccurate SPRS representations can mean, and involve qualified counsel.

What did the July 13, 2026 CMMC Phase II suspension change?

It suspended the Phase II transition — not your safeguarding duties. On July 13, 2026, the Department of War suspended the CMMC Phase II transition and the designation of Level 2 (C3PAO) and Level 3 assessment requirements in procurement documents during a review. But self-assessments still stand, select government-led assessments may continue, DFARS 252.204-7012 is unchanged, and the Justice Department is still bringing False Claims Act cases. The suspension paused the scheduled third-party expansion. It did not pause DIBCAC or your liability.

Here’s the practical map, matched to the implementation direction:

Source: Department of War suspension announcement (July 13, 2026); DoD CIO implementation direction. Verify the official program page before relying on it for a contract decision.
ItemStatus as of July 16, 2026
Phase I self-assessments (Level 1 Self, Level 2 Self)In effect — the current operating posture
New CMMC level designations in procurementsProgram Managers may designate only Level 1 (Self) or Level 2 (Self) during the suspension
Active solicitations / existing contracts with C3PAO or Level 3 requirementsDirected to be amended or modified to remove them — verify whether your document has actually been changed
Phase II third-party (C3PAO) transition, once expected Nov. 10, 2026Suspended — do not treat the old date as a settled deadline, and don’t invent a new one
DFARS 252.204-7012 safeguarding dutiesUnchanged
DIBCAC Medium/High assessmentsSelect government-led assessments may continue
False Claims Act exposureUnchanged — DOJ enforcement continues
CMMC Reform Task Force reviewUnderway; a Request for Information supports the review, with comments due August 14, 2026

The original schedule placed Phase I from November 10, 2025 through November 9, 2026 and Phase II at November 10, 2026; the July 13 action suspended that transition while keeping Phase I self-assessment requirements in place.

What the suspension does notmean: that NIST SP 800-171 stopped mattering, that the cyber clauses vanished, that an unsupported historical score is now safe, or that Phase II has a confirmed new start date. The review could lead to significant changes to the program, and officials have not committed to keeping it in its current form — but permanent amendments to codified 32 CFR or DFARS text require the applicable rulemaking process. Because this section is time-sensitive, verify the official program page before relying on it for a contract decision.

If anything, the suspension raises the stakes on the self-vs-DIBCAC question. With the third-party transition paused, contractor self-assessments and select government-led assessments remain directly relevant, and the suspension does not suspend the False Claims Act or erase the existing cybersecurity clauses.

What should you do if your self-reported score might not hold up?

Preserve the original record before you change anything, then figure out what kind of problem you actually have. Identify the exact clause, record type, date, CAGE scope, SSP version, and evidence behind the number. Then classify the mismatch — scope, documentation, scoring method, evidence, implementation, timing, or a legal representation issue — because that classification decides whether you need a readiness consultant, an implementation team, an evidence platform, or an attorney.

Work it in this order:

  1. Freeze and preserve. Save the submitted score, the submission date, who submitted it, the CAGE scope, the SSP (name, version, date), the scoring workbook, the evidence index, and the relevant contract clauses and approvals. Never conceal, destroy, rewrite, or backdate anything.
  2. Identify the record and authority. Use the six-record table above. A legacy Basic score and a CMMC Level 2 (Self) status are not the same object.
  3. Reconstruct the score as of the assessment date. Separate what existed then, what was merely planned then, what you remediated later, and what you simply can’t substantiate.
  4. Map every claimed requirement to evidence.For each control: who owns it, which system, the implementation statement, the test objective, the artifact that proves it, and the artifact’s date. A policy saying something should happen is not proof it did.
  5. Classify the mismatch before correcting it (see the triage table below).
  6. Separate remediation from legal response. A cybersecurity consultant can tell you whether controls and evidence support a score. That does not make them the right advisor on disclosure duties, privilege, or litigation risk tied to prior representations.
  7. Make only supportable, traceable corrections. “Lower the number immediately” is not automatically right — the correct action depends on the record, the contract, any government notice, and possible legal implications.

