The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

STATUS — Phase II suspended. . Self-assessment still in force.

The Department suspended CMMC Phase II (C3PAO requirement expansion). CMMC Level 1 (Self) and Level 2 (Self) requirements were not suspended. Your SPRS score, affirmation, and underlying NIST SP 800-171 Rev 2 obligation remain in force. See what changed and what didn’t.

CMMC Self-Assessment Services & Consultant: What to Buy, What It Costs, and Who Owns the Result

By The Defense Compliance Report Editorial Team · Last reviewed: · Regulatory state verified:

Rechecked when official guidance changes during the CMMC reform review.

Independent editorial research — not formally reviewed by an outside CMMC advisor. Confirm scope and applicability with a Registered Practitioner or a federal-contracts attorney before acting.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page is educational research, not legal, contractual, assessment, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO), or a qualified federal-contracts attorney.

If a solicitation, a contract modification, or a prime flow-down just told you to complete a CMMC self-assessment, and you’re weighing CMMC self-assessment services or a consultant, start here. The suspension did not remove that requirement. What you owe depends on your level, and the two paths aren’t the same:

A consultant can do most of that work with you. What a consultant cannot do is own the result or make the affirmation — your organization does that, through a senior official within your company who has the authority to affirm.

And here’s the part almost nobody is saying out loud this month: pausing the audit didn’t pause the accountability. Your organization always owned the self-assessment and the signature under it — that never sat with a third party. What changed is that, with the third-party (C3PAO) check on hold, your self-assessment and that signature are now the main thing the government is relying on during the review. That makes buying this correctly more important now, not less.

This is the buyer’s manual for that decision — not a sales page. We read the July 13 suspension memo, cross-checked it against the CMMC Program rule at 32 CFR Part 170, worked through both the codified DFARS clauses and the February 2026 class deviation, and pulled the Department of Defense’s own cost estimates straight from the Federal Register.

Which readers this page is for — and which it isn’t

Which readers this page is for and which it is not
This page is for you if…This page is notyour best next step if…
Your paperwork requires CMMC Level 1 (Self) or Level 2 (Self) and you need help scoping, documenting, scoring, or submitting itYour contract requires a Level 2 (C3PAO) certification assessment or Level 3 (DIBCAC) — see our C3PAO and assessment guides
You want to know what a self-assessment consultant should deliver, what it costs, and how to vet a quoteYou mainly need technical remediation — building the controls — first; start with the readiness / MSP category
You have an SPRS score you're no longer sure you can defendYou don't yet know which assessment type your contract requires — resolve that first (below)

Confirm your CMMC path before you scope a quote.

The right provider isn’t the same for every contractor — your required level, data type, environment, and timeline all affect the category you need. Use the routing tool to map your situation before you request a single quote. Do not submit CUI, drawings, or contract numbers.

Find My CMMC Path →

Do you still need a CMMC self-assessment after the July 2026 suspension?

Yes. On , the Department of War — the secondary title currently used by the Department of Defense in non-statutory communications — suspended the planned transition to CMMC Phase II, which would have expanded the use of Level 2 C3PAO requirements beginning November 10, 2026. But the Phase I self-assessment requirements that took effect November 10, 2025 remain in force. The audit expansion paused. The security requirement, the score, and the affirmation did not.

CMMC (Cybersecurity Maturity Model Certification) is the Defense Department’s program for verifying that contractors handling government information meet a defined cybersecurity baseline. The Department’s Chief Information Officer, Kirsten Davies, framed the move as cutting red tape rather than cutting cybersecurity. The certification mechanism is under a 60-day review. The obligation underneath it is not.

Put it together and you get the point of this page: during the review, new procurements may designate only Level 1 (Self) or Level 2 (Self) for CMMC — the C3PAO and Level 3 designations can’t be newly added. So for now, self-assessment is the CMMC path sitting in front of new awards. More companies are self-assessing than the rollout originally planned to route that way.

One caution: a press release is not your contract. The implementation memo directs contracting officers to amend affected solicitations and modifyaffected contracts. If your live paperwork still names a C3PAO or Level 3 requirement, don’t assume it silently changed — get the amendment, modification, or written direction that applies to your award. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

What survived the suspension, and what didn’t

Built from the July 13 release and implementation memo, the CMMC Program rule (32 CFR Part 170), and the DFARS clauses. Verified .

