CMMC Self-Assessment Audit: What It Is, How It’s Scored, and What It Really Risks (2026)
If a prime contractor or a new solicitation just told you to complete a CMMC self-assessment audit, start here: that phrase quietly blends two things the rule keeps carefully apart. A self-assessment is one you run and sign yourself. An audit— in plain terms — is an assessment someone else runs on you. As of July 13, 2026, the self-assessment is what the Department is leaning on while it reviews the program: it paused the third-party certification step, but your safeguarding obligations under DFARS 252.204-7012 didn’t move. And doing the self-assessment badly is the part that gets expensive.
The bottom line, before you scroll
A “CMMC self-assessment audit” is not an official status name. The rule (32 CFR Part 170) recognizes a Level 1 self-assessment (for Federal Contract Information, or FCI), a Level 2 self-assessment (for Controlled Unclassified Information, or CUI), and separate third-party or government assessments. Level 1 is annual and pass/fail across 15 safeguarding requirements. Level 2 evaluates 110 NIST SP 800-171 Revision 2 requirements, scored from −203 to 110, every three years with an annual affirmation. Phase 1 began November 10, 2025; on July 13, 2026, the Department paused the November 2026 transition to third-party certification, but Phase 1 self-assessments remain in force and DFARS 252.204-7012 is unchanged.
This guide is for you if:
| This guide is for you if… | Read a different page if… |
|---|---|
| FOR YOU Your requirement says Level 1 (Self) or Level 2 (Self) | You’re still deciding between self-assessment and a C3PAO |
| FOR YOU You need to gather evidence that holds up | You want a control-by-control remediation manual |
| FOR YOU You need to calculate or sanity-check your score | You want ongoing Phase 2 policy news |
| FOR YOU You need to submit to SPRS and get the affirmation right | You want a named-provider profile |
| FOR YOU You’re unsure whether an old SPRS score already covers you | You need contract-specific legal interpretation |
Here’s the whole self-assessment at a glance. Everything after this table is detail.
| Level 1 (Self) | Level 2 (Self) | |
|---|---|---|
| Protects | FCI | CUI |
| Requirements | 15 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev. 2) |
| Assessment cadence | Annual | Every 3 years |
| Affirmation | Annual | Annual |
| Score | Pass/fail (all MET) | −203 to 110 |
| POA&M allowed | No | Limited |
| Submitted in SPRS | Required | Required |
Here’s the open loop we’ll close by the end. One defense contractor self-reported a perfect security score of 110. A later government assessment put the same work at negative 170 — and the company paid $507,144to settle. The reporting on the case describes it as triggered by a government assessment, not a whistleblower. We’ll show you exactly how a gap like that opens up, and how to make sure yours can withstand the same scrutiny.
What does “CMMC self-assessment audit” actually mean?
The CMMC rule does not use “audit” as a formal assessment category. It distinguishes Level 1 and Level 2 self-assessments performed by your own organization, Level 2 certification assessments performed by a Certified Third-Party Assessment Organization (C3PAO), and Level 3 certification assessments performed by the government’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The word “self” changes who runs the assessment. It does not change the standard, the evidence, or the scoring.
People call it an “audit” for an understandable reason: even a self-assessment behaves like an internal audit. You define scope, evaluate every applicable requirement and objective, examine evidence, interview the people responsible, test technical controls where appropriate, record findings, preserve proof, submit the result, and have a senior official attest to it. The rule uses distinct names for each path in 32 CFR 170.4 — “self-assessment” and “certification assessment,” not “audit.” Here’s how the informal words map to the official ones.
| What people say | What it usually means officially |
|---|---|
| “CMMC self-audit” | Level 1 or Level 2 self-assessment |
| “CMMC audit” | Could be a Self, C3PAO, or DIBCAC assessment |
| “SPRS self-assessment” | Could be a current CMMC Self status or a legacy NIST SP 800-171 DoD Basic Assessment |
| “CMMC certified” | Should not be used for a Level 1 or Level 2 Self result |
| “CMMC attestation” | Usually means the required affirmation |
Do you still have to do this after the July 2026 Phase 2 suspension?
Yes, where the operative requirement calls for Level 1 (Self) or Level 2 (Self). On July 13, 2026, the Department of War suspended the November 2026 transition to CMMC Phase 2 — including the planned expansion of third-party (C3PAO) certification for Level 2 contracts — along with the later Phase 3 and Phase 4 milestones. But it explicitly kept Phase 1 self-assessments in place. During the pause, the Department said it will enforce cybersecurity through NIST SP 800-171 Revision 2 self-assessments and select government-led assessments, and that safeguarding obligations under DFARS 252.204-7012 remain in force.
