The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
July 13, 2026 update: The Department of War suspended the planned Phase 2 C3PAO expansion. Level 1 and Level 2 self-assessments remain required where contracts call for them. DFARS 252.204-7012 and False Claims Act exposure are unchanged.

CMMC Self-Assessment Audit: What It Is, How It’s Scored, and What It Really Risks (2026)

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense or Department of War, DCMA DIBCAC, NIST, or any U.S. government agency. This is editorial research, not legal, contractual, or compliance advice. Your contract clause and how you handle Controlled Unclassified Information set your CMMC level — not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

If a prime contractor or a new solicitation just told you to complete a CMMC self-assessment audit, start here: that phrase quietly blends two things the rule keeps carefully apart. A self-assessment is one you run and sign yourself. An audit— in plain terms — is an assessment someone else runs on you. As of July 13, 2026, the self-assessment is what the Department is leaning on while it reviews the program: it paused the third-party certification step, but your safeguarding obligations under DFARS 252.204-7012 didn’t move. And doing the self-assessment badly is the part that gets expensive.

The bottom line, before you scroll

A “CMMC self-assessment audit” is not an official status name. The rule (32 CFR Part 170) recognizes a Level 1 self-assessment (for Federal Contract Information, or FCI), a Level 2 self-assessment (for Controlled Unclassified Information, or CUI), and separate third-party or government assessments. Level 1 is annual and pass/fail across 15 safeguarding requirements. Level 2 evaluates 110 NIST SP 800-171 Revision 2 requirements, scored from −203 to 110, every three years with an annual affirmation. Phase 1 began November 10, 2025; on July 13, 2026, the Department paused the November 2026 transition to third-party certification, but Phase 1 self-assessments remain in force and DFARS 252.204-7012 is unchanged.

This guide is for you if:

Guide applicability: who this page is and is not for
This guide is for you if…Read a different page if…
FOR YOU Your requirement says Level 1 (Self) or Level 2 (Self)You’re still deciding between self-assessment and a C3PAO
FOR YOU You need to gather evidence that holds upYou want a control-by-control remediation manual
FOR YOU You need to calculate or sanity-check your scoreYou want ongoing Phase 2 policy news
FOR YOU You need to submit to SPRS and get the affirmation rightYou want a named-provider profile
FOR YOU You’re unsure whether an old SPRS score already covers youYou need contract-specific legal interpretation

Here’s the whole self-assessment at a glance. Everything after this table is detail.

CMMC self-assessment comparison: Level 1 vs Level 2
Level 1 (Self)Level 2 (Self)
ProtectsFCICUI
Requirements15 (FAR 52.204-21)110 (NIST SP 800-171 Rev. 2)
Assessment cadenceAnnualEvery 3 years
AffirmationAnnualAnnual
ScorePass/fail (all MET)−203 to 110
POA&M allowedNoLimited
Submitted in SPRSRequiredRequired

Sources: 32 CFR 170.15 (Level 1), 170.16 (Level 2), and 170.24 (scoring). Pulled from eCFR on July 15, 2026; Title 32 current as of July 14, last amended July 9.GOV-SOURCED

Here’s the open loop we’ll close by the end. One defense contractor self-reported a perfect security score of 110. A later government assessment put the same work at negative 170 — and the company paid $507,144to settle. The reporting on the case describes it as triggered by a government assessment, not a whistleblower. We’ll show you exactly how a gap like that opens up, and how to make sure yours can withstand the same scrutiny.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.


What does “CMMC self-assessment audit” actually mean?

The CMMC rule does not use “audit” as a formal assessment category. It distinguishes Level 1 and Level 2 self-assessments performed by your own organization, Level 2 certification assessments performed by a Certified Third-Party Assessment Organization (C3PAO), and Level 3 certification assessments performed by the government’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The word “self” changes who runs the assessment. It does not change the standard, the evidence, or the scoring.

People call it an “audit” for an understandable reason: even a self-assessment behaves like an internal audit. You define scope, evaluate every applicable requirement and objective, examine evidence, interview the people responsible, test technical controls where appropriate, record findings, preserve proof, submit the result, and have a senior official attest to it. The rule uses distinct names for each path in 32 CFR 170.4 — “self-assessment” and “certification assessment,” not “audit.” Here’s how the informal words map to the official ones.

Informal CMMC terminology mapped to official rule language
What people sayWhat it usually means officially
“CMMC self-audit”Level 1 or Level 2 self-assessment
“CMMC audit”Could be a Self, C3PAO, or DIBCAC assessment
“SPRS self-assessment”Could be a current CMMC Self status or a legacy NIST SP 800-171 DoD Basic Assessment
“CMMC certified”Should not be used for a Level 1 or Level 2 Self result
“CMMC attestation”Usually means the required affirmation
“Self” makes the process sound lighter than it is. It lets you run the assessment in-house. It does not let you skip scope, skip evidence, skip assessment objectives, skip scoring, or skip an executive affirmation made directly to the federal government. That distinction is where most of the risk on this page lives — and where the money is either saved or lost.

Do you still have to do this after the July 2026 Phase 2 suspension?

Yes, where the operative requirement calls for Level 1 (Self) or Level 2 (Self). On July 13, 2026, the Department of War suspended the November 2026 transition to CMMC Phase 2 — including the planned expansion of third-party (C3PAO) certification for Level 2 contracts — along with the later Phase 3 and Phase 4 milestones. But it explicitly kept Phase 1 self-assessments in place. During the pause, the Department said it will enforce cybersecurity through NIST SP 800-171 Revision 2 self-assessments and select government-led assessments, and that safeguarding obligations under DFARS 252.204-7012 remain in force.

