The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Level 2 Self-Assessment vs C3PAO Assessment: Which Path Your Contract Actually Requires

The Defense Compliance Report Editorial TeamIndependent CMMC and DIB compliance research
Published: Last reviewed:
Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This page is editorial research, not legal, contractual, or compliance advice. We are not affiliated with the Department of Defense, the Cyber AB, NIST, DCMA DIBCAC, or any U.S. government agency.

The 60-second answer

Here is the part nobody on the vendor side leads with: most defense contractors do not actually get to pick between a CMMC Level 2 self-assessment and a C3PAO assessment. Your solicitation language under DFARS 252.204-7025 (the Notice of CMMC Level Requirements) and your contract clause under DFARS 252.204-7021 (Contractor Compliance With the CMMC Level Requirements) do the picking for you. The clause inserted at award is the answer.

Both Level 2 paths grade your environment against the same 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families and evaluated using the assessment procedures and objectives in NIST SP 800-171A. Same rulebook. The difference is who validates the result, where the result is recorded, and what your CMMC status legally means at award:

Last reviewed June 2026

In short: whether your CMMC Level 2 compliance can be self-assessed or must be verified by a C3PAO is determined by your contract, not by preference. The right route depends on the information you handle and your contract requirements. Use Find My CMMC Path to map your situation before requesting quotes or scheduling an assessment.

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
Find My CMMC Path →

How rare is the self path? The Department of Defense’s own Regulatory Impact Analysis projects, by Year 4 of full implementation, 6,759 entities at Level 2 (Self) against 118,289 entities at Level 2 (Certificate) — about 94.6% of projected Level 2 populations on the C3PAO path, not on self-assessment. That figure is DCR’s calculation from DoD’s published RIA table in the Federal Register (DFARS Final Rule, September 10, 2025).

If you want to find yourself before reading further:

Your situationLikely required pathRead this section next
Solicitation inserts Level 2 (Self)Level 2 (Self)“Where the two paths diverge” + “Scoring and POA&M”
Solicitation or contract inserts Level 2 (C3PAO)Level 2 (C3PAO)“Where the two paths diverge” + “Cost reality”
Sub handling CUI under a prime at Level 2 (C3PAO)Usually Level 2 (C3PAO) minimum“Subcontractors and flow-down”
FCI only, no CUILikely Level 1 (Self)“What both paths share” + FAQ
Clause language is ambiguousDo not guess“Who actually decides” + “What to do in the next 48 hours”

Get your answer in 60 seconds →

Seven questions, no email gate, no obligation. We route you to the provider category that fits your contract path — RPO/readiness, C3PAO, MSP/MSSP, GRC, or CUI enclave.

Find My CMMC Path →

Who actually decides — and why it usually is not you

Answer capsule.Whether a CMMC Level 2 self-assessment is sufficient, or a Level 2 C3PAO assessment is required, is determined by the contract — not by the contractor. DFARS 252.204-7025 identifies the required CMMC status level in the solicitation prior to award. DFARS 252.204-7021 obligates the awardee to maintain that status (or higher) during performance for any information system that will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

This is where most contractor confusion starts. The instinct is to ask “which path should we pick?” The regulatory reality is that you read the clause and execute against what it says. The DFARS Final Rule (DFARS Case 2019-D041) took effect November 10, 2025, and Phase 1 of the CMMC rollout began the same day.

The one honest thing to say upfront

If your solicitation or flow-down inserts Level 2 (C3PAO), a Level 2 self-assessment does not satisfy that requirement. You do not get to choose the cheaper path because you prefer it. Do not build your plan around arguing the point later. The clause is the clause.

Where to find the answer in your paperwork:

What to do before you spend a dollar on vendor work:

  1. Locate the exact CMMC status inserted in your solicitation under DFARS 252.204-7025.
  2. Confirm whether the inserted status is Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC).
  3. If the language is silent or ambiguous, ask the contracting officer in writing and document the response.
  4. If you are a subcontractor, request your prime’s required CMMC status and the flow-down level in writing — before subcontract award.

Have the clause in front of you?Compare it against the Self vs C3PAO triggers in our Path Decision Tool — seven questions, instant answer with the rule citation that justifies it.

