Self-Reported vs. DIBCAC Assessed Score: What Actually Differs — and Why the Gap Is Dangerous
A self-reported vs DIBCAC assessed scoreruns on the same NIST SP 800-171 scoring methodology — but the two are not simply one assessment graded twice. A self-reported score is the number you calculate and submit yourself. A DIBCAC assessed score is a government-led assessment of the same requirements. What changes between them is who assesses, how deeply they verify, the confidence the government places in the result, which record takes precedence, and what happens next.
That last stretch is where a routine paperwork item quietly turns into a legal problem. Here’s the fast version, then the part almost every other page gets wrong.
Bottom line up front. If you posted a score to the Supplier Performance Risk System (SPRS) — the Department of Defense database where contractors report cybersecurity assessment scores — that number is a self-assessment. It’s a formal representation the government can hold you to, but it’s your own math. When the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assesses you, DoD posts the result and that number takes precedence. You have 14 business daysto respond. The difference between those two numbers has already produced a $507,144 DOJ settlement — for a gap of 280 points.
Which record is which — the 15-second version
| Question | Self-reported score | DIBCAC assessed score |
|---|---|---|
| Who produced it? | You (your team or your consultant) | Government personnel — in practice, DCMA’s DIBCAC |
| Government confidence level | Low — a legacy Basic score is labeled “Low” because it is self-generated | Medium or High |
| Who posts it to SPRS? | You | DoD posts the government result |
| Can it override the other? | No | Yes — when DCMA conducts it, it takes precedence |
| Is a deadline running? | Not from submitting it — though a Conditional Level 2 status carries a 180-day POA&M clock | Yes — 14 business days to rebut a government result |
| First move | Confirm the clause, record type, scope, date, and evidence behind it | Preserve the notice and calendar the deadline |
A quick word on picking help — and a safety line
The right CMMC provider isn’t the same for every contractor. The category you need — a C3PAO, an RPO/RP, an MSSP, a GRC platform, or a CUI enclave— depends on your level, scope, IT environment, and exactly which type of score problem you have. The categories are explained under What kind of help fits a score gap? below. The fastest way to map your situation to the right one is our routing tool.
Know there\u2019s a score gap but not sure what kind of help you need? Tell us your level, scope, and environment \u2014 never CUI \u2014 and we\u2019ll match you with source-checked provider options.
Map my CMMC path \u2192One honest admission, up front.We can’t tell you whether yourspecific score is safe. No article can, and no online tool can — including ours. A reported 110 can be perfectly defensible, or it can be a low-confidence number that collapses under a government evidence review. What we cando is show you exactly which record you’re holding, why the two numbers diverge, what the government can do about it, and what to do next without making your situation worse.
Self-reported vs DIBCAC assessed score: what’s the difference?
The difference is who grades the assessment and how much the government trusts the result. A self-reported score is produced by the contractor using the DoD Assessment Methodology, its own System Security Plan, and its own read of its environment — a self-generated number that, under the legacy framework, carries “Low” confidence. A DIBCAC assessed score is a government-led Medium or High assessment. When both records exist for the same contractor, the government-conducted result takes precedence.
Under the codified NIST SP 800-171 DoD Assessment Methodology, there are three assessment types, and their entire purpose is to signal how much verification stands behind the number.
| Self-reported (Basic) | DIBCAC Medium | DIBCAC High | |
|---|---|---|---|
| Who conducts it | The contractor grades itself | Government personnel (DCMA’s DIBCAC) | Government personnel (DCMA’s DIBCAC) |
| How | You review your own SSP against the 110 requirements and score it | Review of prior assessment information, thorough document review, and discussions with the contractor | Medium-review elements plus government verification, examination, and demonstration that requirements are implemented as described in the SSP |
| Confidence level | Low — self-generated | Medium | High |
| Scale (Level 2 scope) | 110 to −203 | 110 to −203 | 110 to −203 |
| Who posts to SPRS? | You | DoD | DoD |
| Takes precedence? | No | Yes, when conducted by DCMA | Yes, when conducted by DCMA |
| Rebuttal window | n/a | 14 business days | 14 business days |
Which “self-reported score” do you actually have in 2026?