A quick note on naming. In September 2025, Executive Order 14347 authorized the Department of Defense to use “Department of War” as an additional secondary title. Statutory references to the Department of Defense remain controlling until Congress changes them by law, which is why the regulations — 32 CFR Part 170 and the DFARS clauses — still read “DoD.” When we quote the rule, we use its words. When we describe the July 2026 action, we use the Department’s current name. Nothing about the naming changes what you owe.

What the suspension paused

  • The planned Phase 2 expansion of Level 2 (C3PAO) certification requirements in applicable solicitations and contracts (which would have started November 10, 2026)
  • The Phase 3 Level 3 DIBCAC milestone (planned November 2027) and Phase 4 full implementation
  • All pending and future CMMC implementation milestones, held until further notice

What the suspension did NOT touch

  • Level 1 self-assessments and Level 2 self-assessments — still required where a contract calls for them
  • Annual affirmations in SPRS
  • Safeguarding obligations under DFARS 252.204-7012
  • The government’s right to conduct its own assessments
  • False Claims Act exposure for inaccurate representations (this part actually got bigger)

The Department also stood up a 60-day CMMC Reform Task Forceand published a Request for Information (RFI), directing the task force to report to the Department’s Chief Information Officer within 60 days. Comments on the RFI are due August 14, 2026, at noon Eastern, which puts the report at roughly mid-September. Two signals in that RFI are worth watching: the Department asked whether it should require compliance with fewer than all 110 NIST controls, and whether it could recognize commercial security tools and managed services in lieu of separate assessments. Officials also told reporters they had not ruled out canceling the CMMC program entirely at the end of the review.

So treat the future as genuinely open, and treat the present as settled: where your contract calls for a Self status, you still self-assess today.

Wording note:Phase 1 began November 10, 2025. Under the original schedule, Phase 2 would have begun November 10, 2026. The July 13 suspension paused that transition, so Phase 1 does not now automatically end on that date. Accurate: “Phase 2 was originally scheduled to begin November 10, 2026.” No longer accurate: “Phase 2 begins November 10, 2026.”

We’re tracking the Reform Task Force, the RFI docket, and any successor rulemaking on our Phase 2 suspension page. Bookmark that for the moving parts. This page stays focused on the thing that isn’t moving: how to do the self-assessment correctly.


Which CMMC self-assessment applies to you — Level 1 or Level 2?

Your contract requirement sets the required status; the information you handle sets what you protect and scope. When the operative requirement says Level 1 (Self), assess the in-scope FCI systems against 15 safeguarding requirements, annually, pass/fail. When it says Level 2 (Self), assess the CUI environment against all 110 NIST SP 800-171 Rev. 2 requirements, scored −203 to 110 — unless your contract specifically requires a C3PAO.

Choose Level 1 (Self)

When the operative requirement says Level 1 (Self). That means FCI in scope, the 15 basic safeguarding requirements from FAR clause 52.204-21, an annual self-assessment, no Plans of Action and Milestones (POA&Ms) permitted, every requirement Met, and an annual affirmation. Details in 32 CFR 170.15. (Some older guides say “17 practices” for Level 1 — that’s leftover language from the retired CMMC 1.0 model. The Final Rule maps Level 1 to the 15 requirements in 48 CFR 52.204-21(b)(1).)

Choose Level 2 (Self)

When the operative requirement says Level 2 (Self). That means CUI in scope, all 110 NIST SP 800-171 Revision 2 requirements across 14 control families, an assessment every three years, a Conditional-versus-Final status distinction, restricted POA&M rules, and an annual affirmation. Details in 32 CFR 170.16. See our CMMC levels explainer if you need the full breakdown.

Do not choose based on a generic checklist or an online quiz.

The contract clause sets your required status. If a prime tells you only to “get CMMC compliant,” push back for specifics before you spend a dollar: (1) ask for the exact required CMMC status, (2) ask which systems and CAGE codes they expect to support the work, (3) ask whether the requirement lives in an incorporated contract clause or just a supplier questionnaire, (4) ask for the applicable compliance date, and (5) save the answer in writing.

The right CMMC provider isn\u2019t the same for every contractor \u2014 the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. Because a general answer can\u2019t resolve those for you, use The Defense Compliance Report\u2019s Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

Map my CMMC self-assessment path

Your first decision is the assessment path — not the provider.


Which DFARS clause controls each part of a CMMC self-assessment audit?

Four Defense Federal Acquisition Regulation Supplement (DFARS) clauses do the work, and they are not interchangeable. In short: 252.204-7012 is the safeguarding obligation, 252.204-7019 is the pre-award notice, 252.204-7020 is the assessment mechanics and the government’s assessment rights, and 252.204-7021 is the CMMC status requirement itself. Knowing which clause is in your contract tells you which record you owe.

DFARS clauses governing CMMC self-assessment obligations
ClauseWhat it doesWhy it matters to you
DFARS 252.204-7012Safeguarding covered defense information, cloud requirements, and 72-hour cyber-incident reportingIn effect since 2017; the Department confirmed it survives the Phase 2 pause. This is your baseline duty regardless of CMMC’s status.
DFARS 252.204-7019Pre-award notice: you must have a current NIST SP 800-171 DoD Assessment on record in SPRSThis is the older self-report path — the “Basic Assessment” many contractors already posted.
DFARS 252.204-7020NIST SP 800-171 DoD Assessment mechanics, SPRS access, government assessment rights, and flow-downThis is the clause that lets the government (DIBCAC) come assess you and post its own score.
DFARS 252.204-7021CMMC status, the CMMC unique identifier (UID), the annual affirmation, and flow-downThis is the clause that carries CMMC — as opposed to the legacy Basic Assessment — into your contract.