Check my Level 2 path →

The legal test — which CUI triggers a C3PAO assessment

Answer capsule.Under the DoD CMMC Implementation Guidance Memo, CUI that falls under the National Archives CUI Registry’s Defense Organizational Index Groupingnormally drives the Level 2 Certification (C3PAO) path. But during Phase 1 of the rollout, the DoD CMMC Program FAQ and 32 CFR § 170.3(e) confirm that Level 2 (C3PAO) is not automatically required even for Defense-grouping CUI — DoD expects some Level 2 (Self) requirements during Phase 1 and program managers exercise discretion based on program risk and competition availability.

That test comes straight from the DoD memo Implementing the Cybersecurity Maturity Model Certification Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements(hosted at the DoD Procurement Toolbox), read against 32 CFR § 170.3(e) and the DoD CMMC Program FAQ.

The five Defense Organizational Index Grouping categories, plainly:

CUI categoryPlain meaningPath it normally triggers
Controlled Technical Information (CTI)Technical drawings, specifications, manuals, designs, and computer software for defense itemsLevel 2 (C3PAO) under the DoD memo
Naval Nuclear Propulsion Information (NNPI)Information related to nuclear-powered Navy propulsion systemsLevel 2 (C3PAO) under the DoD memo
DoD Critical Infrastructure Security Information (DCRIT)Information about systems and assets vital to defense critical infrastructureLevel 2 (C3PAO) under the DoD memo
Privileged Safety Information (PSI)Information protected by safety privilegeLevel 2 (C3PAO) under the DoD memo
Unclassified Controlled Nuclear Information — Defense (DCNI)Defense nuclear information not classified but controlledLevel 2 (C3PAO) under the DoD memo

For most DIB suppliers, CTI is the trigger that decides this. If your contract sends drawings, specifications, or technical data for a defense item to you, you are inside the Defense Organizational Index Grouping.

The Phase 1 nuance that competitor pages keep missing.Even where the DoD memo would normally point to Level 2 (C3PAO), § 170.3(e)(1) lets DoD include Level 2 (C3PAO) during Phase 1 at its discretion — the DoD CMMC Program FAQ frames that discretion in terms of program risk and market research showing adequate competition. The practical effect: in Phase 1, you may see Level 2 (Self) inserted in some solicitations that involve Defense-grouping CUI. That does not mean the controls are different. The requirements are the same 110.

Two additional things worth flagging from the DoD memo:

  1. Waivers for the Level 2 self-assessment requirement are unlikely to be granted. The memo treats Level 2 self-assessment as a permanent, non-waivable requirement when it applies.
  2. Program managers have discretion to elevate. A program manager may insert Level 2 (C3PAO) when CUI risk warrants it; during Phase 1 the FAQ adds that the decision should be supported by market research showing adequate competition.

Have CUI category language or a prime flow-down in front of you? Run it through the Path Decision Tool before you ask vendors for quotes.

Check my Level 2 path →

What both paths share — do not skim this

Answer capsule.A CMMC Level 2 self-assessment and a CMMC Level 2 C3PAO assessment use the same 110 security requirements drawn from NIST SP 800-171 Revision 2, organized into 14 control families and evaluated using the assessment procedures and objectives in NIST SP 800-171A. Both require annual affirmation by a senior Affirming Official under 32 CFR § 170.22. Both use the DoD scoring methodology in § 170.24. Both allow Plans of Action and Milestones (POA&Ms) only under the same restricted conditions.

This is the most common misunderstanding in the field: contractors hear “self-assessment” and assume the rules get easier. They do not. The control set is identical. Only the verification step changes.

The 14 control families, in NIST SP 800-171 Rev. 2 order:

  1. Access Control (AC)
  2. Awareness and Training (AT)
  3. Audit and Accountability (AU)
  4. Configuration Management (CM)
  5. Identification and Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Media Protection (MP)
  9. Personnel Security (PS)
  10. Physical Protection (PE)
  11. Risk Assessment (RA)
  12. Security Assessment (CA)
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)

Same families on both paths. Same control catalog. Same SSP requirement. Same annual affirmation obligation. Same three-year validity for Final status. The only material differences are operational — and that is where we go next.