CMMC obligations after the July 13, 2026 suspension
ObligationStatus after the July 13, 2026 suspensionControlling authority
Implement NIST SP 800-171 Rev 2 (110 requirements, 14 families) if you handle CUIIN FORCEIn forceDFARS 252.204-7012; NIST SP 800-171 Rev 2
CMMC Level 1 (Self) — annual self-assessment for Federal Contract Information (FCI)IN FORCEIn force32 CFR Part 170 (§170.15); FAR 52.204-21
CMMC Level 2 (Self) — self-assessment for CUI where the contract designates itIN FORCEIn force — and the only CMMC Level 2 designation permitted in new procurement documents during the suspension32 CFR Part 170 (§170.16); DFARS 252.204-7021
CMMC Level 2 (C3PAO) — third-party certification assessmentSUSPENDEDSuspended — may not be newly designated during the reviewJuly 13, 2026 DoW suspension memo
CMMC Level 3 (DIBCAC) — government-led assessmentPARTIALNew Level 3 designations prohibited; select Government-led NIST SP 800-171 assessments continueJuly 13, 2026 DoW suspension memo
Submit your result to SPRS — Level 1: a compliance result; Level 2 (Self): a score and statusIN FORCEIn force32 CFR §170.15, §170.16; SPRS; DoD Assessment Methodology
Annual affirmation by a senior Affirming Official (AO)IN FORCEIn force32 CFR Part 170 (§170.22)
72-hour cyber-incident reporting when DFARS 252.204-7012 is in your contract and its conditions are metIN FORCEIn forceDFARS 252.204-7012
CMMC flow-down — the correct level flows to subcontractors whose systems process, store, or transmit FCI/CUIIN FORCEIn force — watch for solicitation amendments removing paused languageDFARS 252.204-7021 (7012 has its own separate flow-down conditions)

A note on the February 2026 class deviation. Effective , a class deviation (2026-O0025) directs contracting officers to use the new DFARS Part 240 and clause 252.240-7997 in covered solicitations and contracts. That deviation clause covers the Government’s Medium and High NIST SP 800-171 assessments — it does notrecreate the old contractor “Basic Assessment” self-assessment. The codified DFARS still publishes 252.204-7019 and 252.204-7020, so you’ll still see those numbers in existing and transition-era paperwork, and DFARS 252.204-7021 separately governs your CMMC status and affirmation. Don’t assume a bare “Basic Assessment” NIST score and a CMMC Level 1 or Level 2 (Self) status are the same thing.

Which “CMMC self-assessment” are you actually trying to complete?

“CMMC self-assessment” can mean three different things, and buying the right service for the wrong one is one of the most expensive early mistakes you can make. It can mean CMMC Level 1 (Self) for FCI, CMMC Level 2 (Self) for CUI, or — commonly but imprecisely — posting a bare NIST SP 800-171 score to SPRS. They touch related controls, but they produce different results and different obligations.

A contractor recently described trying to post a score and finding that “the button is greyed out.” That can be a permissions or software problem — but it can also mean the company is standing in the wrong workflow, trying to complete one status when the contract actually requires another. Confirm the exact record your contract calls for before you pay anyone. Built from the CMMC Program rule and the assessment guides, verified .

The three-workflow matrix

Three-workflow matrix: CMMC Level 1 Self, Level 2 Self, and bare NIST SP 800-171 score in SPRS
 CMMC Level 1 (Self)CMMC Level 2 (Self)Bare NIST SP 800-171 score in SPRS
Triggered byContract requires Level 1 (Self); you handle FCIContract requires Level 2 (Self); you handle CUIPaperwork containing the codified DFARS 252.204-7019/-7020 Basic Assessment requirements — confirm whether the Feb 2026 Part 240 deviation governs
Security baseline15 safeguarding requirements (FAR 52.204-21)110 requirements, 14 families (NIST SP 800-171 Rev 2)The 110 NIST requirements
Assessment methodObjectives mapped in the CMMC Level 1 guideNIST SP 800-171A (examine, interview, test)Contractor self-score via the DoD Assessment Methodology
Official resultFinal Level 1 (Self) — a compliance result, not a certificationConditional or Final Level 2 (Self) — a score/status, not a certificationA score only — not a CMMC status
CadenceAnnual self-assessment + annual affirmationEvery 3 years + annual affirmationNot more than three years old unless the solicitation specifies shorter
POA&M allowed?No — every applicable requirement must be METRestricted — see the 180-day rule belowN/A (score reflects current state)
Evidence retention6 years (§170.15)6 years (§170.16)The 6-year CMMC artifact rule is a CMMC requirement, not automatically this workflow — follow your contract
Primary authority32 CFR §170.15; FAR 52.204-2132 CFR §170.16, §170.21, §170.22; NIST SP 800-171ADFARS 252.204-7019 / 252.204-7020 when applicable — not 252.204-7021

The takeaway:a bare NIST score, a Level 1 (Self) status, and a Level 2 (Self) status are not interchangeable, and no consultant should sell them as one undifferentiated “self-assessment service.” If your prime asked only for “a SPRS score,” or your contract names both a Basic Assessment and a CMMC status, stop and get that clarified before you scope anything.

Not sure which workflow your contract requires?

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.

Find My CMMC Path →

Do not submit CUI, drawings, or contract numbers.

Here’s the part nobody’s advertising.

