Scoring, conditional status & POA&M eligibility
How your DoD SPRS score is calculated, when you're eligible for conditional CMMC status, and exactly which gaps you can (and can't) put on a POA&M.
1. The SPRS score math
Bastion mirrors the DoD Assessment Methodology (Basic Assessment) for NIST SP 800-171 Rev 2. The math is simple and deliberate:
Start at 110. For every requirement that is not satisfied, subtract its point weight (5, 3, or 1). The result is your SPRS score.
- A perfect posture (all 110 requirements Met, N/A, or Inherited) scores 110.
- Only Partially Met and Not Met deduct points. Met, N/A, and Inherited are all treated as satisfied and deduct nothing.
- While controls are still Not assessed, your score is provisional — the Dashboard labels it as such and counts how many remain.
Worked example: if you have one 5-point gap, two 3-point gaps, and four 1-point gaps, your score is 110 − 5 − (2×3) − (4×1) = 110 − 15 = 95.
Note on the score base. The SPRS score is always computed against the full 110-requirement NIST 800-171 set (the official SPRS basis). The "implemented" and family-progress counts on the Dashboard are computed against your in-scope controls. At Level 1 there is no SPRS score at all — L1 is a pass/fail self-assessment of the 17 FCI requirements, shown as "X / 17 FCI met."
2. Point weights: 5, 3, 1
Each requirement carries a risk weight reflecting how much it matters to protecting CUI. You can see each control's weight as a badge on its card.
| Weight | Meaning | Effect when unmet |
|---|---|---|
| 5 pts | Highest-impact requirements — failing them most undermines CUI protection. | −5 each |
| 3 pts | Significant requirements. | −3 each |
| 1 pt | Lower-impact requirements. | −1 each |
Weight also drives POA&M eligibility (only 1-point requirements may be deferred — see below) and the remediation planner (it sorts gaps by weight so you target the biggest score wins first).
3. Why "Partial" earns no credit
This surprises people, so it's worth stating plainly: under the DoD methodology, a Partially Met requirement is scored the same as Not Met — it deducts the full weight. There is no half credit. A control is either fully implemented (Met) or it isn't.
The practical takeaway: marking something "Partial" doesn't soften your score. Use Partial honestly to track work-in-progress, but don't expect points until it's fully Met. This is also why closing a single high-weight gap can jump your score noticeably.
4. Negative scores and the −203 floor
Because there are 110 requirements but the maximum deduction across all of them sums to more than 110 (many are weighted 3 or 5), an organization missing most controls can score below zero. The DoD methodology floors the score at −203, which is the worst possible result. Bastion clamps the score to the −203…110 range.
A low or negative score on day one is completely normal and is not a problem to hide — it's the starting point the remediation planner and score history exist to improve. The goal is a documented upward trajectory.
5. Conditional status: the 80% threshold
Under 32 CFR 170.21, an organization can receive a Conditional CMMC status (a time-limited pass while it finishes remediation) only if it meets a score threshold and has no blocking gaps. Bastion computes this for you on the Handoff tab.
| Rule | Value in Bastion |
|---|---|
| Conditional-status threshold | Score ÷ 110 ≥ 0.80 (80%) |
| Minimum qualifying score | 88 (⌈0.80 × 110⌉) |
| Blocking gaps allowed | Zero — no non-POA&M-eligible gap may be open |
Bastion reports one of three states:
- Final — every assessed gap is closed (no open POA&M items). The strongest position.
- Conditional CMMC status eligible — your score is ≥ 88 and there are no blocking (non-POA&M-eligible) open gaps. You can pursue conditional status and ride remaining 1-point gaps on a POA&M.
- Not yet eligible for conditional status — either your score is below 88, or you have one or more open gaps that are not POA&M-eligible and must be fully met first.
The Handoff readiness strip shows your score, the conditional-status state, and the count of gaps that must be fully met (not POA&M-eligible) before any award. Drive that count to zero.
6. POA&M eligibility & the ineligible controls
Not every open gap can be deferred onto a Plan of Action & Milestones. Per 32 CFR 170.21(a)(1), Bastion applies these rules to each gap:
| Condition | POA&M-eligible? |
|---|---|
| 1-point requirement, not on the ineligible list | Yes — may ride on a POA&M. |
| 3-point or 5-point requirement | No — only 1-point requirements may be on a POA&M; must be fully met. |
| On the explicit ineligible list (below) | No — must be fully met regardless of weight. |
| 3.13.11 (FIPS-validated cryptography) | Special case — POA&M-eligible only if encryption is employed but not yet FIPS-validated (worth 3 pts). Confirm with your assessor. |
The explicitly ineligible controls
These requirements can never be placed on a POA&M — they must be fully met before award, even though they may be only 1 point:
| Control | Family | Why it's blocking |
|---|---|---|
| 3.1.20 | Access Control | Verify/control/limit connections to external systems. |
| 3.1.22 | Access Control | Control CUI posted/processed on publicly accessible systems. |
| 3.12.4 | Security Assessment | Develop and maintain the System Security Plan (SSP). |
| 3.10.3 | Physical Protection | Escort visitors and monitor visitor activity. |
| 3.10.4 | Physical Protection | Maintain audit logs of physical access. |
| 3.10.5 | Physical Protection | Control and manage physical access devices. |
If any of these six (or any 3-/5-point requirement) is a gap, Bastion lists it under "Must be fully met before award" in the conditional-status summary and in the handoff bundle. These block conditional status until closed. The POA&M Markdown export marks each gap's eligibility ("Yes" or "No — must fully meet") so an assessor sees it too.
7. The 180-day POA&M closeout clock
When you achieve conditional status with open (POA&M-eligible) gaps, you have 180 days from the conditional-status date to close them out and re-affirm. Bastion computes the plan-of-action completion date as assessment date + 180 days and shows it on the SPRS worksheet and the handoff bundle. If you have no open gaps, this is "N/A — no open POA&M items."
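The scoring, eligibility and closeout rules from sections 1 through 7, combined into one runnable sketch. This is an added example, not Bastion's own code; the tuple layout, the status strings, the `fips_pending` flag and the `ex-*` control ids are assumptions made for illustration.

```python
from datetime import date, timedelta

# Explicit never-on-a-POA&M list from the table in section 6.
INELIGIBLE = {"3.1.20", "3.1.22", "3.12.4", "3.10.3", "3.10.4", "3.10.5"}
GAP = {"partial", "not_met"}            # Partial deducts the full weight, same as Not Met
THRESHOLD = (110 * 80 + 99) // 100      # ceil(80% of 110) = 88, in integer math

def sprs_score(controls):
    """controls: (id, weight, status) tuples (assumed layout); unlisted controls count as Met."""
    deducted = sum(w for _, w, s in controls if s in GAP)
    provisional = any(s == "not_assessed" for _, _, s in controls)
    return max(-203, min(110, 110 - deducted)), provisional

def poam_eligible(cid, weight, fips_pending=False):
    """fips_pending: encryption is employed but not yet FIPS-validated (3.13.11 only)."""
    if cid in INELIGIBLE:
        return False                    # blocking regardless of weight
    if cid == "3.13.11":
        return fips_pending             # special case from section 6
    return weight == 1                  # 3- and 5-point gaps must be fully met

def conditional_status(controls, assessed_on, fips_pending=False):
    score, provisional = sprs_score(controls)
    gaps = [(c, w) for c, w, s in controls if s in GAP]
    blocking = [c for c, w in gaps if not poam_eligible(c, w, fips_pending)]
    if not gaps:
        state = "Final"
    elif score >= THRESHOLD and not blocking:
        state = "Conditional CMMC status eligible"
    else:
        state = "Not yet eligible for conditional status"
    # Closeout date is assessment date + 180 days; None stands for "N/A" with no open gaps.
    closeout = assessed_on + timedelta(days=180) if gaps else None
    return {"score": score, "provisional": provisional, "state": state,
            "blocking": blocking, "closeout": closeout}

# Constructed sample data: "ex-*" ids are placeholders, not real requirement numbers.
WORKED = [("ex-a", 5, "not_met"), ("ex-b", 3, "partial"), ("ex-c", 3, "not_met")] + \
         [(f"ex-{i}", 1, "not_met") for i in range(4)]
ONE_POINT = [(f"ex-{i}", 1, "partial") for i in range(4)]
WITH_BLOCKER = ONE_POINT + [("3.10.3", 1, "not_met")]

if __name__ == "__main__":
    for name, data in [("worked", WORKED), ("1-pt only", ONE_POINT),
                       ("blocker", WITH_BLOCKER)]:
        print(name, conditional_status(data, date(2025, 1, 15)))
```

The section 1 worked example scores 95, above the 88 threshold, yet it is still not eligible because its 3- and 5-point gaps are blocking; the score alone never decides conditional status.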
8. The remediation planner (what-if)
The Remediation tab turns scoring into a plan. It lists your open gaps sorted by point weight (biggest wins first). Check the gaps you intend to close and Bastion shows a projected SPRS score — your current score plus the points you'd recover.
Use the planner to answer "what's the fastest path to 88?" — it makes the trade-offs between high-weight and low-effort fixes visible before you commit work.
9. Reporting your score to SPRS
Bastion does not connect to any DoD system. To report a self-assessment, you transcribe the values from your SPRS worksheet into SPRS via PIEE yourself: company/OSA, CAGE code, system/scope name, assessment date, score, requirements implemented, open requirements, and the plan-of-action completion date. The worksheet lays these out in the exact fields you'll need.