If your solicitation cites 7021 with a Level 1 (Self) or Level 2 (Self) requirement, you owe a CMMC self-assessment record. If it only cites 7019/7020, you may be in the older NIST SP 800-171 DoD Assessment world. That difference is the whole next section.


Is your old SPRS score the same as a CMMC self-assessment?

Not automatically — and assuming it is can leave you ineligible without knowing it. A legacy NIST SP 800-171 DoD Basic Assessment (submitted under DFARS 252.204-7019 and −7020) and a current CMMC Level 2 (Self) status can evaluate the same 110 Revision 2 requirements, but they are different records, created under different authorities, carrying different status labels and fields. A Basic Assessment score sitting in SPRS from 2021 is not, by itself, a current CMMC Level 2 (Self) status.

This is the quiet trap that catches good companies. Many contractors have posted a NIST SP 800-171 score in the Supplier Performance Risk System (SPRS) since 2020 under DFARS 252.204-7020. That score ranges from −203 to 110 and is characterized as a “Basic” (Low-confidence) self-report. It is real, and it may still be contractually relevant. But when a solicitation requires a CMMCLevel 2 (Self) status, the government is looking for a specific CMMC record — level, status, scope, associated CAGE codes, CMMC status date, score, POA&M status, and affirmation — not the older Basic score.

The CMMC Self-Assessment Decision Matrix (verified July 16, 2026)

Every row verified against its primary source on July 16, 2026.GOV-SOURCED
Official path or recordStatus as of July 16, 2026Who performs itResult / recordCadencePOA&MWhat it does not prove
CMMC Level 1 (Self)In force Phase 1Your organization (OSA)Final Level 1 (Self) in SPRSAnnual assessment + affirmationNot permittedDoesn’t cover CUI; isn’t Level 2; isn’t third-party certification (170.15)
CMMC Level 2 (Self)In force Phase 1Your organization (OSA)Conditional or Final Level 2 (Self) in SPRSAssessment every 3 years; affirmation annuallyLimited≥88, 1-pt items, 180-day closeoutIsn’t C3PAO certification; a later DIBCAC result can supersede it (170.16)
NIST SP 800-171 DoD Basic AssessmentContext-dependent May remain relevant in legacy or contract-specific contextsYour organizationNumerical SPRS score (Basic/Low confidence)Set by the applicable clauseGoverned by that methodology, not CMMC Conditional rulesIsn’t automatically a current CMMC Level 2 (Self) status (DFARS 252.204-7020)
NIST SP 800-171 DoD Medium/High AssessmentMay continue when selected; the July direction keeps “select government-led assessments” during the pauseGovernment (incl. DCMA DIBCAC)Government-assessed score + confidence levelGovernment- and contract-drivenNot a contractor-created CMMC POA&MIsn’t a self-assessment; doesn’t arise just because you posted a Self score
CMMC Level 2 (C3PAO)Path in rule New Phase 2 designations pausedAuthorized or accredited C3PAOConditional or Final Level 2 (C3PAO)3 years + annual affirmationLimited; C3PAO closeout within 180 daysCan’t substitute a Self result when operative contract language still requires C3PAO — get a written amendment (170.17)

The honest caveat that makes this table trustworthy: the rule text and the current implementation status are not the same thing. The C3PAO and Level 3 pathways still exist in 32 CFR Part 170; the July 2026 direction paused their expansion. Your operative solicitation, contract, amendment, class deviation, and written contracting-officer direction determine what you must do today.

Don\u2019t build evidence for the wrong record. If you\u2019re unsure whether your contract points to a legacy Basic score or a current CMMC Self status, our matcher will help you name it. No CUI or contract uploads.

See which record and provider category fit my situation

How do you actually perform a CMMC self-assessment, step by step?

Start from the operative contract requirement, then define your scope before you evaluate anything. Assess every applicable objective, preserve the evidence and your reasoning, calculate the result, clear the POA&M gate, run an internal quality check, enter the correct record in SPRS, and get the affirmation. The overall workflow is similar at both levels, but the scope, requirement set, assessment cadence, scoring model, status rules, POA&M treatment, and SPRS fields differ.

  1. Find the operative requirement

    Capture the solicitation provision or contract clause, the exact status label, the required date, the covered systems, the CAGE codes, and whether an amendment is pending after the suspension.

  2. Classify the record

    Level 1 (Self), Level 2 (Self), a legacy Basic score, a government Medium/High assessment, or a C3PAO requirement that needs written clarification during the pause. Use the Decision Matrix above.

  3. Define and approve scope

    This is where cost and defensibility are won or lost. For Level 1, the CMMC Assessment Scope consists of the OSA information systems that process, store, or transmit FCI; when you define it, also account for the people, technology, facilities, and External Service Providers involved. For Level 2, the rule (32 CFR 170.19) requires you to classify and document your assets by category:

    Level 2 asset categories for scope classification
    Asset categoryWhy it’s in or outCommon mistake
    CUI AssetProcesses, stores, or transmits CUIMissing physical or operational CUI flows (printers, shop-floor drawings, scanned records)
    Security Protection AssetProvides security functions for the CUI environmentAssuming security tools are automatically out of scope
    Contractor Risk Managed AssetCould handle CUI but isn’t intended toClaiming “intent” with no technical or procedural enforcement
    Specialized AssetCan handle CUI but can’t be fully secured (e.g., OT, test equipment)Omitting operational technology or government-furnished equipment
    Out-of-Scope AssetCannot process, store, or transmit CUI; provides no security protection for CUI Assets; and is separated as requiredLabeling merely “unused” assets as out of scope, or assuming separation alone removes an in-scope asset

    Scope follows the information, not the org chart. Trace email, file transfer, endpoints, remote access, backups, printers, portable media, identity providers, managed service providers, and physical records.

