Security Posture: Definition and Measurement for Defense Contractors

"Security posture" gets used constantly in CMMC conversations without anyone stopping to define it precisely. That vagueness creates real problems: organizations can't improve what they can't measure, and they can't measure what they haven't defined.

Here's a precise working definition: your security posture is the measurable state of your organization's ability to protect CUI against threats — assessed at a point in time, expressed quantitatively through your SPRS score, and tracked over time through your continuous monitoring program.

That definition has three components: it's measurable, it's specific to what you're protecting, and it changes over time. Each component matters for CMMC compliance.

What Security Posture Actually Means in Practice

Think of security posture as a snapshot. At any given moment, your organization has some controls in place, some gaps in those controls, and some level of residual risk from those gaps. The snapshot captures all of that.

For CMMC Level 2, the formal expression of your security posture is your NIST SP 800-171 self-assessment score: a number between -203 and +110 stored in the DoD's Supplier Performance Risk System (SPRS). The score reflects how many of the 110 required controls you've implemented. Full implementation earns 110 points. Each unimplemented control deducts points based on its weight in the DoD Assessment Methodology: every control is worth 5, 3, or 1 point, and the floor of -203 is simply what remains after all 110 weights are deducted. Partial implementation earns no credit, with exactly two exceptions: MFA (3.5.3) implemented for remote and privileged users but not general users, and encryption (3.13.11) that is in use but not FIPS-validated, each deduct 3 points instead of 5. For every other control you either fully meet the practice or you don't.

A score of 110 means you've implemented all required controls. A score below that means you have gaps, documented in your POA&M, with a timeline to close them. Under CMMC Level 2 that timeline is 180 days, and a conditional status is only available at a score of 88 or higher with nothing heavier than a 1-point item left open (3.13.11 at partial credit excepted, and a handful of requirements that may never sit on a POA&M at all). Most contractors pursuing CMMC Level 2 for the first time have scores significantly below 110 when they start; scores in the 40 to 80 range are common before remediation work begins. Negative scores occur when many controls are unimplemented.
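The scoring rules above are mechanical enough to encode. The calculator below is an added example, not code from the original article or from DoD: it applies the 5/3/1 deductions, the two partial-credit exceptions, and the 32 CFR 170.21 conditions for carrying open items on a POA&M. The WEIGHTS table is an excerpt, not the full published table, so any requirement it does not list defaults to 1 point; load the complete table from the DoD Assessment Methodology before using this on a real assessment.

```python
"""SPRS score and CMMC Level 2 POA&M-eligibility calculator.

Added example, not from the original article. Point values follow the DoD
Assessment Methodology for NIST SP 800-171 (5, 3 or 1 point per requirement).
WEIGHTS is an excerpt: verify and complete it from the methodology itself.
"""
from typing import Dict, List, Tuple

TOTAL_REQUIREMENTS = 110
PERFECT_SCORE = 110

# Excerpt of published point values (assumed complete enough for the demo).
# Requirements not listed here are treated as 1 point.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.5.3": 5, "3.11.2": 5, "3.12.1": 5,
    "3.12.3": 5, "3.13.11": 5, "3.14.1": 5,
    "3.11.1": 3, "3.12.2": 3,
    "3.1.20": 1, "3.1.22": 1, "3.4.9": 1, "3.11.3": 1,
}

# The only two requirements with partial credit (3 deducted instead of 5):
# 3.5.3 when MFA covers remote/privileged but not general users, and
# 3.13.11 when encryption is in use but not FIPS-validated.
PARTIAL_CREDIT_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# 32 CFR 170.21: a POA&M is allowed only if the score is at least 80% of the
# total, no open item is worth more than 1 point (3.13.11 at partial credit
# excepted), and none of these requirements is open at all.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
CONDITIONAL_FLOOR = int(0.8 * TOTAL_REQUIREMENTS)  # 88


def deduction(req: str, status: str) -> int:
    """Points deducted for one deficient requirement."""
    if status == "NOT_MET":
        return WEIGHTS.get(req, 1)
    if status == "PARTIAL":
        if req not in PARTIAL_CREDIT_DEDUCTION:
            raise ValueError(
                f"{req} has no partial-credit option; score it NOT_MET instead")
        return PARTIAL_CREDIT_DEDUCTION[req]
    raise ValueError(f"unknown status {status!r} for {req}")


def sprs_score(deficiencies: Dict[str, str]) -> int:
    """110 minus the deduction for each deficient requirement.

    `deficiencies` maps requirement ID -> 'NOT_MET' | 'PARTIAL'. Anything not
    listed is treated as fully implemented.
    """
    if deficiencies.get("3.12.4") == "NOT_MET":
        # No system security plan: the methodology says the assessment
        # cannot be completed, so there is no score to post.
        raise ValueError("3.12.4 (SSP) not met: assessment cannot be scored")
    return PERFECT_SCORE - sum(deduction(r, s) for r, s in deficiencies.items())


def poam_eligible(deficiencies: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Whether the open items may be carried on a POA&M, plus the blockers if not."""
    reasons: List[str] = []
    score = sprs_score(deficiencies)
    if score < CONDITIONAL_FLOOR:
        reasons.append(f"score {score} is below the {CONDITIONAL_FLOOR} floor")
    for req, status in deficiencies.items():
        points = deduction(req, status)
        if req in NEVER_ON_POAM:
            reasons.append(f"{req} may never be placed on a POA&M")
        elif points > 1 and not (req == "3.13.11" and status == "PARTIAL"):
            reasons.append(f"{req} ({points} points) must be met before assessment")
    return (not reasons, reasons)


if __name__ == "__main__":
    gaps = {"3.5.3": "PARTIAL", "3.13.11": "NOT_MET", "3.1.20": "NOT_MET"}
    print("score:", sprs_score(gaps))
    print("POA&M eligible:", poam_eligible(gaps))
```

Run it with your own deficiency list to see both numbers at once: the SPRS score you would post, and whether the same gaps would even qualify for conditional status under the CMMC rule. The two questions have different answers more often than teams expect.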

This isn't just an internal metric. Your SPRS score is visible to DoD contracting officers and program offices, who check it before award. Primes cannot read a subcontractor's score directly in SPRS; they ask for it, or for the affirmation behind it, as a flow-down condition, so expect to state it to every prime you work with. Your score is your posture statement to the Department and, through those flow-downs, to the rest of the defense industrial base.

The Three Dimensions of Security Posture

Security posture breaks down into three dimensions. All three matter for CMMC; focusing on only one produces a distorted picture.

1. Technical Controls

These are the configurations, tools, and systems that enforce your security requirements. Firewalls, MFA, encryption, EDR, access control lists, patch levels, audit logging. Technical controls are the most visible part of posture and the most easily measured — you can check whether BitLocker is enabled or whether MFA is enforced.

The CMMC control domains most relevant to technical posture: Access Control (22 controls), System and Communications Protection (16 controls), System and Information Integrity (7 controls), and Audit and Accountability (9 controls). These four domains account for 54 of the 110 Level 2 controls, making them the largest contributors to your SPRS score.

Technical controls drift. A configuration that was compliant six months ago may be out of compliance today because of a software update, an admin change, or a new system added without going through your baseline hardening process. That's why CA.L2-3.12.3 requires ongoing monitoring — posture isn't a static thing you achieve once and maintain forever.

2. Procedural Controls

These are the policies, procedures, and documented processes that govern how people behave around CUI. Access control policies, incident response plans, change management procedures, training programs, media handling policies. You can have perfect technical controls and still fail a CMMC assessment because your procedures don't exist, aren't communicated to personnel, or don't match what your technical controls actually do.

Procedural controls are harder to measure than technical ones. The assessment methodology (NIST SP 800-171A) pairs the examine method (reading the policy and the records it produces) with the interview method: assessors talk to your personnel, including administrators, end users, and managers, to verify they understand the procedures and can describe how they're followed. A policy that exists on a shared drive but nobody has read isn't an implemented control.

3. Governance

Governance is the oversight structure that keeps the other two dimensions aligned: management accountability for security decisions, regular review of security metrics, resource allocation for security improvements, and leadership engagement with the CMMC program.

For small defense contractors, governance often feels like a luxury. But it's what makes the other two dimensions sustainable. An organization where security improvements happen only when an external advisor pushes for them — where the IT manager has to fight for budget each year, where no one in leadership knows the current SPRS score — has poor governance posture regardless of its technical control state.

At minimum, governance posture requires: a designated Affirming Official (the CMMC rule's term for the senior official who signs the affirmation and therefore owns compliance), regular (at least quarterly) security reviews that produce documented decisions, and a process for escalating security gaps to management with clear ownership and timelines.

How to Measure Your Posture

Measuring security posture isn't an annual event — it's an ongoing cycle with scheduled touchpoints.

SPRS Score (Annual Minimum)

Run a structured self-assessment using NIST SP 800-171A, compute your score, and post it to SPRS. The regulations set the floor: DFARS 252.204-7019 requires an assessment no more than three years old, and CMMC Level 2 self-assessment is triennial with an affirmation every year in between. Treat annual re-assessment as the working minimum, because an affirmation is only as good as the evidence behind it. The score is your summary posture metric: it aggregates 110 control evaluations into a single number you can track over time.

More important than the score itself is the trajectory. A score that moves from 62 to 89 over 18 months reflects active remediation. A score that's been 62 for three years without change reflects a program that's documenting gaps but not closing them. Assessors and contracting officers understand both the number and the trend.

Compliance platforms like Drata and Secureframe automate SPRS score calculation from your control implementation records and integrate with your infrastructure to pull evidence automatically. They're worth evaluating if you have more than 50 systems or struggle with evidence collection.

Vulnerability Scan Results (Quarterly)

Your vulnerability scan results are a real-time indicator of technical posture. Track: total vulnerabilities identified, critical/high/medium/low breakdown, age of open findings, and remediation closure rate against your defined timelines.

A quarterly scan showing 12 critical vulnerabilities with an average age of 45 days is a different posture statement than one showing 12 critical vulnerabilities with an average age of 14 days. Both have open findings; one is being actively managed, one isn't.

Keep scan results for at least one year. Trend analysis — are you closing findings faster than new ones are being discovered? — is more useful than any point-in-time snapshot.

POA&M Health (Monthly)

Your POA&M is your posture improvement roadmap. Measure: total open items, items overdue against committed timelines, items closed in the past 30 days, and estimated completion dates for remaining items.

A POA&M with 15 items where 12 are on schedule and 3 have been escalated with documented reasons is healthy. A POA&M with 15 items where 10 are overdue and the dates have been pushed repeatedly is a governance problem, not a technical problem.
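The scan-aging and POA&M-health metrics described in the two sections above are easy to compute from the records you already keep. The script below is an added example, not code from the original article or from any scanner or GRC product: the finding and POA&M records are constructed sample data, the field names are assumptions rather than an export format, and the SLA_DAYS deadlines are an assumed internal policy, not a CMMC number. It distinguishes an overdue item that has been escalated with a documented decision from one that has simply slipped, which is the difference the article draws between a healthy POA&M and a governance problem.

```python
"""Posture-trend metrics over vulnerability findings and POA&M items.

Added example, not from the original article. Records below are constructed
sample data; field names and SLA_DAYS are assumptions for the demonstration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Finding:
    fid: str
    severity: str                  # critical / high / medium / low
    first_seen: date
    closed: Optional[date] = None  # None while still open


@dataclass
class PoamItem:
    pid: str
    due: date
    closed: Optional[date] = None
    escalated: bool = False        # overdue, but with a documented decision


# Assumed internal remediation deadlines in days, by severity.
SLA_DAYS: Dict[str, int] = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def open_findings(findings: List[Finding], as_of: date, severity: str) -> Dict[str, float]:
    """Count, average age and SLA breaches for findings of one severity still open at as_of."""
    still_open = [f for f in findings
                  if f.severity == severity and f.closed is None and f.first_seen <= as_of]
    ages = [(as_of - f.first_seen).days for f in still_open]
    return {
        "open": len(still_open),
        "avg_age_days": (sum(ages) / len(ages)) if ages else 0.0,
        "over_sla": sum(1 for a in ages if a > SLA_DAYS[severity]),
    }


def closure_trend(findings: List[Finding], start: date, end: date) -> Dict[str, int]:
    """Discovered vs. closed inside [start, end]; net > 0 means the backlog is growing."""
    discovered = sum(1 for f in findings if start <= f.first_seen <= end)
    closed = sum(1 for f in findings if f.closed is not None and start <= f.closed <= end)
    return {"discovered": discovered, "closed": closed, "net": discovered - closed}


def poam_health(items: List[PoamItem], as_of: date) -> Dict[str, int]:
    """Open, on-schedule, overdue, overdue-without-escalation and recently closed items."""
    open_items = [i for i in items if i.closed is None]
    overdue = [i for i in open_items if i.due < as_of]
    window_start = as_of - timedelta(days=30)
    return {
        "open": len(open_items),
        "on_schedule": len(open_items) - len(overdue),
        "overdue": len(overdue),
        "overdue_unescalated": sum(1 for i in overdue if not i.escalated),
        "closed_last_30_days": sum(1 for i in items
                                   if i.closed is not None and window_start <= i.closed <= as_of),
    }


# Constructed sample data (not real scan output or a real POA&M).
AS_OF = date(2025, 4, 1)
WINDOW_START = date(2025, 3, 1)
SAMPLE_FINDINGS = [
    Finding("c1", "critical", date(2025, 3, 22)),
    Finding("c2", "critical", date(2025, 3, 12)),                 # 20 days old, past the 15-day SLA
    Finding("c3", "critical", date(2025, 2, 1), closed=date(2025, 3, 5)),
    Finding("c4", "critical", date(2025, 3, 26)),
    Finding("h1", "high", date(2025, 3, 1)),                      # 31 days old, past the 30-day SLA
    Finding("m1", "medium", date(2025, 1, 15)),
]
SAMPLE_POAM = [
    PoamItem("p1", due=date(2025, 3, 15), closed=date(2025, 3, 10)),
    PoamItem("p2", due=date(2025, 3, 15)),                        # overdue and never escalated
    PoamItem("p3", due=date(2025, 6, 30)),
    PoamItem("p4", due=date(2025, 2, 1), escalated=True),         # overdue with a documented decision
    PoamItem("p5", due=date(2025, 5, 1), closed=date(2025, 1, 20)),
]

if __name__ == "__main__":
    print("open criticals:", open_findings(SAMPLE_FINDINGS, AS_OF, "critical"))
    print("last month:", closure_trend(SAMPLE_FINDINGS, WINDOW_START, AS_OF))
    print("POA&M:", poam_health(SAMPLE_POAM, AS_OF))
```

Feed it a year of scan exports and POA&M snapshots and the net figure from closure_trend becomes the trend line the article asks for: positive month after month means findings are arriving faster than they close, regardless of how good any single quarter's snapshot looks.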

Access Reviews (Quarterly)

Access drift — people accumulating permissions beyond their current role — is one of the most persistent posture problems. Quarterly access reviews of CUI system accounts catch this before it becomes an assessment finding. Track: accounts reviewed, excessive access found and remediated, orphaned accounts (for departed employees/contractors) found and disabled.

Common Mistake: The Static Score Problem

The most common posture management failure is treating the SPRS score as a compliance checkbox rather than a managed metric.

Here's the typical pattern: the organization does a gap assessment, submits an SPRS score of 74, creates a POA&M with a target completion date 18 months out (a timeline the DFARS-only regime tolerated, but one that CMMC Level 2 caps at 180 days, at a score CMMC would not accept as conditional in the first place), and then largely ignores the score until the deadline approaches. When the assessor arrives, they find a POA&M with most items still open and an SPRS score that was essentially frozen for 18 months.

The CMMC annual affirmation requirement, under which a senior official affirms each year that the organization still meets the requirements behind its posted result, only works as a compliance mechanism if you're actually monitoring the score. An organization that hasn't monitored its score all year is guessing when it submits the affirmation. That is False Claims Act territory: the statute's definition of "knowingly" includes reckless disregard for the truth, and signing an affirmation without anyone having checked whether controls still hold is exactly what reckless disregard looks like.

Treat your SPRS score like a financial metric: review it quarterly, understand what moved it, and take action on declines immediately.

What Your Assessor Expects

Your assessor expects to see evidence of an active posture management program, not a static snapshot. For CA.L2-3.12.1 (security control assessment) and CA.L2-3.12.3 (ongoing monitoring), they'll look for:

  • Self-assessment documentation from within the past 12 months with control-by-control findings
  • A current POA&M with realistic timelines and evidence of ongoing work
  • Monitoring records showing regular vulnerability scanning, log review, and access reviews
  • SPRS score history — your current score and evidence that it reflects your current control state

They'll also evaluate posture indirectly: are your technical controls configured as your SSP claims? Can your personnel describe the security controls they're responsible for? Do your procedures match your actual practices?

The posture that passes CMMC assessment isn't the highest score — it's the one that reflects an honest evaluation of controls, an active remediation program for gaps, and evidence that the organization maintains its security over time.

---

CTA: Log into SPRS and check your current score and the date of the assessment behind it. If that assessment is more than three years old you are out of compliance with DFARS 252.204-7019; if you have not affirmed in the past 12 months you are out of compliance with the annual affirmation requirement; and if the score simply has not been touched in a year, you are overdue for the annual self-assessment this article treats as the working minimum.