Precision note on revisions

CMMC Level 2 currently maps to NIST SP 800-171 Revision 2— not Revision 3. NIST published Revision 3 in May 2024, but unless and until DoD amends 32 CFR Part 170, Rev. 2 is the controlling standard for CMMC Level 2 assessments. CMMC Level 3 layers in selected enhanced security requirements from NIST SP 800-172on top of Level 2. If a vendor pitches you a “Rev. 3 readiness” package for CMMC Level 2 today, ask them which rule section requires it.

CMMC Level 2 self-assessment vs C3PAO: where the two paths actually diverge

Answer capsule. Level 2 (Self) is scored by the OSA and submitted to SPRS, producing a self-assessment CMMC status. Level 2 (C3PAO) is scored by Cyber AB authorized or accredited assessors using NIST SP 800-171A, uploaded into CMMC eMASS by the C3PAO, transmitted to SPRS, and produces a Conditional or Final Level 2 (C3PAO) CMMC Status associated with CMMC UID information for the covered information systems. Both have a three-year validity for Final status, with annual affirmation. The assessment-team composition, evidence rigor, re-evaluation rights, and provider independence rules differ materially.

The operational differences, side by side:

DimensionLevel 2 (Self)Level 2 (C3PAO)Primary source
Security requirements110 NIST SP 800-171 Rev. 2Same 11032 CFR § 170.14
Who scoresThe OSAC3PAO assessment team (Lead CCA + at least one additional CCA, plus a QA reviewer)§ 170.9; § 170.17
Where results are recordedSPRS, by the OSACMMC eMASS, by the C3PAO, then transmitted to SPRS§ 170.16; § 170.17
Status producedConditional or Final Level 2 (Self)Conditional or Final Level 2 (C3PAO), associated with CMMC UID information§ 170.16; § 170.17
Validity3 years for Final, annual affirmation3 years for Final, annual affirmation§ 170.16; § 170.17
Re-evaluation rightsNone (no assessor)NOT MET items may be re-evaluated for up to 10 business days post-assessment if conditions in § 170.17(c)(2) are met and the findings report has not been delivered§ 170.17(c)(2)
Background investigationInternal staffC3PAO personnel in the Level 2 assessment role must complete a Tier 3 background investigation§ 170.9
Artifact retentionOSA retains assessment evidence for six years from the CMMC Status DateOSC retains evidence for six years; C3PAO enters artifact names, hash values, and hashing algorithm into CMMC eMASS§ 170.16(c)(4); § 170.17(c)(4)

What actually goes into SPRS vs CMMC eMASS

This is the field-level distinction most pages skip:

Level 2 (Self) — submitted to SPRS by the OSALevel 2 (C3PAO) — entered in CMMC eMASS by the C3PAO, transmitted to SPRS
OSA-calculated assessment score (out of 110)Assessment results and assessment unique identifier
CAGE code(s) for covered information systemsC3PAO identification and assessor information
Status date and CMMC Status (Conditional or Final)CAGE code(s) for covered information systems
SSP name, version, and dateSSP name, version, and date
POA&M information, if applicableStatus date and CMMC Status (Conditional or Final)
Affirming Official informationArtifact names, hash values, and hashing algorithm
Annual affirmation entriesData transmits to SPRS

A note on the C3PAO independence rule, because it is the one that catches well-meaning contractors. Some firms hold both RPO and C3PAO authorizations as a business entity. Under 32 CFR § 170.9 and the Cyber AB requirements grounded in ISO/IEC 17020, a C3PAO must not perform a Level 2 certification assessment for an OSC to which it has provided consulting, implementation, product sales, or services covering that assessment scope within the prior three years. Treat readiness support and the formal C3PAO assessment as separate vendor selections unless the C3PAO can document, in writing, exactly how it satisfies the independence requirement.

Phase 1 reality — what is actually being required right now

Answer capsule.The CMMC phased rollout schedule in 32 CFR § 170.3(e) sets Phase 1 from November 10, 2025 through November 9, 2026, focused primarily on Level 1 (Self) and Level 2 (Self) requirements as conditions of contract award, with DoD discretion to insert Level 2 (C3PAO) when warranted. Phase 2 begins November 10, 2026, when DoD intends to include Level 2 (C3PAO) requirements as a standard condition of award for applicable contracts. Phase 3 (Level 3 DIBCAC) begins November 10, 2027. Phase 4 (full implementation) begins November 10, 2028.