What the suspension paused
- The planned Phase 2 expansion of Level 2 (C3PAO) certification requirements in applicable solicitations and contracts (which would have started November 10, 2026)
- The Phase 3 Level 3 DIBCAC milestone (planned November 2027) and Phase 4 full implementation
- All pending and future CMMC implementation milestones, held until further notice
What the suspension did NOT touch
- Level 1 self-assessments and Level 2 self-assessments — still required where a contract calls for them
- Annual affirmations in SPRS
- Safeguarding obligations under DFARS 252.204-7012
- The government’s right to conduct its own assessments
- False Claims Act exposure for inaccurate representations (this part actually got bigger)
The Department also stood up a 60-day CMMC Reform Task Forceand published a Request for Information (RFI), directing the task force to report to the Department’s Chief Information Officer within 60 days. Comments on the RFI are due August 14, 2026, at noon Eastern, which puts the report at roughly mid-September. Two signals in that RFI are worth watching: the Department asked whether it should require compliance with fewer than all 110 NIST controls, and whether it could recognize commercial security tools and managed services in lieu of separate assessments. Officials also told reporters they had not ruled out canceling the CMMC program entirely at the end of the review.
So treat the future as genuinely open, and treat the present as settled: where your contract calls for a Self status, you still self-assess today.
We’re tracking the Reform Task Force, the RFI docket, and any successor rulemaking on our Phase 2 suspension page. Bookmark that for the moving parts. This page stays focused on the thing that isn’t moving: how to do the self-assessment correctly.
Which CMMC self-assessment applies to you — Level 1 or Level 2?
Your contract requirement sets the required status; the information you handle sets what you protect and scope. When the operative requirement says Level 1 (Self), assess the in-scope FCI systems against 15 safeguarding requirements, annually, pass/fail. When it says Level 2 (Self), assess the CUI environment against all 110 NIST SP 800-171 Rev. 2 requirements, scored −203 to 110 — unless your contract specifically requires a C3PAO.
Choose Level 1 (Self)
When the operative requirement says Level 1 (Self). That means FCI in scope, the 15 basic safeguarding requirements from FAR clause 52.204-21, an annual self-assessment, no Plans of Action and Milestones (POA&Ms) permitted, every requirement Met, and an annual affirmation. Details in 32 CFR 170.15. (Some older guides say “17 practices” for Level 1 — that’s leftover language from the retired CMMC 1.0 model. The Final Rule maps Level 1 to the 15 requirements in 48 CFR 52.204-21(b)(1).)
Choose Level 2 (Self)
When the operative requirement says Level 2 (Self). That means CUI in scope, all 110 NIST SP 800-171 Revision 2 requirements across 14 control families, an assessment every three years, a Conditional-versus-Final status distinction, restricted POA&M rules, and an annual affirmation. Details in 32 CFR 170.16. See our CMMC levels explainer if you need the full breakdown.
Do not choose based on a generic checklist or an online quiz.
The contract clause sets your required status. If a prime tells you only to “get CMMC compliant,” push back for specifics before you spend a dollar: (1) ask for the exact required CMMC status, (2) ask which systems and CAGE codes they expect to support the work, (3) ask whether the requirement lives in an incorporated contract clause or just a supplier questionnaire, (4) ask for the applicable compliance date, and (5) save the answer in writing.
The right CMMC provider isn\u2019t the same for every contractor \u2014 the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. Because a general answer can\u2019t resolve those for you, use The Defense Compliance Report\u2019s Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
Map my CMMC self-assessment pathWhich DFARS clause controls each part of a CMMC self-assessment audit?
Four Defense Federal Acquisition Regulation Supplement (DFARS) clauses do the work, and they are not interchangeable. In short: 252.204-7012 is the safeguarding obligation, 252.204-7019 is the pre-award notice, 252.204-7020 is the assessment mechanics and the government’s assessment rights, and 252.204-7021 is the CMMC status requirement itself. Knowing which clause is in your contract tells you which record you owe.
| Clause | What it does | Why it matters to you |
|---|---|---|
| DFARS 252.204-7012 | Safeguarding covered defense information, cloud requirements, and 72-hour cyber-incident reporting | In effect since 2017; the Department confirmed it survives the Phase 2 pause. This is your baseline duty regardless of CMMC’s status. |
| DFARS 252.204-7019 | Pre-award notice: you must have a current NIST SP 800-171 DoD Assessment on record in SPRS | This is the older self-report path — the “Basic Assessment” many contractors already posted. |
| DFARS 252.204-7020 | NIST SP 800-171 DoD Assessment mechanics, SPRS access, government assessment rights, and flow-down | This is the clause that lets the government (DIBCAC) come assess you and post its own score. |
| DFARS 252.204-7021 | CMMC status, the CMMC unique identifier (UID), the annual affirmation, and flow-down | This is the clause that carries CMMC — as opposed to the legacy Basic Assessment — into your contract. |
If your solicitation cites 7021 with a Level 1 (Self) or Level 2 (Self) requirement, you owe a CMMC self-assessment record. If it only cites 7019/7020, you may be in the older NIST SP 800-171 DoD Assessment world. That difference is the whole next section.
Is your old SPRS score the same as a CMMC self-assessment?
Not automatically — and assuming it is can leave you ineligible without knowing it. A legacy NIST SP 800-171 DoD Basic Assessment (submitted under DFARS 252.204-7019 and −7020) and a current CMMC Level 2 (Self) status can evaluate the same 110 Revision 2 requirements, but they are different records, created under different authorities, carrying different status labels and fields. A Basic Assessment score sitting in SPRS from 2021 is not, by itself, a current CMMC Level 2 (Self) status.
