STATUS — Phase II suspended. . Self-assessment still in force.
The Department suspended CMMC Phase II (C3PAO requirement expansion). CMMC Level 1 (Self) and Level 2 (Self) requirements were not suspended. Your SPRS score, affirmation, and underlying NIST SP 800-171 Rev 2 obligation remain in force. See what changed and what didn’t.
CMMC Self-Assessment Services & Consultant: What to Buy, What It Costs, and Who Owns the Result
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page is educational research, not legal, contractual, assessment, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO), or a qualified federal-contracts attorney.
If a solicitation, a contract modification, or a prime flow-down just told you to complete a CMMC self-assessment, and you’re weighing CMMC self-assessment services or a consultant, start here. The suspension did not remove that requirement. What you owe depends on your level, and the two paths aren’t the same:
- CMMC Level 1 (Self):your organization assesses the 15 basic safeguarding requirements in FAR 52.204-21, submits the compliance result to the government’s Supplier Performance Risk System (SPRS), and affirms annually.
- CMMC Level 2 (Self): you maintain a System Security Plan (SSP), assess the 110 requirements in NIST SP 800-171 Revision 2, submit your score and status to SPRS, and keep the annual affirmation current.
A consultant can do most of that work with you. What a consultant cannot do is own the result or make the affirmation — your organization does that, through a senior official within your company who has the authority to affirm.
And here’s the part almost nobody is saying out loud this month: pausing the audit didn’t pause the accountability. Your organization always owned the self-assessment and the signature under it — that never sat with a third party. What changed is that, with the third-party (C3PAO) check on hold, your self-assessment and that signature are now the main thing the government is relying on during the review. That makes buying this correctly more important now, not less.
This is the buyer’s manual for that decision — not a sales page. We read the July 13 suspension memo, cross-checked it against the CMMC Program rule at 32 CFR Part 170, worked through both the codified DFARS clauses and the February 2026 class deviation, and pulled the Department of Defense’s own cost estimates straight from the Federal Register.
Which readers this page is for — and which it isn’t
| This page is for you if… | This page is notyour best next step if… |
|---|---|
| Your paperwork requires CMMC Level 1 (Self) or Level 2 (Self) and you need help scoping, documenting, scoring, or submitting it | Your contract requires a Level 2 (C3PAO) certification assessment or Level 3 (DIBCAC) — see our C3PAO and assessment guides |
| You want to know what a self-assessment consultant should deliver, what it costs, and how to vet a quote | You mainly need technical remediation — building the controls — first; start with the readiness / MSP category |
| You have an SPRS score you're no longer sure you can defend | You don't yet know which assessment type your contract requires — resolve that first (below) |
Confirm your CMMC path before you scope a quote.
Find My CMMC Path →Do you still need a CMMC self-assessment after the July 2026 suspension?
Yes. On , the Department of War — the secondary title currently used by the Department of Defense in non-statutory communications — suspended the planned transition to CMMC Phase II, which would have expanded the use of Level 2 C3PAO requirements beginning November 10, 2026. But the Phase I self-assessment requirements that took effect November 10, 2025 remain in force. The audit expansion paused. The security requirement, the score, and the affirmation did not.
CMMC (Cybersecurity Maturity Model Certification) is the Defense Department’s program for verifying that contractors handling government information meet a defined cybersecurity baseline. The Department’s Chief Information Officer, Kirsten Davies, framed the move as cutting red tape rather than cutting cybersecurity. The certification mechanism is under a 60-day review. The obligation underneath it is not.
Put it together and you get the point of this page: during the review, new procurements may designate only Level 1 (Self) or Level 2 (Self) for CMMC — the C3PAO and Level 3 designations can’t be newly added. So for now, self-assessment is the CMMC path sitting in front of new awards. More companies are self-assessing than the rollout originally planned to route that way.