“Self-reported” now points to more than one record, and the difference matters. It can mean a legacy Basic NIST assessment under the former DFARS 252.204-7019/7020 framework, or a current CMMC Level 2 (Self) assessment under 32 CFR Part 170 and DFARS 252.204-7021. These are different objects with different obligations.
Effective February 1, 2026, class deviation 2026-O0025 directs contracting officers to use DFARS Part 240 — including DFARS 252.240-7997— for covered procurements. For covered procurements, this effectively drops the standalone 252.204-7019 provision, and the assessment mechanics from 252.204-7020 move into 252.240-7997. The codified text still exists in the eCFR and can remain relevant to historical records and existing contracts.
When a contract or solicitation includes DFARS 252.204-7021 and requires CMMC Level 2 (Self), 32 CFR 170.16 requires you to conduct the Level 2 self-assessment, submit the results to SPRS, and complete the annual affirmation of continuous compliance. Those obligations didn’t change.
Before you compare “your score” to “the DIBCAC score,” figure out which of these six records you’re actually looking at:
| Record | Governing authority | Who produces it | Evidence depth | Result & who posts | CMMC status? |
|---|---|---|---|---|---|
| Legacy Basic NIST assessment | Codified DFARS 252.204-7019/7020 (still in the eCFR; relevant to historical records and contracts that contain it) | Contractor | Review of your own SSP using the DoD Methodology | Numerical score, Low confidence; contractor submits to SPRS | No |
| CMMC Level 2 (Self) | 32 CFR 170.16 + DFARS 252.204-7021 | Your organization | CMMC scope assessed against NIST SP 800-171 Rev. 2 | Score + Conditional or Final Level 2 (Self) status; you submit to SPRS | Yes |
| Government Medium NIST assessment | DFARS 252.240-7997 (formerly 252.204-7020) | Government personnel (DCMA DIBCAC) | Prior-assessment review, document review, and discussions | Numerical score, Medium confidence; DoD posts to SPRS | No — not automatically |
| Government High NIST assessment | DFARS 252.240-7997 (formerly 252.204-7020) | Government personnel (DCMA DIBCAC) | Adds verification, examination, and demonstration of implementation | Numerical score, High confidence; DoD posts to SPRS | No — not automatically |
| CMMC Level 2 (C3PAO) | 32 CFR 170.17 + DFARS 252.204-7021 | An authorized C3PAO (private) | Formal third-party CMMC assessment | Conditional or Final Level 2 (C3PAO) status; C3PAO submits via CMMC eMASS, reflected in SPRS | Yes |
| CMMC Level 3 | 32 CFR 170.18 + DFARS 252.204-7021 | DCMA DIBCAC | Final Level 2 (C3PAO) prerequisite, plus 24 selected requirements from NIST SP 800-172 | Conditional or Final Level 3 status; DIBCAC submits via CMMC eMASS, reflected in SPRS | Yes |
If you can’t say with certainty which row you’re in, that’s the first thing to fix. Read the actual procurement documents:
- The solicitation provision— what does it require, and in which clause?
- The awarded contract clause— 252.204-7012? 252.204-7021? 252.240-7997?
- Any modification or deviation identifier— is this a Revolutionary FAR Overhaul contract?
- The SPRS or CMMC record itself— what type, what date, whose name is on it?
For the broader contractual picture — how the 2026 deviation and CMMC clauses fit together — see our companion explainer on how current 252.240-7997 assessments differ from the older 7019/7020 framework.
Does a DIBCAC assessed score mean CMMC Level 3?