This is the quiet trap that catches good companies. Many contractors have posted a NIST SP 800-171 score in the Supplier Performance Risk System (SPRS) since 2020 under DFARS 252.204-7020. That score ranges from −203 to 110 and is characterized as a “Basic” (Low-confidence) self-report. It is real, and it may still be contractually relevant. But when a solicitation requires a CMMCLevel 2 (Self) status, the government is looking for a specific CMMC record — level, status, scope, associated CAGE codes, CMMC status date, score, POA&M status, and affirmation — not the older Basic score.
The CMMC Self-Assessment Decision Matrix
| Official path or record | Status as of July 16, 2026 | Who performs it | Result / record | Cadence | POA&M | What it does not prove |
|---|---|---|---|---|---|---|
| CMMC Level 1 (Self) | In force Phase 1 | Your organization (OSA) | Final Level 1 (Self) in SPRS | Annual assessment + affirmation | Not permitted | Doesn’t cover CUI; isn’t Level 2; isn’t third-party certification (170.15) |
| CMMC Level 2 (Self) | In force Phase 1 | Your organization (OSA) | Conditional or Final Level 2 (Self) in SPRS | Assessment every 3 years; affirmation annually | Limited≥88, 1-pt items, 180-day closeout | Isn’t C3PAO certification; a later DIBCAC result can supersede it (170.16) |
| NIST SP 800-171 DoD Basic Assessment | Context-dependent May remain relevant in legacy or contract-specific contexts | Your organization | Numerical SPRS score (Basic/Low confidence) | Set by the applicable clause | Governed by that methodology, not CMMC Conditional rules | Isn’t automatically a current CMMC Level 2 (Self) status (DFARS 252.204-7020) |
| NIST SP 800-171 DoD Medium/High Assessment | May continue when selected; the July direction keeps “select government-led assessments” during the pause | Government (incl. DCMA DIBCAC) | Government-assessed score + confidence level | Government- and contract-driven | Not a contractor-created CMMC POA&M | Isn’t a self-assessment; doesn’t arise just because you posted a Self score |
| CMMC Level 2 (C3PAO) | Path in rule New Phase 2 designations paused | Authorized or accredited C3PAO | Conditional or Final Level 2 (C3PAO) | 3 years + annual affirmation | Limited; C3PAO closeout within 180 days | Can’t substitute a Self result when operative contract language still requires C3PAO — get a written amendment (170.17) |
Don\u2019t build evidence for the wrong record. If you\u2019re unsure whether your contract points to a legacy Basic score or a current CMMC Self status, our matcher will help you name it. No CUI or contract uploads.
See which record and provider category fit my situationHow do you actually perform a CMMC self-assessment, step by step?
Start from the operative contract requirement, then define your scope before you evaluate anything. Assess every applicable objective, preserve the evidence and your reasoning, calculate the result, clear the POA&M gate, run an internal quality check, enter the correct record in SPRS, and get the affirmation. The overall workflow is similar at both levels, but the scope, requirement set, assessment cadence, scoring model, status rules, POA&M treatment, and SPRS fields differ.
Find the operative requirement
Capture the solicitation provision or contract clause, the exact status label, the required date, the covered systems, the CAGE codes, and whether an amendment is pending after the suspension.
Classify the record
Level 1 (Self), Level 2 (Self), a legacy Basic score, a government Medium/High assessment, or a C3PAO requirement that needs written clarification during the pause. Use the Decision Matrix above.
Define and approve scope
This is where cost and defensibility are won or lost. For Level 1, the CMMC Assessment Scope consists of the OSA information systems that process, store, or transmit FCI; when you define it, also account for the people, technology, facilities, and External Service Providers involved. For Level 2, the rule (32 CFR 170.19) requires you to classify and document your assets by category:
Level 2 asset categories for scope classification Asset category Why it’s in or out Common mistake CUI Asset Processes, stores, or transmits CUI Missing physical or operational CUI flows (printers, shop-floor drawings, scanned records) Security Protection Asset Provides security functions for the CUI environment Assuming security tools are automatically out of scope Contractor Risk Managed Asset Could handle CUI but isn’t intended to Claiming “intent” with no technical or procedural enforcement Specialized Asset Can handle CUI but can’t be fully secured (e.g., OT, test equipment) Omitting operational technology or government-furnished equipment Out-of-Scope Asset Cannot process, store, or transmit CUI; provides no security protection for CUI Assets; and is separated as required Labeling merely “unused” assets as out of scope, or assuming separation alone removes an in-scope asset Freeze the assessment baseline
Record the assessment date, the System Security Plan (SSP) name/version/date, the inventory and diagram versions, the requirement set version, the assessment guide version, the evidence repository, and the assessment team. “Freeze” means preserve the exact baseline behind your conclusion — not stop improving security.
Evaluate every applicable objective
The 110 Level 2 requirements break down into roughly 320 individual assessment objectives in NIST SP 800-171A. For each one, pick your method — Examine (documents, configurations, logs, policies), Interview (the people who run the control), or Test (demonstrate the mechanism works) — identify the evidence, and record the conclusion, the reasoning, the scope element, and the reviewer.
Assign findings
Each requirement is Met, Not Met, or Not Applicable (N/A). Do not mark a requirement Met while a single applicable objective is unsupported.
Calculate the result
Level 1: the assessment is Met only when all 15 requirements are Met. Level 2: start at 110 and subtract point values (next section). Flag any prohibited POA&M item before you treat the score as Conditional.
