Can DoD Audit My CMMC Self-Assessment?
Yes — DoD can audit your CMMC self-assessment. For a Level 2 (Self) status, 32 CFR § 170.16 reserves the government’s right to run a DCMA DIBCAC assessment, and a later DIBCAC result showing you didn’t meet the requirements takes precedenceover your existing CMMC Status. A contracting officer checking your CMMC Unique Identifier in SPRS is verification — not the same event.
That’s the answer. Here’s the part that changes how you should react: most of what contractors panic-call an “audit” isn’t one thing. It’s at least six different events, each with its own authority, evidence demand, deadline, and consequence. Confuse them and you’ll either overreact to a routine UID check, or underreact to a live DIBCAC assessment with a 14-business-day rebuttal clock.
July 2026 update — read this before you conclude the pressure is off.
On July 13, 2026, the Department suspended the planned Phase II expansion (under which applicable solicitations could have required Level 2 C3PAO certification as a condition of award, originally set for November 10, 2026) and launched a 60-day program review. The same announcement keeps Phase I self-assessment requirements in place (Department of War release). DFARS 252.204-7012, the government’s assessment authority, and the False Claims Act are all unchanged.
The right CMMC provider isn’t the same for every contractor— the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool when you need a source-checked category match. For now, read on to classify your situation first.
Can DoD audit my CMMC self-assessment?
Yes. For a CMMC Level 2 (Self) status, 32 CFR § 170.16 expressly reserves DoD’s right to conduct a DCMA DIBCAC assessment, and if that later assessment shows you didn’t achieve or maintain the requirements, its result takes precedence over your pre-existing CMMC Status. “Self-assessment” means you performed the assessment — it does not mean the government validated it or waived its right to check.
Let’s be precise about the word, because the imprecision is where contractors get hurt. “Audit” is the term you typed into the search bar. The governing documents don’t use it as one thing. They describe several distinct actions:
- CMMC status verification in SPRS— a contracting officer confirming your recorded status and UID.
- A NIST SP 800-171 DoD Assessment— Basic (your own self-assessment, “Low” confidence) or a government-conducted Medium or High Assessment.
- A CMMC status investigation— the CMMC Program Management Office (PMO) process under § 170.6 that can lead to a DIBCAC assessment displacing a self-attested status.
- A C3PAO certification assessment— an independent third-party assessment, not a DoD assessment.
- A prime contractor request— supply-chain diligence, not a government action.
- A legal or investigative matter— DOJ civil enforcement, an Inspector General or NCIS investigation, a subpoena, or a civil investigative demand — outside the CMMC process entirely.
Treating all six as the same event is the most consequential classification mistake in this whole analysis. The rest of this page exists to tell them apart.
The honest part most compliance vendors skip
No one can tell you your odds of a government assessment — not us, not any vendor — because DoD has not published a contractor-specific probability or a DIBCAC selection formula. Anyone quoting you a precise audit percentage is guessing. By the government’s own count, cited as a reason for the July 2026 pause, the DIB has more than 100,000 companies against a fraction as much assessment capacity.
But the odds argument misses two things that change the analysis entirely.
First, the mechanism that catches false self-assessments often doesn’t require the government to pick you.Two of the most prominent public cybersecurity False Claims Act cases were brought by the contractors’ own people. MORSECORP’s case was filed by its own head of security. Georgia Tech’s, by two of its cybersecurity staff. A whistleblower can file under seal without the government ever having selected you — and the relator can collect a share of the recovery. Your annual affirmation is a personal signature on a government submission. The person who signs it is the one exposure catches up with.
Second, when the government does assess, the gap it finds can be enormous. In June 2026, DOJ announced that defense contractor LOGZONE agreed to pay $507,144 after a DCMA assessment of its NIST SP 800-171 implementation produced a score of −170, near the bottom of the −203-to-110 range (U.S. DOJ, Office of Public Affairs). DOJ’s public release attributes no relator — the government’s own assessment generated the case. LOGZONE had self-reported a perfect 110.
So the real question isn’t “will they audit me?” It’s “if my self-assessment were tested — by an assessor, a whistleblower, or an incident — would it hold?” That’s a question you can actually answer, and act on.
What kind of review is this — an SPRS check, a government assessment, or a status investigation?
These are different events with different stakes.A CMMC UID/status check verifies your eligibility to be awarded work. A DCMA DIBCAC Medium or High Assessment tests whether your NIST SP 800-171 implementation matches your claims. A CMMC status investigation — the PMO process under § 170.6 — can lead to a DIBCAC assessment that changes the CMMC Status recorded in SPRS and makes you ineligible for further awards at that level until you earn a new status. Identify which one you’re in before you do anything.