The table below is The Defense Compliance Report’s editorial decision framework, based on the verified assessment-role and scoping rules above. It is not a regulatory classification, a provider ranking, or a compliance determination.

Editorial triage framework. Not a regulatory classification or compliance determination.
Mismatch typeTypical signalFirst safe actionCategory that usually fitsDon’t
Record-typeTeam calls a Medium result "Level 3"Identify the exact status or confidence labelRP/RPO or a knowledgeable compliance leadTreat every DIBCAC result as certification
ClauseContract cites 252.240-7997 but your process assumes 7019/7020Read the solicitation, award, modification, and deviationContracts professional; counsel where materialUse a generic checklist as the authority
ScopeCAGEs, CUI systems, users, or external providers differRebuild the CUI/data-flow and assessment boundaryRP/RPO; enclave specialistRecalculate before resolving the boundary
Scoring methodThe 110 can’t be reproducedRecalculate from the correct methodologyRP/RPO or assessment-readiness specialistPreserve a number you can’t explain
EvidencePolicies exist but artifacts don’t prove operationBuild a requirement-to-evidence mapGRC/evidence platform + readiness supportUpload sensitive evidence into an unvetted tool
ImplementationEvidence honestly shows a missing controlBuild a technical remediation planMSP/MSSP or implementation specialistHire a C3PAO to perform remediation
Timing/versionDifferent SSPs or environments were assessedReconstruct the state on each assessment dateRP/RPO + technical ownerCompare numbers without aligning dates/scope
Government findingA Medium/High result and response instructions arrivedCalendar the 14-business-day deadline; preserve the noticeResponse team; counsel where appropriateStart rewriting historical evidence
Representation riskAn unsupported score tied to a proposal, award, invoice, or affirmationPreserve records; get qualified legal adviceFederal-contracts / False Claims Act counselTreat it as only a technical ticket
Map the record before you hire. If you already know the number is unsupported by implementedcontrols, don’t shop for a vendor yet — rebuild it from evidence first. Our control-by-control guide to improving an SPRS score walks the sequence: reconstruct scope, fix the highest-point gaps, align the SSP, and resubmit a number you can defend. That work makes every later decision cheaper and safer.

What kind of help fits a score gap?

Match the provider category to the problem, not the panic. Use an RP/RPO for scope, methodology, and readiness; an MSP/MSSP for technical implementation and ongoing operations; a GRC platform for evidence workflow; and a CUI-enclave specialist when architecture and scope isolation are the core issue.

That routing logic has a name. The CMMC Path Frameworkmaps a contractor’s required CMMC level, FCI-versus-CUI handling, assessment type, IT and cloud environment, and contract timeline to the provider category most likely to fit. It routes to a category, not a named provider, and it is not a score, a ranking, or compliance advice. See the full explanation at CMMC provider categories.

Know there’s a gap but not whether it’s scope, implementation, evidence workflow, enclave architecture, or assessment readiness? Use The Defense Compliance Report’s Find My CMMC Path tool to identify the right provider category before requesting quotes. Tell us your level, scope, environment, and timeline — never CUI — and we’ll match you with source-checked provider options. (By “source-checked,” we mean options where we’ve checked the provider’s category, role, relevant status, compensation relationship, and our last-verified date; we may receive compensation for qualified introductions when disclosed.)

Map your CMMC level, scope, and timeline to the right provider category \u2014 RP/RPO, MSP/MSSP, GRC platform, CUI enclave, or C3PAO. Never enter CUI.

Find My CMMC Path \u2192

What we actually verified

We built this page from primary sources and dated our work, because on a topic this consequential, that’s the difference between an authority and an aggregator.

Verified directly (July 16, 2026):

Deliberately not claimed:a “typical” DIBCAC score reduction; that every 110 is unsupported; that a negative score is an automatic disqualification; that a government result visually deletes an earlier SPRS entry; that a score gap alone caused either settlement; that a Medium or High result is CMMC Level 3; that Phase II has a confirmed new start date; or that any provider can guarantee a score or a certification outcome.

