Jackie Ramsey, March 21, 2026

If you run Microsoft 365 for a small or mid-size defense contractor, your CMMC SPRS score can feel like a math test you never studied for. The good news is it’s predictable once you scope CUI correctly, map controls to M365 features, and collect clean evidence.

In this guide, I’ll show how I approach SPRS scoring in Microsoft 365 shops, including a worked example where missing requirements reduce the score. I’ll also share the M365 configuration areas that tend to move the score the most, without turning this into a 200-page manual.

[Infographic] High-level view of how SPRS scoring ties to NIST 800-171 and Microsoft 365 features, created with AI.

What SPRS is, what it’s scoring, and the documents you must have

SPRS (Supplier Performance Risk System) is where DoD contractors report their NIST SP 800-171 assessment results. In practice, your CMMC SPRS score becomes a visible signal of risk tied to contract eligibility. For Level 2, the baseline is NIST SP 800-171’s 110 requirements across 14 families. The DoD’s current Level 2 assessment expectations and terminology live in the official assessment guide, which I keep bookmarked (see the CMMC Level 2 Assessment Guide PDF).

Here are the terms I use with clients, in plain language:

  • NIST SP 800-171: The set of 110 security requirements for protecting CUI in non-federal systems.
  • CUI (Controlled Unclassified Information): Sensitive information that is not classified, but still needs protection. In Microsoft 365, CUI often shows up in email, Teams chats, SharePoint, and synced folders.
  • SPRS score: A numeric result based on which 800-171 requirements you fully meet (with weighted point values). Missing items reduce the score.
  • SSP (System Security Plan): The narrative of your system boundary and how you meet each control (or why you don’t yet).
  • POA&M (Plan of Action and Milestones): The dated, owned remediation plan for gaps you can’t close immediately (when allowed by program rules and contract language).

Program rules change, and contract language varies. I always verify the latest DoD guidance before submitting or affirming anything.

For additional background on how self-assessments and SPRS scoring fit into DFARS-era expectations, I also reference NIST SP 800-171 self-assessment context.

Before you score anything: scope where CUI lives in Microsoft 365

Most SPRS scoring pain comes from bad scope. If your boundary is fuzzy, you’ll waste weeks hardening systems that never touch CUI, or you’ll miss systems that do.

Here’s my “before you start” scoping checklist for Microsoft 365:

  • Confirm CUI types you handle (drawings, ITAR-adjacent docs, test data, contract deliverables).
  • List CUI entry points (email, Teams, SharePoint sites, OneDrive sync, guest uploads).
  • Define the system boundary (which M365 tenant, which endpoints, which identities, which networks).
  • Identify “CUI-capable” locations even if users “shouldn’t” store it there (personal OneDrive, local Downloads).
  • Inventory identities (employees, shared accounts, break-glass, service accounts, guests).
  • Inventory endpoints that access CUI (Windows, macOS, mobile, VDI, kiosks).
  • Decide your cloud environment (commercial, GCC, GCC High). Data residency and eligibility matter, so I review Microsoft’s commercial vs government cloud compliance discussion when planning.
  • Document third parties (backup, ticketing, e-sign, CAD, file transfer) that touch CUI.

Once scope is clear, I treat Microsoft 365 like a house with rooms. CUI only goes in certain rooms, the locks must match the room, and I need proof the locks stay on.

M365 control actions that raise your SPRS score (and the evidence to collect)

The fastest improvements usually land in identity, endpoints, audit logging, and data protection. Microsoft even publishes targeted guidance for identity controls, which aligns well with what assessors expect to see (see Microsoft Entra guidance for CMMC Level 2).

High-impact configuration areas (what I change, at a high level)

  • Access Control (AC) and Identification and Authentication (IA): In the Microsoft Entra admin center, I set MFA and Conditional Access for all users in scope, then block legacy authentication and tighten guest access. I also control admin roles and require strong sign-in protection.
  • Endpoint Security and Device Hardening (CM, SI): In the Intune admin center, I enforce device compliance, disk encryption, OS version baselines, and endpoint protection requirements. In Microsoft Defender, I turn on endpoint threat protection and make sure alerts route to an owned process.
  • Audit and Accountability (AU): In Microsoft Purview, I enable unified audit logging, set retention that matches policy, and verify I can search audit events when needed.
  • Media Protection and System and Communications Protection (MP, SC): In Purview Information Protection, I use sensitivity labels and DLP where CUI is likely to move (email, SharePoint, Teams). Encryption and access restrictions need to match your CUI workflow, not fight it.
  • Business Continuity & Security (CP): I document how M365 retention, restore, and recovery work for CUI data, and how I test it.

To keep evidence collection consistent, I use a simple matrix like this.

Requirement area (800-171 family)             | Microsoft 365 feature               | Evidence to collect
----------------------------------------------|-------------------------------------|-------------------------------------------------------------------
Access Control (AC)                           | Entra ID Conditional Access         | Policy screenshots or exports, user scope, sign-in report sample
Identification and Authentication (IA)        | MFA methods and registration policy | MFA enforcement proof, registration report, break-glass account controls
Audit and Accountability (AU)                 | Purview Audit (Unified Audit Log)   | Audit settings, sample audit search results, retention configuration
Configuration Management (CM)                 | Intune configuration profiles       | Profile list, assignment scope, device compliance report
System and Information Integrity (SI)         | Defender for Endpoint               | Alert history sample, onboarding status, remediation workflow record
Media Protection (MP)                         | Purview sensitivity labels          | Label policy settings, labeled file example, user guidance
System and Communications Protection (SC)     | DLP for Exchange/SharePoint/Teams   | DLP policies, test results, incident log for a policy hit
Incident Response (IR)                        | Defender incidents + ticketing      | Incident record, response steps, lessons learned note

[Infographic] An at-a-glance evidence matrix concept for M365 control proof, created with AI.

Step-by-step: calculate your CMMC SPRS score (worked example), then prepare to submit and maintain it

When I calculate a CMMC SPRS score, I keep it simple and disciplined:

  1. Start with the 110 requirements list and mark each requirement as Met or Not Met, based on evidence, not opinions.
  2. Apply the DoD assessment methodology point values (some are weighted higher than others).
  3. Subtract the full value for every Not Met item (no partial credit).
  4. Write the SSP entry for every requirement, even the ones you don’t meet yet.
  5. Create a POA&M only where program rules allow it, and only with dates and owners.

Here’s a worked example that shows how gaps drag down the score. (Point values are illustrative of the weighted method; your actual list and weights must match the DoD methodology you’re using.)

Assume I start at 110 and then deduct for five Not Met requirements:

Gap (example)                        | Why it fails in M365 shops                          | Deduction
-------------------------------------|-----------------------------------------------------|--------------
MFA not enforced for all CUI users   | Exceptions, legacy protocols, weak guest controls   | -5
No device compliance requirement     | Unmanaged BYOD hits SharePoint and Teams            | -5
Audit logging not retained per policy| Audit on, but retention too short                   | -3
DLP not applied to CUI locations     | CUI can leave via email or Teams chat               | -5
No tested incident response process  | Tools exist, but no exercised workflow              | -14
Example total                        |                                                     | 110 – 32 = 78

A 78 “feels close,” but it’s not close enough for Level 2 paths that require a higher score. More importantly, those gaps are the same ones attackers love.
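To make the five steps above repeatable across all 110 items, here is an added Python example (not the author's tooling and not a DoD calculator) that applies the same rule: start at 110, subtract the full weight of every Not Met item, and treat a Met claim with no evidence attached as Not Met. The requirement labels and weights are constructed from the worked example, not taken from the official DoD point table.

```python
from dataclasses import dataclass, field

MAX_SCORE = 110  # full marks: all 110 NIST SP 800-171 requirements Met

@dataclass
class Requirement:
    ident: str                  # short label (constructed, not an 800-171 id)
    family: str                 # 800-171 family abbreviation, e.g. "AC", "IA"
    weight: int                 # points lost if Not Met (illustrative values)
    met: bool                   # assessor's Met / Not Met call
    evidence: list = field(default_factory=list)  # artifacts backing "Met"

def effectively_met(req):
    """Step 1: a Met call with no evidence behind it does not count as Met."""
    return req.met and bool(req.evidence)

def score(reqs):
    """Steps 2-3: start at 110, subtract the full weight of every Not Met item;
    no partial credit. Returns (score, deductions_by_family, unsupported_met)."""
    total = MAX_SCORE
    by_family = {}
    unsupported = [r.ident for r in reqs if r.met and not r.evidence]
    for r in reqs:
        if not effectively_met(r):
            total -= r.weight
            by_family[r.family] = by_family.get(r.family, 0) + r.weight
    return total, by_family, unsupported

def poam_candidates(reqs):
    """Step 5: every item still counting as Not Met needs an owner and a date."""
    return [r.ident for r in reqs if not effectively_met(r)]

# Constructed sample: the five gaps from the worked example plus two Met items
# with evidence. Weights are the page's illustrative deductions, not DoD's table.
SAMPLE = [
    Requirement("mfa-all-cui-users", "IA", 5, False),
    Requirement("device-compliance-required", "CM", 5, False),
    Requirement("audit-log-retention", "AU", 3, False),
    Requirement("dlp-on-cui-locations", "SC", 5, False),
    Requirement("ir-process-tested", "IR", 14, False),
    Requirement("conditional-access-scoped", "AC", 5, True, ["CA policy export"]),
    Requirement("unified-audit-log-on", "AU", 5, True, ["Purview audit settings"]),
]

if __name__ == "__main__":
    total, by_family, unsupported = score(SAMPLE)
    print(f"Score: {total} (deductions by family: {by_family})")  # Score: 78
    print("POA&M candidates:", poam_candidates(SAMPLE))
    print("Met claims with no evidence:", unsupported)
```

Feeding the full 110-item list through the same functions gives the per-family deduction breakdown, which is a quick way to decide which gap to close first.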

Documenting compensating controls (without hand-waving)

Sometimes Microsoft 365 can’t be the whole answer. Physical protection, certain network controls, or specialized logging might sit outside the tenant. When I document compensating controls, I do three things in the SSP:

  • State why the primary control approach doesn’t fit the environment.
  • Describe the alternate control in plain language (who does what, with what tool, how often).
  • Attach evidence that proves it runs (tickets, reports, photos, access logs, test results).

Readiness checklist for submitting and maintaining your SPRS score

Before I submit or affirm anything, I check:

  • SSP is current, matches the real tenant and endpoint scope.
  • Every Met control has evidence that I can reproduce quickly.
  • POA&M items (if used) have owners, dates, and a 180-day plan when required.
  • CUI locations are labeled, protected, and monitored.
  • Monitoring and response are operational, not just “enabled.”
  • A quarterly review cadence exists (policies, access, devices, audit, incidents).

This is also where a strong Business Technology Partner earns their keep. My teams often support clients across Small Business IT, Managed IT for Small Business, and Technology Consulting, so I see the same patterns whether the environment is a defense shop or a multi-location restaurant needing Restaurant POS Support and Kitchen Technology Solutions. The foundation is still Cloud Infrastructure, Secure Cloud Architecture, Cloud Management, and Infrastructure Optimization, backed by Cybersecurity Services that focus on Endpoint Security, Device Hardening, and Business Continuity & Security. That mix is what turns “we migrated” into real Digital Transformation, and it fits well into an IT Strategy for SMBs with Tailored Technology Services and Innovative IT Solutions, including Office 365 Migration and, when needed, on-prem validation tied to Data Center Technology.

Conclusion

A strong CMMC SPRS score doesn’t come from a single setting; it comes from tight scope, clean configuration, and evidence that matches reality. If you treat Microsoft 365 like your CUI control plane, your score becomes easier to predict and easier to defend. Next, pick one high-impact gap (identity, device control, logging, or DLP) and close it end-to-end. Then ask yourself: if an assessor walked in tomorrow, could I prove it in 15 minutes?