We built the table below by reconciling the primary sources named in each row — the CMMC Program rule (32 CFR Part 170), the DFARS assessment clauses, the February 2026 class deviation, the July 2026 suspension memos, and the DOJ enforcement releases — and cross-checking every cell against the issuer’s own text on July 16, 2026.
The CMMC Self-Assessment Review Matrix
| The event | Type | Who runs it | Governing authority | What they examine | Consequence / deadline | Your first move |
|---|---|---|---|---|---|---|
| CO asks for your CMMC UID or checks status | Verification | Contracting officer | DFARS 252.204-7021; CMMC rule | Your recorded status, UID, affirmation currency, and whether the UID’s scope matches the system doing the work | No rebuttal clock from the check itself; a missing or mismatched status can cost you the award or option | Confirm the UID, the system in scope, and affirmation currency before responding |
| Basic Assessment | Self-assessment method | You | Codified DFARS 252.204-7020 | Your SSP, your score calculation, your evidence | Posted in SPRS with a “Low” confidence level; not government validation | Preserve the calculation, scope, SSP version, and evidence index |
| DCMA DIBCAC Medium Assessment | Government assessment | Government personnel — DCMA DIBCAC | DFARS 252.204-7020 or its successor 252.240-7997 | Prior assessment, thorough document review, and discussions; facilities/systems/personnel if necessary | Government score posted to SPRS after a 14-business-day rebuttal window | Authenticate the notice; identify the clause, scope, and secure response channel; stand up a response team |
| DCMA DIBCAC High Assessment | Government assessment | Government personnel — DCMA DIBCAC | DFARS 252.204-7020 / 252.240-7997 | Everything in a Medium, plus verification, examination, and demonstration that controls operate as the SSP describes (per NIST SP 800-171A) | Government score posted to SPRS after the 14-business-day rebuttal window; High Assessment may generate additional CUI documentation | Prepare contemporaneous evidence, not retroactive documentation; confirm the secure channel |
| CMMC status investigation | Investigative process | CMMC PMO; may include DCMA DIBCAC | § 170.6(e)–(f)and § 170.16(a)(1)(iv) | Pertinent assessment information; and — if a DIBCAC assessment is exercised — the real implementation within your assessed scope | A subsequent DIBCAC result takes precedence over your status; SPRS updated to show non-compliance; ineligible for additional awards until new status earned | Treat as status-threatening; involve qualified counsel and readiness expertise; do not alter the environment |
| Level 2 C3PAO certification assessment | Third-party certification | An authorized/accredited C3PAO | § 170.17; Cyber AB CMMC Assessment Process (CAP) | Objective-level evidence, interviews, examination, demonstration, scope, SSP | Results flow through the CMMC process; conflict-of-interest and appeal rules apply | Keep readiness/remediation and formal assessment appropriately separated |
| Prime contractor asks for your score/status/proof | Private supply-chain request | Your prime (or a higher-tier sub) | Subcontract terms; DFARS 252.204-7021 flow-down where applicable | Usually your status, UID, affirmation, or a supplier questionnaire — a prime doesn’t get general access to your SPRS record | Losing the subaward; and a representation to a prime can carry consequences depending on the subcontract | See our explainer on what primes can actually require |
Before you produce anything, figure out which row you’re in. That single step protects your evidence, your status, and your time better than any document you could rush to assemble.
Free · no email · under two minutes
Check your likely DoD review path
Answer a handful of non-sensitive questions about your level, the clause in your contract, your status, and the wording of the message you received. The checker tells you the likely event, the evidence to preserve, whether a deadline is running, and the next step. Do not enter CUI, contract numbers, SSP content, system names, or credentials.
Start the review checker ↓DoD Self-Assessment Review Readiness Checker
Check your likely review path — free, no email, under two minutes
Does the July 2026 CMMC pause stop DoD from checking self-assessments?
No.The July 13, 2026 announcement suspended the planned Phase II third-party certification expansion and future CMMC milestones, while explicitly keeping Phase I self-assessment requirements in place. It did not touch DFARS 252.204-7012, the government’s Medium and High Assessment authority, the § 170.6 / § 170.16 status-investigation process, or the False Claims Act. The Department said it will continue relying on “self-assessments and select government-led assessments” during the review. Do not read the pause as protection from scrutiny.