Frequently asked questions

Is a self-reported SPRS score "official"?
A contractor-entered score can be an official submission in SPRS, but "officially submitted" and "independently government-assessed" are different things. A legacy Basic self-assessment carries Low confidence because it is contractor-generated; a CMMC Level 2 (Self) submission is a separate CMMC status record with its own scope, affirmation, and recurrence rules. Don't apply the legacy Low-confidence label to a Level 2 (Self) status.
Can DIBCAC enter a different SPRS score than the one I posted?
Yes. When DCMA completes a Medium or High assessment, that result takes precedence and DoD posts it to SPRS. We won't overstate whether your earlier entry is deleted or archived — the point is that the government's higher-confidence number becomes the score of record for contracting purposes.
Is a DIBCAC Medium assessment the same as CMMC Level 3?
No. A Medium assessment is a government NIST SP 800-171 assessment with Medium confidence. CMMC Level 3 is a separate status path with its own prerequisites (a Final Level 2 C3PAO status first) and 24 selected NIST SP 800-172 requirements under 32 CFR 170.18.
Is a government High assessment always on-site?
Don't reduce it to a location label. A High assessment adds government verification, examination, and demonstration that controls are implemented as described — the logistics come from the notice and current authority, not a rule of thumb.
How long do I have to challenge a DIBCAC result?
14 business days after the assessment to submit additional information or rebut findings, under DFARS 252.204-7020(e), carried into 252.240-7997. A dispute with a C3PAO's Level 2 assessment is different: a NOT MET requirement can be re-evaluated during the assessment and for a short window afterward (10 business days) under 32 CFR 170.17, before the Assessment Findings Report is delivered — with appeals to the Accreditation Body beyond that. Don't mix the two timelines.
Did DFARS 252.240-7997 replace 252.204-7020 everywhere?
For covered procurements, class deviation 2026-O0025 directs contracting officers to use 252.240-7997 in place of the codified framework as of February 1, 2026. The codified 252.204-7020 text still exists in the eCFR and can remain relevant to historical records and existing contracts — so check your actual procurement documents.
Does a negative SPRS score automatically make us ineligible?
There's no universal rule. The effect depends on the solicitation, the contract, the applicable clauses, the responsibility and award decisions, and any required assessment status. A negative score is a serious signal, but eligibility is contract-specific.
We can't support our score — should we just lower it right now?
Preserve the original record and identify the governing procedure first. A technical correction, a contractual notice, a legal disclosure, a government rebuttal, and a CMMC affirmation are different actions. Where prior representations may carry legal significance, involve qualified counsel before you act.
What's the minimum score for CMMC Level 2 (Self)?
To be eligible for Conditional status with a POA&M, the score divided by the 110 Level 2 requirements must be at least 0.8 — 88 points — and the POA&M must satisfy the point-value and requirement-specific exclusions in 32 CFR 170.21(a)(2). A Conditional Level 2 status must then be closed out within 180 days.
Did the Phase II suspension eliminate CMMC or NIST SP 800-171 obligations?
No. Phase I self-assessments remain, select government-led assessments continue, and DFARS 252.204-7012 safeguarding duties are unchanged. The suspension paused the third-party transition, not the underlying requirements.
Can a GRC platform validate our score for us?
It can organize requirements, evidence, SSP content, POA&Ms, ownership, and version history. It cannot independently turn an unsupported implementation claim into a verified control, and it cannot issue an official SPRS or CMMC result.

Need a next step?

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Start with Find My CMMC Path.

Find My CMMC Path →

Do not submit CUI, drawings, technical data, SSP content, vulnerability details, credentials, or sensitive contract information into any form.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, the Department of War, DCMA DIBCAC, NIST, SPRS, or any U.S. government agency. This article is educational research, not legal, contractual, or compliance advice. The contract clause and your CUI handling set your obligations — not a checklist. Confirm scope and applicability with a qualified CMMC Registered Practitioner (RP/RPO) and, where legal rights or prior representations are involved, a qualified federal-contracts attorney.

Last verified: July 16, 2026. Regulatory facts on this page are time-sensitive; we re-verify the CMMC program status and clause posture on a rolling basis during the current reform review.