With the third-party check on hold, your self-assessment result and the affirmation attached to it are what current CMMC eligibility runs on — and a score you knowingly can’t stand behind can create False Claims Act exposure. Under 31 U.S.C. § 3729, a false cybersecurity representation that is material to award or payment can trigger liability. “Knowingly” includes reckless disregard — signing without checking — and no cybersecurity breach is required for that representation-based theory.

General enforcement information, not legal advice.

A False Claims Act violation can carry up to three times the damages the government sustains because of the violation — not three times every dollar you were paid — plus an inflation-adjusted civil penalty currently between $14,308 and $28,619 per violation, and separate invoices may be treated as separate claims depending on the facts. The Justice Department’s Civil Cyber-Fraud Initiative, running since 2021, has made cybersecurity misrepresentation an enforcement priority. A recurring feature of these cases: they’re often triggered by insiders — someone inside the company who knows the submitted score doesn’t match the real environment.

Here’s the reassuring part, and it’s real: this risk is entirely manageable, and a defensible self-assessment is exactly how you retire it. A score you can trace to evidence, an accurate SSP, and an Affirming Official who reviewed the evidence before signing — that’s the good-faith, documented basis that supports what you submitted. If you’re carrying a score you’re no longer sure about, getting ahead of it is almost always the better position to be in. Fixing it before someone else flags it is the entire job of the services this page is about.

See also: False Claims Act risk and CMMC and CMMC annual affirmation legal liability.

What should CMMC self-assessment services actually include?

A defensible self-assessment engagement is a sequence of buyer-owned deliverables — not a gap scan, a questionnaire, or a black-box score. The exact deliverables depend on your workflow: Level 1 ends in a compliance result; Level 2 (Self) adds an SSP, objective-level findings, a numeric score, and — where eligible — restricted POA&M analysis. Whatever the level, you should end up owning the evidence, the finding rationale, and the record you’ll have to defend.

One hard truth: a consultant cannot take on your accountability.Under the rule, the Organization Seeking Assessment (OSA — that’s you) conducts and owns the official self-assessment, and your internal Affirming Official signs the affirmation in SPRS (32 CFR §170.16, §170.22). A consultant can facilitate the method and build the evidence with you — the CMMC Level 1 guide expressly allows outside help — but it stays yourassessment, and no one can affirm on your behalf. If a vendor’s whole pitch is “we install an EDR and a SIEM,” that’s technology, not a self-assessment.

So here’s the standard. This is our CMMC Self-Assessment Services Scope & Quote Standard (v1.0, verified ) — an editorial procurement standard that maps each work package to its governing authority, the deliverable you own, what a consultant may do, what you must retain, and the acceptance test. Assembled from 32 CFR Part 170, the CMMC Level 1 and Level 2 assessment guides, and NIST SP 800-171A.

The buyer-owned scope of work and acceptance matrix

CMMC self-assessment services scope and quality standard — buyer-owned work packages and acceptance criteria
Work packageApplies toDeliverable you ownConsultant may doYou must retainHow you know it’s done right
1. Confirm the requirementL1, L2, BasicA memo naming the exact solicitation, clause, mod, or flow-down language and the required statusRead your supplied non-sensitive clause language and map it to the workflowAuthoritative interpretation where the language is ambiguousThe memo names Level 1 (Self), Level 2 (Self), a bare NIST score, or “unresolved,” and cites the controlling document
2. Define the FCI/CUI data flowL1, L2An approved data-flow and boundary narrativeFacilitate interviews and document likely flowsConfirmation of what you receive, create, store, transmit, and shareEvery ingress, egress, user group, service provider, and storage location has an owner
3. Inventory assets, sites, CAGE codesL1, L2A reconciled scope inventoryBuild the inventory and asset-category mappingValidation of ownership and real operational useScope agrees across the diagram, SSP, CAGE list, and assessment record — not just “Microsoft 365”
4. Map cloud/MSP responsibilitiesL1, L2A Customer Responsibility Matrix and evidence-owner mapReview provider contracts and shared-responsibility docsConfirmation of actual responsibility and accessEvery inherited or shared requirement has a named evidence source — “the cloud is compliant” is not evidence
5. Ready the SSP and evidenceL2 (Self); BasicA current SSP and an objective-level evidence indexDraft, organize, and quality-check the documentationApproval that it describes the real environmentEvery relevant objective maps to final-form evidence, an owner, a location, and a date
6. Build the assessment planL2An approved examine/interview/test planDesign the sampling, interviews, and testsSystems and people made availableThe plan names method, object, owner, schedule, and expected evidence per objective
7. Assess at the objective levelL1, L2A findings workbook with full traceabilityConduct interviews, examine evidence, observe tests, document findingsValidation of accuracy and dispute resolutionEvery finding shows objective, method, evidence, rationale, and MET / NOT MET / N/A
8. Calculate and QA the result or scoreL1 (result); L2 (score)A reproducible result-or-score calculationCalculate and independently quality-checkApproval of the factual basisA second reviewer can rebuild your result from the findings alone
9. Determine POA&M eligibilityL2 onlyA written eligibility-and-closeout memoIdentify potentially eligible items; build remediation trackingApproval of commitments and resourcingThe memo applies the score threshold and the excluded-item rules — not “any 88 qualifies”
10. Hand off to SPRS and your AOL1, L2 CMMC statusesA submission packet and an AO decision packetPrepare instructions and run a dry runAccount control; submit or authorize; make the affirmation callYour AO can trace the result to evidence and understands the continuing obligation
11. Sustain itL1, L2An annual/triennial calendar and a change-trigger registerEstablish the evidence-maintenance and reassessment cadenceOperation of the controls; reporting of material changesNamed owners, recurring dates, and change events are documented — not a binder nobody opens