The suspension was implemented by two July 13 memos under publication case 26-P-1023. It is not rulemaking.No Federal Register document amended the rule. 32 CFR Part 170 is unchanged. DFARS 252.204-7021 is unchanged. What’s suspended is the Department’s exercise of its discretion to requirethe higher assessment tiers — not the regulations that authorize the government to assess you.
What changed
- The November 10, 2026 Phase II expansion (Level 2 C3PAO certification as a condition of award) is suspended
- Phase 3 (Level 3 DIBCAC assessments) and later milestones are suspended “until further notice”
- During the pause, contracting officers may designate only CMMC Level 1 (Self) or Level 2 (Self) on new requirements
- CMMC Reform Task Force to report to the CIO within 60 days; RFI responses due August 14, 2026
What did not change
- Phase I self-assessment obligations remain in force
- DFARS 252.204-7012 and any clauses not removed or modified remain in force
- The annual affirmation requirement (§ 170.22) remains in force
- The government’s Medium and High Assessment access rights remain in force
- The § 170.6 / § 170.16 status-investigation process remains in force
- DOJ’s Civil Cyber-Fraud Initiative remains active
The practical takeaway is almost the opposite of the headline. Removing the assessor doesn’t remove the requirement; it relocates the assurance onto your own signature. That’s why verifying your posture matters more right now, not less.
What happens to a contract that already has a C3PAO or Level 3 requirement?
If an active solicitation or existing contract already contains a Level 2 (C3PAO) or Level 3 (DIBCAC) requirement, the implementation memo directs the government to strip it. Program managers must provide amended requirements documents, and contracting officers must amend active solicitations “as soon as practicable” and modify existing contracts before the next option period or at the next scheduled administrative modification. Until that modification actually reaches your contract, the existing terms still apply. Don’t assume the relief has landed — confirm it in writing with your contracting officer.
Also check: the exact clauses incorporated in each solicitation you’re bidding (7012, 7021, or 252.240-7997), and your prime’s flow-down language — because the July memo binds government personnel, not your prime’s subcontract terms. A prime managing its own liability can keep a stricter requirement even while the government’s timeline is paused.
What can DCMA DIBCAC actually ask to see?
In a Medium or High Assessment, the applicable clause can require access to your facilities, systems, and personnel when necessary.A Medium Assessment centers on your prior assessment, a thorough document review, and discussions. A High Assessment adds verification, examination, and demonstration that your controls operate as your System Security Plan says — assessed against NIST SP 800-171A. The difference between the two is the difference between “show me your paperwork” and “prove it works.”
Here is how the two assessment types compare, straight from the clause definitions:
| Dimension | Medium Assessment | High Assessment |
|---|---|---|
| Conducted by | Government personnel (DCMA DIBCAC) | Government personnel (DCMA DIBCAC) |
| Review of prior assessment | Yes | Yes |
| Thorough document review | Yes | Yes |
| Interviews / discussions | Yes | Yes |
| Verification and examination | Not to the High standard | Yes |
| Demonstration that controls operate | Not to the High standard | Yes |
| Facility / system / personnel access | May be required if necessary | May be required if necessary |
| Confidence level of the result | Medium | High |
| Result posted to SPRS | Yes (government score) | Yes (government score) |
| Rebuttal window before posting | 14 business days | 14 business days |
| Separate appeal of the outcome | 21 days under § 170.7(b) | 21 days under § 170.7(b) |
What a High Assessment realistically reaches into:
- Your System Security Plan and boundary.Current SSP version, the systems and CAGE codes in scope, CUI data flows, your enclave or enterprise boundary, and cloud/external-service dependencies — and whether the documented boundary matches what actually happens in performance.
- Policies and procedures.These establish the documented requirement and intended process. They are necessary but not sufficient — policy language is not proof of operation.
- Technical and operational evidence.Configuration exports, access-control records, log samples, training records, incident-response exercises, change records, asset inventories, encryption validation, backup and recovery records, and vulnerability remediation history — as categories. DIBCAC decides what it needs; there’s no universal fixed list.
- Interviews. Expect the assessor to want the policy owner, the technical implementer, the operational user, the Affirming Official, and, where relevant, your MSP or MSSP.
- Demonstrations. In a High Assessment, the team may verify what your SSP claims. A screenshot created the night before is not the same as evidence a control operated over time.
- Cloud and external service providers. Your Customer Responsibility Matrix, the shared-responsibility split, what you inherit from a FedRAMP-authorized provider, and what remains yours.