No. DIBCAC performs government Medium and High NIST SP 800-171 assessments andis the government assessor for CMMC Level 3 — but those are two separate jobs with different authorities, prerequisites, and outputs. A numerical Medium or High score does not become a CMMC Level 3 status just because DIBCAC produced it. Conflating the two is the single most common misconception on this topic.
DIBCAC wears two hats. Read the label to know which one you’re looking at:
| DIBCAC role | What it produces |
|---|---|
| Government Medium or High NIST SP 800-171 assessment (DFARS 252.240-7997) | A numerical scoreand a confidence level — Medium or High |
| CMMC Level 3 assessment (32 CFR 170.18) | A CMMC status— Conditional or Final Level 3 — built on a Final Level 2 (C3PAO) foundation and 24 selected NIST SP 800-172 requirements |
The tell is in the words on the record. A government NIST assessment gives you a number and a confidence level. CMMC gives you a status— Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 — and Levels 2 and 3 can be labeled Conditional or Final. Level 3 can’t even begin until a Final Level 2 (C3PAO) status is in place. So if your paperwork says “Medium Assessment, score of 62,” that is a government NIST assessment. It is not a certification, and it is not Level 3. Precision here isn’t pedantry — it changes who you call and what you’re actually obligated to do.
Can DIBCAC override your self-reported SPRS score — and is a clock running?
Yes on both counts. Under current DFARS 252.240-7997, when DCMA conducts a Medium or High assessment, that result takes precedence over other assessment results, and DoD posts it to SPRS. Before it’s posted, you get an opportunity to respond: a contractor has 14 business daysto provide additional information demonstrating a requirement the team didn’t observe, or to rebut findings in question. Follow the assessment notice for the operative dates and submission steps.
The precedence rule and the rebuttal window both come from the assessment clause and carry forward into the current deviation. DFARS 252.204-7020(e) — now relocated to 252.240-7997 — states that DoD offers “rebuttal and adjudication of assessment summary level scores prior to posting,” and that “upon completion of each assessment, the contractor has 14 business days to provide additional information… or to rebut the findings.” This is real, current, and time-sensitive — the rare deadline on this topic that isn’t manufactured.
Two precision points, because loose phrasing here causes real mistakes:
- Precedence is not deletion.When DCMA conducts the assessment, the government’s result becomes the authoritative number for contracting purposes. Whether SPRS visually overwrites, archives, or retains your earlier entry is a separate interface question. 32 CFR Part 170 gives a subsequent DCMA DIBCAC investigative result precedence over a conflicting pre-existing CMMC status.
- A CMMC C3PAO dispute is a different process. If your disagreement is with a C3PAO’s Level 2 assessment, that runs through a separate re-evaluation and appeals path under 32 CFR 170.17 — don’t assume the 14-business-day government window applies to it.
What does DoD post to SPRS after a Medium or High assessment?
The record is more than a number — it’s a small dossier. For a government Medium or High assessment, DFARS 252.240-7997 (carrying forward the 252.204-7020 posting fields) identifies the standard assessed, the organization that conducted it, the associated CAGE codes, the assessment date and level, the summary-level score, and the date all requirements are expected to be fully implemented based on the associated plan of action. Knowing exactly what’s in that record tells you what to reconstruct and defend.
If a government result just landed, don’t start rewriting your environment. Preserve the record and protect your rights first: the government notice, the resulting assessment report, your SPRS record, the solicitation and contract, your prior score submission, and the SSP and scoring workbook you originally used. A technical fix completed afterthe assessment date doesn’t answer whether the original finding was correct — and it can look worse, not better. For a full breakdown of the six distinct DoD review types and how to identify which one you’re in, see Can DoD audit my CMMC self-assessment?
Not sure whether you need readiness support, evidence workflow, enclave architecture, or assessment prep? Map your level, scope, and timeline to the right provider category.