The Cyber AB Marketplace, per its public Town Hall recap data in early 2026, listed approximately 103 authorized C3PAOs and 759 CCAs serving a Defense Industrial Base of more than 300,000 contractors. Cumulative Level 2 certifications issued reached roughly 1,000by early 2026, with monthly issuance running approximately 150–200 in the same window.

Translation in plain language: scheduling a C3PAO assessment is not a same-week affair. In the public coverage and provider materials reviewed in early 2026, C3PAO scheduling windows were commonly quoted at 3–9 months out. If your contract window opens in late 2026 or 2027, the queue math matters now — not later.

Scoring, the 88-point threshold, and the six controls you cannot POA&M

Answer capsule.Both Level 2 paths use the DoD scoring methodology in 32 CFR § 170.24. Each NIST SP 800-171 requirement is worth 1, 3, or 5 points and scored subtractively from a maximum of 110. To achieve Conditional Level 2 status (Self or C3PAO), the assessment score must be at least 88 of 110 (80%), only 1-pointrequirements may appear on the POA&M with one narrow exception for SC.L2-3.13.11, and six specific requirements may never appear on a POA&Mregardless of point value. Conditional status converts to Final only if a POA&M closeout is confirmed within 180 days of the Conditional CMMC Status Date.

The scoring math, in plain terms:

  • • You start at 110 points.
  • • Each unmet requirement deducts its assigned point value (1, 3, or 5).
  • • A score of 88 or above with a permissible POA&M = Conditional Level 2.
  • • A score of 110 (everything MET) = Final Level 2 at the assessment.
  • • A score below 88 = no CMMC status.
  • • The math is identical on Self and C3PAO. Only the scorer is different.

The six prohibited POA&M controls

These come directly from 32 CFR § 170.21(a)(2)(iii). Even if you score 109 of 110, if your single unmet requirement is one of these six, you do not get Conditional status — the assessment fails:

Control IDNameSource
AC.L2-3.1.20External Connections (CUI Data)§ 170.21(a)(2)(iii)(A)
AC.L2-3.1.22Control Public Information (CUI Data)§ 170.21(a)(2)(iii)(B)
CA.L2-3.12.4System Security Plan§ 170.21(a)(2)(iii)(C); § 170.24(d)(5)
PE.L2-3.10.3Escort Visitors (CUI Data)§ 170.21(a)(2)(iii)(D)
PE.L2-3.10.4Physical Access Logs (CUI Data)§ 170.21(a)(2)(iii)(E)
PE.L2-3.10.5Manage Physical Access (CUI Data)§ 170.21(a)(2)(iii)(F)

The SSP (CA.L2-3.12.4)is the most dangerous of the six to miss because it cannot be placed on a POA&M and must be in place and up to date at the time of assessment. An SSP that is “in progress,” “partially drafted,” or “being updated” at the time of the assessment is NOT MET per § 170.24(d)(5), and because the SSP is one of the six prohibited POA&M items, the assessment fails regardless of any other score.

The narrow exception.SC.L2-3.13.11 (FIPS-validated encryption of CUI) is worth 5 points. Per § 170.24, if encryption is employed but not FIPS-validated, 3 pointsare subtracted rather than 5, and the gap may be eligible for POA&M. If encryption is not employed at all, the full 5 points are subtracted and no POA&M is permitted. This is the rule’s one structural relief valve, and even it requires you to have some encryption in place.

A date on your calendar

Per the NIST Cryptographic Module Validation Program, all remaining active FIPS 140-2 certificates move to the CMVP Historical List on September 21, 2026. NIST guidance is that historical modules support existing systems, while new systems should use active FIPS 140-3-validated modules. If your assessment window falls after that date and your environment still depends on FIPS 140-2 modules without a documented FIPS 140-3 transition path, you have a foreseeable scoring exposure on SC.L2-3.13.11.

POA&M closeout. If you achieve Conditional status, you have 180 daysfrom the Conditional CMMC Status Date to remediate the POA&M items and have closeout confirmed (§ 170.21(b)). On the C3PAO path, a POA&M closeout assessment must be performed by a C3PAO within that 180-day window. Miss the window and the Conditional status for the information system expires.

Artifact retention. Hashed assessment artifacts must be retained for six yearsfrom the CMMC Status Date (§ 170.17(c)(4)). On the C3PAO path, the C3PAO enters artifact names, hash values, and the hashing algorithm into CMMC eMASS. The clock starts at the assessment, not at award.