The 14-business-day window is your short response clock
Under DFARS 252.204-7020(e), DoD provides Medium and High Assessment summary scores to the contractor and offers rebuttal and adjudication before posting to SPRS. Upon completion of each assessment, the contractor has 14 business daysto provide additional information showing it met requirements the team didn’t observe, or to rebut findings in question. That’s not a marketing “act now.” It’s a fixed, short, contract-defined window. If you’re in it, calendar it immediately, and confirm exactly how the assessment team defines the completion date.
Note that this is separate from the appeal right. Section 170.7(b) permits an appeal of a DCMA DIBCAC assessment outcome within 21 daysby submitting a written basis for appeal for DIBCAC’s consideration. Two different authorities, two different stages — don’t combine them into one deadline.
What triggers a DIBCAC assessment or status investigation?
There is no public, exhaustive formula for how DIBCAC selects contractors — so be skeptical of anyone who claims to know your odds precisely.What the rule does establish: under § 170.6(e), the CMMC PMO investigates when an active status is called into question, and the listed indications include reports from the Accreditation Body, a C3PAO, or anyone knowledgeable of the organization’s security processes. An investigative evaluation can include reviewing pertinent assessment information and exercising the right to conduct a DCMA DIBCAC assessment.
What we can state from the primary source (§ 170.6):
- The CMMC PMO is responsible for investigating and acting on indications that an active CMMC Status has been called into question.
- Those indications include, but aren’t limited to, reports from the Cyber AB, a C3PAO, or anyone knowledgeable of the security processes and activities of the organization.
- Investigative evaluations include reviewing pertinent assessment information and exercising the right to conduct a DCMA DIBCAC assessment under 48 CFR 252.204-7020.
Editorial risk indicators — DCR analysis, not an official trigger list. These are patterns that, in our reading of the enforcement record and the rule, correlate with trouble. Label them as ours:
- A score unsupported by objective-level evidence
- A claimed 110 (or near-110) while known gaps remain unresolved
- A major environment change with no reassessment analysis
- An annual affirmation that doesn’t match current operations
- A system used in performance that sits outside the UID scope you posted
- Material inconsistency among your SSP, policies, diagrams, and actual practice
- A prime, employee, or agency report questioning your compliance
- Incident evidence suggesting a control you claimed wasn’t operating
When your environment changes: who decides whether you reassess
The official CMMC FAQ puts this decision — and the risk — on one person. A requirement or objective that was previously assessed as “not applicable” and later becomes applicable requires reassessment. Routine, like-for-like security patching or upgrades generally are not a significant change. A major change to functionality, architecture, design, or support triggers additional evaluation. And the Affirming Official— the senior official defined in § 170.4, whose affirmation requirements are in § 170.22 — owns the determination and bears the associated risk. See our detailed look at Affirming Official personal liability.
What the message you received probably means
| The language you got | Likely classification | 14-day rebuttal? | 21-day appeal? | First response |
|---|---|---|---|---|
| "Provide the CMMC UID(s) used for this proposal" | Routine SPRS status/scope verification | No | No | Confirm the UID matches the system that will handle FCI/CUI |
| "Confirm your current CMMC status and annual affirmation" | Eligibility/maintenance verification | No | No | Check your status date, affirmation currency, CAGE association, and scope |
| "Provide your prior assessment, SSP, policies, and supporting records" | Medium/High Assessment prep or status investigation | Possibly | Possibly | Ask for the cited clause, assessment level, authority, secure transmission method, and schedule |
| "Provide access to facilities, systems, and personnel" | A formal Medium or High government assessment is likely implicated | Likely | Likely | Authenticate immediately; stand up an internal response lead and evidence protocol |
| "Here is your assessment summary score; you have 14 business days…" | Medium/High Assessment rebuttal and adjudication | Yes | Yes, after the outcome | Calendar the deadline; separate evidence that existed at assessment time from later remediation |
| "A subsequent DIBCAC result will take precedence over your status" | § 170.6 status investigation / § 170.16 precedence | If a Medium/High is run | Yes | Treat as status-threatening; involve qualified counsel and readiness expertise |
| "Your prime needs your SPRS score before onboarding" | Supplier diligence — not automatically a government audit | No | No | Review the subcontract; disclose only what’s contractually appropriate |
| "Subpoena," "civil investigative demand," "DOJ," "Inspector General," "NCIS," or "false statement" | Legal or investigative matter — not ordinary readiness support | N/A | N/A | Preserve documents and contact qualified federal-contracts/FCA counsel before a substantive response |
| Unsolicited request to upload SSP, contract, drawings, credentials, or CUI to an unfamiliar portal | Possible phishing or unsafe handling | N/A | N/A | Do not upload. Authenticate independently through known contract or government channels |
What happens if DIBCAC disagrees with my SPRS score or status?