What survived the suspension, and what didn’t
| Obligation | Status after the July 13, 2026 suspension | Controlling authority |
|---|---|---|
| Implement NIST SP 800-171 Rev 2 (110 requirements, 14 families) if you handle CUI | IN FORCEIn force | DFARS 252.204-7012; NIST SP 800-171 Rev 2 |
| CMMC Level 1 (Self) — annual self-assessment for Federal Contract Information (FCI) | IN FORCEIn force | 32 CFR Part 170 (§170.15); FAR 52.204-21 |
| CMMC Level 2 (Self) — self-assessment for CUI where the contract designates it | IN FORCEIn force — and the only CMMC Level 2 designation permitted in new procurement documents during the suspension | 32 CFR Part 170 (§170.16); DFARS 252.204-7021 |
| CMMC Level 2 (C3PAO) — third-party certification assessment | SUSPENDEDSuspended — may not be newly designated during the review | July 13, 2026 DoW suspension memo |
| CMMC Level 3 (DIBCAC) — government-led assessment | PARTIALNew Level 3 designations prohibited; select Government-led NIST SP 800-171 assessments continue | July 13, 2026 DoW suspension memo |
| Submit your result to SPRS — Level 1: a compliance result; Level 2 (Self): a score and status | IN FORCEIn force | 32 CFR §170.15, §170.16; SPRS; DoD Assessment Methodology |
| Annual affirmation by a senior Affirming Official (AO) | IN FORCEIn force | 32 CFR Part 170 (§170.22) |
| 72-hour cyber-incident reporting when DFARS 252.204-7012 is in your contract and its conditions are met | IN FORCEIn force | DFARS 252.204-7012 |
| CMMC flow-down — the correct level flows to subcontractors whose systems process, store, or transmit FCI/CUI | IN FORCEIn force — watch for solicitation amendments removing paused language | DFARS 252.204-7021 (7012 has its own separate flow-down conditions) |
Which “CMMC self-assessment” are you actually trying to complete?
“CMMC self-assessment” can mean three different things, and buying the right service for the wrong one is one of the most expensive early mistakes you can make. It can mean CMMC Level 1 (Self) for FCI, CMMC Level 2 (Self) for CUI, or — commonly but imprecisely — posting a bare NIST SP 800-171 score to SPRS. They touch related controls, but they produce different results and different obligations.
A contractor recently described trying to post a score and finding that “the button is greyed out.” That can be a permissions or software problem — but it can also mean the company is standing in the wrong workflow, trying to complete one status when the contract actually requires another. Confirm the exact record your contract calls for before you pay anyone. Built from the CMMC Program rule and the assessment guides, verified .
The three-workflow matrix
| CMMC Level 1 (Self) | CMMC Level 2 (Self) | Bare NIST SP 800-171 score in SPRS | |
|---|---|---|---|
| Triggered by | Contract requires Level 1 (Self); you handle FCI | Contract requires Level 2 (Self); you handle CUI | Paperwork containing the codified DFARS 252.204-7019/-7020 Basic Assessment requirements — confirm whether the Feb 2026 Part 240 deviation governs |
| Security baseline | 15 safeguarding requirements (FAR 52.204-21) | 110 requirements, 14 families (NIST SP 800-171 Rev 2) | The 110 NIST requirements |
| Assessment method | Objectives mapped in the CMMC Level 1 guide | NIST SP 800-171A (examine, interview, test) | Contractor self-score via the DoD Assessment Methodology |
| Official result | Final Level 1 (Self) — a compliance result, not a certification | Conditional or Final Level 2 (Self) — a score/status, not a certification | A score only — not a CMMC status |
| Cadence | Annual self-assessment + annual affirmation | Every 3 years + annual affirmation | Not more than three years old unless the solicitation specifies shorter |
| POA&M allowed? | No — every applicable requirement must be MET | Restricted — see the 180-day rule below | N/A (score reflects current state) |
| Evidence retention | 6 years (§170.15) | 6 years (§170.16) | The 6-year CMMC artifact rule is a CMMC requirement, not automatically this workflow — follow your contract |
| Primary authority | 32 CFR §170.15; FAR 52.204-21 | 32 CFR §170.16, §170.21, §170.22; NIST SP 800-171A | DFARS 252.204-7019 / 252.204-7020 when applicable — not 252.204-7021 |
The takeaway:a bare NIST score, a Level 1 (Self) status, and a Level 2 (Self) status are not interchangeable, and no consultant should sell them as one undifferentiated “self-assessment service.” If your prime asked only for “a SPRS score,” or your contract names both a Basic Assessment and a CMMC status, stop and get that clarified before you scope anything.
Not sure which workflow your contract requires?
Find My CMMC Path →What legal risk does an unsupported CMMC self-assessment create?
