Welcome to The GovCon Compliance Brief — short, plain-English notes for small defense contractors working through CMMC and NIST 800-171. No jargon, no fear-mongering. Two minutes, one useful idea, every other week.
Let's start with the single most important number you may not know: your SPRS score.
The number that matters
If your contracts touch Controlled Unclassified Information (CUI), the government scores how well you meet the 110 NIST SP 800-171 requirements — and that score lives in the Supplier Performance Risk System (SPRS). It runs from a perfect +110 down to −203.
Here's what trips people up: the score isn't a simple count. Each requirement carries a weight of 5, 3, or 1 points, and you subtract the weight of every requirement you don't meet. Miss a few heavy ones and you're underwater fast — which is why two companies that have each "done about half" can have wildly different scores.
The practical takeaway: don't fix requirements in order — fix them by weight. A single 5-point control is worth five 1-point controls. There are 42 five-point controls; start there. The usual fastest wins:
Multifactor authentication everywhere (3.5.3)
FIPS-validated encryption (3.13.11) — the single most-failed control in real assessments
Unique identities; kill shared logins like "frontdesk" (3.5.1 / 3.5.2)
You can't prioritize what you haven't measured, though — so step one is simply finding your number.
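As an added example (not part of the newsletter or of Objective320's tool), here is the scoring rule above in Python: perfect score minus the weight of every unmet requirement, plus the heaviest-first remediation order. The three identifiers named above are taken from this issue; every other entry is constructed sample data, not the full 110-requirement table.

```python
# Added example, not the newsletter's or Objective320's code: SPRS-style scoring
# over a constructed self-assessment. Score = 110 minus the weight of each unmet
# requirement. Only the three controls named in the issue are real identifiers;
# the "sample-*" entries are constructed placeholders, not real requirement IDs.
from dataclasses import dataclass

PERFECT_SCORE = 110  # all 110 requirements met


@dataclass(frozen=True)
class Requirement:
    ident: str   # e.g. "3.5.3"
    weight: int  # 5, 3 or 1 points
    met: bool


def sprs_score(reqs):
    """Perfect score minus the weight of every requirement not met."""
    assert all(r.weight in (5, 3, 1) for r in reqs), "weights are 5, 3 or 1"
    return PERFECT_SCORE - sum(r.weight for r in reqs if not r.met)


def remediation_order(reqs):
    """Unmet requirements, heaviest first (ties broken by identifier)."""
    gaps = [r for r in reqs if not r.met]
    return [r.ident for r in sorted(gaps, key=lambda r: (-r.weight, r.ident))]


# Constructed sample: two contractors, each has met 3 of the same 6 requirements.
COMPANY_A = [
    Requirement("3.5.3", 5, met=False),    # MFA everywhere (5-point control)
    Requirement("3.13.11", 5, met=False),  # FIPS-validated encryption (5-point)
    Requirement("3.5.1", 5, met=False),    # unique identities (5-point control)
    Requirement("sample-1pt-a", 1, met=True),
    Requirement("sample-1pt-b", 1, met=True),
    Requirement("sample-1pt-c", 1, met=True),
]
COMPANY_B = [
    Requirement("3.5.3", 5, met=True),
    Requirement("3.13.11", 5, met=True),
    Requirement("3.5.1", 5, met=True),
    Requirement("sample-1pt-a", 1, met=False),
    Requirement("sample-1pt-b", 1, met=False),
    Requirement("sample-1pt-c", 1, met=False),
]

if __name__ == "__main__":
    # "Done about half" in both cases, but 95 versus 107 once weights apply.
    print("A:", sprs_score(COMPANY_A), remediation_order(COMPANY_A))
    print("B:", sprs_score(COMPANY_B), remediation_order(COMPANY_B))
```

Both companies have the same number of gaps, but Company A's three missing 5-point controls cost 15 points where Company B's three 1-point gaps cost 3.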
This fortnight in CMMC
CMMC enforcement is live, and Phase 2 (beginning November 10, 2026) makes third-party certification mandatory for the large majority of CUI contracts. Even then, the first move is the same: assess yourself. A third-party assessor verifies your work — it doesn't do it for you.
Find your score — FREE
All 110 requirements, about 10 minutes, no account, no cost.
That's it for #1. Reply anytime with a question — we read them, and they shape what we build next.
— Objective320
Free CMMC & NIST 800-171 tools for small contractors. A Red Diamond Strategic, LLC project.