Remediate or apply the POA&M gate
Level 1: remediate before submission. Level 2 Final: remediate to 110. Level 2 Conditional: confirm you clear every threshold and restriction in the POA&M section below.
Run an independent internal quality review
A second person should challenge scope completeness, N/A rationales, evidence currency, draft artifacts, unsupported Met findings, the score math, POA&M eligibility, CAGE mapping, and SSP consistency.
Submit to SPRS
Prepare the full record before you open the portal — SPRS records your result; it does not perform the assessment. Use the correct Level 1 Self or Level 2 Self workflow the operative document requires. See the SPRS submission section below.
Affirm
A senior official internal to your organization must affirm. Affirmation is required at Conditional status, at Final status, after any POA&M closeout, and annually after Final status. See the affirmation section below.
Evidence Ledger download
Use the worksheet to track each objective, your evidence reference, assessment method, finding, and reviewer across all 110 requirements. No email gate.
Download CMMC Self-Assessment Evidence Ledger (.xlsx)What evidence actually counts in a CMMC self-assessment?
A requirement can be marked Met only when every applicable objective is satisfied by evidence, and the rule requires that evidence to be final — not draft. The assessment should record why the evidence supports Met, Not Met, or N/A, not just check a box. 32 CFR 170.24 states plainly that working papers, drafts, and unofficial or unapproved policies are not acceptable evidence.
The damaging admission, and why it’s actually an advantage:
The SPRS submission is the easy part. Contractors on the r/CMMC forum have described posting their Level 1 result and feeling like they must have missed something — the common refrain is that it “felt too easy.” They didn’t misread the portal. SPRS records the result — it does not performthe assessment for you. That’s precisely why the hard, defensible work is entirely within your control.
Strong evidence proves a control operates. Weak evidence describes what should happen.
| Stronger evidence | Weaker or unacceptable evidence |
|---|---|
| Approved policy with an owner and effective date | Draft policy awaiting approval |
| Current configuration export | A note that a setting “should be enabled” |
| Completed access review | A blank review template |
| Current log or report with dates and system context | A screenshot with no date or system |
| Closed change ticket tied to the implementation | An open ticket describing future work |
| A demonstration plus the retained result | A verbal assurance with nothing behind it |
| Current training completion records | A training deck with no attendance evidence |
| An approved SSP describing actual operation | A generic SSP template |
N/A is not a convenience label. When you mark something Not Applicable, record why it doesn’t apply, what scope fact supports that, who reviewed it, and whether that fact could change. During an assessment, an objective assessed N/A counts the same as Met — which is precisely why an unsupported N/A is a scoring problem waiting to surface.
How is a CMMC self-assessment scored?
Level 1 is all-or-nothing: every one of the 15 requirements must be Met, and there’s no numeric score. Level 2 starts at 110 and subtracts 1, 3, or 5 points for each Not Met requirement, based on security impact, with a floor of −203. A 110 earns Final Level 2 (Self); a score of at least 88 with a compliant POA&M earns Conditional. The methodology is set in 32 CFR 170.24, carried over from the long-standing DoD Assessment Methodology for NIST SP 800-171.
Level 1 scoringis binary. All 15 requirements Met (or N/A) means Final Level 1 (Self). One Not Met requirement means you don’t have it — and because no POA&M is allowed at Level 1, you fix it before you submit.
Level 2 scoring works like a countdown from a perfect score:
| Outcome | What it means |
|---|---|
| 110 | Final Level 2 (Self) at the initial assessment |
| 88–109, all POA&M conditions met | Conditional Level 2 (Self) |
| Below 88 | No Conditional or Final status (“No Status”) |
| Any of the six prohibited requirements Not Met | No Conditional status — those requirements cannot be placed on the POA&M, so a Not Met finding on any of them blocks Conditional regardless of the math |
| Conditional items closed within 180 days | Final Level 2 (Self) after closeout |
| Closeout missed | Conditional status expires |
Two things surprise people.
First, negative scores are common on a first honest assessment.The 5-point requirements are the critical ones — and missing several of them drags you below zero fast. Multi-factor authentication (MFA) (IA.L2-3.5.3) deducts five points when it isn’t implemented, or three points in the specific partial-implementation case where it covers remote and privileged users but not non-privileged network access; CUI encryption (SC.L2-3.13.11) deducts five points when encryption isn’t used, or three when it’s used but not FIPS-validated. Those are the only two requirements the rule lets you partially credit.
Second — outside those two exceptions — there is no partial credit.A requirement that’s 90 percent implemented deducts its full point value, exactly like one you never started. So don’t model your score as if every objective earns fractions; it doesn’t.
Estimate your score before the government does.
Level 2 Score Estimator
All 110 requirements Met — Final status on initial assessment.
Can you use a POA&M and still pass a CMMC self-assessment?
Level 1 never permits a POA&M. Level 2 allows Conditional status only when your score is at least 80% of 110 (that’s 88), the open items carry a point value of 1 (with one encryption exception), none of six specific requirements is on the POA&M, and you close everything within 180 days. These conditions are set in 32 CFR 170.21, which we read in full on July 16, 2026.