With the third-party check on hold, your self-assessment result and the affirmation attached to it are what current CMMC eligibility runs on — and a score you knowingly can’t stand behind can create False Claims Act exposure. Under 31 U.S.C. § 3729, a false cybersecurity representation that is material to award or payment can trigger liability. “Knowingly” includes reckless disregard — signing without checking — and no cybersecurity breach is required for that representation-based theory.
A False Claims Act violation can carry up to three times the damages the government sustains because of the violation — not three times every dollar you were paid — plus an inflation-adjusted civil penalty currently between $14,308 and $28,619 per violation, and separate invoices may be treated as separate claims depending on the facts. The Justice Department’s Civil Cyber-Fraud Initiative, running since 2021, has made cybersecurity misrepresentation an enforcement priority. A recurring feature of these cases: they’re often triggered by insiders — someone inside the company who knows the submitted score doesn’t match the real environment.
Here’s the reassuring part, and it’s real: this risk is entirely manageable, and a defensible self-assessment is exactly how you retire it. A score you can trace to evidence, an accurate SSP, and an Affirming Official who reviewed the evidence before signing — that’s the good-faith, documented basis that supports what you submitted. If you’re carrying a score you’re no longer sure about, getting ahead of it is almost always the better position to be in. Fixing it before someone else flags it is the entire job of the services this page is about.
See also: False Claims Act risk and CMMC and CMMC annual affirmation legal liability.
What should CMMC self-assessment services actually include?
A defensible self-assessment engagement is a sequence of buyer-owned deliverables — not a gap scan, a questionnaire, or a black-box score. The exact deliverables depend on your workflow: Level 1 ends in a compliance result; Level 2 (Self) adds an SSP, objective-level findings, a numeric score, and — where eligible — restricted POA&M analysis. Whatever the level, you should end up owning the evidence, the finding rationale, and the record you’ll have to defend.
One hard truth: a consultant cannot take on your accountability.Under the rule, the Organization Seeking Assessment (OSA — that’s you) conducts and owns the official self-assessment, and your internal Affirming Official signs the affirmation in SPRS (32 CFR §170.16, §170.22). A consultant can facilitate the method and build the evidence with you — the CMMC Level 1 guide expressly allows outside help — but it stays yourassessment, and no one can affirm on your behalf. If a vendor’s whole pitch is “we install an EDR and a SIEM,” that’s technology, not a self-assessment.
So here’s the standard. This is our CMMC Self-Assessment Services Scope & Quote Standard (v1.0, verified ) — an editorial procurement standard that maps each work package to its governing authority, the deliverable you own, what a consultant may do, what you must retain, and the acceptance test. Assembled from 32 CFR Part 170, the CMMC Level 1 and Level 2 assessment guides, and NIST SP 800-171A.
The buyer-owned scope of work and acceptance matrix
| Work package | Applies to | Deliverable you own | Consultant may do | You must retain | How you know it’s done right |
|---|---|---|---|---|---|
| 1. Confirm the requirement | L1, L2, Basic | A memo naming the exact solicitation, clause, mod, or flow-down language and the required status | Read your supplied non-sensitive clause language and map it to the workflow | Authoritative interpretation where the language is ambiguous | The memo names Level 1 (Self), Level 2 (Self), a bare NIST score, or “unresolved,” and cites the controlling document |
| 2. Define the FCI/CUI data flow | L1, L2 | An approved data-flow and boundary narrative | Facilitate interviews and document likely flows | Confirmation of what you receive, create, store, transmit, and share | Every ingress, egress, user group, service provider, and storage location has an owner |
| 3. Inventory assets, sites, CAGE codes | L1, L2 | A reconciled scope inventory | Build the inventory and asset-category mapping | Validation of ownership and real operational use | Scope agrees across the diagram, SSP, CAGE list, and assessment record — not just “Microsoft 365” |
| 4. Map cloud/MSP responsibilities | L1, L2 | A Customer Responsibility Matrix and evidence-owner map | Review provider contracts and shared-responsibility docs | Confirmation of actual responsibility and access | Every inherited or shared requirement has a named evidence source — “the cloud is compliant” is not evidence |
| 5. Ready the SSP and evidence | L2 (Self); Basic | A current SSP and an objective-level evidence index | Draft, organize, and quality-check the documentation | Approval that it describes the real environment | Every relevant objective maps to final-form evidence, an owner, a location, and a date |