Want the Level 2 Readiness Checklist mapped to the 14 control families?

Free, no email gate, structured so an Affirming Official has a defensible evidence trail before signing.

Download the CMMC Readiness Checklist →

What it actually costs — Self vs C3PAO, by organization size

Answer capsule. The CMMC Program Final Rule estimated the Level 2 (C3PAO) three-year cycle at approximately $104,670 for a small entity and $117,768 for an other-than-small entity, covering the triennial assessment and two annual affirmations. Those figures are government burden estimates — and they explicitly exclude implementation, remediation, gap assessment, mock assessment, and pre-assessment consulting costs, because the DoD treats those as obligations already adjudicated under DFARS 252.204-7012. Independent market coverage from 2025–2026 commonly shows C3PAO assessment fees alone running roughly $30,000–$150,000 depending on organization size and scope, with the assessment fee representing a minority of total first-cycle compliance cost.

That distinction — what the DoD estimate covers vs what it excludes — is the single biggest reason small contractors experience cost shock. The $104,670 figure is real and is the official three-year burden estimate. It is not the total cost of getting your environment ready. Implementation and remediation usually dwarf the assessment line item.

The cost stack — shared by both paths, except line 6:

  1. Scoping and CUI data flow analysis
  2. Gap assessment against NIST SP 800-171A
  3. SSP and supporting documentation
  4. Remediation labor (the biggest variable)
  5. Technology and tooling (cloud, enclave, MSSP, GRC, FIPS-validated modules)
  6. Assessment fee — C3PAO path only; on Self, the equivalent is your team’s time
  7. Annual affirmation and ongoing maintenance

Realistic cost bands, by organization size.DCR editorial budgeting estimates assembled from official DoD figures plus 2025–2026 market coverage in trade press and provider materials. Budgeting guidance, not quotes. Refreshed quarterly.

Org sizePathAssessment feePrep & remediationTechnology & enclaveAnnual ongoingFirst-cycle total
Under 50 employeesLevel 2 (Self)~$3K–$20K (internal time, optional RPO)$15K–$80K$0–$60K$5K–$15K~$20K–$175K
Under 50 employeesLevel 2 (C3PAO)~$30K–$50K$20K–$100K$20K–$100K$10K–$25K~$70K–$275K
50–200 employeesLevel 2 (C3PAO)~$50K–$80K$30K–$150K$30K–$200K$20K–$50K~$130K–$480K
200+ employeesLevel 2 (C3PAO)~$80K–$150K+$50K–$250K+$50K–$500K+$40K–$150K+~$220K–$1M+

What competitor coverage usually misses on the cost side:

Want category-appropriate quotes that fit your scope?

Get matched by provider category — C3PAO, readiness/RPO, MSP/MSSP, GRC, or CUI enclave — based on your level, scope, and timeline.

Get matched →

The Affirming Official — the personal liability nobody warns you about

Answer capsule.Under 32 CFR § 170.22, every CMMC assessment — Self or C3PAO — must be affirmed by a senior Affirming Official from within the OSA at the time of assessment and annually thereafter. The Affirming Official is the senior representative responsible for the OSA’s compliance with CMMC requirements and authorized to affirm continuing compliance. The affirmation is recorded in SPRS, is a federal submission, and is enforceable.

This is the section most competitor pages skip. § 170.22 is short and consequential. The Affirming Official:

The affirmation is recorded in SPRS. It is enforceable. And SPRS cybersecurity representations have already been the basis for notable civil False Claims Act enforcement.

Case in point: MORSECORP, $4.6 million

On March 26, 2025, the U.S. Department of Justice announced that MORSECORP, Inc.(“MORSE”), a Cambridge, Massachusetts defense contractor, agreed to pay $4.6 millionto resolve civil False Claims Act allegations involving cybersecurity compliance on Army and Air Force contracts. The case began as a qui tam action filed by MORSECORP’s own Head of Security and Facility Security Officer, who received approximately $851,000 (18.5%)of the settlement under the False Claims Act’s relator provisions. (Sources: DOJ press release, Office of Public Affairs; U.S. Attorney’s Office, District of Massachusetts.)

