The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

CMMC Gap Assessment vs C3PAO Assessment: What’s the Difference, and Which Do You Need First?

By The Defense Compliance Report Editorial Team · Last verified: June 15, 2026

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This is editorial research, not legal, contractual, or compliance advice. We are not affiliated with the Department of Defense, the Cyber AB, NIST, or DCMA DIBCAC.

If you’re weighing a CMMC gap assessment vs a C3PAO assessment, here’s the bottom line: they are not two ways to do the same thing. They are two different steps, at two different stages, with two different price tags — and confusing them is one of the most expensive mistakes a defense contractor can make right now. A gap assessment is an informal readiness check you run early to find where you fall short of NIST SP 800-171 Revision 2 and to build your fix-it plan. A C3PAO assessment is the official certification exam — the formal process a Cyber AB-authorized assessor runs to determine whether you pass Level 2.

Here’s the part most pages bury, and a few get backwards: the firm that runs your gap assessment and fixes your gaps generally cannot be the C3PAO that certifies you. That’s not a vendor preference. It’s built into the federal accreditation rules. We read them so we could show you exactly where, and we’ll put a hard number on what skipping the readiness step can cost, because the DoD already published one.

The short version: if you don’t yet know your CUI scope, your System Security Plan is thin, or you can’t show evidence for all 110 requirements, you need a gap assessment first. If you’ve remediated, your scope is locked, and your contract requires Level 2 (C3PAO), you’re ready to shortlist assessors. If you don’t even know which CMMC level or assessment type your contract calls for — stop, and read the clause before you spend a dollar on either.

If this is you | Start here | Not yet
Unsure of your CUI scope, SSP, or evidence | Gap assessment (readiness diagnostic, no official status) | A C3PAO quote
Remediated, scope locked, contract requires Level 2 (C3PAO) | C3PAO assessment (official exam, can yield Conditional/Final status) | Another generic gap assessment
You don't know which level or assessment type the contract requires | Read the clause / confirm the requirement | Buying either

For most contractors that aren’t already assessment-ready, the gap assessment comes first. The C3PAO assessment comes later — only when your contract requires it and your evidence can survive review.

CMMC gap assessment vs C3PAO assessment: what’s the difference?

Answer capsule: A CMMC gap assessment (also called a gap analysis or readiness assessment) is an unofficial, internal-use evaluation that measures your environment against NIST SP 800-171 Revision 2 to identify deficiencies and produce a remediation roadmap. A C3PAO assessment is the official CMMC Level 2 certification assessment, conducted by a Cyber AB-authorized C3PAO under 32 CFR § 170.17 and NIST SP 800-171A, which can yield Conditional or Final Level 2 (C3PAO) status and is submitted to CMMC eMASS.

A C3PAO is a CMMC Third-Party Assessment Organization — a company the Cyber AB has authorized to perform official CMMC Level 2 assessments. NIST SP 800-171 Revision 2 is the catalog of 110 security requirements, organized into 14 control families, that Level 2 maps to. (NIST published a Revision 3 in May 2024. It is not the controlling version for CMMC Level 2 today — the rule still points to Rev. 2. We confirmed this against 32 CFR Part 170.)

A gap assessment is the diagnostic. It tells you how far you have to go. A C3PAO assessment is the exam. It decides whether you pass. One is a flashlight; the other is a verdict.

CMMC gap assessment vs C3PAO assessment — the full head-to-head

Dimension | CMMC gap assessment | C3PAO assessment
What it is | Informal, internal-use readiness diagnostic. Off the record by nature. | The official Level 2 certification assessment that sets your CMMC status.
Primary job | Find gaps, prioritize remediation, build the roadmap and draft POA&M. | Verify and certify; determine your CMMC status of record.
Who performs it | You, or a readiness provider: an RPO, CMMC-focused MSP/MSSP, vCISO, or consultant. Not an official role in the rule. | A Cyber AB-authorized C3PAO, using a team of at least one Lead CCA, an additional CCA, and a separate non-participating CCA for quality assurance.
Regulatory standing | None. Not a CMMC requirement on its own; not submitted to the government. | Official. Recognized under 32 CFR Part 170; results submitted to CMMC eMASS, status reflected in SPRS.
Governing authority | Internal best practice. Often modeled on 800-171A, but not bound by it. | 32 CFR § 170.17, NIST SP 800-171A, the CMMC Assessment Process (CAP), and ISO/IEC 17020:2012. Scoring per 32 CFR § 170.24.
Measured against | The 110 requirements, informally, at whatever depth you choose. | All 110 requirements / 320 assessment objectives, formally, via Examine / Interview / Test methods.
Deliverable | Gap report, prioritized remediation roadmap, draft POA&M, SSP support. For your use. | A determination of Final, Conditional, or no issuance of Level 2 (C3PAO) status.
Where results go | Nowhere official; internal only. | CMMC eMASS, then reflected via SPRS. (Self-assessments post to SPRS; C3PAO results route through CMMC eMASS.)
Scored? | No. It's a snapshot to act on. | Yes: subtractive from 110 (requirements weighted 1, 3, or 5 points), range −203 to 110. 88 (80%) minimum for Conditional.
POA&M role | It typically creates your first POA&M. | Limited: only 1-point requirements qualify (one narrow encryption exception), six 1-point requirements are excluded, and the SSP must be complete at assessment time. 180-day closeout to convert Conditional to Final.
Independence rule | None. Your readiness partner can also remediate, write your SSP, and run your security. | Strict. A firm that consulted on, implemented, or manages the system cannot be its C3PAO. (32 CFR § 170.9(b)(2); ISO/IEC 17020; Cyber AB R2002.)
Typical cost | ~$3,500–$20,000+ in provider-published ranges, scaling with size and depth. | DoD models the assessment + initial affirmation at ~$101,752 for a small entity; C3PAO engagement itself ~$31,234 (~$52,056 for larger entities). Market assessor fees run ~$30K–$150K. Excludes remediation.
Timeline | Days to a few weeks (often ~1–2 months with reporting). | The formal assessment runs ~2–4 weeks; full readiness-to-certified is commonly 6–18 months.
Cadence | As needed; many run one at least annually and before any C3PAO engagement. | Once per 3-year cycle, plus annual affirmations by the affirming official.
When you need it | Early: before remediation, before scheduling a C3PAO. Optional but high-leverage. | When you're assessment-ready and your contract requires Level 2 (C3PAO).

Last verified June 15, 2026. Regulatory rows are sourced to the Federal Register / eCFR, NIST CSRC, and Cyber AB publications. DoD dollar figures come from the cost analysis in the CMMC program rule; market ranges are compiled from provider-published pricing and vary widely. Treat all dollar figures as planning estimates, not quotes.

A common error on competing pages: several articles state that a gap assessment is “typically performed by a C3PAO.” It isn’t, and structurally you usually wouldn’t want it to be, because of the independence rule covered in the next section. That single misunderstanding can cost you a five-figure assessment you can’t cheaply retake.

Which one do you need first?

Answer capsule: You need a gap assessment first if you cannot confidently prove your CUI scope, SSP completeness, control implementation, and evidence quality. You’re ready for a C3PAO assessment when you’ve remediated, your scope is stable, you can map every requirement to evidence, and your contract specifies Level 2 (C3PAO). If you don’t yet know which CMMC level or assessment type your contract requires, resolve that before spending on either.
Start with a gap assessment if: you're unsure about your CUI boundary, your SSP is a template with placeholders, your controls exist on paper but not in evidence, or a prime just told you CMMC is coming and you don't know where to begin.
Go straight to a C3PAO assessment if: your contract requires Level 2 (C3PAO), your SSP is current, you can demonstrate every requirement with artifacts, your POA&M is small and closeable, and your readiness work was done by a different firm than the assessor.
Don't schedule either yet if: you can't say whether your contract requires Level 1, Level 2 (Self), Level 2 (C3PAO), or Level 3. Confirm the required CMMC status in writing first.

Map yourself to a starting move

Your situation | Start with | Don’t start with | Why
You're not sure your files are CUI | CUI scoping / readiness review | A C3PAO quote | Your assessment boundary isn't stable yet
You handle CUI but have no complete SSP | Gap assessment | A formal C3PAO assessment | Documentation and evidence aren't ready
Controls exist, proof is thin | Mock / readiness assessment | A new tooling purchase | The blocker is evidence, not technology
Contract says Level 2 (Self) | Self-assessment readiness | A C3PAO by default | The clause sets the assessment type
Contract says Level 2 (C3PAO) | Gap → remediate → C3PAO | Self-assessment alone | Level 2 (Self) does not satisfy Level 2 (C3PAO)
You're FCI-only | Level 1 self-assessment | A C3PAO (none required) | Level 1 is always self-assessed
You hold Final Level 2 (C3PAO), facing Level 3 | Level 3 / DIBCAC planning | Another generic gap assessment | Level 3 is government-assessed, on top of Level 2

CMMC Assessment Path Finder

Answer two questions to find your concrete next step.

1. What data type does your contract involve?

If FCI only (no CUI): Level 1 self-assessment

Annual self-assessment + affirmation. No C3PAO required. Covers 15 requirements from FAR 52.204-21. A gap assessment can confirm readiness but isn't mandated.


If CUI: Read your contract clause first

If the clause says Level 2 (Self): run a gap assessment, then self-assess. If it says Level 2 (C3PAO): gap → remediate → C3PAO. The clause sets the path — not your preference.


If unsure: Confirm the required level in writing

Ask your prime or contracting officer for the required CMMC level and assessment type in writing. Do not spend on a gap assessment or C3PAO until you know the clause.



Can the same firm do your gap assessment and your C3PAO assessment?

Answer capsule: Generally no. A firm that provided consulting, remediation, implementation, or managed services for a given system cannot serve as the C3PAO that certifies that same system. This independence requirement is built into the federal accreditation structure: 32 CFR § 170.9(b)(2) requires every C3PAO to follow the Cyber AB’s conflict-of-interest rules and to achieve and maintain ISO/IEC 17020:2012 compliance, and ISO/IEC 17020’s independence rules bar a body from assessing work it helped build.

Readiness providers prepare you. That’s the RPO (Registered Provider Organization), the RP (Registered Practitioner), CMMC-focused MSPs and MSSPs, vCISOs, and independent consultants. The Cyber AB is explicit that these organizations provide advisory services and do not conduct certified CMMC assessments. They can run your gap assessment, write your SSP, close your gaps, and stand up your environment, provided they’re acting only as your readiness or remediation provider and won’t sit on the team that formally assesses that same system.

C3PAOs assess you. And they are required to be independent of the work they’re judging.

The independence rule — traced to the source

32 CFR § 170.9(b)(2)

Requires every C3PAO to comply with the Accreditation Body's policies for Conflict of Interest, Code of Professional Conduct, and Ethics, and to achieve and maintain accreditation to ISO/IEC 17020:2012. C3PAOs are first "authorized" and then have up to 27 months from authorization to reach full ISO/IEC 17020 accreditation — so "authorized" and "accredited" aren't the same thing.

The CMMC Assessment Process (CAP)

States the C3PAO conducts the Level 2 assessment in accordance with 32 CFR § 170.17, NIST SP 800-171A, the CAP, and ISO/IEC 17020:2012 — and that the C3PAO must manage impartiality and identify conflicts of interest before assessment activities begin, a duty it cannot delegate.

Cyber AB R2002 C3PAO Accreditation Requirements

Spells out the inspection-body rules. A C3PAO offering consulting or managed services must operate as an ISO/IEC 17020 Type A body and cannot offer those services to a client it assesses; a C3PAO offering limited ancillary services falls under Type C and must still actively manage conflicts; and a body that would inspect its own system — a Type B arrangement — is not permitted in the CMMC scheme at all.

Translate that out of regulatory language: the company that builds your SSP, fixes your findings, or runs your security cannot grade the result for that same system. If a firm does significant prep or remediation for you, that firm is off the table as your assessor for that system. If you want consulting before your assessment, use a different firm — or work with an RPO or RP for the readiness side and a separate C3PAO for the exam.

The honest part

A gap assessment is not required by the CMMC rule. Nothing in 32 CFR Part 170 says you must buy one. You can, in theory, schedule a C3PAO assessment without ever running a formal gap assessment first.

So why does nearly everyone recommend it anyway? Because of the rule you just read. Your C3PAO can tell you a control is “Not Met” — but it can’t tell you what to buy or how to fix it, and it can’t fix it for you. Combine that with a scored exam (88-point minimum, with most gaps ineligible for a deferral), a three-year cycle, and a limited pool of assessors, and walking in blind is how contractors fail an expensive assessment they then have to wait and pay to redo. The gap assessment is optional the way a home inspection is optional before you buy the house. Technically, yes. Wise, almost always.

And if you genuinely don’t need a paid gap assessment — you have a mature in-house security team that knows NIST 800-171 cold — then don’t buy one. Pull our CMMC readiness checklist and run the gap internally.


What does a CMMC gap assessment actually include?

Answer capsule: A useful CMMC gap assessment delivers a CUI scope review, control-by-control findings mapped to NIST SP 800-171 Revision 2, an evidence-readiness review, a documentation review of your SSP and POA&M, and a prioritized remediation roadmap. What it should never produce is a claim of certification; a gap assessment carries no official CMMC status.

A gap assessment worth paying for covers:

  • Scope. Where FCI and CUI actually live — across CUI assets, security protection assets, contractor risk-managed assets, and specialized assets.
  • Controls. A mapping of your current state against the 110 NIST SP 800-171 Revision 2 requirements, not a generic “cyber maturity” score.
  • Evidence. A look at what an assessor would actually need to see — and what you can’t yet show.
  • Documentation. An honest review of your SSP and POA&M, flagging missing or stale sections.
  • A roadmap. Prioritized remediation, sequenced, with a path toward either Level 2 (Self) or Level 2 (C3PAO) readiness.

How to tell a real gap assessment from a thin one

Deliverable | A useful gap assessment | A weak gap assessment | The gate it should clear
Scope | Maps your CUI, security protection, contractor risk-managed, and specialized assets | "Your whole company is in scope," no analysis | Boundary stable enough to assess
SSP | Identifies missing or stale sections by name | Just says "SSP incomplete" | SSP complete before any C3PAO
Controls | Findings mapped to specific 800-171 Rev. 2 requirements | A generic maturity rating | Each gap tied to a requirement
Evidence | Reviews actual artifacts an assessor would request | No artifact-level review | Evidence exists, not promised
POA&M | A prioritized, dated remediation plan | An unranked list of problems | Open items few and closeable
Next step | Gap → remediation → mock → assessment | "Call us for more" | A clear path forward

NIST SP 800-171A — the assessment-methodology companion to 800-171 — defines the Examine, Interview, and Test procedures that a serious gap assessment borrows from. The difference is standing: a gap assessment can use those methods informally; only a C3PAO assessment applies them officially. See our what to do after a CMMC gap assessment guide for next steps.

What does a C3PAO assessment actually include?

Answer capsule: A C3PAO assessment is the formal Level 2 certification process. It follows the CMMC Assessment Process, evaluates all 110 NIST SP 800-171 Revision 2 requirements and their 320 assessment objectives using Examine, Interview, and Test methods, and is conducted by a team that includes a Lead CCA and a separate quality-assurance assessor. Results are uploaded to CMMC eMASS, and a successful assessment yields Conditional or Final Level 2 (C3PAO) status. It is not a consulting engagement — the C3PAO will not remediate your environment.

The formal assessment runs in phases under the CAP. In practice it looks like this:

  1. Plan and validate scope. The C3PAO confirms your assessment boundary, assets, and systems handling FCI or CUI. They also confirm there’s no conflict of interest before anything else happens.
  2. Assess conformity. The team examines documentation and configurations, interviews your people, and tests controls against the 320 objectives. This is where thin evidence gets exposed.
  3. Report results. Findings are scored and uploaded into CMMC eMASS (the DoD’s assessment system of record), with your status reflected in SPRS.
  4. Issue status and handle POA&M closeout. If you qualify, you get Conditional or Final Level 2 (C3PAO) status; Conditional triggers the 180-day closeout clock.

Team composition is a quality control, not a formality. The CAP and 32 CFR § 170.11 call for at least a Lead CCA (Certified CMMC Assessor) plus an additional CCA, and a separate non-participating CCA acting as a quality-assurance reviewer. When you vet a C3PAO, ask who’s on your team and confirm their credentials are active in the Cyber AB Marketplace.

One thing the C3PAO will not do: tell you how to fix what they find. That’s the independence rule in action. If you discover a gap mid-assessment, you can’t have your assessor remediate it. You found out too late, and you’ll pay for it in time and a reassessment.

How much does each cost — and when does the spend actually hit?

Answer capsule: A gap assessment commonly runs a few thousand to about $20,000 in provider-published ranges. For the formal assessment, the DoD’s cost analysis estimates roughly $101,752 for a small entity’s Level 2 (C3PAO) assessment plus initial affirmation, with the C3PAO engagement itself modeled at about $31,234 (~$52,056 for larger entities) and roughly $104,670 over a three-year cycle. Critically, those figures assume the requirements are already implemented; they exclude remediation.

Gap assessment

$3,500–$20,000+

Provider-published ranges

Scales with company size and depth of review. Your early, cheap flashlight — the diagnostic that protects the expensive exam.

C3PAO assessment (small entity)

~$101,752

DoD estimate: assessment + initial affirmation

C3PAO engagement line: ~$31,234. Three-year cycle estimate: ~$104,670. Market quotes: ~$30K–$150K for the assessor fee alone.

C3PAO assessment (larger entity)

~$52,056

DoD estimate: C3PAO engagement only

The assessor-fee line for other-than-small entities. The broader cycle cost scales further with scope and team size.

The trap inside the DoD’s estimate: the DoD’s $101,752 figure assumes you’ve already implemented the 110 requirements. It excludes remediation, tooling, CUI enclave, and documentation work — which for most contractors is the largest line item by far. Industry cost analyses commonly put the assessor fee at only 20–30% of what reaching Level 2 actually costs. In a survey by enclave provider PreVeil of more than 2,000 contractors, roughly 70% had budgeted less. See the full CMMC certification cost breakdown.

There’s also a scarcity reality worth knowing. In the same rule, the DoD projected a steep ramp in assessment demand: roughly 135 C3PAO-led assessments in year one, 673 in year two, 2,252 in year three, and 4,452 in year four. A limited pool of authorized assessors against a rising wall of demand means scheduling can take months — and waiting until Phase 2 (November 10, 2026), when Level 2 (C3PAO) becomes broadly required, puts you in line behind everyone who waited too. See our CMMC deadlines 2026 and how long certification takes guides.


Do you even need a C3PAO assessment?

Answer capsule: Not every contractor needs a C3PAO assessment. Level 1 (FCI only) is always an annual self-assessment. Level 2 splits into Level 2 (Self) and Level 2 (C3PAO), set by the contract. Level 3 is assessed by the government’s DIBCAC, not a C3PAO. Your solicitation provision (DFARS 252.204-7025) and contract clause (DFARS 252.204-7021) tell you which path applies.

  • Level 1 — FCI only, 15 basic safeguarding requirements from FAR 52.204-21. Annual self-assessment with affirmation. No C3PAO required, ever.
  • Level 2 — CUI, 110 requirements from NIST SP 800-171 Revision 2. Two flavors: Level 2 (Self) for non-prioritized work, and Level 2 (C3PAO) for prioritized acquisitions. The contract decides which.
  • Level 3 — Adds selected enhanced requirements from NIST SP 800-172 on top of Level 2. Assessed by DIBCAC — the government, not a C3PAO. See CMMC levels.

The DFARS clauses that make it real

The DFARS final rule took effect November 10, 2025. Two clauses matter by name:

DFARS 252.204-7021 (the contract clause)

Imposes the obligations: maintain current CMMC status, flow requirements down to subcontractors, submit CMMC unique identifiers, file annual affirmations, and close out POA&Ms.

DFARS 252.204-7025 (the solicitation provision)

When it's in a solicitation with a required CMMC level, a contractor is not eligible for award unless the required CMMC status and a current affirmation are reflected in SPRS for every system handling FCI or CUI. Conditional status is enough to win the award; Final must still follow.

The phased rollout — and why Phase 2 is the planning date

Phase | Begins | What it adds (32 CFR § 170.3(e))
Phase 1 | Nov 10, 2025 | Level 1 and Level 2 self-assessments appear; DoD may include Level 2 (C3PAO) at discretion.
Phase 2 | Nov 10, 2026 | Level 2 (C3PAO) as a condition of award for applicable contracts. This is the date most CUI contractors plan backward from.
Phase 3 | Nov 10, 2027 | Broader C3PAO requirements; Level 3 (DIBCAC) introduced as condition of award.
Phase 4 | Nov 10, 2028 | Full implementation: CMMC in all applicable solicitations and contracts, including option periods.

So: read your clause. If it names Level 2 (C3PAO), the gap-then-certify path is yours. If it names Level 2 (Self), a self-assessment satisfies it — and a gap assessment still helps you get the score right. If the clause is unclear or you’re working from a prime’s flow-down, see CMMC flow-down requirements and get the required level and assessment type in writing before you commit budget to anything.


How do DFARS 252.204-7012, -7019, -7020, -7021, and -7025 fit together?

Answer capsule: CMMC’s contract clauses do not erase your earlier cybersecurity obligations; they sit on top of them. DFARS 252.204-7012 still requires safeguarding covered defense information and reporting cyber incidents within 72 hours. DFARS 252.204-7021 is the CMMC contract clause and 252.204-7025 is the CMMC solicitation provision. The older NIST SP 800-171 DoD Assessment clauses, 252.204-7019 and 252.204-7020, are being reorganized into the CMMC framework.

DFARS 252.204-7012
Safeguarding and cyber-incident reporting. Requires contractors handling covered defense information to implement NIST SP 800-171 and report cyber incidents within 72 hours. CMMC does not replace it.

DFARS 252.204-7019 / 252.204-7020
The NIST SP 800-171 DoD Assessment clauses introduced in 2020, requiring contractors to post a NIST SP 800-171 DoD Assessment score to SPRS. As of early 2026, these requirements are being reorganized and absorbed into the CMMC framework, though legacy clause numbers may still appear in active contracts.

DFARS 252.204-7021
The CMMC contract clause: maintain your current CMMC status, flow requirements down to subcontractors handling FCI or CUI, submit CMMC unique identifiers, file annual affirmations, and close out POA&Ms.

DFARS 252.204-7025
The CMMC solicitation provision: when it's in a solicitation with a required CMMC level, your current CMMC status and affirmation must be in SPRS before you can be awarded.

The practical takeaway: CMMC unifies how the DoD verifies your cybersecurity, but it doesn’t let you off the hook for the safeguarding and incident-reporting duties you already had under 7012. Don’t assume a CMMC certificate erases your SPRS history or your 7012 obligations.

What if you can’t meet every requirement at the C3PAO assessment?

Answer capsule: You may still earn a Conditional Level 2 status — within limits. Scoring runs subtractively from 110, with requirements weighted 1, 3, or 5 points; you need at least 88 (80%) for Conditional. Under 32 CFR § 170.21, only 1-point requirements are eligible for a POA&M, with one narrow CUI-encryption exception, and six specific 1-point requirements are excluded entirely. You then have 180 days to close POA&M items and reach Final status.

Scoring works like a deduction. You start at 110 and lose points for each unmet requirement, weighted by severity (1, 3, or 5 points), with a floor of −203. To qualify for Conditional Level 2 status, your score divided by the total Level 2 requirements must be at least 0.8 — that’s 88 out of 110.

Fine print in 32 CFR § 170.21 that trips people up:

  • Only 1-point requirements can go on a POA&M. Each one you defer costs you a point, eating into that 22-point margin.
  • One narrow exception: CUI encryption (SC.L2-3.13.11) is normally a 5-point requirement, but if encryption is in use and simply not yet FIPS-validated, it can sit on a POA&M at a 3-point cost.
  • Six specific 1-point requirements are excluded from POA&M eligibility entirely — they must be met at assessment time.
  • Your System Security Plan (CA.L2-3.12.4) must exist and be current at the time of assessment. Without it, the assessment can’t be completed — the rule treats a missing SSP as noncompliance with DFARS 252.204-7012.

If you land a Conditional status, you have 180 days to close every open POA&M item and pass a closeout assessment to convert to Final. Miss the window and the Conditional status expires, taking your eligibility for Level 2 (C3PAO) awards with it. This is the whole argument for the readiness step in one paragraph: the gap assessment is where you find the excluded requirements and the un-deferrable gaps before they cost you the exam.
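To make the scoring and POA&M rules above concrete, here is a small Python model of the logic in 32 CFR § 170.21 and § 170.24: subtractive scoring from 110, the 3-point CUI-encryption exception, the six excluded requirements, the SSP precondition, and the 88-point Conditional gate. It is an added example written for this article, not DoD, Cyber AB, or CMMC eMASS code. The requirement weights it carries are a constructed subset used for illustration only (the authoritative per-requirement values are the table in § 170.24 and the DoD Assessment Methodology), and any requirement not present in a findings set is treated as met.

```python
"""Model of CMMC Level 2 scoring and POA&M eligibility (32 CFR 170.21 / 170.24).

Added illustration for this article, not DoD or Cyber AB code. WEIGHTS is a
constructed subset; the authoritative point values live in 32 CFR 170.24.
Requirements absent from a findings list are treated as met.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

TOTAL_REQUIREMENTS = 110
CUI_ENCRYPTION = "SC.L2-3.13.11"
SSP = "CA.L2-3.12.4"

# The six requirements 32 CFR 170.21 bars from a POA&M regardless of weight.
POAM_EXCLUDED = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})

# Constructed subset of point values, for this example only.
WEIGHTS = {
    "AC.L2-3.1.1": 5, "AC.L2-3.1.20": 1, "AC.L2-3.1.22": 1,
    "IA.L2-3.5.3": 5, "PE.L2-3.10.3": 1,
    "SC.L2-3.13.11": 5, "SC.L2-3.13.16": 1, "SI.L2-3.14.1": 5,
}


class Status(Enum):
    NO_SCORE = "no score: SSP missing, assessment cannot be completed"
    NOT_ISSUED = "no Level 2 (C3PAO) status issued"
    CONDITIONAL = "Conditional Level 2 (C3PAO)"
    FINAL = "Final Level 2 (C3PAO)"


@dataclass(frozen=True)
class Finding:
    req: str
    met: bool
    # Only meaningful for SC.L2-3.13.11: encryption in use but not FIPS-validated.
    encryption_not_fips: bool = False


def deduction(f: Finding) -> int:
    """Points lost for one finding: the requirement's weight if unmet,
    except the CUI-encryption partial case, which costs 3 rather than 5."""
    if f.met or f.req == SSP:          # SSP carries no point value
        return 0
    if f.req == CUI_ENCRYPTION and f.encryption_not_fips:
        return 3
    return WEIGHTS[f.req]


def poam_eligible(f: Finding) -> bool:
    """May this unmet requirement sit on a POA&M at the Conditional stage?"""
    if f.req in POAM_EXCLUDED:
        return False
    if f.req == CUI_ENCRYPTION:
        return f.encryption_not_fips   # only the non-FIPS case is deferrable
    return WEIGHTS[f.req] == 1


def score(findings: list[Finding]) -> int:
    return TOTAL_REQUIREMENTS - sum(deduction(f) for f in findings)


def determine_status(findings: list[Finding]) -> tuple[Status, int | None]:
    # An unmet SSP means no score is produced at all.
    if any(f.req == SSP and not f.met for f in findings):
        return Status.NO_SCORE, None
    s = score(findings)
    unmet = [f for f in findings if not f.met]
    if not unmet:
        return Status.FINAL, s
    # Conditional needs score/110 >= 0.8 (integer compare, no float edge case)...
    if s * 10 < 8 * TOTAL_REQUIREMENTS:
        return Status.NOT_ISSUED, s
    # ...and every open item must be POA&M-eligible.
    if not all(poam_eligible(f) for f in unmet):
        return Status.NOT_ISSUED, s
    return Status.CONDITIONAL, s


if __name__ == "__main__":
    # Constructed findings: one deferrable 1-point gap plus non-FIPS encryption.
    sample = [
        Finding("SC.L2-3.13.16", met=False),
        Finding("SC.L2-3.13.11", met=False, encryption_not_fips=True),
        Finding("AC.L2-3.1.1", met=True),
    ]
    status, pts = determine_status(sample)
    print(f"score={pts} -> {status.value}")
```

Run it and the sample case scores 106 with Conditional status, while swapping the encryption finding to a plain unmet SC.L2-3.13.11 drops the same environment to 105 and no status at all: the score is still above 88, but a 5-point gap cannot be deferred. That asymmetry, not the raw score, is what a gap assessment exists to surface.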

How do you verify a C3PAO is actually legitimate?

Answer capsule: Verify a C3PAO’s status directly in the Cyber AB Marketplace, the official registry of authorized and accredited assessment organizations. A firm not listed as authorized or accredited has no legal authority to conduct your assessment. A 2025 DoD Inspector General audit found the DoD had not fully verified every authorization requirement for the C3PAOs it reviewed, meaning the burden of confirming an assessor’s qualifications partly falls on you.

Don’t take a logo on a website as proof. The official source of truth is the Cyber AB Marketplace, which lists every organization currently authorized or accredited to assess. If a prospective assessor isn’t on it, they cannot legally certify you — full stop.

DoD OIG Audit Finding — January 2025

In January 2025, the DoD Office of Inspector General published Report No. DODIG-2025-056. Auditors reviewed 11 C3PAOs and found documented compliance with only 10 of the 12 required prerequisites. Specifically: two C3PAOs were authorized without a signed C3PAO Agreement and Code of Professional Conduct on file; four without verifying their quality-control leads’ certification; and all of them without adequately confirming that both a certified assessor and a certified quality-control lead were on the assessment team. The IG issued nine recommendations.

The practical takeaway: before you hand a C3PAO your evidence and your fee, confirm their current standing in the Marketplace yourself, ask who’s on your assessment team, and verify those individuals’ credentials. Treat assessor selection as a procurement-risk decision, not a quote comparison. See how to find an authorized C3PAO.

How we check a C3PAO before we’d ever route you to one: confirm the organization name in the Cyber AB Marketplace on a specific date, record the listed status (authorized vs accredited), confirm the assessment role, archive the listing with the date, and check any compensation relationship separately. If we can’t verify status, we don’t route you there.

Gap assessment vs self-assessment vs C3PAO assessment — clearing up the three-way confusion

Answer capsule: A gap assessment is unofficial readiness work with no government standing. A self-assessment is an official CMMC status path — with results posted to SPRS and an annual affirmation. A C3PAO assessment is the official third-party certification for prioritized Level 2 work. If your contract requires Level 2 (C3PAO), a self-assessment alone does not satisfy it.
Aspect | Gap assessment | Self-assessment | C3PAO assessment
Official? | No | Yes (where the contract allows) | Yes
Who performs it | You / RPO / MSP / consultant | You (the contractor) | Authorized C3PAO
Applies to | Any stage, any level | Level 1, and non-prioritized Level 2 | Prioritized Level 2
Results post to | Nowhere official | SPRS | CMMC eMASS, reflected in SPRS
Affirmation | None | Annual, by the affirming official | Annual, by the affirming official
What it is | A diagnostic | An attested status | Independent verification

Traps to avoid: A gap assessment is not a self-assessment; one is informal homework, the other is an official attestation you sign and post. A self-assessment is not a substitute for a C3PAO assessment; if your contract requires Level 2 (C3PAO), self-attesting won’t make you eligible. And Level 3 is not a C3PAO matter at all; that’s DIBCAC.

If your real question is which assessment type your contract requires — Level 2 (Self) versus Level 2 (C3PAO) — see our RPO vs C3PAO guide.

What does the full sequence look like, start to finish?

Answer capsule: Scope → gap assessment → remediate → optional mock assessment → C3PAO assessment → annual affirmations → reassessment every three years. The gap assessment sits near the front; the C3PAO assessment is the milestone, not the starting line.

  1. Scope (~1–2 months). Map where FCI and CUI live. Decide enclave versus enterprise boundary.
  2. Gap assessment (days to weeks). Find the deltas against 800-171 Rev. 2. Build the roadmap and draft POA&M.
  3. Remediate (~4–10 months). Close the gaps — controls, evidence, documentation. This is the long pole.
  4. Mock / readiness assessment, optional (~1–2 months). Pressure-test your evidence and interviews before the real thing. Especially worth it if your scope changed late or your evidence has never been tested by an outside eye.
  5. C3PAO assessment (~2–4 weeks). The formal exam, when the contract requires Level 2 (C3PAO). Performed by a firm different from the one that prepared you.
  6. Maintain. Annual affirmations by the affirming official; reassessment every three years.

Notice where the money and time actually go: remediation, not the assessment. And notice where the readiness work and the formal assessment sit — adjacent, but performed by different firms. See how long CMMC certification takes for full timelines by level.

What should you ask before buying a gap assessment or hiring a C3PAO?

Answer capsule: Before buying a gap assessment, confirm it maps to NIST SP 800-171 Revision 2, reviews your SSP and evidence at the artifact level, and ends in a prioritized remediation roadmap. Before hiring a C3PAO, verify their authorized or accredited status in the Cyber AB Marketplace, confirm there’s no conflict of interest from prior consulting, and get the scope, team, fees, and POA&M-closeout terms in writing.

Before you buy a gap assessment, ask:

  • Are you mapping to NIST SP 800-171 Revision 2, specifically?
  • Will you review my SSP and POA&M, and identify evidence gaps by requirement?
  • Will you help remediate, or only identify gaps?
  • What’s your role — RPO, MSP/MSSP, vCISO, software vendor?
  • Could that role create a conflict if I later need a C3PAO?
  • What’s included, and what’s explicitly excluded?

Before you hire a C3PAO, ask:

  • Are you currently authorized or accredited in the Cyber AB Marketplace? (Then verify it yourself.)
  • Who’s my Lead CCA, and who performs the independent quality-assurance review?
  • How do you screen for conflicts of interest before the assessment starts?
  • What happens if we’re not ready at pre-assessment — do we reschedule, and at what cost?
  • What’s in the fee, and what’s billed separately (travel, reassessment, POA&M closeout)?
  • How do you handle a finding we dispute?

Not sure you’re ready to buy either yet?

Run the readiness checklist first — it’s free, and it tells you whether you even need paid help before you spend.


How we verified this guide

We’re a publication, not a vendor, so the standard here is the source, not the sales angle. For this page we read and cross-checked:

| Source | What we checked | Status |
|---|---|---|
| 32 CFR Part 170 (eCFR / Federal Register) | § 170.9 (C3PAO independence/ISO 17020), § 170.17 (Level 2 assessment), § 170.21 (POA&Ms), § 170.24 (scoring), § 170.3(e) (phase rollout) | Verified — primary |
| DFARS final rule (Federal Register / Acquisition.gov) | Effective date Nov 10, 2025; clauses 252.204-7012, -7019, -7020, -7021, -7025 | Verified — primary |
| NIST SP 800-171 Revision 2 and NIST SP 800-171A (NIST CSRC) | 110 requirements, 320 assessment objectives, Examine/Interview/Test methods | Verified — primary |
| Cyber AB CMMC Assessment Process and R2002 (cyberab.org) | Independence requirements, ISO/IEC 17020 types A/B/C, 27-month accreditation timeline, team composition, ecosystem roles | Verified — primary |
| DoD Regulatory Impact Analysis (Federal Register) | Assessment/affirmation cost estimates, assessment-volume projections | Verified — authoritative estimate, not a quote |
| DoD OIG Report DODIG-2025-056 (January 10, 2025) | C3PAO authorization-gap findings, 12 prerequisites, 9 recommendations | Verified — primary (federal audit) |
| Controlling NIST revision | Rev. 2 (not Rev. 3) confirmed as the current CMMC Level 2 baseline | Verified — primary |

Last verified: June 15, 2026. We confirmed the regulatory framework, the assessment process and scoring rules, the DFARS clauses and their effective date, the controlling NIST revision, the independence requirements, the DoD’s published cost and volume estimates, and the DoD IG’s authorization-audit findings. We did not verify any named provider’s Cyber AB Marketplace status, services, or pricing in this article — when we route you to providers, we check role and status as of the date shown on that page.

Frequently asked questions

Is a CMMC gap assessment the same as a C3PAO assessment?
No. A gap assessment is an informal, internal-use readiness diagnostic with no official standing. A C3PAO assessment is the official Level 2 certification assessment, conducted by a Cyber AB-authorized assessor and submitted through CMMC eMASS.
Is a CMMC gap assessment required by 32 CFR Part 170?
No. A gap assessment is not itself a required CMMC event. It's preparation work contractors use to get ready for a required self-assessment or certification assessment.
Can a gap assessment certify my company?
No. A gap assessment can identify gaps and remediation priorities, but it cannot issue CMMC certification or any official Level 2 status.
Who performs a CMMC gap assessment?
Usually you, a readiness consultant, an RPO, an RP, a CMMC-focused MSP/MSSP, or a vCISO. Despite what some pages claim, it is not 'typically performed by a C3PAO' — and a C3PAO that did significant prep for you generally couldn't then assess you.
Can my consultant, RPO, or MSP also be my C3PAO?
Generally no. A firm that consulted on, implemented, or manages your system cannot serve as the C3PAO for that same system, because 32 CFR § 170.9(b)(2) and ISO/IEC 17020 require the assessor to be independent. Keep preparation and assessment as separate engagements.
Can my C3PAO tell me how to fix the gaps they find?
Not the way a readiness consultant can. The assessor must preserve independence, so they can identify a 'Not Met' finding but won't remediate your environment.
Should I get a mock assessment before the C3PAO?
Often, yes — especially if your controls are implemented but your evidence and interviews have never been tested by an outside reviewer.
Does every Level 2 contractor need a C3PAO?
No. Level 2 can be Level 2 (Self) or Level 2 (C3PAO), depending on the solicitation or contract. If the contract requires Level 2 (C3PAO), a self-assessment alone does not make you eligible.
Where do the results go?
A gap assessment goes nowhere official. A self-assessment posts to SPRS. A C3PAO assessment routes through CMMC eMASS, with your status reflected in SPRS.
How much does a C3PAO assessment cost?
The DoD's cost analysis models the C3PAO engagement at roughly $31,234 for a small entity and $52,056 for a larger entity, inside a broader Level 2 (C3PAO) assessment-plus-affirmation estimate of about $101,752 for a small entity. Market quotes vary widely, and none of these figures include remediation.
What happens if we don't meet every requirement?
You may still earn Conditional Level 2 status with a score of at least 88 out of 110, but only 1-point requirements can sit on a POA&M (with one narrow encryption exception), six 1-point requirements are excluded, and your SSP must be complete at assessment time. You then have 180 days to close POA&M items and reach Final status — or the Conditional status expires.
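The Conditional-versus-Final eligibility rule in this answer, worked as an added example that is not from the page, the DoD, or any assessor tool. The 1/3/5 point weights follow the DoD scoring methodology; the requirement IDs, the "barred from POA&M" flag for the six excluded 1-point requirements, and the encryption-exception flag are constructed placeholders that an assessor would set from the actual rule text.

```python
from dataclasses import dataclass, field

TOTAL_POINTS = 110      # page: score is out of 110
CONDITIONAL_MIN = 88    # page: at least 88 of 110 for Conditional Level 2
POAM_WINDOW_DAYS = 180  # page: 180 days to close POA&M items and reach Final

@dataclass
class NotMet:
    """One 'Not Met' requirement. req_id values are constructed placeholders."""
    req_id: str
    weight: int                         # 1, 3 or 5 under the DoD scoring methodology
    poam_barred: bool = False           # one of the six 1-point requirements that may not sit on a POA&M
    encryption_exception: bool = False  # the page's narrow encryption exception, decided by the assessor

@dataclass
class Outcome:
    status: str                                  # "Final", "Conditional" or "Not eligible"
    score: int
    poam: list = field(default_factory=list)     # requirements deferred to the POA&M
    reasons: list = field(default_factory=list)  # why Conditional status is unavailable

def level2_outcome(not_met, ssp_complete=True):
    """Apply the page's rule; every requirement not listed in not_met is assumed Met."""
    score = TOTAL_POINTS - sum(f.weight for f in not_met)
    reasons = []
    if not ssp_complete:
        reasons.append("SSP must be complete at assessment time")
    if not not_met and not reasons:
        return Outcome("Final", score)
    if score < CONDITIONAL_MIN:
        reasons.append(f"score {score} is below {CONDITIONAL_MIN}")
    for f in not_met:
        if f.poam_barred:
            reasons.append(f"{f.req_id} is one of the six 1-point requirements barred from a POA&M")
        elif f.weight > 1 and not f.encryption_exception:
            reasons.append(f"{f.req_id} is a {f.weight}-point requirement and cannot be deferred")
    if reasons:
        return Outcome("Not eligible", score, reasons=reasons)
    return Outcome("Conditional", score, poam=[f.req_id for f in not_met])

if __name__ == "__main__":
    # Constructed scenario: two 1-point misses, SSP complete -> Conditional, 108/110
    result = level2_outcome([NotMet("REQ-A", 1), NotMet("REQ-B", 1)])
    print(result.status, result.score, result.poam, f"close the POA&M within {POAM_WINDOW_DAYS} days")
```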
Can I prepare against NIST SP 800-171 Revision 3 for CMMC Level 2?
CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 unless the DoD amends the rule. Build to Revision 2 today.
Does CMMC replace DFARS 252.204-7012?
No. DFARS 252.204-7012 — safeguarding covered defense information and reporting cyber incidents within 72 hours — remains in force. CMMC's clauses sit on top of your existing obligations; they don't cancel them.
What if my prime says I need CMMC but the clause is unclear?
Ask for the required CMMC level and assessment type in writing before buying any assessment. The clause, not a verbal heads-up, defines your obligation.
What about Level 3?
Level 3 builds on a Final Level 2 (C3PAO) foundation and adds selected NIST SP 800-172 requirements. It's assessed by the government's DIBCAC, not by a C3PAO.

Your next step

A gap assessment gets you ready. A C3PAO assessment certifies you. The two are separate, sequential, and — because of the independence rule — usually performed by different firms. If you’re still not sure which provider type fits your blocker — scope, IT operations, CUI sprawl, evidence, or formal status — that’s exactly what we help with, without the sales pressure.



Last verified: June 15, 2026. Next scheduled review: September 2026, or sooner if DoD, NIST, the Cyber AB, or DFARS guidance changes. See our Corrections Policy.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.