  4. Freeze the assessment baseline

    Record the assessment date, the System Security Plan (SSP) name/version/date, the inventory and diagram versions, the requirement set version, the assessment guide version, the evidence repository, and the assessment team. “Freeze” means preserve the exact baseline behind your conclusion — not stop improving security.

  5. Evaluate every applicable objective

    The 110 Level 2 requirements break down into roughly 320 individual assessment objectives in NIST SP 800-171A. For each one, pick your method — Examine (documents, configurations, logs, policies), Interview (the people who run the control), or Test (demonstrate the mechanism works) — identify the evidence, and record the conclusion, the reasoning, the scope element, and the reviewer.

  6. Assign findings

    Each requirement is Met, Not Met, or Not Applicable (N/A). Do not mark a requirement Met while a single applicable objective is unsupported.

  7. Calculate the result

    Level 1: the assessment is Met only when all 15 requirements are Met. Level 2: start at 110 and subtract point values (next section). Flag any prohibited POA&M item before you treat the score as Conditional.

  8. Remediate or apply the POA&M gate

    Level 1: remediate before submission. Level 2 Final: remediate to 110. Level 2 Conditional: confirm you clear every threshold and restriction in the POA&M section below.

  9. Run an independent internal quality review

    A second person should challenge scope completeness, N/A rationales, evidence currency, draft artifacts, unsupported Met findings, the score math, POA&M eligibility, CAGE mapping, and SSP consistency.

  10. Submit to SPRS

    Prepare the full record before you open the portal — SPRS records your result; it does not perform the assessment. Use the correct Level 1 Self or Level 2 Self workflow the operative document requires. See the SPRS submission section below.

  11. Affirm

    A senior official internal to your organization must affirm. Affirmation is required at Conditional status, at Final status, after any POA&M closeout, and annually after Final status. See the affirmation section below.

Evidence Ledger download

Use the worksheet to track each objective, your evidence reference, assessment method, finding, and reviewer across all 110 requirements. No email gate.

Download CMMC Self-Assessment Evidence Ledger (.xlsx)

What evidence actually counts in a CMMC self-assessment?

A requirement can be marked Met only when every applicable objective is satisfied by evidence, and the rule requires that evidence to be final — not draft. The assessment should record why the evidence supports Met, Not Met, or N/A, not just check a box. 32 CFR 170.24 states plainly that working papers, drafts, and unofficial or unapproved policies are not acceptable evidence.

The damaging admission, and why it’s actually an advantage:

The SPRS submission is the easy part. Contractors on the r/CMMC forum have described posting their Level 1 result and feeling like they must have missed something — the common refrain is that it “felt too easy.” They didn’t misread the portal. SPRS records the result — it does not performthe assessment for you. That’s precisely why the hard, defensible work is entirely within your control.

Strong evidence proves a control operates. Weak evidence describes what should happen.

Evidence quality guide: stronger vs weaker or unacceptable evidence
Stronger evidenceWeaker or unacceptable evidence
Approved policy with an owner and effective dateDraft policy awaiting approval
Current configuration exportA note that a setting “should be enabled”
Completed access reviewA blank review template
Current log or report with dates and system contextA screenshot with no date or system
Closed change ticket tied to the implementationAn open ticket describing future work
A demonstration plus the retained resultA verbal assurance with nothing behind it
Current training completion recordsA training deck with no attendance evidence
An approved SSP describing actual operationA generic SSP template

N/A is not a convenience label. When you mark something Not Applicable, record why it doesn’t apply, what scope fact supports that, who reviewed it, and whether that fact could change. During an assessment, an objective assessed N/A counts the same as Met — which is precisely why an unsupported N/A is a scoring problem waiting to surface.


How is a CMMC self-assessment scored?

Level 1 is all-or-nothing: every one of the 15 requirements must be Met, and there’s no numeric score. Level 2 starts at 110 and subtracts 1, 3, or 5 points for each Not Met requirement, based on security impact, with a floor of −203. A 110 earns Final Level 2 (Self); a score of at least 88 with a compliant POA&M earns Conditional. The methodology is set in 32 CFR 170.24, carried over from the long-standing DoD Assessment Methodology for NIST SP 800-171.

Level 1 scoringis binary. All 15 requirements Met (or N/A) means Final Level 1 (Self). One Not Met requirement means you don’t have it — and because no POA&M is allowed at Level 1, you fix it before you submit.

Level 2 scoring works like a countdown from a perfect score:

Level 2 self-assessment score outcomes and their meaning
OutcomeWhat it means
110Final Level 2 (Self) at the initial assessment
88–109, all POA&M conditions metConditional Level 2 (Self)
Below 88No Conditional or Final status (“No Status”)
Any of the six prohibited requirements Not MetNo Conditional status — those requirements cannot be placed on the POA&M, so a Not Met finding on any of them blocks Conditional regardless of the math
Conditional items closed within 180 daysFinal Level 2 (Self) after closeout
Closeout missedConditional status expires

Two things surprise people.