- The 80% threshold.Your assessment score divided by 110 must be ≥ 0.8 — a score of 88 or higher.
- The point-value rule.Generally, only 1-point requirements may sit on a CMMC POA&M. The single exception: SC.L2-3.13.11 (CUI Encryption)may be on a POA&M if you employ encryption but it isn’t FIPS-validated — which the rule treats as a 3-point item in that case.
The six requirements that can neverbe on a POA&M:
| Requirement | Short name |
|---|---|
| AC.L2-3.1.20 | External Connections (CUI Data) |
| AC.L2-3.1.22 | Control Public Information (CUI Data) |
| CA.L2-3.12.4 | System Security PlanSSP \u2014 see note |
| PE.L2-3.10.3 | Escort Visitors (CUI Data) |
| PE.L2-3.10.4 | Physical Access Logs (CUI Data) |
| PE.L2-3.10.5 | Manage Physical Access (CUI Data) |
CA.L2-3.12.4 (System Security Plan) — cannot be deferred.
The rule goes further: without a current SSP at the time of assessment, the finding is that the assessment couldn’t be completed and that you’re noncompliant with DFARS 252.204-7012. A generic, draft, or materially inaccurate SSP is not harmless paperwork you’ll finish later — it can stop the assessment cold.
The 180-day closeout clockstarts on your Conditional CMMC Status Date. For a Level 2 self-assessment, you (the OSA) perform the closeout self-assessment the same way you did the initial one, reassess only the Not Met items from the original POA&M, and post the results to SPRS. Miss the window, and the Conditional status expires — with standard contractual remedies attached. Our deeper walkthrough is on the Conditional Level 2 POA&M closeout page.
How do you submit the self-assessment in SPRS, and who signs it?
You enter the applicable Self assessment through SPRS using the required Procurement Integrated Enterprise Environment (PIEE) role, complete the record, and route it for affirmation by a senior official. SPRS calculates your score and status from your entries — the user doesn’t simply choose “Conditional” or “Final” — and only a Conditional score of 88–109 or a Final 110 can be affirmed. The Affirming Official must be a senior representative from within your organization, responsible for CMMC compliance and authorized to affirm it, per 32 CFR 170.22.
Confirm access beforeyour deadline. You’ll need a PIEE account, the SPRS Cyber Vendor User role, the correct CAGE hierarchy, and a path for the Affirming Official to review and affirm — and role approvals take time.
| SPRS field | Internal source document | Owner | QA check | Common error |
|---|---|---|---|---|
| Assessment record/workflow | Contract-status determination memo | Contracts/compliance | Use the correct Level 1 Self or Level 2 Self workflow the operative document requires | Entering the result as a legacy Basic Assessment |
| Scope | Approved scope memo | Security lead | Matches SSP and diagram | A vague “enterprise” label |
| Employee Count | Current HR/finance headcount source | HR/finance | Uses the current SPRS field definition and date | Guessing or using a stale count |
| CAGE codes | CAGE-to-system map | Contracts | Full hierarchy included | Omitting a covered CAGE |
| Score | Approved scoring workbook | Assessment lead | Independent recalculation before entry | Counting objectives as separate points |
| POA&M status | Approved POA&M | Security lead | Eligibility verified | Including a prohibited control |
| Affirming Official | Authority memo | Leadership | Senior internal representative | Using an outside consultant as the AO |
| Status date | Assessment record | Assessment lead | Consistent across artifacts | Using the portal-entry date without checking |
Who qualifies as the Affirming Official?
Someone internal to your organization, senior, responsible for compliance, authorized to make the affirmation, and able to understand the scope and evidence behind the statement. A consultant can help you prepare — a consultant cannot be your Affirming Official.
What is the Affirming Official actually attesting?
That your organization has implemented, and will maintain, all applicable CMMC security requirements for every system in the relevant assessment scope. Affirmation is required at Conditional status, at Final status, after any POA&M closeout, and annuallyafter Final status. That annual cadence is a common miss — the Level 2 assessment runs every three years, but the affirmation is every year. See our CMMC annual affirmation page for the full treatment.
When the Affirming Official should not sign yet:
Scope is unresolved; the SSP doesn’t describe actual operation; material evidence is still draft; a prohibited requirement is Not Met; the score hasn’t been independently checked; CAGE mapping is unresolved; the record type doesn’t match the contract; or something material changed since the assessment.
We\u2019ll point you to the record and provider category that fit your level, scope, and timeline. No CUI or contract uploads.
Map my situation to the right next stepWhat does a self-assessment status prove — and what does it not prove?
A current Self status shows that your organization entered and affirmed the applicable assessment result for a defined scope in SPRS. It does not make you “CMMC certified,” does not guarantee a contract award, does not authorize every system to handle CUI, and does not prevent a later government assessment from reaching a different result. A DIBCAC assessment can supersede a Level 2 (Self) result, per 32 CFR 170.16.