Two things, and they’re different.During a Medium or High Assessment, you get a rebuttal-and-adjudication opportunity and 14 business days to respond before the government score posts to SPRS, plus a separate 21-day right to appeal the outcome under § 170.7(b). If a status investigation’s DIBCAC assessment shows you didn’t achieve or maintain a Level 2 status, § 170.16 says that result takes precedence: SPRS is updated to show you out of compliance, standard contractual remedies apply, and you become ineligible for additional awards at that level for that system until you earn a new status.
The rebuttal, done right
A useful rebuttal is surgical. For each finding: the requirement number, the exact conclusion you dispute, the evidence that existed at the time of assessment, the SSP section and scope relationship, the artifact’s date and origin, and an explanation from the correct control owner. Then a clear ask for the correction.
What torpedoes a rebuttal, or worse: recreating or backdating evidence, altering logs or historical records, sending CUI over an unapproved channel, arguing from policy language when the question is implementation, or presenting remediation you completed after the assessment as proof the requirement was met duringit. A later fix reduces future risk. It does not prove past compliance — and blurring the two in a government submission is how a compliance problem becomes a legal one.
Who can see the result
Government summary scores in SPRS are visible to DoD personnel under DoD Instruction 5000.79, and your own authorized representatives can view your scores. A High Assessment can generate additional documentation, which DoD retains and protects as CUI and shields under FOIA Exemption 4 (trade secrets and confidential commercial information). Note the asymmetry: a prime does not receive general independent access to your SPRS record — which is why primes ask you for representations instead, and why those representations carry their own weight. For the supply-chain angle, see our explainer on prime requests for SPRS scores and SSPs.
The enforcement record — what a bad outcome has actually cost
These are the real-world answer to “what’s the worst case.” They share a feature DOJ itself emphasizes: these are misrepresentation cases, not breach cases — none required proof of an actual data breach.
| Case | Settled | Alleged claim vs. reality | Amount | How it surfaced | Source |
|---|---|---|---|---|---|
| LOGZONE Inc. (Huntsville, AL) | Jun 18, 2026 | Alleged failure to implement certain NIST SP 800-171 controls on two Navy contracts; DCMA assessment scored implementation at -170 (range -203 to 110); self-reported score: 110 | $507,144 | DCMA government assessment; no relator named | DOJ OPA |
| Georgia Tech Research Corp. | Sep 30, 2025 | Alleged submission of a score of 98 for a “fictitious” campus-wide environment matching no actual covered system; a lab allegedly lacked required antivirus and an SSP | $875,000 | Qui tam by two cybersecurity staff (relators shared $201,250) | DOJ OPA |
| MORSECORP Inc. (Cambridge, MA) | Mar 26, 2025 | Posted 104; a gap analysis allegedly found ~22% of controls implemented — score -142; left uncorrected until ~3 months after a DOJ subpoena | $4.6M | Qui tam by its own head of security (~$851K relator share) | DOJ OPA |
| Penn State | Oct 2024 | Alleged failure to safeguard DoD data / misrepresented NIST SP 800-171 compliance | $1.25M | Qui tam | DOJ OPA |
The through-line: DOJ’s Civil Cyber-Fraud Initiative uses the False Claims Act (31 U.S.C. §§ 3729–3733). Its knowledge standard includes actual knowledge, deliberate ignorance, and reckless disregard — without requiring specific intent to defraud. A qui tam relator generally receives 15–25% of the recovery when the government proceeds, and 25–30% when it does not. LOGZONE is the case to sit with, because it shows the chain this whole page is about: a DCMA assessment produced a score, and that assessment was central to allegations the contractor resolved by settlement. For more on FCA exposure, see False Claims Act risk from CMMC misrepresentation and what happens if you lie on your SPRS score.
What should I do if my posted SPRS score might be wrong?
Preserve the existing record first. Then reassess honestly against the DoD Assessment Methodology, determine whether the corrected result even supports a CMMC status, and correct inaccurate submissions through the authorized process. When a known overstatement, a government inquiry, a claim for payment, or a possible False Claims Act issue is in the picture, involve qualified federal-contracts/FCA counsel before you alter a government record.
The lesson of MORSECORP’s $4.6 million settlement was never the low score. It was posting a high one and leaving it there for two years after learning the truth.