According to the DOJ release and the parties’ admissions, MORSECORP:

  • Did not fully implement all 110 NIST SP 800-171 controls during the relevant period (January 2018 through February 2023).
  • Did not have a consolidated written System Security Plan describing system boundaries and control implementation for each covered information system.
  • Used a third-party SaaS email host that did not meet the FedRAMP Moderate baseline required for handling Covered Defense Information.
  • In January 2021, submitted a SPRS basic assessment score of 104 (nearly perfect compliance) — a score the company knew or should have known was inaccurate.
  • In July 2022, engaged a third-party consultant to conduct a gap analysis, which calculated the actual summary-level score at negative 142.
  • Did not update its SPRS score until June 2023.

We are not citing MORSECORP to scare you. We are citing it because it is the cleanest, primary-sourced illustration on public record of why the cybersecurity representations a contractor makes to the Government carry weight. It is a major public False Claims Act resolution involving a defense contractor’s cybersecurity-control compliance, NIST SP 800-171 implementation, and SPRS score representations. The relator was an insider, not a regulator.

What this means operationally:

Need the structured evidence trail before someone signs? The Level 2 Readiness Checklist is mapped to the 14 control families so the Affirming Official has a defensible record of what was reviewed and when.

Download the CMMC Readiness Checklist →

Subcontractors and flow-down — what to ask your prime before you spend

Answer capsule.Under 32 CFR § 170.23 and DFARS 252.204-7021, primes are responsible for flowing CMMC requirements down to subcontractors at the level appropriate for the data the sub will handle. If a sub will only handle FCI, the prime may require Level 1 (Self). If a sub will handle CUI, the sub must hold at least Level 2 (Self or C3PAO) matching the prime’s obligation. If a prime holds a Level 3 (DIBCAC) obligation and is flowing CUI down to a sub, the sub must hold at least Level 2 (C3PAO).

If you are a sub, the worst thing you can do is guess. The second-worst is build to your prime’s marketing language instead of contract language.

Five questions to send your prime in writing before you sign anything:

  1. What CMMC level is in the prime contract you hold with DoD? This sets the ceiling.
  2. What CMMC status will you require from us at the flow-down — Level 2 (Self) or Level 2 (C3PAO)? Get the exact status named.
  3. What CUI category will be flowed to us, and how will it be marked? CTI, NNPI, DCRIT, PSI, DCNI, or other.
  4. What is your timeline expectation? Status required at subcontract award, at option exercise, or by a specific milestone.
  5. What documentation will you accept as proof of status before subcontract award?

Ask in writing. Document responses. Keep them with the subcontract file. If a prime cannot answer these questions, they are not ready to flow the requirement down — and you are not in a position to scope your assessment.

How cloud, enclave, MSP/MSSP, and ESP choices change the picture

Answer capsule.Your cloud and managed-services choices do not change the CMMC level your contract requires, but they materially change scope, evidence, inheritance, cost, and timeline. 32 CFR Part 170 includes specific scoping categories and requirements for Cloud Service Providers (CSPs) and External Service Providers (ESPs) that process, store, or transmit CUI or security protection data — including FedRAMP Moderate (or equivalent) for in-scope CSP environments handling CUI under DFARS 252.204-7012.

Four common environment decisions, and what they actually do:

CSPs that handle CUI in their environment must meet FedRAMP Moderate baseline or equivalent under DFARS 252.204-7012. ESPs handling CUI or security protection data must be documented in your SSP and reflected in your Customer Responsibility Matrix (CRM). An outsourced control is still your control under your CMMC status. The vendor does not carry your assessment.

Decide your environment before you book the C3PAO. CMMC scope must be specified before the assessment, and scope changes after contracting drive evidence rework, asset re-categorization, and re-assessment exposure.

Realistic timeline — from clause to Final status

Answer capsule. A typical CMMC Level 2 timeline runs 6–18 monthsfrom “we have a clause” to “we hold a Final status.” Scoping and gap analysis take roughly 2–4 months; remediation and documentation 3–9 months; C3PAO scheduling at current capacity 3–9 months; the formal C3PAO assessment 2–10 working days; and POA&M closeout, if Conditional, up to 180 days. A Level 2 self-assessment compresses the scheduling and closeout phases but does not compress the underlying remediation work.

