The Supplier Performance Risk System (SPRS) score reflects how complete the CMMC implementation is for an organization seeking assessment (OSA) or certification (OSC).

This website feature is still under development.

An organization seeking assessment (OSA) must meet all the listed practices or provide documentation for why they are not applicable.

ID   Name   Score   Met   Not Met   N/A
AC.L1-3.1.1 Authorized Access Control 5
[a] authorized users are identified;
[b] processes acting on behalf of authorized users are identified;
[c] devices (and other systems) authorized to connect to the system are identified;
[d] system access is limited to authorized users;
[e] system access is limited to processes acting on behalf of authorized users; and
[f] system access is limited to authorized devices (including other systems).
AC.L1-3.1.2 Transaction & Function Control 5
[a] the types of transactions and functions that authorized users are permitted to execute are defined; and
[b] system access is limited to the defined types of transactions and functions for authorized users.
AC.L1-3.1.20 External Connections 1
[a] connections to external systems are identified;
[b] the use of external systems is identified;
[c] connections to external systems are verified;
[d] the use of external systems is verified;
[e] connections to external systems are controlled/limited; and
[f] the use of external systems is controlled/limited.
AC.L1-3.1.22 Control Public Information 1
[a] individuals authorized to post or process information on publicly accessible systems are identified;
[b] procedures to ensure [FCI/CUI] is not posted or processed on publicly accessible systems are identified;
[c] a review process is in place prior to posting of any content to publicly accessible systems;
[d] content on publicly accessible systems is reviewed to ensure that it does not include [FCI/CUI]; and
[e] mechanisms are in place to remove and address improper posting of [FCI/CUI].
IA.L1-3.5.1 Identification 5
[a] system users are identified;
[b] processes acting on behalf of users are identified; and
[c] devices accessing the system are identified.
IA.L1-3.5.2 Authentication 5
[a] the identity of each user is authenticated or verified as a prerequisite to system access;
[b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
[c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
MP.L1-3.8.3 Media Disposal 5
[a] system media containing [FCI/CUI] is sanitized or destroyed before disposal; and
[b] system media containing [FCI/CUI] is sanitized before it is released for reuse.
PE.L1-3.10.1 Limit Physical Access 5
[a] authorized individuals allowed physical access are identified;
[b] physical access to organizational systems is limited to authorized individuals;
[c] physical access to equipment is limited to authorized individuals; and
[d] physical access to operating environments is limited to authorized individuals.
PE.L1-3.10.3 Escort Visitors 1
[a] visitors are escorted; and
[b] visitor activity is monitored.
PE.L1-3.10.4 Physical Access Logs 1
[a] audit logs of physical access are maintained.
PE.L1-3.10.5 Manage Physical Access 1
[a] physical access devices are identified;
[b] physical access devices are controlled; and
[c] physical access devices are managed.
SC.L1-3.13.1 Boundary Protection 5
[a] the external system boundary is defined;
[b] key internal system boundaries are defined;
[c] communications are monitored at the external system boundary;
[d] communications are monitored at key internal boundaries;
[e] communications are controlled at the external system boundary;
[f] communications are controlled at key internal boundaries;
[g] communications are protected at the external system boundary; and
[h] communications are protected at key internal boundaries.
SC.L1-3.13.5 Public-Access System Separation 5
[a] publicly accessible system components are identified; and
[b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
SI.L1-3.14.1 Flaw Remediation 5
[a] the time within which to identify system flaws is specified;
[b] system flaws are identified within the specified time frame;
[c] the time within which to report system flaws is specified;
[d] system flaws are reported within the specified time frame;
[e] the time within which to correct system flaws is specified; and
[f] system flaws are corrected within the specified time frame.
SI.L1-3.14.2 Malicious Code Protection 5
[a] designated locations for malicious code protection are identified; and
[b] protection from malicious code at designated locations is provided.
SI.L1-3.14.4 Update Malicious Code Protection 5
[a] malicious code protection mechanisms are updated when new releases are available.
SI.L1-3.14.5 System & File Scanning 3
[a] the frequency for malicious code scans is defined;
[b] malicious code scans are performed with the defined frequency; and
[c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.