Find My CMMC Path \u2192Why do DIBCAC-assessed scores come back lower? (Where the points leak)
A lower government score does not automatically prove fraud. Verified scoring gaps usually come from requirements marked “met” without complete objective evidence, an incorrect scope, an SSP that doesn’t match the assessed environment, controls that were planned rather than implemented, or misapplication of the 1-, 3-, and 5-point methodology.
Start with the math. Under the DoD Assessment Methodology, you begin at 110 and subtract 5, 3, or 1 pointfor each of the 110 requirements you haven’t fully met. The weights track security impact — the most critical controls carry five points. Because the weights sum to more than 110, a handful of five-point gaps can push you negative. The floor is −203. That’s by design: you can’t game the score by knocking out cheap one-pointers while ignoring the controls that actually protect CUI.
The following are verified scoring mechanisms and defensible evidence-risk categories — not a claim about which findings are most common across the DIB:
- MFA half-credit. Multi-factor authentication (requirement 3.5.3) costs the full 5 pointsif it’s missing, but only 3if it covers remote and privileged users and not general users. A self-assessment can read “implemented” when only admins actually have it.
- FIPS-validated vs. FIPS-capable.Encryption protecting CUI must be FIPS-validated (requirement 3.13.11). If you encrypt but the module isn’t FIPS 140-validated, that’s 3 pointsoff; if you don’t encrypt where required, 5. “We encrypt” and “our module is validated” are not the same statement.
- Planned is not implemented.A requirement sitting on a Plan of Action and Milestones (POA&M) is still not metand still deducts its full point value. Aspirational controls don’t earn points.
- Template SSPs. A System Security Plan filled in from a generic template describes a generic company. The gap between that template and your real systems is exactly where over-credit hides.
- Shared-responsibility assumptions.Controls checked off as “handled by our cloud provider” without confirming the boundary. Inherited controls have to be verified, not assumed.
- Scope. If the assessed boundary leaves out a CUI repository, remote users, or a connected corporate service, the earlier score was measuring a smaller, friendlier environment than the one a government assessor will examine.
- No current SSP, no completed assessment. Under 32 CFR 170.24(c)(5), the absence of an up-to-date SSP results in a finding that the assessment could not be completed because of incomplete information and noncompliance with DFARS 252.204-7012 — not an automatic 110-point deduction.
Editorial self-check tool
Would Your Score Survive a DIBCAC Assessment?
A useful way to audit yourself before anyone else does
| Where points leak | What the contractor believed | What a government assessor tests | First document to pull |
|---|---|---|---|
| Scope | "That system is outside CUI" | Data flows, connections, users, external service providers | Your CUI data-flow diagram |
| SSP | "It's documented" | Whether the document matches current operations | The dated SSP version |
| Scoring method | "We calculated 110" | Weighting and how partial implementation was treated | The original scoring workbook |
| Evidence | "We have a policy" | Whether artifacts show the control actually operating | A control-to-evidence index |
| Implementation | "The tool is installed" | Whether it’s configured and enforced across the scope | The configuration export |
| Timing | "We fixed that later" | What existed on the assessment date | Change and deployment records |
How big is the typical gap? We found no authoritative public dataset establishing a “typical” self-reported-to-government score gap as of July 16, 2026 — so we won’t hand you an invented average. The two public enforcement cases below are documented examples, not a benchmark.
What the LOGZONE and MORSECORP records show — and what they don’t prove
A large gap between a self-reported score and a later independent or government assessment can become part of a False Claims Act investigation when it’s paired with alleged or admitted contractual noncompliance and claims for payment. In June 2026, defense contractor LOGZONE agreed to pay $507,144 after DIBCAC assessed it at −170 against its self-reported 110. It followed MORSECORP’s $4.6 million settlement, where a self-reported 104 turned out to be −142. Neither record establishes that a numerical score gap alone creates liability.
