What is this tool?
This tool walks you through all 110 NIST SP 800-171 Rev 2 security controls required for CMMC 2.0 Level 2 compliance. For each control you mark your implementation status — the tool calculates your live SPRS score automatically.
CMMC 2.0 Level 2 Overview
- 110 controls across 14 domains from NIST SP 800-171 Rev 2
- Protects Controlled Unclassified Information (CUI) on DoD contracts
- Required for any contractor handling CUI under DFARS 252.204-7012
- Self-assessment score submitted to SPRS (Supplier Performance Risk System)
- Phase 1 (Nov 2025–Nov 2026): self-assessments required as condition of contract award
- Phase 2 (Nov 2026+): C3PAO third-party assessments begin rolling into contracts
SPRS Score Thresholds
| Score | Status | Validity | Action Required |
| 110 | ✅ Final Self-Assessment | 3 years + annual affirmation | Submit to SPRS. Affirm annually in PIEE. |
| 88–109 | ⚠️ Conditional | 180 days only | Submit to SPRS with POA&M. Close gaps within 180 days. |
| Below 88 | ❌ No CMMC Status | Not eligible | Do NOT submit. Remediate gaps first. |
Status Options
- Met — Control is fully implemented and evidenced. No SPRS deduction.
- Partial — Control is partially implemented. SPRS deducts full weight (same as Not Met in DoD methodology).
- Not Met — Control is not implemented. SPRS deducts the full control weight.
- N/A — Control does not apply to your environment (document justification). No deduction.
How to use
- Fill in your organization details in the header fields
- For each control: select a status, add implementation notes and evidence location
- Click 💾 Save to save to browser localStorage
- Use 📥 Export JSON to download your assessment for backup or sharing
- Use 📤 Import JSON to restore a previous assessment
- Use the filter buttons to focus on gaps (Not Met / Partial)
Data Storage
All data is stored locally in your browser (localStorage). Nothing is sent to TRA servers. Use Export JSON to back up your assessment regularly. Clearing browser data will erase saved assessments.
Next Steps After Assessment
- Generate your System Security Plan (SSP) using the TRA Document Generator
- Create a POA&M for all Not Met and Partial controls
- Submit your SPRS score via the PIEE portal (piee.eb.mil) — select SPRS Cyber Vendor User role
- Schedule annual affirmation in SPRS within 12 months of submission
TRA Consulting, Inc. · traconsulting.mx · service@traconsulting.com · 562-551-8872
CMMC 2.0 Level 2 Readiness Tool — NIST SP 800-171 Rev 2 · 110 Controls · DoD SPRS Weighted Scoring