Language matters — sloppy claims create real exposure:
| What people say | Accurate? | Better wording |
|---|---|---|
| “We are CMMC certified.” | No, for Self | “We hold Final Level 1 (Self)” or “Final Level 2 (Self),” if true |
| “We passed a CMMC audit.” | Potentially misleading | “We completed and affirmed a CMMC Level 2 self-assessment for the identified scope” |
| “Our whole company is CMMC compliant.” | Usually overbroad | Name the status, scope, systems, CAGE codes, and date |
| “We posted a 110, so the government can’t challenge it.” | No | DIBCAC can later assess and supersede a Self result |
| “Our old SPRS score gives us Level 2 (Self).” | No | Confirm a current CMMC Level 2 (Self) record and affirmation exist |
| “Phase 2 was paused, so 7012 disappeared.” | No | The Department says the safeguarding requirement remains |
What a wrong self-assessment actually costs
Your SPRS score and the affirmation behind it are representations submitted directly to the federal government — and the CMMC affirmation is an attestation your senior official signs. When a knowingly false record or statement is material to a false or fraudulent claim for payment, the False Claims Act (31 U.S.C. § 3729) can apply — and its “knowingly” standard covers actual knowledge, deliberate ignorance, and reckless disregard, with treble damages and civil penalties on the table. The Justice Department’s Civil Cyber-Fraud Initiative has made cybersecurity representations a standing enforcement target.
Here is the pattern, assembled from Justice Department announcements. We list these as allegedfacts resolved by settlement, with no determination of liability. Each row is drawn from the government’s own release, and a discrepancy between a self-reported score and a later assessed one can become evidence in a False Claims Act matter when the government alleges a knowing, material misrepresentation.
| Contractor | Self-reported score | Independently assessed score | Settlement | How it started |
|---|---|---|---|---|
| LOGZONE Inc. | 110 (perfect) | −170 (DIBCAC Medium Assessment) | $507,144 | Government DIBCAC assessment (not whistleblower-driven) |
| MORSE Corp | 104 | −142 | $4.6M | Whistleblower |
| Health Net / Centene | Compliance falsely certified | — | $11.25M | Whistleblower |
| Raytheon / RTX | Falsely certified across 29 contracts | — | $8.4M | Whistleblower |
| Georgia Tech Research Corp | 98 (on a “fictitious” environment) | — | $875K | Whistleblower |
| Penn State | Inflated scores across 15 contracts | — | $1.25M | Whistleblower |
The LOGZONE case — the one triggered without a whistleblower:
In October 2021 the company self-reported a perfect 110. In February 2024, DIBCAC assessed LOGZONE’s implementation of NIST SP 800-171 under the covered Navy contracts at −170. That 110-to-negative-170 gap is what the case was built on, alongside the government’s allegation that LOGZONE submitted claims for payment while noncompliant. The Phase 2 pause doesn’t lower this risk — it arguably sharpens it, because with the third-party checkpoint suspended, the self-assessment and its affirmation are the representation the government is relying on, and the safeguarding duty and government assessment authority both remain.
If you want a second set of eyes before your Affirming Official signs, a scoped gap assessment or a C3PAO mock assessment can pressure-test your score. One caution: a C3PAO mock assessment is a non-certification assessment conducted outside the CMMC Program. It produces no CMMC status, certificate, or eMASS result, and to stay within the Cyber AB’s rules the C3PAO may identify findings but generally may not provide advice, recommendations, or remediation for that same engagement. If what you actually need is help fixinggaps, that’s a readiness engagement, not a mock.
Can the government still audit your self-assessment?
Yes. Even when you’re eligible to self-assess, the government keeps the right to run its own assessment through DCMA DIBCAC, and during the current pause the Department will use “select government-led assessments.” If DIBCAC assesses you, its result takes precedence over your self-reported score in SPRS. That precedence is stated in 32 CFR 170.16; the government’s assessment authority sits in DFARS 252.204-7020.
Your self-assessment is not the last word. It’s a representation the government can test later — as LOGZONE learned. That’s not a reason to panic; it’s the reason to do the self-assessment defensibly, keep your evidence for six years, and make sure the number in SPRS is one you can stand behind if a government assessor ever recreates it.
What if your solicitation or contract still requires a C3PAO after the suspension?
Don’t silently substitute a Self status, and don’t assume the public announcement rewrote your contract. Obtain the solicitation amendment, contract modification, or written contracting-officer or prime direction contemplated by the July implementation guidance before you rely on a different path. The guidance directs contracting officers to amend affected solicitations and to remove requirements from active contracts by modification — but that paperwork has to actually issue.
Active solicitation:Ask about amendment status, the revised required status, the effect on your proposal, the updated clause, the new compliance date, and any effect on records you’ve already submitted.
Existing contract:Request written guidance from the contracting officer and the prime’s contracts team.
Subcontractor:Ask the prime whether it’s passing through an operative government requirement, imposing its own supplier-risk condition, or planning a subcontract modification — and whether a Self status satisfies the current condition.
Subject: Written confirmation of current CMMC status requirement
Our solicitation/contract currently identifies [exact status]. Following the July 13, 2026 suspension of Phase 2 requirements, please confirm whether that status remains operative for this procurement or whether an amendment or modification will replace it. Please also confirm the applicable compliance date and the systems/CAGE codes expected to support performance. We will continue to follow the current written requirement until a change is formally issued.
How much does a CMMC self-assessment audit cost?
There is no honest universal price for a CMMC self-assessment, because the total depends on your scope, your existing implementation, your evidence quality, your internal labor, the remediation you need, tooling, any outside help, and ongoing maintenance. Separate the cost of performing the assessment from the cost of becoming and staying able to support the result. Anyone quoting you a single tidy number is blending things that shouldn’t be blended.