We pulled both from the primary source — the DOJ press releases and settlement agreements — rather than law-firm summaries, and one column is doing real work here. Notice who found the gap, because it’s not the same story twice:
| Contractor | Self-reported | Assessed | Gap | Who found it | Resolution | How it surfaced | DOJ posture |
|---|---|---|---|---|---|---|---|
| LOGZONE Inc. (Huntsville, AL) | 110 (Oct. 13, 2021) | −170 (Feb. 2, 2024) | 280 pts | DIBCAC (a government assessment) | $507,144 (incl. $253,572 restitution), June 18, 2026 | Government-initiated DIBCAC assessment | Allegations resolved; no determination of liability |
| MORSECORP Inc. (Cambridge, MA) | 104 (Jan. 2021) | −142 (July 2022) | 246 pts | A third-party consultant (not DIBCAC) | $4.6M, March 26, 2025; relator share $851,000 | Qui tam by a former employee | Admitted facts on multiple points |
LOGZONEis the cleanest illustration of this exact query. The company posted a perfect 110 in October 2021. In an assessment dated February 2, 2024, DIBCAC scored its actual implementation at −170 — near the very bottom of the range. The settlement record identifies that 280-point difference and also describes broader alleged failures to implement required NIST SP 800-171 controls while submitting claims for payment on two Navy contracts. DOJ stated the settlement resolved allegations without a determination of liability. Notably, the published DOJ materials do not identify a relator or qui tam action — the government’s own assessment triggered the case, which is what makes it a warning even to contractors no whistleblower is watching.
MORSECORPadds the twist that should keep affirming officials up at night. MORSE self-reported 104 in January 2021. A third-party consultant told the company in July 2022 that the real number was −142. MORSE didn’t correct its SPRS entry until June 2023 — three months after the government served a subpoena. DOJ included that delayed update among the facts MORSE admitted. A former employee filed the qui tam complaint and received an $851,000 relator share.
Be clear-eyed about what these cases do — and don’t — establish. They show that dramatic, documented gaps between self-reported and independently assessed scores can anchor an expensive False Claims Act resolution when combined with alleged or admitted noncompliance. They do notprove that every 110 is inflated, that DIBCAC reduces scores by some predictable amount, or that a score gap alone caused either settlement. We say “the settlement record states,” not “the company was convicted.”
If your real worry is what your company represented— in a proposal, an award, an invoice, or an annual affirmation — that’s a legal question, not just a technical one. Read our companion piece on the difference between a contractor-entered and DIBCAC-assessed score, and what inaccurate SPRS representations can mean, and involve qualified counsel.
What did the July 13, 2026 CMMC Phase II suspension change?
It suspended the Phase II transition — not your safeguarding duties. On July 13, 2026, the Department of War suspended the CMMC Phase II transition and the designation of Level 2 (C3PAO) and Level 3 assessment requirements in procurement documents during a review. But self-assessments still stand, select government-led assessments may continue, DFARS 252.204-7012 is unchanged, and the Justice Department is still bringing False Claims Act cases. The suspension paused the scheduled third-party expansion. It did not pause DIBCAC or your liability.
Here’s the practical map, matched to the implementation direction:
| Item | Status as of July 16, 2026 |
|---|---|
| Phase I self-assessments (Level 1 Self, Level 2 Self) | In effect — the current operating posture |
| New CMMC level designations in procurements | Program Managers may designate only Level 1 (Self) or Level 2 (Self) during the suspension |
| Active solicitations / existing contracts with C3PAO or Level 3 requirements | Directed to be amended or modified to remove them — verify whether your document has actually been changed |
| Phase II third-party (C3PAO) transition, once expected Nov. 10, 2026 | Suspended — do not treat the old date as a settled deadline, and don’t invent a new one |
| DFARS 252.204-7012 safeguarding duties | Unchanged |
| DIBCAC Medium/High assessments | Select government-led assessments may continue |
| False Claims Act exposure | Unchanged — DOJ enforcement continues |
| CMMC Reform Task Force review | Underway; a Request for Information supports the review, with comments due August 14, 2026 |
The original schedule placed Phase I from November 10, 2025 through November 9, 2026 and Phase II at November 10, 2026; the July 13 action suspended that transition while keeping Phase I self-assessment requirements in place.