Insist your engagement also puts in writing: you own every editable artifact and can export it in standard formats (no lock-in to the consultant’s platform), the remediation and technical-implementation boundaries are defined, change-order triggers are listed, and the consultant will not control your SPRS credentials or make your affirmation. If a proposal resists any of those, that tells you something.

Who is responsible for a CMMC self-assessment: the contractor, the consultant, or the Affirming Official?

The consultant facilitates the method and builds the evidence; the OSA conducts and owns the official self-assessment; the Affirming Official owns the attestation. Blurring those three roles is how contractors end up paying for polished documents that don’t match their real environment — or worse, signing an affirmation nobody verified.

The rule is specific about the Affirming Official: a senior representative from within the OSA with the responsibility and authority to attest to continued compliance, who submits the affirmation into SPRS after the assessment, after any POA&M closeout, and annually thereafter (32 CFR §170.22). At a two-person shop, the owner may be the AO — but that person still needs to understand what they’re signing.

Responsibility matrix for a CMMC self-assessment engagement
RolePrimary work / retained accountability
Consultant / RPOMay support scoping, documentation, evidence collection, interviews, testing, draft findings, result-or-score calculation, QA, and handoff prep — does not own the official result or the affirmation
Your IT/security leadWhether systems and data flows are represented accurately; whether evidence reflects real operations
Your business/control ownersWhether findings are factually correct; whether remediation commitments are achievable
Contracts/legalWhat the contract actually requires; ambiguity resolution
Affirming Official (AO)Whether the result is ready to submit and whether the company can truthfully affirm — this cannot be delegated to the consultant
SPRS administrator (internal)Account control and the submission itself, under your access procedures

What’s the difference between a CMMC self-assessment and a gap assessment?

A gap or readiness assessment is advisory — it tells you where you stand and what to fix. The official self-assessment is the regulated activity that produces your CMMC status. They’re often sold together, and both are useful, but they’re not the same deliverable, and a gap assessment alone does not create a Level 1 or Level 2 (Self) status.

A gap assessment measures your current controls against the standard, produces a working score, and hands you a prioritized remediation list. It has no fixed format and no submission step. The official self-assessmentfollows the rule’s scope rules, applies the NIST SP 800-171A methods, produces the result or score you submit to SPRS, and carries the annual affirmation. In plain terms: the gap assessment tells you what to build; the self-assessment attests to what you built. Most first-time contractors run a gap assessment first, remediate, then complete the official self-assessment — and a good consultant will keep those two phases clearly labeled in the scope and the invoice.

See also: CMMC Level 2 assessment guide.

How much do CMMC self-assessment services cost?

There’s no honest universal consultant price, so start with the one primary-sourced anchor available: the 2024 CMMC Program rule’s regulatory economic analysis in the Federal Register. It models roughly $5,977 a year for a small entity at Level 1; about $34,277 for the initial Level 2 (Self) assessment and affirmation, or $37,196 over three years, for a small entity; and about $43,403 initial / $48,827 over three years for an other-than-small entity. Those figures assume the controls are already implemented, and they exclude the engineering and remediation that usually drive the real bill.

That last sentence is the whole game. The government’s number is the cost to prove compliance, not to achieve it. For context, the same rule models Level 2 (C3PAO) near $104,670 (small) to $117,768 (other-than-small)over three years — but that path is paused for new awards, so it’s a benchmark, not your invoice. See our full CMMC Level 2 cost guide for more on the cost landscape.

2024 Final Rule regulatory burden estimates — not consultant price quotes. Source: Federal Register (88 FR 89058, Dec 26, 2024). Last verified .
ScenarioEstimated costThe critical assumption
Small entity — Level 1 (Self) + affirmation~$5,977 / yearControls already implemented; modeled labor across the rule's assumed categories
Small entity — Level 2 (Self) + affirmations~$34,277 initial; ~$37,196 over 3 yearsRev 2 already implemented; the model assigns labor hours across contractor and external-service-provider categories — these are modeling inputs, not a typical engagement duration
Other-than-small entity — Level 2 (Self) + affirmations~$43,403 initial; ~$48,827 over 3 yearsSame assumption, larger environment
(Context only — paused for new awards) Level 2 C3PAO~$104,670–$117,768 over 3 yearsAssessment + affirmations, not remediation

What actually moves your number: the correct assessment type, your number of systems and boundaries, CAGE codes and sites, how many cloud and managed-service dependencies you carry, how mature your SSP and evidence already are, whether the environment is even implemented yet, your turnaround pressure, and whether remediation and sustainment are in or out of scope.