Industry practitioners consistently report that the third-party assessment fee, when you get there, is typically only 20 to 30 percent of the total cost of getting certified; remediation and technology are the larger line items. The assessment is rarely the expensive part. Scoping and fixing gaps are.
| Cost driver | What moves it |
|---|---|
| Contract & applicability review | Number of contracts, primes, CAGE codes, and ambiguous flow-downs |
| Scoping | Number of CUI flows, facilities, endpoints, providers, and specialized assets |
| Evidence development | Quality of your existing documentation and operational records |
| Internal assessment | Number of objectives, interviewees, systems, and reviewers |
| Remediation | Control gaps, technical debt, and process changes |
| Technology | Identity, logging, endpoint, cloud, encryption, backup, enclave, and GRC needs |
| Outside readiness help | Scope complexity and your internal expertise |
| POA&M closeout | Number and difficulty of eligible open items |
| Ongoing maintenance | Evidence refresh, monitoring, change management, annual affirmation, reassessment |
A free spreadsheet can calculate a score. It can’t make a missing safeguard operational, turn a draft policy into final evidence, or make an inaccurate scope defensible. Those are the line items that drive a real budget. For a deeper build-up, see our CMMC Level 2 cost breakdown.
When should you get outside help — and what kind?
Your organization remains responsible for the self-assessment and the affirmation, but outside specialists can resolve scope, architecture, implementation, evidence, and workflow problems you can’t close in-house. Choose the category based on the obstacle in front of you — not based on whoever called you first. We map this with The CMMC Path Framework: the logic that maps your required CMMC level, FCI-versus-CUI handling, assessment type, IT and cloud environment, and contract timeline to the provider category that fits.
| Your obstacle | Category to consider | What it can help with | What to verify first |
|---|---|---|---|
| Unsure about level, scope, or readiness plan | RPO / RP (Registered Provider Organization / Registered Practitioner) | Applicability support, scoping, gap analysis, roadmap, documentation | Cyber AB status if represented, exact deliverables, conflicts, evidence method |
| Controls aren’t operating consistently | MSSP or CMMC-focused MSP | Security operations, tooling, monitoring, identity, evidence operations | CUI access, shared-responsibility matrix, personnel and locations |
| Evidence is scattered | GRC platform | Requirement mapping, evidence organization, workflows, POA&M tracking | Current CMMC mapping, exportability, access controls, data handling |
| Your enterprise is too broad to secure affordably | CUI enclave provider or architect | Scope reduction, controlled collaboration, isolated workloads | Actual data flows, endpoint and printing implications, shared responsibility |
| Contract language is ambiguous | Qualified federal-contracts attorney | Legal and contract interpretation | Relevant federal procurement and cybersecurity experience |
| A C3PAO requirement remains in your operative documents | C3PAO / assessment resources + contracting clarification | Assessment planning once the written requirement is confirmed | Current authorization status, independence, scope, and whether an amendment is coming |
Readiness help and formal assessment must stay separate.
Under 32 CFR 170.8(b)(17)(ii)(G) and the Cyber AB Code of Professional Conduct, a C3PAO and its assessment-team members may not perform a Level 2 certification assessment for an organization they served as a consultant — to prepare it for anyCMMC assessment — within the prior three years. Don’t hire a C3PAO to build your controls and then grade the same environment it built. Software alone doesn’t satisfy CMMC either; a GRC platform organizes evidence, it doesn’t implement your controls.
Tell us your level, scope, environment, obstacle, and timeline, and we\u2019ll identify the provider category and source-checked options that fit. Do not submit CUI, drawings, system diagrams, credentials, or sensitive contract details.
Get matched with source-checked CMMC provider optionsWhat are the most common CMMC self-assessment mistakes?
The costly errors almost all happen beforethe score is entered: choosing the wrong record, scoring before scope is defined, treating draft policies as evidence, skipping assessment objectives, misusing a POA&M, and asking an executive to affirm without a defensible packet. Fixing these is mostly discipline, not spend.
| Mistake | Why it happens | Consequence |
|---|---|---|
| Treating SPRS entry as the assessment | The portal is fast | Unsupported result |
| Using an old Basic score as current CMMC Self | Both use SPRS and Rev. 2 | Wrong record; no required CMMC status |
| Scoring before defining scope | Wanting a quick baseline | Score grades an unknown system |
| Marking a requirement Met while an objective is unsupported | Checkbox mindset | Inflated, indefensible score |
| Using draft policies as evidence | Documentation sprint | Met finding lacks acceptable proof |
| Treating N/A as a shortcut | Wanting less work | Unsupported exclusion |
| Putting a prohibited item on a POA&M | Looking only at 88 | No Conditional status |
| Missing or draft SSP | Underestimating CA.L2-3.12.4 | Assessment can’t be completed |
| Calling a self-assessment “certification” | Marketing shorthand | Misrepresentation |
| Missing the annual affirmation | Confusing the 3-year assessment with the annual affirmation | Status or eligibility problem |
| Scoring current Level 2 against Rev. 3 | NIST published a newer revision | Wrong baseline |
| Ignoring changes after the assessment | Treating status as static | Scope/evidence no longer matches reality |
| Letting a consultant own all the evidence | Outsourcing accountability | The AO can’t explain the result |
Working through it methodically is the fix. Our CMMC readiness checklist walks the same order this page does.
