The CMMC program divides defense contractors into two assessment tracks: organizations that can evaluate their own compliance, and organizations that must hire an independent assessor. Which track you're on determines not just your cost and timeline, but the level of rigor you need to demonstrate. If you're preparing for either path, you need to understand the difference before you start spending money.

The confusion I see most often comes from contractors who assume CMMC self-assessment works like a NIST 800-171 self-assessment—a form you fill out and submit to DoD. That's not what's happening here. A CMMC self-assessment is a formal certification process with specific requirements, documentation standards, and accountability mechanisms. It's lighter than a third-party assessment, but it's not casual.

This article covers when each assessment type applies, what they require, what they cost, and how to prepare for whichever path your contract determines.

When Self-Assessment Is Allowed Under CMMC

CMMC self-assessment is available only for Level 1 compliance. That's it. If your contract requires Level 2 or Level 3, you're hiring a third-party assessor. There's no opt-out.

Level 1 applies to contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). FCI is contract-related information not intended for public release—things like pricing data, delivery schedules, and proprietary technical information submitted as part of a proposal. If you're building widgets for DoD and the only sensitive information you handle is your own contract performance data, you're likely a Level 1 candidate.

The self-assessment option at Level 1 exists because the controls are foundational: basic access controls, incident response, media protection, system integrity. DoD determined that the risk of self-certification at this level is acceptable given the lower sensitivity of the data involved. That doesn't mean the assessment is lenient. It means DoD trusts contractors to accurately evaluate themselves against 17 security practices without an auditor looking over their shoulder.

Here's what self-assessment does not cover:

If you're unsure whether your contracts involve CUI, the answer is probably yes. CUI includes technical data subject to export controls, logistics information, acquisition-sensitive data, and dozens of other categories. The pattern I see is contractors underestimating their CUI exposure because they focus on whether they're developing classified systems. CUI is unclassified. That's the whole problem—it's sensitive but doesn't carry classification markings, so it spreads.

For a detailed breakdown of which level applies to your contract type, see CMMC Level 1 vs Level 2: How to Know Which One You Need.

When Third-Party Assessment Is Required

Third-party assessment is mandatory for CMMC Level 2 and Level 3. Level 2 corresponds to the 110 security controls in NIST 800-171, plus 20 additional assessment objectives. Level 3 adds another layer of advanced protections for contractors handling the highest-sensitivity CUI.

The third-party requirement isn't negotiable. You can't self-assess Level 2 compliance even if you've been following NIST 800-171 for years. DoD decided that CUI protection demands independent verification, and the Cyber Accreditation Body (Cyber AB) certifies the assessors who conduct these evaluations.

Third-party assessors—called Certified CMMC Professionals (CCPs) for Level 2—are authorized by the Cyber AB and must follow the CMMC Assessment Process (CAP). They review your System Security Plan (SSP), conduct interviews, inspect technical configurations, validate evidence, and issue a finding. If you pass, you get a certification valid for three years. If you don't, you remediate gaps and try again.

One important clarification: even at Level 2, not all contractors need an assessment immediately. DoD is phasing CMMC requirements into contracts over time. But once your contract includes a CMMC clause requiring Level 2 certification, you have six months from contract award to complete the assessment if you don't already hold a valid certification. That timeline is tight if you're starting from scratch.

What About Level 3?

Level 3 assessments are conducted by government personnel, not by commercial CCPs. These are for organizations working on the most sensitive defense programs—typically involving advanced persistent threats or nation-state adversaries. If you're in this category, you already know it, and the assessment process is handled through Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) channels.


The Mechanics of a CMMC Self-Assessment

A CMMC self-assessment is a structured process. You're not filling out a checklist and calling it done. You're affirming compliance with 17 specific practices, documenting your implementation, and submitting that affirmation through the Supplier Performance Risk System (SPRS) portal.

Here's what the process actually involves:

Scoping your assessment environment. You define the boundaries of the systems and networks that process, store, or transmit FCI. This is your assessment scope. If FCI touches a system, that system is in scope. If it doesn't, it's out. The scope determines what you're evaluating.

Evaluating each of the 17 Level 1 practices. These practices cover basic cyber hygiene: limiting system access to authorized users, identifying and authenticating users, sanitizing or destroying media, managing system updates. For each practice, you assess whether your current controls meet the objective. You don't need external validation, but you do need evidence.

