CMMC Self-Attestation: What Defense Contractors Need to Know

Executive Brief

Many defense contractors are misreading Cybersecurity Maturity Model Certification (CMMC) self-attestation as a simple checkbox exercise. That misunderstanding creates serious risk.

With 48 Code of Federal Regulations (CFR) now live and CMMC requirements appearing in active Department of Defense (DoD) (also known as the Department of War) solicitations, the stakes are real. Self-attestation is a formal, evidence-based process with legal consequences for getting it wrong.

Dig deeper below to learn what your organization needs to understand before submitting anything.

Why This Matters Now

Phase 1 of CMMC enforcement runs from November 2025 through November 2026 and requires most contractors to complete a self-assessment and affirmation rather than a third-party assessment. That distinction is creating dangerous confusion.

Contractors are hearing "self-attestation" and assuming it means a streamlined, low-effort process. That assumption carries significant legal and financial risk.

Self-attestation carries the same compliance obligations as a third-party assessment. You are simply the one doing the validating, and if your validation is wrong, the legal consequences are the same.

What Self-Attestation Actually Requires

Level 1 — Federal Contract Information (FCI) only

If your organization handles only FCI, you must implement all 15 basic safeguarding requirements under Federal Acquisition Regulation (FAR) 52.204-21. Every control must be met. No Plans of Action and Milestones (POA&Ms) are permitted at Level 1.

Level 2 — Controlled Unclassified Information (CUI)

Most DoD contractors handle CUI, which means you must demonstrate compliance with all 110 security controls from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2, spanning 320 assessment objectives. This is a rigorous self-evaluation against a defined methodology, not a survey.

What You Must Produce

Before submitting anything to the government, your organization must have built and maintained the following:

• System Security Plan (SSP): A comprehensive document mapping your actual environment, including users, systems, network architecture, and access controls, to each applicable NIST control. The SSP is the foundation of your entire assessment.
• Supplier Performance Risk System (SPRS) Score: Your numerical compliance score, ranging from -203 to 110, calculated using DoD Assessment Methodology. Each of the 110 controls is weighed at one, three, or five points. You must document your real score.
• POA&Ms: If controls are unmet, you need a documented remediation plan with timelines. For Level 2, Conditional status requires a score of at least 80% and full remediation within 180 days.
• Policies and Procedures: Written, implemented policies aligned to each of the 14 NIST 800-171 control families, including access control, incident response, and configuration management.
• Evidence and Artifacts: Screenshots, configuration exports, training records, and access logs proving controls are implemented. All artifacts must be retained for six years.

Building a compliant SSP and properly scoring against all 110 controls can take three to twelve or more months depending on your environment and current posture. This is not a weekend project.

What Gets Submitted and Where

All submissions flow through SPRS, the DoD's centralized platform for tracking contractor cybersecurity posture.

• Register in the Procurement Integrated Enterprise Environment (PIEE) and obtain the SPRS Cyber Vendor User role
• Enter your self-assessment results, including your numerical score, SSP name, assessment date, and applicable Commercial and Government Entity (CAGE) codes
• A senior executive, designated as the Affirming Official, must sign a formal affirmation in SPRS. This is not an IT delegation. It is an executive personally certifying compliance
• Affirmations must be renewed annually; self-assessments must be renewed every three years
• Contracting officers check SPRS before awarding contracts. Missing, expired, or questionable entries can disqualify your organization before a conversation even begins

The Legal Risk of Getting It Wrong

The Department of Justice's (DoJ) Civil Cyber-Fraud Initiative uses the False Claims Act (FCA) to pursue contractors who misrepresent cybersecurity compliance. In 2025 alone, the DoJ settled seven cybersecurity-related FCA cases.

FCA violations carry treble damages, meaning triple the government's losses, plus per-claim penalties. Willful ignorance is not a defense. The executive signing the SPRS affirmation is personally accountable. CMMC compliance is not just a cybersecurity issue, it is a business imperative.

Exposure can come from submitting an inflated SPRS score, signing affirmations without verifying controls, or allowing POA&M items to go unresolved while continuing to certify readiness.

What Phase 1 Does Not Protect You From

Phase 1 does not guarantee you will avoid a third-party assessment. DoD Program Managers have discretion to require Certified Third-Party Assessment Organization (C3PAO) certification even during Phase 1. Primes are already flowing that requirement down to subcontractors ahead of the formal timeline. Know what your contracts and partners require.

What Leaders Need to Do Now

Self-attestation is not a shortcut. It is the same compliance work, executed internally, with the same legal accountability attached.

Build your SSP. Score honestly. Remediate your gaps. Document everything. And make sure the executive signing that affirmation knows exactly what they are certifying.

FAQs

Is CMMC self-attestation just a formality?

No. Self-attestation is a formal, evidence-based process. It requires a complete SSP, an accurate SPRS score, and an executive affirmation with legal accountability under the False Claims Act.

Who signs the CMMC self-attestation?

A senior company executive, designated as the Affirming Official, must sign the affirmation in SPRS. This cannot be delegated to IT and carries personal legal accountability.

Does Phase 1 mean I do not need a C3PAO assessment?

Not necessarily. DoD program managers can require a third-party C3PAO assessment even during Phase 1. Prime contractors are also validating subcontractor compliance ahead of the formal timeline.

How long does it take to prepare for self-attestation?

Depending on your environment and current posture, building a compliant SSP and scoring against all 110 controls can take three to 12 months. Starting early is critical.

Helpful ISI Links

• What Should Be in Your System Security Plan (SSP) for CMMC Level 2?
• CMMC Is Not a Cyber Problem. It's a Business Risk Issue
• CMMC POA&Ms Explained: What You Can and Cannot Defer
• The Three-Year Myth: The Real CMMC Timeline for Defense Contractors