Frequently asked questions
- Is a CMMC self-assessment an audit?
- Not in the rule’s language. A self-assessment is one your own organization performs and affirms; the CMMC rule reserves “certification assessment” for the C3PAO and DIBCAC versions and doesn’t use “audit” as a formal category. They evaluate against the same standards, but only the third-party and government versions are external assessments.
- Can a consultant perform the self-assessment for us?
- A consultant can support the work — scoping, gap analysis, evidence organization — but your organization (the OSA) owns the result, the submission, and the affirmation. Outside support doesn’t transfer that responsibility, and your Affirming Official must be an internal senior representative.
- Does CMMC Level 1 require a C3PAO?
- No. Level 1 is a self-assessment with an annual assessment and an annual affirmation, per 32 CFR 170.15 — no C3PAO certification is required. Outside consultants may support the work, but the organization performs and affirms the Self assessment.
- Is CMMC Level 2 self-assessment still allowed after the July 2026 suspension?
- Yes. The Department’s current guidance keeps Level 1 (Self) and Level 2 (Self) in place during the Phase 1 pause. What was paused is the third-party certification step, not the self-assessment.
- Does an old SPRS Basic score satisfy CMMC Level 2 (Self)?
- Not automatically. A legacy NIST SP 800-171 DoD Basic Assessment and a current CMMC Level 2 (Self) status are different records. Confirm that the required current CMMC Self record, scope, status, and affirmation actually exist.
- What’s the passing score for Level 2 (Self)?
- Final status requires all requirements Met and a score of 110. Conditional status can begin at 88, but only when every POA&M condition in 32 CFR 170.21 is satisfied.
- Can CMMC Level 1 use a POA&M?
- No. POA&Ms are never permitted at Level 1 — you must close every gap before you submit.
- How long does a Level 2 (Self) status last?
- Final Level 2 (Self) runs on a three-year assessment cycle, but the affirmation is required annually, and a significant change to your environment can require reassessment sooner.
- Should I assess against NIST SP 800-171 Revision 2 or Revision 3?
- Revision 2. NIST withdrew SP 800-171 Revision 2 in its own publication catalog on May 14, 2024 and issued Revision 3, but the Department’s current guidance says CMMC Level 2 assessments remain based on Revision 2 until DoD amends the controlling rule. Re-check this before every page update.
- Does posting the assessment authorize us to handle CUI?
- No. You still have to meet the applicable contractual safeguarding requirements and keep CUI handling inside the protected environment and authorized processes.
- What if our CUI exists only on paper?
- Per the Department’s current CMMC FAQ, an organization that handles only hard-copy CUI isn’t required to complete a CMMC third-party assessment for that, though it may elect one — but the hard-copy CUI must still be safeguarded under DFARS 252.204-7012. The moment that information is scanned, entered, photographed, uploaded, printed from a system, or emailed, the system handling it is expected to meet the applicable CMMC assessment requirements. Confirm your specific facts before relying on a hard-copy-only interpretation.
- What change requires a reassessment?
- Per the Department’s current guidance, the Affirming Official determines whether a change is significant. Routine, like-for-like security updates generally aren’t significant, but reassessment is required when a requirement or objective you previously assessed as N/A becomes applicable — for example, when you begin handling CUI on a system that didn’t before.
- Is a self-assessment the same as the 110 controls in a C3PAO assessment?
- Level 2 Self and Level 2 C3PAO assessments use the same 110 Revision 2 requirements and the same Level 2 scoring methodology; the difference is who assesses. Level 1 uses the 15 FAR safeguarding requirements, and Level 3 adds 24 selected NIST SP 800-172 requirements on top of the 110.
What we actually verified for this guide
We checked the current Department CMMC announcement and program guidance, the controlling sections of 32 CFR Part 170, the relevant DFARS clause text, and the July 2026 suspension materials against their primary sources. Claims about contract applicability are deliberately qualified, because the controlling document differs by procurement, modification, and deviation.
Verified :
- The July 13, 2026 Phase 2 suspension announcement and the Department’s implementation guidance.
- Level 1 (Self) and Level 2 (Self) requirements — 32 CFR 170.15 and 170.16.
- Scope categories — 32 CFR 170.19.
- Scoring methodology, including the MFA and encryption partial-credit cases — 32 CFR 170.24 (pulled July 15, 2026; Title 32 current as of July 14, last amended July 9).
- POA&M limits, including the six prohibited requirements and the ≥0.8 threshold — 32 CFR 170.21 (read in full).
- Affirmation requirements — 32 CFR 170.22.
- The C3PAO three-year independence rule — 32 CFR 170.8(b)(17)(ii)(G) and the Cyber AB Code of Professional Conduct v2.0.
- The NIST SP 800-171 DoD Assessment authority — DFARS 252.204-7012, -7019, -7020, and the CMMC clause -7021.
- Executive Order 14347 (Department of War secondary title).
- The DOJ LOGZONE and Georgia Tech settlements and the broader Civil Cyber-Fraud Initiative record.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path