What the suspension does notmean: that NIST SP 800-171 stopped mattering, that the cyber clauses vanished, that an unsupported historical score is now safe, or that Phase II has a confirmed new start date. The review could lead to significant changes to the program, and officials have not committed to keeping it in its current form — but permanent amendments to codified 32 CFR or DFARS text require the applicable rulemaking process. Because this section is time-sensitive, verify the official program page before relying on it for a contract decision.
If anything, the suspension raises the stakes on the self-vs-DIBCAC question. With the third-party transition paused, contractor self-assessments and select government-led assessments remain directly relevant, and the suspension does not suspend the False Claims Act or erase the existing cybersecurity clauses.
What should you do if your self-reported score might not hold up?
Preserve the original record before you change anything, then figure out what kind of problem you actually have. Identify the exact clause, record type, date, CAGE scope, SSP version, and evidence behind the number. Then classify the mismatch — scope, documentation, scoring method, evidence, implementation, timing, or a legal representation issue — because that classification decides whether you need a readiness consultant, an implementation team, an evidence platform, or an attorney.
Work it in this order:
- Freeze and preserve. Save the submitted score, the submission date, who submitted it, the CAGE scope, the SSP (name, version, date), the scoring workbook, the evidence index, and the relevant contract clauses and approvals. Never conceal, destroy, rewrite, or backdate anything.
- Identify the record and authority. Use the six-record table above. A legacy Basic score and a CMMC Level 2 (Self) status are not the same object.
- Reconstruct the score as of the assessment date. Separate what existed then, what was merely planned then, what you remediated later, and what you simply can’t substantiate.
- Map every claimed requirement to evidence.For each control: who owns it, which system, the implementation statement, the test objective, the artifact that proves it, and the artifact’s date. A policy saying something should happen is not proof it did.
- Classify the mismatch before correcting it (see the triage table below).
- Separate remediation from legal response. A cybersecurity consultant can tell you whether controls and evidence support a score. That does not make them the right advisor on disclosure duties, privilege, or litigation risk tied to prior representations.
- Make only supportable, traceable corrections. “Lower the number immediately” is not automatically right — the correct action depends on the record, the contract, any government notice, and possible legal implications.
| Mismatch type | Typical signal | First safe action | Category that usually fits | Don’t |
|---|---|---|---|---|
| Record-type | Team calls a Medium result "Level 3" | Identify the exact status or confidence label | RP/RPO or a knowledgeable compliance lead | Treat every DIBCAC result as certification |
| Clause | Contract cites 252.240-7997 but your process assumes 7019/7020 | Read the solicitation, award, modification, and deviation | Contracts professional; counsel where material | Use a generic checklist as the authority |
| Scope | CAGEs, CUI systems, users, or external providers differ | Rebuild the CUI/data-flow and assessment boundary | RP/RPO; enclave specialist | Recalculate before resolving the boundary |
| Scoring method | The 110 can’t be reproduced | Recalculate from the correct methodology | RP/RPO or assessment-readiness specialist | Preserve a number you can’t explain |
| Evidence | Policies exist but artifacts don’t prove operation | Build a requirement-to-evidence map | GRC/evidence platform + readiness support | Upload sensitive evidence into an unvetted tool |
| Implementation | Evidence honestly shows a missing control | Build a technical remediation plan | MSP/MSSP or implementation specialist | Hire a C3PAO to perform remediation |
| Timing/version | Different SSPs or environments were assessed | Reconstruct the state on each assessment date | RP/RPO + technical owner | Compare numbers without aligning dates/scope |
| Government finding | A Medium/High result and response instructions arrived | Calendar the 14-business-day deadline; preserve the notice | Response team; counsel where appropriate | Start rewriting historical evidence |
| Representation risk | An unsupported score tied to a proposal, award, invoice, or affirmation | Preserve records; get qualified legal advice | Federal-contracts / False Claims Act counsel | Treat it as only a technical ticket |
What kind of help fits a score gap?