| 6. Build the assessment plan | L2 | An approved examine/interview/test plan | Design the sampling, interviews, and tests | Systems and people made available | The plan names method, object, owner, schedule, and expected evidence per objective |
| 7. Assess at the objective level | L1, L2 | A findings workbook with full traceability | Conduct interviews, examine evidence, observe tests, document findings | Validation of accuracy and dispute resolution | Every finding shows objective, method, evidence, rationale, and MET / NOT MET / N/A |
| 8. Calculate and QA the result or score | L1 (result); L2 (score) | A reproducible result-or-score calculation | Calculate and independently quality-check | Approval of the factual basis | A second reviewer can rebuild your result from the findings alone |
| 9. Determine POA&M eligibility | L2 only | A written eligibility-and-closeout memo | Identify potentially eligible items; build remediation tracking | Approval of commitments and resourcing | The memo applies the score threshold and the excluded-item rules — not “any 88 qualifies” |
| 10. Hand off to SPRS and your AO | L1, L2 CMMC statuses | A submission packet and an AO decision packet | Prepare instructions and run a dry run | Account control; submit or authorize; make the affirmation call | Your AO can trace the result to evidence and understands the continuing obligation |
| 11. Sustain it | L1, L2 | An annual/triennial calendar and a change-trigger register | Establish the evidence-maintenance and reassessment cadence | Operation of the controls; reporting of material changes | Named owners, recurring dates, and change events are documented — not a binder nobody opens |
Insist your engagement also puts in writing: you own every editable artifact and can export it in standard formats (no lock-in to the consultant’s platform), the remediation and technical-implementation boundaries are defined, change-order triggers are listed, and the consultant will not control your SPRS credentials or make your affirmation. If a proposal resists any of those, that tells you something.
Who is responsible for a CMMC self-assessment: the contractor, the consultant, or the Affirming Official?
The consultant facilitates the method and builds the evidence; the OSA conducts and owns the official self-assessment; the Affirming Official owns the attestation. Blurring those three roles is how contractors end up paying for polished documents that don’t match their real environment — or worse, signing an affirmation nobody verified.
The rule is specific about the Affirming Official: a senior representative from within the OSA with the responsibility and authority to attest to continued compliance, who submits the affirmation into SPRS after the assessment, after any POA&M closeout, and annually thereafter (32 CFR §170.22). At a two-person shop, the owner may be the AO — but that person still needs to understand what they’re signing.
| Role | Primary work / retained accountability |
|---|---|
| Consultant / RPO | May support scoping, documentation, evidence collection, interviews, testing, draft findings, result-or-score calculation, QA, and handoff prep — does not own the official result or the affirmation |
| Your IT/security lead | Whether systems and data flows are represented accurately; whether evidence reflects real operations |
| Your business/control owners | Whether findings are factually correct; whether remediation commitments are achievable |
| Contracts/legal | What the contract actually requires; ambiguity resolution |
| Affirming Official (AO) | Whether the result is ready to submit and whether the company can truthfully affirm — this cannot be delegated to the consultant |
| SPRS administrator (internal) | Account control and the submission itself, under your access procedures |
What’s the difference between a CMMC self-assessment and a gap assessment?
A gap or readiness assessment is advisory — it tells you where you stand and what to fix. The official self-assessment is the regulated activity that produces your CMMC status. They’re often sold together, and both are useful, but they’re not the same deliverable, and a gap assessment alone does not create a Level 1 or Level 2 (Self) status.
A gap assessment measures your current controls against the standard, produces a working score, and hands you a prioritized remediation list. It has no fixed format and no submission step. The official self-assessmentfollows the rule’s scope rules, applies the NIST SP 800-171A methods, produces the result or score you submit to SPRS, and carries the annual affirmation. In plain terms: the gap assessment tells you what to build; the self-assessment attests to what you built. Most first-time contractors run a gap assessment first, remediate, then complete the official self-assessment — and a good consultant will keep those two phases clearly labeled in the scope and the invoice.
See also: CMMC Level 2 assessment guide.
How much do CMMC self-assessment services cost?