First, negative scores are common on a first honest assessment.The 5-point requirements are the critical ones — and missing several of them drags you below zero fast. Multi-factor authentication (MFA) (IA.L2-3.5.3) deducts five points when it isn’t implemented, or three points in the specific partial-implementation case where it covers remote and privileged users but not non-privileged network access; CUI encryption (SC.L2-3.13.11) deducts five points when encryption isn’t used, or three when it’s used but not FIPS-validated. Those are the only two requirements the rule lets you partially credit.

Second — outside those two exceptions — there is no partial credit.A requirement that’s 90 percent implemented deducts its full point value, exactly like one you never started. So don’t model your score as if every objective earns fractions; it doesn’t.

Eighty-eight is a gate, not a finish line. It’s the minimum to reach Conditional status, and only if you also satisfy the point-value and prohibited-requirement rules in the next section. Then you have 180 days to reach a true 110.

Estimate your score before the government does.

Level 2 Score Estimator

Educational calculation only \u2014 not a submitted assessment. Encodes point weights from 32 CFR 170.24 and the DoD Assessment Methodology.

Not Met requirements

Partial-credit exceptions (32 CFR 170.24)

+110Final Level 2 (Self)

All 110 requirements Met — Final status on initial assessment.

This is an educational calculation, not a submitted assessment or a compliance determination. Point weights are from 32 CFR 170.24 and the DoD Assessment Methodology. Your actual score depends on your full scope and all applicable objectives.


Can you use a POA&M and still pass a CMMC self-assessment?

Level 1 never permits a POA&M. Level 2 allows Conditional status only when your score is at least 80% of 110 (that’s 88), the open items carry a point value of 1 (with one encryption exception), none of six specific requirements is on the POA&M, and you close everything within 180 days. These conditions are set in 32 CFR 170.21, which we read in full on July 16, 2026.

The six requirements that can neverbe on a POA&M:

Six CMMC Level 2 requirements prohibited from POA&M
RequirementShort name
AC.L2-3.1.20External Connections (CUI Data)
AC.L2-3.1.22Control Public Information (CUI Data)
CA.L2-3.12.4System Security PlanSSP \u2014 see note
PE.L2-3.10.3Escort Visitors (CUI Data)
PE.L2-3.10.4Physical Access Logs (CUI Data)
PE.L2-3.10.5Manage Physical Access (CUI Data)

CA.L2-3.12.4 (System Security Plan) — cannot be deferred.

The rule goes further: without a current SSP at the time of assessment, the finding is that the assessment couldn’t be completed and that you’re noncompliant with DFARS 252.204-7012. A generic, draft, or materially inaccurate SSP is not harmless paperwork you’ll finish later — it can stop the assessment cold.

The 180-day closeout clockstarts on your Conditional CMMC Status Date. For a Level 2 self-assessment, you (the OSA) perform the closeout self-assessment the same way you did the initial one, reassess only the Not Met items from the original POA&M, and post the results to SPRS. Miss the window, and the Conditional status expires — with standard contractual remedies attached. Our deeper walkthrough is on the Conditional Level 2 POA&M closeout page.


How do you submit the self-assessment in SPRS, and who signs it?

You enter the applicable Self assessment through SPRS using the required Procurement Integrated Enterprise Environment (PIEE) role, complete the record, and route it for affirmation by a senior official. SPRS calculates your score and status from your entries — the user doesn’t simply choose “Conditional” or “Final” — and only a Conditional score of 88–109 or a Final 110 can be affirmed. The Affirming Official must be a senior representative from within your organization, responsible for CMMC compliance and authorized to affirm it, per 32 CFR 170.22.

Confirm access beforeyour deadline. You’ll need a PIEE account, the SPRS Cyber Vendor User role, the correct CAGE hierarchy, and a path for the Affirming Official to review and affirm — and role approvals take time.

SPRS field preparation: map each field to your source document before opening the portal.
SPRS fieldInternal source documentOwnerQA checkCommon error
Assessment record/workflowContract-status determination memoContracts/complianceUse the correct Level 1 Self or Level 2 Self workflow the operative document requiresEntering the result as a legacy Basic Assessment
ScopeApproved scope memoSecurity leadMatches SSP and diagramA vague “enterprise” label
Employee CountCurrent HR/finance headcount sourceHR/financeUses the current SPRS field definition and dateGuessing or using a stale count
CAGE codesCAGE-to-system mapContractsFull hierarchy includedOmitting a covered CAGE
ScoreApproved scoring workbookAssessment leadIndependent recalculation before entryCounting objectives as separate points
POA&M statusApproved POA&MSecurity leadEligibility verifiedIncluding a prohibited control
Affirming OfficialAuthority memoLeadershipSenior internal representativeUsing an outside consultant as the AO
Status dateAssessment recordAssessment leadConsistent across artifactsUsing the portal-entry date without checking

Who qualifies as the Affirming Official?

Someone internal to your organization, senior, responsible for compliance, authorized to make the affirmation, and able to understand the scope and evidence behind the statement. A consultant can help you prepare — a consultant cannot be your Affirming Official.

What is the Affirming Official actually attesting?

That your organization has implemented, and will maintain, all applicable CMMC security requirements for every system in the relevant assessment scope. Affirmation is required at Conditional status, at Final status, after any POA&M closeout, and annuallyafter Final status. That annual cadence is a common miss — the Level 2 assessment runs every three years, but the affirmation is every year. See our CMMC annual affirmation page for the full treatment.