Build your plan backward from the date you need the status — not forward from today. Two timing realities worth pricing in:

The most expensive mistakes

Answer capsule.The four highest-cost mistakes contractors make on the CMMC Level 2 path are: (1) treating a self-assessment as if it has easier rules; (2) entering an assessment with an SSP that is incomplete — CA.L2-3.12.4 is one of the six prohibited POA&M items; (3) using encryption that is not FIPS-validated and losing 3 or 5 points on SC.L2-3.13.11; and (4) scoping the CUI boundary too broadly and dragging unnecessary systems into the assessment.

What to do in the next 48 hours

Answer capsule. Before contacting any vendor, complete six contract-side steps: locate the exact CMMC status inserted in your solicitation (look for DFARS 252.204-7025 and the inserted level), confirm the contract clause language (DFARS 252.204-7021), identify the CUI categories at play, map the systems that will process or store those categories, check your current SPRS score and affirmation status, and document any prime flow-down language in writing.

If a new solicitation or prime flow-down just triggered this question, this is the order of operations:

  1. Copy the exact CMMC clause language out of your solicitation or contract. Do not paraphrase. The clause is the answer.
  2. Identify the inserted status — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC).
  3. Map the CUI categories that will be flowed to you. Especially CTI.
  4. Inventory the systems that will process, store, or transmit that CUI.
  5. Check your current SPRS posture — score, date, Affirming Official on file, any open POA&M.
  6. Get the prime’s flow-down expectations in writing if you are a sub.

Then decide your provider category — not the specific provider, the category — based on where you actually are:

If this is your real blockerProvider category to engageDo not buy yet
You do not yet know your CUI scopeReadiness consultant / RPOC3PAO assessment
Your controls are not implementedMSP / MSSPFormal assessment
Your evidence is disorganizedGRC platform + readiness supportFormal assessment
Enterprise scope is too expensive to assessCUI enclave / secure cloudWhole-enterprise assessment
You are assessment-ready and the contract requires Level 2 (C3PAO)Authorized or accredited C3PAOAnother readiness-only report

What we actually verified

For this guide, last verified May 27, 2026, the Defense Compliance Report editorial team read or re-checked:

What we did not verify: specific C3PAO firm quotes (these are negotiated per engagement), private prime flow-down policies (these are contractual and confidential), and individual SPRS scores (these are private to each contractor).

How often we refresh this page: quarterly for Phase status, Cyber AB Marketplace numbers, and FIPS validation timeline; annually for cost data; ad hoc for any new DoD memo or Federal Register publication affecting Level 2 assessment.

Frequently asked questions

Is CMMC Level 2 self-assessment still allowed?

Yes. Level 2 (Self) is a recognized CMMC status when the solicitation, contract, or flow-down language specifies Level 2 (Self). It does not satisfy a Level 2 (C3PAO) requirement. The DoD CMMC Implementation Guidance Memo treats Level 2 (Self) as the permitted path when the CUI is outside the National Archives CUI Registry’s Defense Organizational Index Grouping, and the DoD CMMC Program FAQ confirms that DoD expects some Level 2 (Self) requirements during Phase 1 even where Defense-grouping CUI might apply. (32 CFR § 170.16; DoD CMMC Implementation Guidance Memo; DoD CMMC Program FAQ.)

Are the requirements actually different for Level 2 (Self) and Level 2 (C3PAO)?

No. The control set is identical — 110 requirements from NIST SP 800-171 Revision 2, across 14 control families, evaluated using the assessment procedures and objectives in NIST SP 800-171A. The difference is who validates the result, where it is recorded, and whether you receive a Level 2 (C3PAO) CMMC Status.

Does a Level 2 self-assessment produce a CMMC certificate?

No. Level 2 (Self) produces a self-assessment CMMC status reflected in SPRS. Only the Level 2 (C3PAO) path produces a Conditional or Final Level 2 (C3PAO) CMMC Status with the associated CMMC UID information, issued through the CMMC eMASS reporting workflow.

Where are Level 2 self-assessment results submitted?

In SPRS, by the OSA, along with the Affirming Official information and any permissible POA&M. (32 CFR § 170.16.)

Where are Level 2 C3PAO assessment results submitted?