Two points that keep this from becoming a trap:
Correct — but preserve and get advice first if there’s exposure.If your honest number is lower than what’s posted, the danger isn’t the low number; it’s a stale high one sitting in SPRS while you know better. But don’t purge or “clean up” records on the way to correcting, and don’t quietly rewrite a government submission if a known overstatement or an inquiry already exists — preserve the record and talk to counsel first. Recalculate using the DoD Assessment Methodology (start at 110, subtract weighted deductions of 1, 3, or 5 points per unmet requirement). For the scoring mechanics and PIEE submission, see our SPRS score guide; for POA&M rules, see our Conditional Level 2 POA&M closeout guide.
Know the status thresholds before you assume a corrected score fixes eligibility.A defensible 47 beats an indefensible 104 — but 47 out of 110 does not produce a CMMC Level 2 status and cannot support award eligibility where Level 2 (Self) is required. Under § 170.21, a Conditional Level 2 status is available only when the score is high enough (commonly cited as at least 88 of 110) and every unmet requirement is eligible for a POA&M, with closeout within 180 daysof the Conditional Status Date. Honesty and contractual eligibility are two different things — plan for both.
Which kind of help you need turns on what you just read. If your evidence would survive a document review and you’re only fixing a number, that’s paperwork. If it wouldn’t — undated artifacts, out-of-scope systems, an SSP that doesn’t match reality — that’s an implementation project, and it needs a different provider than a certification assessor. And if your score is accurate and your evidence is solid? Calendar your next annual affirmation, keep your evidence current, and get back to work.
Map your situation to the right provider category \u2014 RPO, MSSP, GRC platform, or CUI enclave \u2014 before you request quotes. Do not submit CUI, drawings, or sensitive contract details.
Find My CMMC Path \u2192Does any of this apply if we only handle FCI (Level 1)?
Mostly no, with one sharp exception.The § 170.16 DIBCAC status-investigation and precedence language lives in the Level 2 rule; the Level 1 rule at § 170.15 does not contain that same sentence. But Level 1 self-assessments and annual affirmations still go into SPRS, artifacts still must be retained for six years, and a false Level 1 affirmation can still support False Claims Act exposure when the statutory elements are met. Don’t read “no explicit override for Level 1” as “nobody can ever hold me to my Level 1 attestation.”
Level 1 covers Federal Contract Information (FCI) rather than Controlled Unclassified Information (CUI). It’s the 15 basic safeguards drawn from FAR 52.204-21 (which revised FAR Part 40 renumbers to FAR 52.240-93 in covered actions under the overhaul, though codified 52.204-21 remains published and is still the safeguard reference in the CMMC rule), assessed annually by you, with no POA&Ms permitted. What still binds you at Level 1 is the honesty of what you put in SPRS and the affirmation you sign under § 170.22. See our Level 1 self-assessment checklist.
Can my prime contractor audit my self-assessment?
A prime doesn’t get general independent access to your SPRS record,but where DFARS 252.204-7021 applies and is flowed down to a subcontract involving FCI or CUI, the higher-tier contractor must ensure you hold the required current CMMC status before award — so it will ask for representations, questionnaires, and flow-down attestations. And the July 2026 memo binds government personnel, not your prime’s subcontract terms: a prime managing its own liability may keep stricter requirements even while the government’s timeline is paused.
Two things to keep straight.First, a representation you give a prime can carry contractual or legal consequences depending on the subcontract, the statement, reliance, and materiality — treat a supplier questionnaire with the same care as an SPRS entry. Second, you can voluntarily share your status, score, or certificate, but don’t send your full SSP or any CUI unless the subcontract requires it through a secure channel; a status confirmation is frequently all that’s actually required. If your prime relaxes a requirement because of the suspension, get it in writing before you change your assessment plans. See our full guide: what to do when a prime asks for your SPRS score or SSP.
What to do if DIBCAC or a contracting officer has already contacted you
Authenticate the sender, preserve your existing records, identify the cited authority and any deadline, and classify the contact — before you change your environment or hand over documents. Never rewrite historical evidence, and never send sensitive material through an unapproved channel. If the language is legal or investigative, escalate to qualified counsel before you respond substantively. Calm and methodical beats fast and sloppy here.
- Authenticate independently.Use known agency or contracting-office contacts — not the phone number or link inside an unexpected message. Confirm the sender’s role, the contract or solicitation, whether DCMA/DIBCAC is truly involved, and the secure response channel.
- Preserve what exists.Ask counsel about a litigation/investigation hold where appropriate. Preserve email, SPRS submissions, assessment files, logs, SSP versions, POA&Ms, affirmations, and change records. Do not purge or “clean up” records because they’re embarrassing — that instinct turns a compliance problem into an obstruction problem.