Match the provider category to the problem, not the panic. Use an RP/RPO for scope, methodology, and readiness; an MSP/MSSP for technical implementation and ongoing operations; a GRC platform for evidence workflow; and a CUI-enclave specialist when architecture and scope isolation are the core issue.
- RP/RPO — when the problem is scope, methodology, or readiness. Best for reconstructing scope, reviewing the SSP and scoring logic, mapping evidence, and sequencing remediation. Not a substitute for a formal C3PAO assessment or for legal advice.
- MSP/MSSP — when the problem is implementation. Best for identity and access, endpoint management, logging and monitoring, configuration enforcement, and incident response. Verify genuine CUI-environment competence and a clear responsibility matrix before signing.
- GRC / evidence platform — when the problem is repeatability. Best for requirement ownership, evidence indexing, version history, and recurring collection. The honest limitation: software organizes unsupported claims just as efficiently as supported ones. Its value shows up after scope and control interpretation are sound.
- CUI enclave — when architecture drives the problem.A properly designed and documented enclave can reduce your CMMC assessment scope by isolating where CUI is processed, stored, and transmitted. It does not automatically place connected assets, security-protection assets, or external services out of scope — buying or naming an “enclave” isn’t the same as reducing scope.
- C3PAO — only when you’re ready for a formal Level 2 assessment. Not the default remediation category, and bound by independence rules. Under 32 CFR 170.8, a CMMC ecosystem member may not participate in your Level 2 certification assessment if it served as a consultant preparing your organization within the prior three years. Note, too, that new C3PAO designations are paused during the current review.
- Federal-contracts counsel — when prior representations are implicated. Bid representations, award-eligibility statements, invoices, certifications, affirmations, or a government inquiry all point here.
That routing logic has a name. The CMMC Path Frameworkmaps a contractor’s required CMMC level, FCI-versus-CUI handling, assessment type, IT and cloud environment, and contract timeline to the provider category most likely to fit. It routes to a category, not a named provider, and it is not a score, a ranking, or compliance advice. See the full explanation at CMMC provider categories.
Map your CMMC level, scope, and timeline to the right provider category \u2014 RP/RPO, MSP/MSSP, GRC platform, CUI enclave, or C3PAO. Never enter CUI.
Find My CMMC Path \u2192What we actually verified
We built this page from primary sources and dated our work, because on a topic this consequential, that’s the difference between an authority and an aggregator.
Verified directly (July 16, 2026):
- The three assessment tiers, the “Low” confidence label for a contractor self-assessment, and the Medium/High evidence distinctions — DFARS 252.204-7020 and the DoD Assessment Methodology v1.2.1.
- The precedence rule “when conducted by DCMA,” the 14-business-dayrebuttal window, and the exact SPRS posting fields — DFARS 252.204-7020(e)/(d), carried into 252.240-7997.
- The February 1, 2026 posture: 252.204-7019 dropped for covered procurements, 252.204-7020 mechanics moved into 252.240-7997, codified text remains in the eCFR — class deviation 2026-O0025.
- The separate CMMC status paths, the eMASS posting path, and the Conditional 180-day POA&M window (Levels 2 and 3 only) — 32 CFR 170.16–170.18, 32 CFR 170.9, and DFARS 252.204-7021.
- The July 13, 2026 CMMC Phase II suspension and the implementation direction limiting current designations to Level 1 (Self) and Level 2 (Self).
- LOGZONE’s 110 self-report, its −170 DIBCAC assessment (Feb. 2, 2024), the $507,144 settlement, $253,572 restitution, and the no-determination-of-liability qualifier — DOJ.
- MORSECORP’s 104 self-report, −142 actual, $4.6M settlement, and $851,000 relator share — DOJ.