There’s no honest universal consultant price, so start with the one primary-sourced anchor available: the 2024 CMMC Program rule’s regulatory economic analysis in the Federal Register. It models roughly $5,977 a year for a small entity at Level 1; about $34,277 for the initial Level 2 (Self) assessment and affirmation, or $37,196 over three years, for a small entity; and about $43,403 initial / $48,827 over three years for an other-than-small entity. Those figures assume the controls are already implemented, and they exclude the engineering and remediation that usually drive the real bill.
That last sentence is the whole game. The government’s number is the cost to prove compliance, not to achieve it. For context, the same rule models Level 2 (C3PAO) near $104,670 (small) to $117,768 (other-than-small)over three years — but that path is paused for new awards, so it’s a benchmark, not your invoice. See our full CMMC Level 2 cost guide for more on the cost landscape.
| Scenario | Estimated cost | The critical assumption |
|---|---|---|
| Small entity — Level 1 (Self) + affirmation | ~$5,977 / year | Controls already implemented; modeled labor across the rule's assumed categories |
| Small entity — Level 2 (Self) + affirmations | ~$34,277 initial; ~$37,196 over 3 years | Rev 2 already implemented; the model assigns labor hours across contractor and external-service-provider categories — these are modeling inputs, not a typical engagement duration |
| Other-than-small entity — Level 2 (Self) + affirmations | ~$43,403 initial; ~$48,827 over 3 years | Same assumption, larger environment |
| (Context only — paused for new awards) Level 2 C3PAO | ~$104,670–$117,768 over 3 years | Assessment + affirmations, not remediation |
What actually moves your number: the correct assessment type, your number of systems and boundaries, CAGE codes and sites, how many cloud and managed-service dependencies you carry, how mature your SSP and evidence already are, whether the environment is even implemented yet, your turnaround pressure, and whether remediation and sustainment are in or out of scope.
One lever moves several of them: scope. Level 2 scope is not limited to systems that directly store, process, or transmit CUI — it also includes Security Protection Assets, while Contractor Risk Managed Assets and Specialized Assets get their own documentation and assessment treatment under 32 CFR §170.19. A CUI enclave can shrink your scope, but only when the data flow, users, endpoints, administrative paths, connected systems, service providers, and security-protection assets actually support that boundary.
Which type of provider should you hire for a self-assessment?
Hire the category that matches the work you actually have left. This is our editorial read under The CMMC Path Framework: an RPO or readiness consultant for scope, evidence, and assessment method; an MSSP or CMMC-focused MSP when you also need the controls built and run; a GRC platform to structure evidence and workflow; a CUI enclave provider when architecture reduction is the strategy; and a C3PAO only when your contract requires a formal certification assessment — which, during the suspension, new awards generally will not.
| Provider category | Best fit for a self-assessment | Not the primary fit | What to verify before hiring |
|---|---|---|---|
| RPO / RP / readiness consultant | Scope, requirement interpretation, SSP, evidence, assessment method, findings | Running your infrastructure long-term; formal certification | RPO listing; a redacted sample SSP; their scoring methodology; who signs off; that you keep the evidence index |
| CMMC-focused MSP / MSSP | Implementing and operating the technical controls, plus evidence | Independently assessing its own managed work | That delivery is authoring + assessment, not just tooling; a clean exit/export plan and a responsibility matrix |
| GRC platform | Structuring evidence, versioning documents, tracking a running score | Replacing human scope judgment or building controls | The platform's score is not an official SPRS determination; you can fully export your data |
| vCISO / documentation specialist | Governance, policy, control ownership, SSP, executive coordination | Full managed infrastructure or certification | Specific federal-contracting experience and references |
| CUI enclave provider | Shrinking the CUI boundary when architecture change is justified | Automatically making every business process compliant | A residual-scope analysis — the enclave doesn't erase every connected system or your Security Protection Assets |
| C3PAO | A formal Level 2 certification assessment when the contract requires it | Default readiness or self-assessment help during the suspension | Current authorization; and a written conflict-of-interest representation (below) |
On the conflict-of-interest rule — get this exactly right. It is not a simple, permanent, industry-wide ban on a firm both preparing and assessing you. The specific rule (32 CFR §170.8) bars a CMMC ecosystem member from participating in the Level 2 certification assessment for an organization it consulted to prepare for any CMMC assessment within the preceding three years. Separately, the Cyber AB’s CMMC Assessment Process requires the C3PAO to identify and manage impartiality and conflicts. During the current suspension, new Level 2 C3PAO designations are prohibited anyway — but if you’re choosing a readiness partner today who you’d want to assess you later, keep that three-year separation in mind and require a written conflict representation tied to your specific engagement.