- Identify the authority. Capture the clause number, assessment type, CMMC level, system/CAGE/UID scope, contract number, notice date, assessment date, any rebuttal or appeal deadline, and the named government organization.
- Stand up a response team. At minimum: your executive/Affirming Official, a contracting lead, a security/compliance lead, the technical control owners, an evidence coordinator, your MSP/MSSP or cloud owner where relevant, and counsel when legal exposure exists.
- Build the finding-by-finding record. Sort every issue into four buckets: supported and undisputed; a factual dispute backed by contemporaneous evidence; a scope or applicability dispute; and a genuine gap that needs prospective remediation.
- Keep rebuttal and remediation separate. The rebuttal answers what was true and demonstrable at the time. Remediation answers what changes going forward. Never present the second as if it were the first.
How we verified this
The consequential claims on this page are linked to the primary sources we checked on July 16, 2026, rather than to secondary summaries. If a source changes, the “Last verified” date at the top tells you whether we’ve re-checked.
What we actually verified — July 16, 2026
- The Level 2 (Self) status-investigation language, the DIBCAC-takes-precedence rule, and the six-year artifact-retention requirement in 32 CFR § 170.16; the PMO investigation and SPRS-update provisions in § 170.6; and the 21-day appeal in § 170.7(b).
- That § 170.15 (Level 1) carries the six-year retention duty but not the § 170.16 precedence sentence.
- The Basic/Medium/High Assessment definitions, the facilities/systems/personnel access requirement, the rebuttal-and-adjudication procedure, and the 14-business-day window in DFARS 252.204-7020.
- The Conditional-status POA&M conditions and 180-day closeout in § 170.21, and the annual-affirmation requirement in § 170.22.
- The February 1, 2026 Class Deviation 2026-O0025 directing use of DFARS 252.240-7997 for the government Medium/High Assessment function in covered actions.
- The July 13, 2026 Phase II suspension and the continuation of Phase I self-assessments (Department of War release), plus the implementation memo’s instructions to amend active solicitations and modify existing contracts carrying C3PAO/Level 3 requirements.
- NIST SP 800-171 Revision 2 as the current Level 2 requirement set under the CMMC rule (110 requirements across 14 families) — not Revision 3.
- The June 18, 2026 DOJ LOGZONE settlement ($507,144; DCMA-assessed score of -170) and the Georgia Tech, MORSECORP, and Penn State settlements from DOJ releases.
Who made this, and why.The Defense Compliance Report Editorial Team assembled the review matrix by reconciling the CMMC Program rule, the current and codified acquisition clauses, the official CMMC FAQ, NIST publications, the Cyber AB CMMC Assessment Process, and primary-source enforcement reporting. This page exists so a DIB contractor can identify the next correct move — before disclosing evidence, hiring the wrong provider category, or misreading what a government request actually means.
Frequently asked questions
- Can DoD change my Level 2 (Self) CMMC status?
- Yes. Under 32 CFR § 170.16, a subsequent DCMA DIBCAC assessment that shows you didn't achieve or maintain the requirements takes precedence over your pre-existing status. SPRS is updated to reflect non-compliance, contractual remedies apply, and you're ineligible for additional awards at that level for the affected system until you earn a new status.
- Is a CMMC status investigation a separate assessment from a Medium or High Assessment?
- No. The status investigation is the broader CMMC PMO process under § 170.6 for looking into a status that's been called into question. It can include a DCMA DIBCAC assessment (a Medium or High Assessment), and it's that assessment result — not the investigation label — that changes your recorded status.
- Is a contracting officer checking my CMMC UID an audit?
- No. That's status and scope verification — confirming your recorded status and that your UID covers the system doing the work. A government Medium or High Assessment is a different, heavier event involving document review and potentially access, interviews, verification, and demonstrations.
- Can DIBCAC come on-site?
- The applicable clause (DFARS 252.204-7020, or 252.240-7997 in covered actions under the 2026 deviation) can require access to your facilities, systems, and personnel when necessary for a Medium or High Assessment. Whether a given assessment is on-site, remote, or hybrid depends on the assessment and the notice you receive.
- What's the difference between a Medium and a High Assessment?
- A Medium Assessment reviews your prior assessment, your documentation, and includes discussions. A High Assessment adds verification, examination, and demonstration that your controls are implemented as your SSP describes, assessed against NIST SP 800-171A. Both are conducted by government personnel and both carry a 14-business-day rebuttal window.
- Does the 14-business-day rebuttal apply to every DoD contact?