Deliberately not claimed:a “typical” DIBCAC score reduction; that every 110 is unsupported; that a negative score is an automatic disqualification; that a government result visually deletes an earlier SPRS entry; that a score gap alone caused either settlement; that a Medium or High result is CMMC Level 3; that Phase II has a confirmed new start date; or that any provider can guarantee a score or a certification outcome.
Frequently asked questions
- Is a self-reported SPRS score "official"?
- A contractor-entered score can be an official submission in SPRS, but "officially submitted" and "independently government-assessed" are different things. A legacy Basic self-assessment carries Low confidence because it is contractor-generated; a CMMC Level 2 (Self) submission is a separate CMMC status record with its own scope, affirmation, and recurrence rules. Don't apply the legacy Low-confidence label to a Level 2 (Self) status.
- Can DIBCAC enter a different SPRS score than the one I posted?
- Yes. When DCMA completes a Medium or High assessment, that result takes precedence and DoD posts it to SPRS. We won't overstate whether your earlier entry is deleted or archived — the point is that the government's higher-confidence number becomes the score of record for contracting purposes.
- Is a DIBCAC Medium assessment the same as CMMC Level 3?
- No. A Medium assessment is a government NIST SP 800-171 assessment with Medium confidence. CMMC Level 3 is a separate status path with its own prerequisites (a Final Level 2 C3PAO status first) and 24 selected NIST SP 800-172 requirements under 32 CFR 170.18.
- Is a government High assessment always on-site?
- Don't reduce it to a location label. A High assessment adds government verification, examination, and demonstration that controls are implemented as described — the logistics come from the notice and current authority, not a rule of thumb.
- How long do I have to challenge a DIBCAC result?
- 14 business days after the assessment to submit additional information or rebut findings, under DFARS 252.204-7020(e), carried into 252.240-7997. A dispute with a C3PAO's Level 2 assessment is different: a NOT MET requirement can be re-evaluated during the assessment and for a short window afterward (10 business days) under 32 CFR 170.17, before the Assessment Findings Report is delivered — with appeals to the Accreditation Body beyond that. Don't mix the two timelines.
- Did DFARS 252.240-7997 replace 252.204-7020 everywhere?
- For covered procurements, class deviation 2026-O0025 directs contracting officers to use 252.240-7997 in place of the codified framework as of February 1, 2026. The codified 252.204-7020 text still exists in the eCFR and can remain relevant to historical records and existing contracts — so check your actual procurement documents.
- Does a negative SPRS score automatically make us ineligible?
- There's no universal rule. The effect depends on the solicitation, the contract, the applicable clauses, the responsibility and award decisions, and any required assessment status. A negative score is a serious signal, but eligibility is contract-specific.
- We can't support our score — should we just lower it right now?
- Preserve the original record and identify the governing procedure first. A technical correction, a contractual notice, a legal disclosure, a government rebuttal, and a CMMC affirmation are different actions. Where prior representations may carry legal significance, involve qualified counsel before you act.
- What's the minimum score for CMMC Level 2 (Self)?
- To be eligible for Conditional status with a POA&M, the score divided by the 110 Level 2 requirements must be at least 0.8 — 88 points — and the POA&M must satisfy the point-value and requirement-specific exclusions in 32 CFR 170.21(a)(2). A Conditional Level 2 status must then be closed out within 180 days.
- Did the Phase II suspension eliminate CMMC or NIST SP 800-171 obligations?
- No. Phase I self-assessments remain, select government-led assessments continue, and DFARS 252.204-7012 safeguarding duties are unchanged. The suspension paused the third-party transition, not the underlying requirements.
- Can a GRC platform validate our score for us?
- It can organize requirements, evidence, SSP content, POA&Ms, ownership, and version history. It cannot independently turn an unsupported implementation claim into a verified control, and it cannot issue an official SPRS or CMMC result.
Need a next step?
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Start with Find My CMMC Path.
Find My CMMC Path →