CMMC Self-Assessment: When Does it Apply to Level 2?

Executive Brief
The Cybersecurity Maturity Model Certification (CMMC) is nearing full enforcement, and defense contractors are asking a critical question: Can we self-assess for CMMC Level 2?
- The answer depends on your contract. While third-party assessments are the default for CMMC Level 2, a small number of programs may permit self-assessments under specific conditions.
- The Department of Defense (DoD) clarified in the final rule that Level 2 self-assessment is only available for “non-prioritized acquisitions,” meaning those that do not involve sensitive or high-risk Controlled Unclassified Information (CUI). The rule labels the two paths “Level 2 (Self)” and “Level 2 (C3PAO).”
- Eligibility must be explicitly authorized by the DoD in the contract language itself: the solicitation states which assessment type applies. If it does not name the self-assessment path, an assessment by a Certified Third-Party Assessment Organization (C3PAO) is required.
- Understanding this distinction is essential to avoid compliance missteps, bid disqualification, or gaps in your System Security Plan (SSP).
Dig deeper below to learn when self-assessment applies and when it doesn’t.
What the Final Rule Says About Self-Assessment
A Level 2 self-assessment may apply if:
- The acquisition is considered “non-prioritized,”
- The contract does not require enhanced protection of CUI, meaning the information involved is not associated with the Defense Index Grouping or any identified Defense Industrial Base Critical Technologies,
- And the DoD explicitly authorizes self-assessment in the solicitation or contract.
In all other cases, defense contractors must go through a third-party assessment performed by a C3PAO.
How to Know if You Qualify
Here’s how to determine whether a self-assessment is a valid path for your organization:
- Check the contract language. If your solicitation includes DFARS clause 252.204-7021 and specifies Level 2 (Self) as the required assessment type, you may be eligible. If it specifies Level 2 (C3PAO), self-assessment is not an option for that award.
- Confirm the type of CUI you handle. Most contractors that store or process export-controlled data, engineering drawings, or technical specifications will fall under the “prioritized” category, which requires third-party certification.
- Ask your prime contractor. If you are a subcontractor, request clarification and written confirmation regarding the expected assessment path.
Only the DoD, or your prime contractor when authorized, can confirm the assessment type your contract requires. If the contract is silent or unclear, your safest course is to prepare for a third-party assessment.
Why Most Contractors Still Need Third-Party Certification
The main reason most defense contractors will require a third-party assessment at CMMC Level 2 comes down to the type of CUI they handle. The majority of CUI in defense contracting environments is considered sensitive or high-risk, which places it in the “prioritized” category that requires a C3PAO certification.
This includes common categories such as:
- Personally Identifiable Information of military personnel or government staff
- Controlled Technical Information, such as engineering drawings or design files
- DoD Critical Infrastructure Security Information, tied to defense operations or national security systems
If your organization handles any of this information, you will likely need to:
- Undergo a formal assessment by a C3PAO
- Maintain an SSP aligned with NIST SP 800-171 Revision 2, the version the CMMC rule references
- Provide documented evidence of control implementation and continuous monitoring
Assuming you can self-assess without explicit DoD or prime contractor authorization is a risk to both the contract award and your overall compliance posture. When in doubt, prepare for the third-party path.
What to Do If You Qualify for Self-Assessment
If you are confirmed eligible for Level 2 self-assessment:
- You must still implement all 110 security requirements of NIST SP 800-171 Revision 2,
- Complete the assessment using the official CMMC Level 2 Assessment Guide and the DoD scoring methodology,
- And submit the results and score to the Supplier Performance Risk System (SPRS), where a senior company official must also affirm continued compliance annually for as long as the assessment is relied on.
Keep in mind that self-assessment is not a shortcut. It still requires complete technical implementation and thorough documentation, and because the result is affirmed to the government, it must reflect what is actually in place.
When in Doubt, Prepare for the Standard Path
Even if your current contracts do not demand third-party certification, you should begin preparing for it now. Under the DoD’s phased rollout in the 48 CFR rule, Phase 1 covers Level 1 and Level 2 self-assessments; Level 2 (C3PAO) requirements can appear in solicitations starting in Phase 2, which begins one year after the rule’s effective date (late 2026).
However, many prime contractors are expected to flow down third-party assessment requirements earlier as part of their own risk management programs. Even if not contractually required by the DoD yet, your eligibility as a subcontractor could be influenced by your readiness to undergo a formal certification.
The safest course of action is to plan for and achieve Level 2 (C3PAO) certification. This allows your company to be eligible for all Level 2 contract opportunities.
FAQs
Is self-assessment the same as a Plan of Action and Milestones (POA&M)?
No. A POA&M records the gaps you have not yet closed and how you will remediate them. A self-assessment is a formal review of control implementation and must reflect actual performance, not intention. Under the final rule a POA&M may accompany a Level 2 self-assessment only if the score is at least 88 of 110 and the open items are limited to requirements the rule allows to be deferred; those items must be closed within 180 days or the conditional status lapses.
Can a subcontractor rely on their prime contractor’s certification?
No. Each entity that handles CUI is responsible for meeting CMMC requirements independently, unless it operates entirely within the prime’s assessed environment under documented agreements that place it inside the prime’s assessment scope.
If I qualify for self-assessment now, will I need a third-party assessment later?
Yes, most likely. The self-assessment path is limited. Future contracts, renewals, or task orders may trigger a third-party requirement.