Documenting your implementation. This is where contractors get lazy. You need to show how each practice is implemented—what tools you use, what policies govern the control, what records you keep. A narrative SSP that says "we limit access to authorized users" without explaining how is insufficient. Document the mechanism: access control lists, role-based access, multi-factor authentication, whatever your method is.

Addressing any gaps. If you find a practice you're not meeting, you fix it before you submit your self-assessment. There's no provision for Plans of Action and Milestones (POA&Ms) at Level 1. You either meet all 17 practices, or you don't certify. If you can't meet a practice yet, delay your assessment until you can.

Submitting your affirmation. Once you've confirmed compliance, a senior company official—typically a C-level executive or equivalent—signs an affirmation statement and submits it through SPRS. That signature carries weight. You're attesting under penalty of law that your self-assessment is accurate.

The self-assessment certification is valid for three years, assuming your scope and controls don't materially change. If you add new systems or contracts that expand your FCI footprint, you may need to reassess.


The Third-Party Assessment Process

Third-party assessments follow a more formal structure. You're not self-certifying; you're being audited by an accredited professional who reports findings to DoD. The process typically spans several weeks and involves multiple phases.

Pre-Assessment Phase

Before the formal assessment starts, you engage a CCP and define the scope. The assessor reviews your SSP, policies, and architecture diagrams to understand your environment. They'll identify any obvious gaps or documentation deficiencies that need correction before the on-site (or remote) assessment begins.

This is the time to fix what's broken. If your SSP is outdated or incomplete, update it. If you have controls that aren't documented, document them. If you have known gaps, close them or, where Level 2 allows conditional certification under specific circumstances, prepare a POA&M. Don't walk into an assessment hoping the assessor won't notice obvious deficiencies.

Assessment Phase

The formal assessment involves three main activities: interviews, technical testing, and evidence review. The assessor talks to your IT staff, compliance leads, and system owners to understand how controls are implemented. They inspect configurations, review logs, test access controls, and verify that what you documented is actually in place.

Technical testing isn't penetration testing. The assessor isn't trying to break into your systems. They're validating that controls function as described. For example, if your SSP says you enforce multi-factor authentication for remote access, the assessor will attempt a remote login to verify that MFA is required. If it's not, that's a finding.

Evidence review is where documentation matters. The assessor will ask for proof that controls are consistently applied: access control logs, patch management records, incident response reports, configuration baselines. If you can't produce evidence, you can't claim compliance.

Post-Assessment Phase

After the assessment, the CCP issues a report detailing findings. If you meet all required practices, you receive a certification that's uploaded to SPRS and valid for three years. If you have findings, you remediate them and work with the assessor to validate corrections.

One common misconception: a finding doesn't automatically mean you failed. Depending on the severity and the control in question, you may be able to address the gap and still achieve certification. But this depends on DoD's policies around POA&Ms and conditional certifications, which are still evolving. Don't count on leniency.


Cost Comparison: Self-Assessment vs Third-Party

The cost difference between the two paths is significant, but not in the way most contractors expect. The assessment itself is the smaller cost. The real expense is remediation and the infrastructure required to meet the controls.

CMMC Self-Assessment Costs

A self-assessment has no direct assessor fee. You're not paying a CCP. But you still have internal costs:

The pattern I see is contractors underestimating the documentation burden. They assume self-assessment means less paperwork. It doesn't. You still need an SSP, you still need evidence, and you still need someone competent to evaluate your controls. The only thing you're saving is the assessor's fee.

Third-Party Assessment Costs

Third-party assessments carry an explicit assessor fee on top of internal costs. CCP fees for a Level 2 assessment typically range from $15,000 to $50,000, depending on the size and complexity of your environment. Larger organizations with multiple sites, complex networks, or extensive CUI handling can see fees above $100,000.

But again, the assessor fee is the smaller cost. The real expense is the same as self-assessment: remediation. If you're starting from a NIST 800-171 baseline and already have most controls in place, remediation might be modest. If you're starting from scratch, you're looking at $100,000 to $500,000 or more to implement the required controls, infrastructure, and documentation.

