What About CMMC Level 2 Self-Assessments?
- David Sutherin
- Jan 8, 2025
- 4 min read
Updated: Dec 9, 2025
TL;DR: A Good Starting Point, but Don’t Count On Them Long-Term
Updated December 2025 to reflect clarification on the CMMC program following finalization of the CMMC Clause Rule
If you're wondering whether Level 2 self-assessments are a viable option for your organization under the Cybersecurity Maturity Model Certification (CMMC) program, the short answer is: for now, yes. Phase 1 of CMMC rollout (November 2025–November 2026) is prioritizing self-assessments, but don’t count on self-assessments being the default long-term.
While there are circumstances where a self-assessment may be allowed, they will be the exception rather than the rule once Phase 2 of CMMC rollout begins. Understanding the nuances and preparing for third-party evaluations—or DIBCAC/customer audits even if self-assessment is allowed in a particular case—is essential.

CMMC Rollout Phase 1: Prioritizing Self-Assessments
According to the DoD CIO website, "CMMC Phase 1 Implementation (Nov 10, 2025 - Nov 9, 2026) [is] to focus primarily on CMMC Level 1 and Level 2 self-assessments." This gives organizations time to adapt to the changing regulatory environment and for the CMMC ecosystem to build sufficient capacity for performing certification assessments.
However, defense contractors are still required to document a system security plan (SSP), calculate their assessment score using the NIST SP 800-171 DoD Assessment Methodology, and upload the results to SPRS with a senior officer attesting to the accuracy of the information.
Once CMMC Phase 2 begins on November 10, 2026, applicable solicitations will begin requiring Level 2 Certification rather than self-assessment in most cases.
When CMMC Level 2 Self-Assessments May Be Permitted after Phase 1
According to the final CMMC rule (32 CFR 170), self-assessments may be permitted even after Phase 1, but this will only be upon specification by the Contracting Officer (CO) and should not be the expectation for contractors. This means that most contractors pursuing CMMC Level 2 compliance will require an assessment performed by a Certified Third-Party Assessment Organization (C3PAO) following the initial ramp-up period.
In limited cases, certain contracts may allow for self-assessments, typically as a temporary measure or for low-risk engagements. However, these exceptions are expected to be rare given that one of the primary motivations for establishing the CMMC program is to move away from contractor self-attestation.
Check Your Contracts
The best way to determine if a Level 2 self-assessment is permitted is to review your contracts carefully—both for existing contracts and for any contracts on which your organization intends to bid. Contract language will specify whether a self-assessment is allowed and under what conditions. If there is any ambiguity, seek clarification from the CO to avoid compliance missteps.
Key clauses to look for include:
- CMMC Level requirements—Level 2 (Self) vs. Level 2 (C3PAO)
- Requirements for third-party (C3PAO) verification
- DFARS 252.204-7012 or -7025
- Conditions for renewal or extension of contracts
- Provisions related to audits or compliance reviews (even if self-assessment is permitted)
Being proactive in understanding these terms can save your organization time and costly surprises. Something else worth noting is that many prime contractors have signaled that they intend to require their subcontractors to achieve certification as a way to reduce their liability for downstream security & compliance—even if those subcontractors are only required to self-attest.
Prepare for Customer Audits and Renewals
Even if your contract permits a Level 2 self-assessment, you should prepare for additional scrutiny ahead of renewals or the exercise of a contract option. Under the final CMMC rule, the DoD “reserves the right to conduct a DCMA DIBCAC assessment of the [contractor]” even if the contract allows for self-attestation (32 CFR 170.16(a)(1)(iv)).
As the CMMC program gets into full swing, contract renewals after 2025 are likely to require a formal C3PAO audit even if the original contract only required self-assessment. To mitigate risk:
- Maintain thorough documentation of your self-assessment process (including evidence artifacts)
- Ensure your cybersecurity measures meet or exceed the required NIST SP 800-171 (Rev. 2) requirements
- Be ready to demonstrate compliance if requested
By adopting a proactive approach, you’ll position your organization for smoother renewals and stronger customer relationships.
Consider Working with an RPO or C3PAO for Your Self-Assessment
While engaging a third party to perform a self-assessment may seem counterintuitive, doing so can be beneficial even for organizations that are only required to self-assess. Registered Practitioner Organizations (RPOs) and C3PAOs are accredited by The CMMC Accreditation Body (CyberAB) and can provide expertise to ensure your organization is truly compliant. They can also clear up confusion on the interpretation of requirements and the application of corresponding controls.
Many RPOs and C3PAOs offer gap analysis, readiness assessment, and/or mock audit services that can instill confidence among both internal and external stakeholders. Doing so can also demonstrate to existing and prospective customers that your organization takes CMMC compliance seriously and isn’t just “checking the boxes.”
Pro Tip: The CMMC Program Rule (32 CFR 170) includes conflict-of-interest restrictions which impact whether you can use the same organization to assist with preparation and perform your certification assessment. If using a C3PAO for both, be sure you understand how they enforce isolation between preparation and assessment teams.
Final Thoughts
While Level 2 self-assessments are a good way to ramp up the CMMC program, they’re not a reliable option for most defense contractors long-term. Understanding when they are permitted, thoroughly reviewing contract terms, and preparing for potential audits are critical steps to ensure compliance and maintain customer trust. For long-term success, anticipating a C3PAO assessment to be required is often the most prudent path forward.
As a CyberAB RPO, Triumvirate Cybersecurity has experience assisting organizations in preparing for and demonstrating compliance with CMMC requirements. From readiness assessments to policy development and project management, we’re here to lend a hand at every step in your compliance journey.