One lever moves several of them: scope. Level 2 scope is not limited to systems that directly store, process, or transmit CUI — it also includes Security Protection Assets, while Contractor Risk Managed Assets and Specialized Assets get their own documentation and assessment treatment under 32 CFR §170.19. A CUI enclave can shrink your scope, but only when the data flow, users, endpoints, administrative paths, connected systems, service providers, and security-protection assets actually support that boundary.

Which type of provider should you hire for a self-assessment?

Hire the category that matches the work you actually have left. This is our editorial read under The CMMC Path Framework: an RPO or readiness consultant for scope, evidence, and assessment method; an MSSP or CMMC-focused MSP when you also need the controls built and run; a GRC platform to structure evidence and workflow; a CUI enclave provider when architecture reduction is the strategy; and a C3PAO only when your contract requires a formal certification assessment — which, during the suspension, new awards generally will not.

Quick definitions. RPO/RP = Registered Provider Organization / Registered Practitioner, listed advisors who help you prepare. MSSP = Managed Security Service Provider, who implements and operates security controls. GRC platform = governance, risk, and compliance software for evidence and workflow. CUI enclave = a segmented environment intended to constrain CUI workflows. C3PAO = Certified Third-Party Assessment Organization; an authorized C3PAO is the permitted category for a formal Level 2 certification assessment.

CMMC self-assessment provider categories — best fit, not-fit, and what to verify before hiring
Provider categoryBest fit for a self-assessmentNot the primary fitWhat to verify before hiring
RPO / RP / readiness consultantScope, requirement interpretation, SSP, evidence, assessment method, findingsRunning your infrastructure long-term; formal certificationRPO listing; a redacted sample SSP; their scoring methodology; who signs off; that you keep the evidence index
CMMC-focused MSP / MSSPImplementing and operating the technical controls, plus evidenceIndependently assessing its own managed workThat delivery is authoring + assessment, not just tooling; a clean exit/export plan and a responsibility matrix
GRC platformStructuring evidence, versioning documents, tracking a running scoreReplacing human scope judgment or building controlsThe platform's score is not an official SPRS determination; you can fully export your data
vCISO / documentation specialistGovernance, policy, control ownership, SSP, executive coordinationFull managed infrastructure or certificationSpecific federal-contracting experience and references
CUI enclave providerShrinking the CUI boundary when architecture change is justifiedAutomatically making every business process compliantA residual-scope analysis — the enclave doesn't erase every connected system or your Security Protection Assets
C3PAOA formal Level 2 certification assessment when the contract requires itDefault readiness or self-assessment help during the suspensionCurrent authorization; and a written conflict-of-interest representation (below)

On the conflict-of-interest rule — get this exactly right. It is not a simple, permanent, industry-wide ban on a firm both preparing and assessing you. The specific rule (32 CFR §170.8) bars a CMMC ecosystem member from participating in the Level 2 certification assessment for an organization it consulted to prepare for any CMMC assessment within the preceding three years. Separately, the Cyber AB’s CMMC Assessment Process requires the C3PAO to identify and manage impartiality and conflicts. During the current suspension, new Level 2 C3PAO designations are prohibited anyway — but if you’re choosing a readiness partner today who you’d want to assess you later, keep that three-year separation in mind and require a written conflict representation tied to your specific engagement.

How to compare CMMC self-assessment consultant quotes without getting played

Compare every proposal against one scope you defined — not against each vendor’s marketing vocabulary. Three consultants will quote three different things and call them all “CMMC self-assessment services.” The decisive fields are objective-level depth, buyer-owned deliverables, evidence ownership, what’s excluded, SPRS and AO support, secure-data handling, and change-order triggers — not the lowest total.

Send every bidder the same scope (packages 1–11 above) and the same assumptions, then normalize on these twenty fields:

  1. Assessment path (Level 1 Self / Level 2 Self / bare NIST score / readiness only)
  2. Scope and stated assumptions
  3. CAGE codes and sites covered
  4. Deliverables (mapped to packages 1–11)
  5. Objective-level method (examine/interview/test), not a questionnaire
  6. SSP scope — draft, review, or author
  7. Evidence depth — index only, or collection and validation
  8. Technical implementation — included or excluded
  9. Documentation remediation — included or excluded
  10. POA&M eligibility work
  11. Retesting after remediation
  12. SPRS handoff support
  13. Affirming Official decision-packet support
  14. Artifact ownership and export format
  15. Secure-data handling (where your evidence lives, who can touch it)
  16. Written conflict-of-interest representation
  17. Change-order triggers and rates
  18. Sustainment — included or excluded
  19. Fixed fee vs. time-and-materials
  20. Payment milestones

What a trustworthy consultant should never promise

If you see any of these, slow down. Built from the rule itself.