How to compare CMMC self-assessment consultant quotes without getting played
Compare every proposal against one scope you defined — not against each vendor’s marketing vocabulary. Three consultants will quote three different things and call them all “CMMC self-assessment services.” The decisive fields are objective-level depth, buyer-owned deliverables, evidence ownership, what’s excluded, SPRS and AO support, secure-data handling, and change-order triggers — not the lowest total.
Send every bidder the same scope (packages 1–11 above) and the same assumptions, then normalize on these twenty fields:
- Assessment path (Level 1 Self / Level 2 Self / bare NIST score / readiness only)
- Scope and stated assumptions
- CAGE codes and sites covered
- Deliverables (mapped to packages 1–11)
- Objective-level method (examine/interview/test), not a questionnaire
- SSP scope — draft, review, or author
- Evidence depth — index only, or collection and validation
- Technical implementation — included or excluded
- Documentation remediation — included or excluded
- POA&M eligibility work
- Retesting after remediation
- SPRS handoff support
- Affirming Official decision-packet support
- Artifact ownership and export format
- Secure-data handling (where your evidence lives, who can touch it)
- Written conflict-of-interest representation
- Change-order triggers and rates
- Sustainment — included or excluded
- Fixed fee vs. time-and-materials
- Payment milestones
What a trustworthy consultant should never promise
If you see any of these, slow down. Built from the rule itself.
| Red flag | Why it matters | What good looks like instead |
|---|---|---|
| "Guaranteed CMMC certification" | Self-assessment doesn't produce a certificate, and no one can guarantee a future outcome | "We'll perform the documented scope and surface every unresolved finding" |
| "We own or sign your assessment" | The OSA owns it; your internal AO affirms it (§170.16, §170.22) | "We prepare an evidence-backed handoff for your authorized officials" |
| "Your bare SPRS score is your Level 2 status" | Different workflows, different results | They identify the exact workflow you're in |
| "Revision 3 is required for CMMC Level 2 now" | CMMC still incorporates Rev 2; Rev 3 is a future-readiness topic pending rulemaking | They distinguish current CMMC from future readiness |
| "Any score of 88 can use a POA&M" | The rule also restricts which unmet items may be deferred | They apply both the threshold and the excluded-item rules |
| "Upload your diagrams and system details here" | Public forms aren't for sensitive data | Non-sensitive intake first, then an approved secure channel |
| "We'll prep you and then assess you with the same team" | May trip the three-year conflict rule (§170.8) and impartiality requirements | Written conflict analysis before you engage |
| "All your evidence stays in our platform" | Creates exit and audit risk | Full, client-owned export in standard formats |
| "One fixed price before we know your path or scope" | Usually hides exclusions and change orders | Stated assumptions and scope-change triggers |
Put every bidder on the same footing using the scope and the twenty fields above. When you’re ready for introductions, request scoped quotes from matched provider categories. Do not submit CUI, drawings, or contract numbers.
What should you have ready before you hire a CMMC self-assessment consultant?
Walk into the first call with the facts that let a consultant scope accurately — it shortens the engagement and sharpens the quote. The single most useful thing you can bring is the governing paperwork, because that’s what settles your level and assessment type before anyone estimates a dollar.
Have these on hand: the exact solicitation, contract clause, modification, or prime flow-down language; your CAGE code list; a rough inventory of the systems and sites that touch government information; a first pass at how FCI or CUI moves through your environment; your current SSP status (drafted, partial, or none); a list of your cloud, MSP, and external-service-provider dependencies; any existing SPRS score or CMMC status; your contract or proposal deadline; and the internal people who’ll own the work — including whoever will serve as your Affirming Official. You don’t need this to be polished. You need it to be honest, because a consultant who scopes off “we handle CUI” without seeing the real picture is guessing, and you’ll pay for the guess in change orders.
Which DFARS clause controls your assessment workflow?