- No. It applies to the Medium or High Assessment process under the applicable clause — the window to respond before the government score posts to SPRS. A UID check, a status-currency question, or a prime's request has no such clock.
- Can I appeal a DCMA DIBCAC assessment?
- Yes — separately from the 14-business-day rebuttal. Section 170.7(b) of 32 CFR Part 170 permits an appeal of a DCMA DIBCAC assessment outcome within 21 days by submitting a written basis for appeal for DIBCAC's consideration.
- Does DFARS 252.204-7020 or 252.240-7997 apply to me?
- Read your actual contract. Codified DFARS 252.204-7020 remains published and the CMMC rule still references it, while solicitations issued under Class Deviation 2026-O0025 use DFARS 252.240-7997. Both carry government Medium/High Assessment mechanisms; the clause incorporated into your contract controls.
- Can I correct a wrong SPRS score and still have CMMC Level 2 status?
- Only if the corrected result satisfies the status conditions. Under § 170.21, a Conditional Level 2 status requires a high-enough score (commonly cited as at least 88 of 110) and that every remaining unmet requirement be POA&M-eligible, with closeout within 180 days. If the score is too low, an unmet requirement can't be on a POA&M, or your SSP condition prevents completing the assessment, there's no qualifying Level 2 status — an honest low score is still safer than an indefensible high one, but it isn't the same as eligibility.
- How long must I keep my CMMC self-assessment evidence?
- For Level 2 (Self), § 170.16 requires the artifacts used as evidence to be retained for six years from the CMMC Status Date. Level 1 carries the same six-year retention duty under § 170.15.
- Did the July 2026 Phase II suspension stop CMMC self-assessments?
- No. The announcement keeps Phase I self-assessment requirements in place and states the Department will continue relying on self-assessments and select government-led assessments during the review. The suspension paused the third-party certification expansion, not the self-assessment obligation or the government's assessment authority.
- What happens to my active Level 2 (C3PAO) or Level 3 solicitation during the pause?
- The implementation memo directs the government to strip those requirements — program managers provide amended requirements documents, contracting officers amend active solicitations "as soon as practicable," and existing contracts are modified before the next option period or at the next scheduled administrative modification. Until that modification reaches your specific contract, the existing terms apply, so confirm the change with your contracting officer in writing.
- Does the same DIBCAC override rule apply to Level 1?
- The explicit status-investigation and precedence sentence appears in § 170.16 for Level 2, not in the Level 1 rule at § 170.15. Don't read that as license to post inaccurate information at Level 1 — your annual affirmation and other contract, investigation, and enforcement authorities still apply.
- Our environment changed after the self-assessment. Do we reassess?
- The Affirming Official decides, and owns the risk. The official CMMC FAQ says a requirement or objective previously assessed "not applicable" that becomes applicable requires reassessment; routine like-for-like security maintenance generally does not; and a major functionality, architecture, or support change requires additional evaluation.
- Is an inaccurate SPRS score automatically a False Claims Act case?
- No. Liability is fact-specific — the government weighs falsity, knowledge (actual knowledge, deliberate ignorance, or reckless disregard), materiality, and a claim-or-payment nexus. A technical discrepancy alone is not automatic liability. That said, the enforcement record shows the risk is real when a score is knowingly or recklessly overstated.
- Who can see my assessment results?
- Government summary scores in SPRS are available to DoD personnel under DoD Instruction 5000.79, and your own authorized representatives can view your scores. High Assessment documentation the government generates is protected by DoD as CUI and under FOIA Exemption 4. A prime does not get general independent access to your SPRS record.
- Should I send my SSP to a prime contractor?
- Not automatically. Confirm what the subcontract actually requires, the purpose, the need to know, and the secure channel — and whether a status confirmation is enough. Your SSP contains sensitive security information.
- Can the same firm remediate us and then serve as our C3PAO?
- Don't assume it's permitted. Under the Cyber AB CMMC Assessment Process (CAP), a C3PAO must identify and manage conflicts of interest, document any mitigation, and decline the assessment if a conflict can't be sufficiently mitigated. Keep readiness/remediation and formal assessment appropriately separated, and verify the C3PAO's current Cyber AB Marketplace status.
- How do I verify that a "DIBCAC" contact is real?
- Authenticate it through known contracting-office, DCMA, or agency channels — not solely through links or phone numbers in the unexpected message. Don't send sensitive evidence until you've confirmed both the authority and the approved transmission method.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options — RP/RPO, MSSP, GRC platform, or CUI enclave.
Find My CMMC Path →