Red flags in CMMC self-assessment consultant proposals and what good looks like instead
Red flagWhy it mattersWhat good looks like instead
"Guaranteed CMMC certification"Self-assessment doesn't produce a certificate, and no one can guarantee a future outcome"We'll perform the documented scope and surface every unresolved finding"
"We own or sign your assessment"The OSA owns it; your internal AO affirms it (§170.16, §170.22)"We prepare an evidence-backed handoff for your authorized officials"
"Your bare SPRS score is your Level 2 status"Different workflows, different resultsThey identify the exact workflow you're in
"Revision 3 is required for CMMC Level 2 now"CMMC still incorporates Rev 2; Rev 3 is a future-readiness topic pending rulemakingThey distinguish current CMMC from future readiness
"Any score of 88 can use a POA&M"The rule also restricts which unmet items may be deferredThey apply both the threshold and the excluded-item rules
"Upload your diagrams and system details here"Public forms aren't for sensitive dataNon-sensitive intake first, then an approved secure channel
"We'll prep you and then assess you with the same team"May trip the three-year conflict rule (§170.8) and impartiality requirementsWritten conflict analysis before you engage
"All your evidence stays in our platform"Creates exit and audit riskFull, client-owned export in standard formats
"One fixed price before we know your path or scope"Usually hides exclusions and change ordersStated assumptions and scope-change triggers
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Put every bidder on the same footing using the scope and the twenty fields above. When you’re ready for introductions, request scoped quotes from matched provider categories. Do not submit CUI, drawings, or contract numbers.

What should you have ready before you hire a CMMC self-assessment consultant?

Walk into the first call with the facts that let a consultant scope accurately — it shortens the engagement and sharpens the quote. The single most useful thing you can bring is the governing paperwork, because that’s what settles your level and assessment type before anyone estimates a dollar.

Have these on hand: the exact solicitation, contract clause, modification, or prime flow-down language; your CAGE code list; a rough inventory of the systems and sites that touch government information; a first pass at how FCI or CUI moves through your environment; your current SSP status (drafted, partial, or none); a list of your cloud, MSP, and external-service-provider dependencies; any existing SPRS score or CMMC status; your contract or proposal deadline; and the internal people who’ll own the work — including whoever will serve as your Affirming Official. You don’t need this to be polished. You need it to be honest, because a consultant who scopes off “we handle CUI” without seeing the real picture is guessing, and you’ll pay for the guess in change orders.

Which DFARS clause controls your assessment workflow?

Because this topic now spans several clause numbers, here’s the crosswalk — current as of . Confirm the exact language in your own paperwork; existing contracts and new covered procurements can reference different clauses during the transition.

DFARS clause crosswalk for CMMC assessment workflows, current as of July 15, 2026
ClauseWhat it doesWho performs the assessmentWhat enters SPRSCreates a CMMC status?
DFARS 252.204-7012Safeguarding covered defense information; 72-hour incident reportingYou (implement NIST SP 800-171)Nothing itselfNO
DFARS 252.204-7019 / -7020 (codified; superseded in covered new procurements by the Feb 2026 deviation)The legacy "Basic Assessment" self-assessment and DoD assessment requirementsContractor (Basic); Government (Medium/High)A summary NIST scoreNO
DFARS 252.240-7997 (Feb 1, 2026 class deviation, Part 240)Government Medium and High NIST SP 800-171 assessmentsGovernmentGovernment-entered assessment resultsNO
DFARS 252.204-7021Your CMMC status requirement and annual affirmationYou (Self) or an authorized C3PAOCMMC status, score/result, CMMC UID, affirmationYES
DFARS 252.204-7025States the required CMMC level in the solicitationSets the required status

What happens if your self-assessment finds gaps?

At Level 1, an unmet applicable requirement stops you cold — there is no assessment POA&M, so everything must be MET before you reach Final Level 1 (Self). At Level 2 (Self), you can still be eligible for award with a Conditional status if your score reaches 80% of the maximum (88 of 110) and certain critical requirements are met, but every deferred item goes on a POA&M that must close within 180 days. This comes straight from the rule text at 32 CFR §170.21.

The nuance that trips people: 88 is necessary but not sufficient.The rule applies two separate filters to what can even go on the assessment POA&M. First, any requirement worth more than one point can’t be deferred — with one narrow exception, the encryption requirement SC.L2-3.13.11. Second, six requirements are categorically barred regardless of points: AC.L2-3.1.20, AC.L2-3.1.22, CA.L2-3.12.4, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. You can’t hit 88 by leaving the wrong controls open and expect the math to save you.