Because this topic now spans several clause numbers, here’s the crosswalk — current as of . Confirm the exact language in your own paperwork; existing contracts and new covered procurements can reference different clauses during the transition.
| Clause | What it does | Who performs the assessment | What enters SPRS | Creates a CMMC status? |
|---|---|---|---|---|
| DFARS 252.204-7012 | Safeguarding covered defense information; 72-hour incident reporting | You (implement NIST SP 800-171) | Nothing itself | NO |
| DFARS 252.204-7019 / -7020 (codified; superseded in covered new procurements by the Feb 2026 deviation) | The legacy "Basic Assessment" self-assessment and DoD assessment requirements | Contractor (Basic); Government (Medium/High) | A summary NIST score | NO |
| DFARS 252.240-7997 (Feb 1, 2026 class deviation, Part 240) | Government Medium and High NIST SP 800-171 assessments | Government | Government-entered assessment results | NO |
| DFARS 252.204-7021 | Your CMMC status requirement and annual affirmation | You (Self) or an authorized C3PAO | CMMC status, score/result, CMMC UID, affirmation | YES |
| DFARS 252.204-7025 | States the required CMMC level in the solicitation | — | — | Sets the required status |
What happens if your self-assessment finds gaps?
At Level 1, an unmet applicable requirement stops you cold — there is no assessment POA&M, so everything must be MET before you reach Final Level 1 (Self). At Level 2 (Self), you can still be eligible for award with a Conditional status if your score reaches 80% of the maximum (88 of 110) and certain critical requirements are met, but every deferred item goes on a POA&M that must close within 180 days. This comes straight from the rule text at 32 CFR §170.21.
The nuance that trips people: 88 is necessary but not sufficient.The rule applies two separate filters to what can even go on the assessment POA&M. First, any requirement worth more than one point can’t be deferred — with one narrow exception, the encryption requirement SC.L2-3.13.11. Second, six requirements are categorically barred regardless of points: AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. You can’t hit 88 by leaving the wrong controls open and expect the math to save you.
Then the clock runs. Within 180 days of a Conditional status, you must remediate the original NOT MET requirements and pass a POA&M closeout assessment — one that reassesses only those original items. Clear it and you reach Final Level 2 (Self). Miss the 180 days and the Conditional status expires, and standard contractual remedies apply (32 CFR §170.21(b)).
Note the distinction: an internal operational plan you use to manage a temporary deficiency is not automatically the same thing as the formal assessment POA&M that supports a Conditional status.
Who submits and affirms the result in SPRS?
You do — and you should keep control of the account. The contractor verifies the scope, CAGE codes, and official result — and, for Level 2, the score — then hands the Affirming Official an evidence-backed decision packet before that senior official attests to continuing compliance in SPRS. A consultant may guide the submission under your access procedures, but the affirmation is yours to make.
What goes in depends on the workflow. A Level 1 (Self) record captures your level, status date, assessment scope, associated CAGE codes, and compliance result. A Level 2 (Self) record adds your overall score and POA&M status where applicable. In every case, the affirmation is a formal attestation entered by your named Affirming Official — which is exactly why that official should review the evidence, not just the number, before signing.
Your AO decision packet should include: the final result, the scope, an evidence-quality summary, any unmet items, POA&M status, material assumptions, unresolved disagreements, where the evidence is retained, and the continuing-compliance obligations that don’t end at submission.
Starting from scratch and want a self-serve next step? Download the CMMC Readiness Checklist, mapped to the 14 control families. A direct download. Do not submit CUI.
What changes for small shops, subcontractors, and CUI enclave users?
The obligation doesn’t shrink because you’re small, but the engagement should be right-sized to your real boundary, your internal capacity, and your provider dependencies. A two-person subcontractor, a machine shop leaning on an MSP, a SaaS company living in the cloud, and an enclave user can need very different interviews, implementation help, and evidence ownership — even when the assessment designation is identical. The category routes below are our editorial conclusions under The CMMC Path Framework.