When the Affirming Official should not sign yet:

Scope is unresolved; the SSP doesn’t describe actual operation; material evidence is still draft; a prohibited requirement is Not Met; the score hasn’t been independently checked; CAGE mapping is unresolved; the record type doesn’t match the contract; or something material changed since the assessment.

We\u2019ll point you to the record and provider category that fit your level, scope, and timeline. No CUI or contract uploads.

Map my situation to the right next step

What does a self-assessment status prove — and what does it not prove?

A current Self status shows that your organization entered and affirmed the applicable assessment result for a defined scope in SPRS. It does not make you “CMMC certified,” does not guarantee a contract award, does not authorize every system to handle CUI, and does not prevent a later government assessment from reaching a different result. A DIBCAC assessment can supersede a Level 2 (Self) result, per 32 CFR 170.16.

Language matters — sloppy claims create real exposure:

CMMC status claims: accurate vs inaccurate language
What people sayAccurate?Better wording
“We are CMMC certified.”No, for Self“We hold Final Level 1 (Self)” or “Final Level 2 (Self),” if true
“We passed a CMMC audit.”Potentially misleading“We completed and affirmed a CMMC Level 2 self-assessment for the identified scope”
“Our whole company is CMMC compliant.”Usually overbroadName the status, scope, systems, CAGE codes, and date
“We posted a 110, so the government can’t challenge it.”NoDIBCAC can later assess and supersede a Self result
“Our old SPRS score gives us Level 2 (Self).”NoConfirm a current CMMC Level 2 (Self) record and affirmation exist
“Phase 2 was paused, so 7012 disappeared.”NoThe Department says the safeguarding requirement remains

What a wrong self-assessment actually costs

Your SPRS score and the affirmation behind it are representations submitted directly to the federal government — and the CMMC affirmation is an attestation your senior official signs. When a knowingly false record or statement is material to a false or fraudulent claim for payment, the False Claims Act (31 U.S.C. § 3729) can apply — and its “knowingly” standard covers actual knowledge, deliberate ignorance, and reckless disregard, with treble damages and civil penalties on the table. The Justice Department’s Civil Cyber-Fraud Initiative has made cybersecurity representations a standing enforcement target.

Here is the pattern, assembled from Justice Department announcements. We list these as allegedfacts resolved by settlement, with no determination of liability. Each row is drawn from the government’s own release, and a discrepancy between a self-reported score and a later assessed one can become evidence in a False Claims Act matter when the government alleges a knowing, material misrepresentation.

DOJ Civil Cyber-Fraud Initiative settlements citing CMMC/NIST SP 800-171 misrepresentation. Each row is drawn from the cited government release. Allegations are not findings of liability.
ContractorSelf-reported scoreIndependently assessed scoreSettlementHow it started
LOGZONE Inc.110 (perfect)−170 (DIBCAC Medium Assessment)$507,144Government DIBCAC assessment (not whistleblower-driven)
MORSE Corp104−142$4.6MWhistleblower
Health Net / CenteneCompliance falsely certified$11.25MWhistleblower
Raytheon / RTXFalsely certified across 29 contracts$8.4MWhistleblower
Georgia Tech Research Corp98 (on a “fictitious” environment)$875KWhistleblower
Penn StateInflated scores across 15 contracts$1.25MWhistleblower

The LOGZONE case — the one triggered without a whistleblower:

In October 2021 the company self-reported a perfect 110. In February 2024, DIBCAC assessed LOGZONE’s implementation of NIST SP 800-171 under the covered Navy contracts at −170. That 110-to-negative-170 gap is what the case was built on, alongside the government’s allegation that LOGZONE submitted claims for payment while noncompliant. The Phase 2 pause doesn’t lower this risk — it arguably sharpens it, because with the third-party checkpoint suspended, the self-assessment and its affirmation are the representation the government is relying on, and the safeguarding duty and government assessment authority both remain.

An honest −40 is a real remediation baseline you can act on. An undocumented 110 is a liability. The whole point of the evidence discipline on this page is to make sure your affirmation is backed by proof you could hand a reviewer.

If you want a second set of eyes before your Affirming Official signs, a scoped gap assessment or a C3PAO mock assessment can pressure-test your score. One caution: a C3PAO mock assessment is a non-certification assessment conducted outside the CMMC Program. It produces no CMMC status, certificate, or eMASS result, and to stay within the Cyber AB’s rules the C3PAO may identify findings but generally may not provide advice, recommendations, or remediation for that same engagement. If what you actually need is help fixinggaps, that’s a readiness engagement, not a mock.


Can the government still audit your self-assessment?

Yes. Even when you’re eligible to self-assess, the government keeps the right to run its own assessment through DCMA DIBCAC, and during the current pause the Department will use “select government-led assessments.” If DIBCAC assesses you, its result takes precedence over your self-reported score in SPRS. That precedence is stated in 32 CFR 170.16; the government’s assessment authority sits in DFARS 252.204-7020.

Your self-assessment is not the last word. It’s a representation the government can test later — as LOGZONE learned. That’s not a reason to panic; it’s the reason to do the self-assessment defensibly, keep your evidence for six years, and make sure the number in SPRS is one you can stand behind if a government assessor ever recreates it.


What if your solicitation or contract still requires a C3PAO after the suspension?

Don’t silently substitute a Self status, and don’t assume the public announcement rewrote your contract. Obtain the solicitation amendment, contract modification, or written contracting-officer or prime direction contemplated by the July implementation guidance before you rely on a different path. The guidance directs contracting officers to amend affected solicitations and to remove requirements from active contracts by modification — but that paperwork has to actually issue.