Internal labor is also higher for third-party assessments. Your team will spend significant time responding to assessor inquiries, producing evidence, and walking through technical configurations. Plan for at least 200-400 hours of internal effort for a mid-sized contractor.

How to Prepare for Either Path

The preparation work for both assessment types is largely the same. You need to know your scope, document your controls, and fix any gaps. The difference is who validates your work.

Start with a gap analysis. Before you commit to an assessment, you need to know where you stand. Conduct an internal gap analysis against the applicable control set—either the 17 Level 1 practices or the 110 Level 2 controls. Identify what's in place, what's missing, and what's only partially implemented.

Build or update your System Security Plan. The SSP is your primary documentation artifact. It describes your system boundaries, the data you handle, your security controls, and how those controls are implemented. If you don't have an SSP, you need one. If you have one but it's outdated, update it. The SSP drives the entire assessment process.

Collect evidence. For each control you claim to implement, you need evidence. This might be configuration files, policy documents, access logs, vulnerability scan reports, training records, or incident response records. Evidence should be current, specific, and tied directly to the control objective. Generic policies that don't reflect your actual practices won't pass scrutiny.

Fix gaps before the assessment. Don't schedule an assessment hoping you'll remediate during the process. Remediate first, then assess. This is especially important for self-assessments, where there's no mechanism to conditionally pass. If you're not compliant, delay the assessment until you are.

Train your team. Your staff will be interviewed during a third-party assessment. They need to understand how controls work, why they're implemented, and what their role is in maintaining compliance. A configuration that's technically correct but that no one on your team can explain will raise red flags.

For a detailed preparation checklist, see CMMC Readiness: What You Need Before Starting an Assessment.


Common Mistakes Contractors Make

I've seen contractors fail or delay assessments for predictable reasons. Most of these mistakes are avoidable if you know what to watch for.

Treating Self-Assessment as a Shortcut

The biggest mistake is assuming self-assessment means lower standards. It doesn't. The controls are the controls. The only difference is who validates your compliance. If you cut corners because you think no one will check, you're setting yourself up for problems when DoD audits your certification or when you need to transition to Level 2 later.

Incomplete Scoping

Contractors often under-scope their environment, either to reduce costs or because they don't understand where FCI or CUI flows. If you exclude systems that actually process sensitive data, your assessment is invalid. Worse, if DoD discovers the error, your certification can be revoked.

Scoping requires a thorough data flow analysis. Map where FCI or CUI enters your environment, where it's stored, where it's processed, and where it's transmitted. Every system that touches that data is in scope.

Weak Documentation

Documentation is not an afterthought. It's the core of your assessment. If you implement a control but can't document it, you don't get credit. If your documentation is vague or generic, an assessor will challenge it. Strong documentation is specific, current, and directly tied to the control objective.

Ignoring Continuous Compliance

CMMC certification is valid for three years, but compliance is continuous. If you pass an assessment and then let controls lapse, you're non-compliant. DoD can audit your compliance at any time, and if they find you've deviated from the controls you certified, you can lose your certification and your contracts.

Build compliance into your operations, not just your assessment. Make it part of onboarding, system changes, vendor management, and incident response. Continuous compliance is how you avoid scrambling before the next assessment.

What Leadership Needs to Understand

The choice between CMMC self-assessment and third-party assessment isn't really a choice. It's dictated by your contract requirements and the data you handle. But leadership still has decisions to make: how much to invest in preparation, whether to bring in outside help, and how to integrate CMMC into your broader compliance strategy.

The mistake I see at the executive level is treating CMMC as a one-time project. Certification is a milestone, not a finish line. If you're a defense contractor, cybersecurity compliance is now part of your cost structure, your risk profile, and your competitive positioning. Companies that understand this early build compliance into their operations and use it as a differentiator when competing for contracts. Companies that treat it as a checkbox scramble every three years and lose ground to competitors who took it seriously.

If you're pursuing self-assessment, don't underestimate the internal lift. You're taking on the validation responsibility yourself, which means you need competent people, solid processes, and leadership willing to sign an affirmation that your assessment is accurate. If you're pursuing third-party assessment, budget appropriately—not just for the assessor, but for the remediation and documentation work that will consume far more resources.

Either path requires a commitment. The contractors who succeed are the ones who treat CMMC as a program, not a project, and who build the infrastructure to sustain compliance beyond the assessment itself.