| Persona | The one question that decides your scope | Likely category | The common overbuy |
|---|---|---|---|
| 1–5 person contractor | Who can truthfully own the Affirming Official role? | RPO + targeted MSP support | An enterprise managed program before the boundary is defined |
| Small manufacturer / machine shop | How are Specialized Assets and shop-floor systems handled? | CMMC-focused MSP/MSSP + readiness | Treating office IT as the entire scope |
| Sub with a vague prime request | What data and status does the flow-down actually name? | Contract clarification + readiness advisor | Buying a C3PAO assessment before the subcontract is clear |
| Existing MSP customer | Who owns each piece of evidence, and can you get it? | MSP + independent readiness/documentation | Assuming the MSP's compliance proves yours |
| CUI enclave / GCC High user | What Security Protection Assets and admin paths remain in scope? | Enclave architect + scoping support | Treating a product purchase as complete compliance |
| Cloud/SaaS contractor | What are the CSP/ESP responsibilities and privileged-admin paths? | Cloud-security readiness + vCISO/GRC | Looking only at the cloud authorization |
| Multiple CAGEs or sites | Does scope reconcile to each CAGE and system? | Experienced scoping/readiness team | One generic company-wide score with no scope logic |
If any of these is your situation and you’re not sure which category fits, that’s exactly what the routing tool is for. If you clearly need something otherthan self-assessment help (technical remediation, an enclave build, or a formal certification path), we’d rather send you to the right guide than sell you the wrong scope.
How long does a CMMC self-assessment take?
There’s no fixed calendar duration — it’s driven by your level, your starting posture, and how much remediation stands between you and a defensible result. The Final Rule’s modeled labor hours are burden-model inputs, not a promised project length, so treat any consultant’s timeline as a function of your gap, not a standard.
Three honest patterns. If you handle only FCI and your basics are in place, a Level 1 (Self) can move quickly — the work is confirming and documenting the 15 safeguards. If you handle CUI and the 110 requirements are genuinely implemented, a Level 2 (Self) is mostly assessment, evidence assembly, and scoring — measured in weeks once the SSP and evidence are ready. If you handle CUI and there are real gaps, the calendar is set by remediation, not the assessment, and that’s where months go. The fastest path to a status you can defend is scoping tightly and getting the SSP and evidence in order before you assess — not compressing the assessment itself.
How we researched and verified this guide
We separated three kinds of claims: binding requirements (cited to the primary authority), current-status facts (dated and re-verified), and our own editorial judgment (labeled as such). We don’t rank named providers on this page, and we didn’t evaluate any specific company’s quality for it.
What we verified on : the July 13 Phase II suspension release and implementation memo; the CMMC Program rule at 32 CFR Part 170 (published in the Federal Register, effective December 16, 2024); the DFARS acquisition rule and clause 252.204-7021 (effective November 10, 2025), provision 252.204-7025, clause 252.204-7012, the codified 252.204-7019/-7020, and the February 2026 Part 240 class deviation and clause 252.240-7997; the CMMC Level 1 and Level 2 assessment guides; NIST SP 800-171 Rev 2 and NIST SP 800-171A; and the Final Rule’s cost estimates. Community forums were used only to capture how buyers describe the problem — never as a source for a regulatory claim.
What we could not establish, and won’t fake:a universal consultant price, any named provider’s quality or outcomes, certification pass rates, a confirmed restart date for Phase II, or the outcome of the 60-day review. When those firm up, we’ll update this page and change the “Last verified” date.
CMMC self-assessment services FAQ
- Do I need a consultant for CMMC Level 1?
- Can a consultant perform my CMMC self-assessment?
- Can a consultant submit my score and affirmation to SPRS?
- Does consultant help produce CMMC certification?
- Is Level 2 (Self) still in effect in July 2026?
- Is a bare NIST 800-171 SPRS score the same as Level 2 (Self)?
- Can Level 1 use a POA&M?
- What Level 2 score qualifies for Conditional status?
- How long is a Level 2 (Self) status good for?
- Do I have to hire an RPO?
- Can my MSP do this?
- Should I hire a C3PAO during the suspension?
- What should I never put into a matching or intake form?
- What if my signed paperwork conflicts with the suspension?
Ready to move?
Primary sources
Related resources
- CMMC Phase 2 Suspended: What Still Binds You
- Is CMMC Still Required After the Suspension?
- CMMC Level 2 Assessment Guide
- How Much Does CMMC Level 2 Cost?
- False Claims Act Risk and CMMC
- CMMC Annual Affirmation Legal Liability
- CMMC Readiness Checklist (Download)
- CMMC Final Rule Overview
- CMMC 2.0 Explained
- What Is CMMC?