Then the clock runs. Within 180 days of a Conditional status, you must remediate the original NOT MET requirements and pass a POA&M closeout assessment — one that reassesses only those original items. Clear it and you reach Final Level 2 (Self). Miss the 180 days and the Conditional status expires, and standard contractual remedies apply (32 CFR §170.21(b)).

Note the distinction: an internal operational plan you use to manage a temporary deficiency is not automatically the same thing as the formal assessment POA&M that supports a Conditional status.

Who submits and affirms the result in SPRS?

You do — and you should keep control of the account. The contractor verifies the scope, CAGE codes, and official result — and, for Level 2, the score — then hands the Affirming Official an evidence-backed decision packet before that senior official attests to continuing compliance in SPRS. A consultant may guide the submission under your access procedures, but the affirmation is yours to make.

What goes in depends on the workflow. A Level 1 (Self) record captures your level, status date, assessment scope, associated CAGE codes, and compliance result. A Level 2 (Self) record adds your overall score and POA&M status where applicable. In every case, the affirmation is a formal attestation entered by your named Affirming Official — which is exactly why that official should review the evidence, not just the number, before signing.

Your AO decision packet should include: the final result, the scope, an evidence-quality summary, any unmet items, POA&M status, material assumptions, unresolved disagreements, where the evidence is retained, and the continuing-compliance obligations that don’t end at submission.

Starting from scratch and want a self-serve next step? Download the CMMC Readiness Checklist, mapped to the 14 control families. A direct download. Do not submit CUI.

What changes for small shops, subcontractors, and CUI enclave users?

The obligation doesn’t shrink because you’re small, but the engagement should be right-sized to your real boundary, your internal capacity, and your provider dependencies. A two-person subcontractor, a machine shop leaning on an MSP, a SaaS company living in the cloud, and an enclave user can need very different interviews, implementation help, and evidence ownership — even when the assessment designation is identical. The category routes below are our editorial conclusions under The CMMC Path Framework.

CMMC contractor personas and recommended provider categories for self-assessment engagements
PersonaThe one question that decides your scopeLikely categoryThe common overbuy
1–5 person contractorWho can truthfully own the Affirming Official role?RPO + targeted MSP supportAn enterprise managed program before the boundary is defined
Small manufacturer / machine shopHow are Specialized Assets and shop-floor systems handled?CMMC-focused MSP/MSSP + readinessTreating office IT as the entire scope
Sub with a vague prime requestWhat data and status does the flow-down actually name?Contract clarification + readiness advisorBuying a C3PAO assessment before the subcontract is clear
Existing MSP customerWho owns each piece of evidence, and can you get it?MSP + independent readiness/documentationAssuming the MSP's compliance proves yours
CUI enclave / GCC High userWhat Security Protection Assets and admin paths remain in scope?Enclave architect + scoping supportTreating a product purchase as complete compliance
Cloud/SaaS contractorWhat are the CSP/ESP responsibilities and privileged-admin paths?Cloud-security readiness + vCISO/GRCLooking only at the cloud authorization
Multiple CAGEs or sitesDoes scope reconcile to each CAGE and system?Experienced scoping/readiness teamOne generic company-wide score with no scope logic

If any of these is your situation and you’re not sure which category fits, that’s exactly what the routing tool is for. If you clearly need something otherthan self-assessment help (technical remediation, an enclave build, or a formal certification path), we’d rather send you to the right guide than sell you the wrong scope.

How long does a CMMC self-assessment take?

There’s no fixed calendar duration — it’s driven by your level, your starting posture, and how much remediation stands between you and a defensible result. The Final Rule’s modeled labor hours are burden-model inputs, not a promised project length, so treat any consultant’s timeline as a function of your gap, not a standard.

Three honest patterns. If you handle only FCI and your basics are in place, a Level 1 (Self) can move quickly — the work is confirming and documenting the 15 safeguards. If you handle CUI and the 110 requirements are genuinely implemented, a Level 2 (Self) is mostly assessment, evidence assembly, and scoring — measured in weeks once the SSP and evidence are ready. If you handle CUI and there are real gaps, the calendar is set by remediation, not the assessment, and that’s where months go. The fastest path to a status you can defend is scoping tightly and getting the SSP and evidence in order before you assess — not compressing the assessment itself.

How we researched and verified this guide

We separated three kinds of claims: binding requirements (cited to the primary authority), current-status facts (dated and re-verified), and our own editorial judgment (labeled as such). We don’t rank named providers on this page, and we didn’t evaluate any specific company’s quality for it.