Active solicitation:Ask about amendment status, the revised required status, the effect on your proposal, the updated clause, the new compliance date, and any effect on records you’ve already submitted.

Existing contract:Request written guidance from the contracting officer and the prime’s contracts team.

Subcontractor:Ask the prime whether it’s passing through an operative government requirement, imposing its own supplier-risk condition, or planning a subcontract modification — and whether a Self status satisfies the current condition.

Template — written confirmation request (operational starting point, not legal advice)

Subject: Written confirmation of current CMMC status requirement

Our solicitation/contract currently identifies [exact status]. Following the July 13, 2026 suspension of Phase 2 requirements, please confirm whether that status remains operative for this procurement or whether an amendment or modification will replace it. Please also confirm the applicable compliance date and the systems/CAGE codes expected to support performance. We will continue to follow the current written requirement until a change is formally issued.


How much does a CMMC self-assessment audit cost?

There is no honest universal price for a CMMC self-assessment, because the total depends on your scope, your existing implementation, your evidence quality, your internal labor, the remediation you need, tooling, any outside help, and ongoing maintenance. Separate the cost of performing the assessment from the cost of becoming and staying able to support the result. Anyone quoting you a single tidy number is blending things that shouldn’t be blended.

Industry practitioners consistently report that the third-party assessment fee, when you get there, is typically only 20 to 30 percent of the total cost of getting certified; remediation and technology are the larger line items. The assessment is rarely the expensive part. Scoping and fixing gaps are.

Cost anatomy for a CMMC self-assessment: the drivers that actually predict spend.
Cost driverWhat moves it
Contract & applicability reviewNumber of contracts, primes, CAGE codes, and ambiguous flow-downs
ScopingNumber of CUI flows, facilities, endpoints, providers, and specialized assets
Evidence developmentQuality of your existing documentation and operational records
Internal assessmentNumber of objectives, interviewees, systems, and reviewers
RemediationControl gaps, technical debt, and process changes
TechnologyIdentity, logging, endpoint, cloud, encryption, backup, enclave, and GRC needs
Outside readiness helpScope complexity and your internal expertise
POA&M closeoutNumber and difficulty of eligible open items
Ongoing maintenanceEvidence refresh, monitoring, change management, annual affirmation, reassessment

A free spreadsheet can calculate a score. It can’t make a missing safeguard operational, turn a draft policy into final evidence, or make an inaccurate scope defensible. Those are the line items that drive a real budget. For a deeper build-up, see our CMMC Level 2 cost breakdown.


When should you get outside help — and what kind?

Your organization remains responsible for the self-assessment and the affirmation, but outside specialists can resolve scope, architecture, implementation, evidence, and workflow problems you can’t close in-house. Choose the category based on the obstacle in front of you — not based on whoever called you first. We map this with The CMMC Path Framework: the logic that maps your required CMMC level, FCI-versus-CUI handling, assessment type, IT and cloud environment, and contract timeline to the provider category that fits.

CMMC provider category guide: obstacle to category mapping
Your obstacleCategory to considerWhat it can help withWhat to verify first
Unsure about level, scope, or readiness planRPO / RP (Registered Provider Organization / Registered Practitioner)Applicability support, scoping, gap analysis, roadmap, documentationCyber AB status if represented, exact deliverables, conflicts, evidence method
Controls aren’t operating consistentlyMSSP or CMMC-focused MSPSecurity operations, tooling, monitoring, identity, evidence operationsCUI access, shared-responsibility matrix, personnel and locations
Evidence is scatteredGRC platformRequirement mapping, evidence organization, workflows, POA&M trackingCurrent CMMC mapping, exportability, access controls, data handling
Your enterprise is too broad to secure affordablyCUI enclave provider or architectScope reduction, controlled collaboration, isolated workloadsActual data flows, endpoint and printing implications, shared responsibility
Contract language is ambiguousQualified federal-contracts attorneyLegal and contract interpretationRelevant federal procurement and cybersecurity experience
A C3PAO requirement remains in your operative documentsC3PAO / assessment resources + contracting clarificationAssessment planning once the written requirement is confirmedCurrent authorization status, independence, scope, and whether an amendment is coming

Readiness help and formal assessment must stay separate.

Under 32 CFR 170.8(b)(17)(ii)(G) and the Cyber AB Code of Professional Conduct, a C3PAO and its assessment-team members may not perform a Level 2 certification assessment for an organization they served as a consultant — to prepare it for anyCMMC assessment — within the prior three years. Don’t hire a C3PAO to build your controls and then grade the same environment it built. Software alone doesn’t satisfy CMMC either; a GRC platform organizes evidence, it doesn’t implement your controls.

Tell us your level, scope, environment, obstacle, and timeline, and we\u2019ll identify the provider category and source-checked options that fit. Do not submit CUI, drawings, system diagrams, credentials, or sensitive contract details.

Get matched with source-checked CMMC provider options
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

What are the most common CMMC self-assessment mistakes?

The costly errors almost all happen beforethe score is entered: choosing the wrong record, scoring before scope is defined, treating draft policies as evidence, skipping assessment objectives, misusing a POA&M, and asking an executive to affirm without a defensible packet. Fixing these is mostly discipline, not spend.

