Security. Compliance. Strategy. | Justin Johnson

The Brutal Truth About Your CMMC Gap Analysis

The Brutal Truth About Your CMMC Gap Analysis (And Why -203 is a Real Score)

If you are a defense contractor, you probably think your company is “pretty secure.” You have a firewall. You run antivirus software. You have passwords on everything. Maybe your MFA solution is in place.

So, when you hear about the Cybersecurity Maturity Model Certification (CMMC) and its 110 security requirements, you might figure, “We’ll probably score fairly decently. Maybe 70 to 80% compliant.”

Wrong.

In the world of CMMC and NIST SP 800-171, you don’t start at zero and earn points for good behavior. Under the DoD Assessment Methodology (the scoring behind your SPRS number and a Level 2 assessment), you start at a perfect score of 110… and then the Department of Defense starts subtracting.

And the math is brutal.

The -203 Reality Check

Most people are shocked to learn that the lowest possible score for a CMMC assessment isn’t zero. It’s -203.

How is that possible?

The DoD’s scoring methodology weights requirements by importance: each of the 110 is worth 1, 3, or 5 points, with the 5-point ones being the controls whose absence does the most damage. Every requirement you have not fully implemented subtracts its full weight from 110.

Here is the kicker: If you miss a 5-point control, like CA.L2-3.12.1 (Security Control Assessment), you don’t just get a zero for that question. You lose those 5 points from your total score. Miss enough of them and the total goes below zero.

If you have absolutely no security program in place, you technically start at -203. Most contractors doing their first honest self-assessment land somewhere between -50 and +20. If that’s you, don’t panic. That is normal for a first run. But you need to know that number so you can fix it.

The “Pencil Whipping” Trap

The single biggest mistake contractors make during a gap analysis is “Pencil Whipping.”

This happens when you mark a control as “Met” because you sort of do it. Each requirement breaks down into several assessment objectives, and an assessor checks every one of them, not just the headline.

If you miss even one of those objectives (check the CMMC Level 2 Assessment Guide for the full list), the entire requirement is scored Not Met and you lose its full weight. There is no partial credit in CMMC. The only exceptions are MFA (3.5.3) and FIPS-validated cryptography (3.13.11), which drop from a 5-point to a 3-point deduction when they are partially implemented, but don’t bank on that saving you. And a score below 110 gets you at most a Conditional certification: you need at least 88 (80%), only lower-weight requirements may be left open on a POA&M, and those gaps must be closed within 180 days. You need 110 for the final certification.

The Two Documents You Can’t Live Without

A gap analysis isn’t just a test; it’s a to-do list. Once you have your brutal, honest score, you have the raw material for the two most important documents you will ever own:

  1. The System Security Plan (SSP): This is your compliance blueprint. It details every system, every policy, and every tool you use to protect Controlled Unclassified Information (CUI). The SSP is itself a requirement (3.12.4), and it is the one that carries no point value for a reason: without an SSP, an assessment cannot even be scored.

  2. The Plan of Action & Milestones (POA&M): This is your remediation roadmap, and requirement 3.12.2 in its own right. It lists every failure, who is going to fix it, and when it will be done.
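To make the arithmetic in the scoring and “Pencil Whipping” sections concrete, and to show how the gap list that seeds a POA&M falls out of the score, here is a small scorer added to this post as an example. It is not the SPRS Calculator linked below and not a DoD tool. It implements the subtract-from-110 rule, the no-partial-credit rule, the two reduced-deduction exceptions (3.5.3 and 3.13.11), and the no-SSP-no-score rule. The weight table is a constructed subset of the 110 requirements and the sample self-assessment is made up; treat both as assumptions and confirm every weight against Annex A of the DoD Assessment Methodology before relying on it.

```python
"""Added example: the arithmetic behind an SPRS score under the NIST SP 800-171
DoD Assessment Methodology. Not the author's calculator and not a DoD tool.

Rules implemented:
  * start at 110 and subtract the weight (1, 3 or 5) of every requirement
    that is NOT MET; a requirement with any unmet assessment objective is
    NOT MET, so "we kind of do it" loses the full weight;
  * the only reduced deductions: 3.5.3 (MFA) and 3.13.11 (FIPS-validated
    cryptography) lose 3 instead of 5 when partially implemented;
  * no System Security Plan (3.12.4) means no score can be produced at all.
WEIGHTS is a constructed subset of the 110 requirements (assumption: confirm
each weight against Annex A of the methodology before relying on it).
"""
from __future__ import annotations

MAX_SCORE = 110
CONDITIONAL_FLOOR = 88  # 80% of 110, the floor for Conditional Level 2 status

# requirement -> (full deduction, reduced deduction when partially implemented)
WEIGHTS: dict[str, tuple[int, int | None]] = {
    "3.1.1": (5, None),    # AC: limit system access to authorized users
    "3.1.2": (5, None),    # AC: limit access to permitted transactions/functions
    "3.1.5": (3, None),    # AC: least privilege
    "3.1.20": (1, None),   # AC: control connections to external systems
    "3.5.3": (5, 3),       # IA: MFA; 3 if only remote/privileged access is covered
    "3.12.1": (5, None),   # CA: periodic security control assessment
    "3.12.2": (1, None),   # CA: plan of action and milestones
    "3.13.11": (5, 3),     # SC: crypto for CUI; 3 if in use but not FIPS-validated
}

MET, PARTIAL, NOT_MET = "met", "partial", "not_met"


def deduction(req: str, status: str) -> int:
    """Points lost for one requirement under the methodology's rules."""
    full, reduced = WEIGHTS[req]
    if status == MET:
        return 0
    if status == NOT_MET:
        return full
    if status == PARTIAL:
        # Only 3.5.3 and 3.13.11 carry a reduced deduction; everywhere else
        # "partially implemented" is scored exactly like NOT MET.
        return full if reduced is None else reduced
    raise ValueError(f"unknown status {status!r} for {req}")


def score(statuses: dict[str, str], ssp_in_place: bool = True) -> int:
    """SPRS-style score. A requirement missing from `statuses` counts as
    NOT MET: if you cannot point at the evidence, you have not met it."""
    if not ssp_in_place:
        raise ValueError("no SSP (3.12.4): the methodology produces no score")
    return MAX_SCORE - sum(deduction(r, statuses.get(r, NOT_MET)) for r in WEIGHTS)


def minimum_score() -> int:
    """Floor for the weight table in use; with all 110 rows it is -203."""
    return MAX_SCORE - sum(full for full, _ in WEIGHTS.values())


def gaps(statuses: dict[str, str]) -> list[tuple[str, int]]:
    """Raw material for the POA&M: every requirement losing points, biggest first."""
    lost = [(r, deduction(r, statuses.get(r, NOT_MET))) for r in WEIGHTS]
    return sorted([(r, d) for r, d in lost if d > 0], key=lambda g: (-g[1], g[0]))


# Constructed sample self-assessment; 3.12.2 is deliberately left unassessed.
SAMPLE_ASSESSMENT = {
    "3.1.1": MET,
    "3.1.2": PARTIAL,    # pencil-whipped "Met" in the spreadsheet; really -5
    "3.1.5": MET,
    "3.1.20": NOT_MET,   # -1
    "3.5.3": PARTIAL,    # MFA on VPN and admin accounts only: -3, not -5
    "3.12.1": NOT_MET,   # -5
    "3.13.11": PARTIAL,  # disk and TLS encryption in use, not FIPS mode: -3
}


if __name__ == "__main__":
    total = score(SAMPLE_ASSESSMENT)
    print(f"score {total} (floor for this table {minimum_score()}, "
          f"conditional floor {CONDITIONAL_FLOOR}, final certification {MAX_SCORE})")
    for req, pts in gaps(SAMPLE_ASSESSMENT):
        print(f"  POA&M item {req}: -{pts}")
```

Two design choices carry the lesson of this post. Anything you leave out of the assessment is scored as Not Met rather than ignored, which is the honest default when you cannot produce evidence. And “partial” only helps on the two requirements the methodology names; on every other row it costs exactly as much as doing nothing, which is why the 3.1.2 entry above loses all five points despite the optimistic label.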

Stop Guessing. Start Calculating.

If you are serious about keeping your DoD contracts, you need to stop assuming you are secure and start proving it.

Visit my SPRS Calculator (SPRS is the Supplier Performance Risk System, where your score is posted for the DoD to see). Go through the 110 requirements. Be honest. If your score is negative, that’s fine. But you can’t fix what you don’t measure.

Get your number, identify your gaps, then get to work.