What we verified on : the July 13 Phase II suspension release and implementation memo; the CMMC Program rule at 32 CFR Part 170 (published in the Federal Register, effective December 16, 2024); the DFARS acquisition rule and clause 252.204-7021 (effective November 10, 2025), provision 252.204-7025, clause 252.204-7012, the codified 252.204-7019/-7020, and the February 2026 Part 240 class deviation and clause 252.240-7997; the CMMC Level 1 and Level 2 assessment guides; NIST SP 800-171 Rev 2 and NIST SP 800-171A; and the Final Rule’s cost estimates. Community forums were used only to capture how buyers describe the problem — never as a source for a regulatory claim.

What we could not establish, and won’t fake:a universal consultant price, any named provider’s quality or outcomes, certification pass rates, a confirmed restart date for Phase II, or the outcome of the 60-day review. When those firm up, we’ll update this page and change the “Last verified” date.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. It is not affiliated with the Cyber AB, the Department of Defense, the Department of War, DCMA DIBCAC, NIST, or any U.S. government agency. This page is educational research, not legal, contractual, assessment, or compliance advice.

CMMC self-assessment services FAQ

These are the follow-ups most likely to send you back to search — answered short, with the controlling authority. Each answer stands on its own.

Do I need a consultant for CMMC Level 1?
Not necessarily. You can conduct Level 1 (Self) internally against the 15 FAR 52.204-21 safeguards, or bring in help; outside assistance doesn't turn it into a certification. Hire help when scope, evidence, technical verification, or the SPRS and affirmation steps aren't adequately covered in-house.
Can a consultant perform my CMMC self-assessment?
A consultant can support scope, evidence, interviews, testing, findings, scoring, and the handoff, but the official workflow stays your self-assessment — the OSA conducts and owns it (32 CFR §170.16). Define the consultant's role precisely and keep ownership of the findings, the result, and the affirmation.
Can a consultant submit my score and affirmation to SPRS?
A consultant can guide the submission under your access procedures, but you should keep account control, and your internal Affirming Official must make the affirmation (§170.22). It's a formal attestation entered by your named official.
Does consultant help produce CMMC certification?
No. Level 1 (Self) and Level 2 (Self) produce self-assessment statuses, not a certificate. A certificate comes only from a formal C3PAO assessment — currently not permitted as a new designation during the suspension.
Is Level 2 (Self) still in effect in July 2026?
Yes. The July 13 implementation memo keeps Level 2 (Self) in force and limits new CMMC Level 2 designations during the review to Level 1 (Self) or Level 2 (Self).
Is a bare NIST 800-171 SPRS score the same as Level 2 (Self)?
No. A bare score comes from the codified DFARS 252.204-7019/-7020 workflow where those provisions apply; it's a number, not a CMMC status. Level 2 (Self) is a status under 32 CFR §170.16 with its own workflow and affirmation.
Can Level 1 use a POA&M?
No. There's no assessment POA&M at Level 1 (Self) — every applicable requirement must be MET before you reach Final Level 1 (32 CFR §170.15, §170.21).
What Level 2 score qualifies for Conditional status?
Your score divided by 110 must be at least 0.8 — so at least 88 — and the unmet items must comply with the POA&M restrictions in §170.21: no requirement worth more than one point (except the SC.L2-3.13.11 encryption exception), and none of the six categorically barred requirements. The 88 threshold alone isn't enough.
How long is a Level 2 (Self) status good for?
Final Level 2 (Self) is current for up to three years, provided the annual affirmation stays current and there have been no changes in your compliance with 32 CFR Part 170 since the CMMC Status Date (DFARS 252.204-7021). A Conditional status carries a 180-day closeout deadline.
Do I have to hire an RPO?
No rule requires it. An RPO or qualified readiness consultant is often useful when the missing work is scope, documentation, evidence, or assessment preparation — but it's a choice, not a mandate.
Can my MSP do this?
Often, especially the technical implementation, operations, and evidence. Just separate, in writing, the MSP's implementation and evidence duties from your organization's final self-assessment and affirmation responsibility.
Should I hire a C3PAO during the suspension?
Not as the automatic first step if your requirement is currently Level 1 (Self) or Level 2 (Self). You may still prepare for a possible future certification — but that's readiness work, and it should be described honestly as such unless your contract actually requires the formal assessment.
What should I never put into a matching or intake form?
Do not submit CUI, drawings, contract numbers, system diagrams, credentials, vulnerability details, or export-controlled technical data.
What if my signed paperwork conflicts with the suspension?
Get the applicable solicitation amendment, contract modification, or written contracting direction. A general announcement doesn't rewrite the document governing your award.

Ready to move?

You came here to figure out what to buy, from whom, and who’s on the hook for the result. Now you know: self-assessment is still required, you own the outcome, and the right help is scoped, transparent, and yours to keep. The only step left is matching your specific situation to the right kind of provider before you spend a dollar.

Do not submit CUI, drawings, contract numbers, system diagrams, vulnerability details, credentials, or sensitive technical data.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Primary sources

Related resources

Page last reviewed . Regulatory state last verified . Updated when official guidance changes. This page is educational research, not legal, contractual, assessment, or compliance advice.