The C3PAO uploads results into CMMC eMASS — including the assessment unique identifier, C3PAO and assessor information, CAGE code(s), SSP name/version/date, status date, assessment results, POA&M data, artifact names, hash values, and hashing algorithm. The applicable data is then transmitted to SPRS. The C3PAO does not write directly into your SPRS record. (32 CFR § 170.17.)

How long is a Level 2 status valid?

A Final Level 2 (Self) or Final Level 2 (C3PAO) status is valid for up to three years, with annual affirmation required throughout the period. Conditional Level 2 statuses depend on POA&M closeout within 180 days of the Conditional CMMC Status Date.

Can I use a POA&M for Level 2?

Sometimes, narrowly. Conditional Level 2 status is available only if you score at least 88 of 110, only 1-point requirements are on the POA&M (with one narrow 3-point exceptionfor SC.L2-3.13.11 when encryption is employed but not FIPS-validated), and none of the six prohibited controls under 32 CFR § 170.21(a)(2)(iii) are on the POA&M. Closeout must complete within 180 days.

Can my readiness consultant also be my C3PAO?

Not if the firm provided consulting, implementation, product sales, or services to the OSC for that assessment scope within the prior three years. The safe operating rule is to keep readiness support and the formal C3PAO assessment as separate vendor selections unless the C3PAO can document, in writing, how it satisfies Cyber AB conflict-of-interest requirements under 32 CFR § 170.9 and ISO/IEC 17020.

Does NIST SP 800-171 Revision 3 apply to CMMC Level 2?

Not currently. CMMC Level 2 maps to NIST SP 800-171 Revision 2 under the present rule. NIST published Revision 3 in May 2024, but unless and until DoD amends 32 CFR Part 170, Revision 2 is the controlling standard for CMMC Level 2 assessments. CMMC Level 3 layers in selected enhanced security requirements from NIST SP 800-172.

If I am a sub, do I need C3PAO when my prime is at Level 2 (C3PAO)?

If your prime is at Level 2 (C3PAO) and is flowing CUI to you, yes — Level 2 (C3PAO) is generally the minimum required at the sub. If your prime is at Level 3 (DIBCAC) and is flowing CUI to you, Level 2 (C3PAO) is the minimum at the sub. Always confirm the specific flow-down language in writing. (32 CFR § 170.23.)

What happens if I miss the 180-day POA&M closeout?

The Conditional Level 2 CMMC Status for the information system expires. To regain status, you would need to remediate and undergo a new assessment.

How do DFARS 252.204-7019 and 252.204-7020 affect SPRS?

DFARS 252.204-7019 is the legacy/codified solicitation provision requiring a current NIST SP 800-171 DoD Assessment summary score in SPRS — not more than three years old. DFARS 252.204-7020 is the legacy/codified contract clause governing Government access rights for DoD assessments and SPRS posting. In solicitations issued under the 2026 RFO/Class Deviation, DFARS 252.240-7997 carries the assessment and SPRS-posting function instead. Whichever path applies, the underlying NIST SP 800-171 assessment obligation and SPRS posting continue alongside the CMMC clauses (DFARS 252.204-7021 and 252.204-7025).

Are there waivers for CMMC?

The CMMC rule contemplates limited waiver authority for the level requirement in narrow circumstances, but the DoD CMMC Implementation Guidance Memo is explicit that waivers for the Level 2 self-assessment requirement specifically are unlikely to be granted. Even when a waiver is granted, the underlying NIST SP 800-171 implementation obligation remains.

Need help deciding what type of CMMC provider you need?

Get matched with source-checked provider options.

We route by provider category — readiness consultant (RPO), C3PAO, MSP/MSSP, GRC platform, or CUI enclave — based on what your contract requires and where you actually are. Verifiedmeans we confirm the provider’s category status relevant to the request, such as Cyber AB Marketplace listing for C3PAOs and RPOs where applicable. Verification is not a DoD, Cyber AB, or government endorsement.

Which provider category fits your situation

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This page is editorial research, not legal, contractual, or compliance advice. We are not affiliated with the Department of Defense, the Cyber AB, NIST, DCMA DIBCAC, or any U.S. government agency. Sources cited inline; full primary-source list in “What we actually verified.”

Byline: The Defense Compliance Report Editorial Team. Last verified: May 27, 2026.

Your situation changes the answer

Find My CMMC Path

The right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline. Use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes. Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details.

Find My CMMC Path →