Most common CMMC self-assessment mistakes, why they happen, and their consequences
MistakeWhy it happensConsequence
Treating SPRS entry as the assessmentThe portal is fastUnsupported result
Using an old Basic score as current CMMC SelfBoth use SPRS and Rev. 2Wrong record; no required CMMC status
Scoring before defining scopeWanting a quick baselineScore grades an unknown system
Marking a requirement Met while an objective is unsupportedCheckbox mindsetInflated, indefensible score
Using draft policies as evidenceDocumentation sprintMet finding lacks acceptable proof
Treating N/A as a shortcutWanting less workUnsupported exclusion
Putting a prohibited item on a POA&MLooking only at 88No Conditional status
Missing or draft SSPUnderestimating CA.L2-3.12.4Assessment can’t be completed
Calling a self-assessment “certification”Marketing shorthandMisrepresentation
Missing the annual affirmationConfusing the 3-year assessment with the annual affirmationStatus or eligibility problem
Scoring current Level 2 against Rev. 3NIST published a newer revisionWrong baseline
Ignoring changes after the assessmentTreating status as staticScope/evidence no longer matches reality
Letting a consultant own all the evidenceOutsourcing accountabilityThe AO can’t explain the result

Working through it methodically is the fix. Our CMMC readiness checklist walks the same order this page does.


Frequently asked questions

Is a CMMC self-assessment an audit?
Not in the rule’s language. A self-assessment is one your own organization performs and affirms; the CMMC rule reserves “certification assessment” for the C3PAO and DIBCAC versions and doesn’t use “audit” as a formal category. They evaluate against the same standards, but only the third-party and government versions are external assessments.
Can a consultant perform the self-assessment for us?
A consultant can support the work — scoping, gap analysis, evidence organization — but your organization (the OSA) owns the result, the submission, and the affirmation. Outside support doesn’t transfer that responsibility, and your Affirming Official must be an internal senior representative.
Does CMMC Level 1 require a C3PAO?
No. Level 1 is a self-assessment with an annual assessment and an annual affirmation, per 32 CFR 170.15 — no C3PAO certification is required. Outside consultants may support the work, but the organization performs and affirms the Self assessment.
Is CMMC Level 2 self-assessment still allowed after the July 2026 suspension?
Yes. The Department’s current guidance keeps Level 1 (Self) and Level 2 (Self) in place during the Phase 1 pause. What was paused is the third-party certification step, not the self-assessment.
Does an old SPRS Basic score satisfy CMMC Level 2 (Self)?
Not automatically. A legacy NIST SP 800-171 DoD Basic Assessment and a current CMMC Level 2 (Self) status are different records. Confirm that the required current CMMC Self record, scope, status, and affirmation actually exist.
What’s the passing score for Level 2 (Self)?
Final status requires all requirements Met and a score of 110. Conditional status can begin at 88, but only when every POA&M condition in 32 CFR 170.21 is satisfied.
Can CMMC Level 1 use a POA&M?
No. POA&Ms are never permitted at Level 1 — you must close every gap before you submit.
How long does a Level 2 (Self) status last?
Final Level 2 (Self) runs on a three-year assessment cycle, but the affirmation is required annually, and a significant change to your environment can require reassessment sooner.
Should I assess against NIST SP 800-171 Revision 2 or Revision 3?
Revision 2. NIST withdrew SP 800-171 Revision 2 in its own publication catalog on May 14, 2024 and issued Revision 3, but the Department’s current guidance says CMMC Level 2 assessments remain based on Revision 2 until DoD amends the controlling rule. Re-check this before every page update.
Does posting the assessment authorize us to handle CUI?
No. You still have to meet the applicable contractual safeguarding requirements and keep CUI handling inside the protected environment and authorized processes.
What if our CUI exists only on paper?
Per the Department’s current CMMC FAQ, an organization that handles only hard-copy CUI isn’t required to complete a CMMC third-party assessment for that, though it may elect one — but the hard-copy CUI must still be safeguarded under DFARS 252.204-7012. The moment that information is scanned, entered, photographed, uploaded, printed from a system, or emailed, the system handling it is expected to meet the applicable CMMC assessment requirements. Confirm your specific facts before relying on a hard-copy-only interpretation.
What change requires a reassessment?
Per the Department’s current guidance, the Affirming Official determines whether a change is significant. Routine, like-for-like security updates generally aren’t significant, but reassessment is required when a requirement or objective you previously assessed as N/A becomes applicable — for example, when you begin handling CUI on a system that didn’t before.
Is a self-assessment the same as the 110 controls in a C3PAO assessment?
Level 2 Self and Level 2 C3PAO assessments use the same 110 Revision 2 requirements and the same Level 2 scoring methodology; the difference is who assesses. Level 1 uses the 15 FAR safeguarding requirements, and Level 3 adds 24 selected NIST SP 800-172 requirements on top of the 110.

What we actually verified for this guide

We checked the current Department CMMC announcement and program guidance, the controlling sections of 32 CFR Part 170, the relevant DFARS clause text, and the July 2026 suspension materials against their primary sources. Claims about contract applicability are deliberately qualified, because the controlling document differs by procurement, modification, and deviation.

Verified :

What we did notdo: we did not use a live contractor account to submit an assessment, we did not evaluate any named provider, we did not accept a universal market cost range, we make no claim about any specific reader’s contract, and we did not produce a legal opinion. This is educational research. Confirm scope and applicability with a CMMC Registered Practitioner or a qualified federal-contracts attorney before you act. More on how we work is on our methodology page and editorial standards.

Found an error in our reading of a rule or a source? Tell us — we check corrections against the primary source, and material changes update the verification date at the top of this page.


Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Find My CMMC Path

Do not submit CUI, drawings, system diagrams, credentials, vulnerability information, export-controlled technical data, or sensitive contract details through any form on this site.