Scoring is framework-specific. For CMMC Level 2, the SPRS score starts at 110 and deducts the weight of each practice marked NOT MET, per the current 32 CFR 170.24. Technical findings drive the technical projection, and reviewer-accepted evidence supports readiness; final practice status still depends on the applicable assessment process.
What happens when a finding is detected?
When our system detects a security finding, it appears on the Findings & Fixes page with severity, affected resources, and recommended remediation steps. Critical findings trigger immediate notifications.
How do I upload evidence for manual controls?
Navigate to Evidence Collection, select the control requiring evidence, and upload your supporting documentation. Supported formats include PDF, DOCX, XLSX, and images. All uploads are scanned for malware and encrypted at rest.
What is a Remediation Plan?
A Remediation Plan documents security weaknesses, planned actions, and target dates. Depending on your compliance framework, this may also be called a POA&M (Plan of Action & Milestones), Risk Treatment Plan, or Corrective Action Plan. The portal uses the correct terminology for your framework.
How does the Risk Register work?
The Risk Register tracks real, source-backed risks, their owners, response strategies, review dates, and accepted-risk decisions in one place. It stays separate from remediation plans, and the active framework determines whether any risk affects readiness, remediation planning, or assessment packaging.