What About CMMC Level 2 Self-Assessments?

Updated: Mar 11

TL;DR: Don’t Count On It


If you're wondering whether Level 2 self-assessments are a viable option for your organization under the Cybersecurity Maturity Model Certification (CMMC) program, the short answer is: don’t count on it. While there are circumstances where a self-assessment may be allowed, they are the exception rather than the rule. Understanding the nuances and preparing for third-party evaluations – or customer audits even if self-assessment is allowed in a particular case – is essential.


When Level 2 Self-Assessments May Be Permitted by CMMC


According to the final CMMC rule (32 CFR 170), self-assessments may be permitted, but this will only be upon specification by the Contracting Officer (CO) and should not be the expectation for contractors. This means that most contractors pursuing CMMC Level 2 compliance will require an assessment performed by a Certified Third-Party Assessment Organization (C3PAO).


In limited cases, certain contracts may allow for self-assessments, typically as a temporary measure or for low-risk engagements. However, these exceptions are expected to be rare given that one of the primary motivations for establishing the CMMC program is to move away from contractor self-attestation.


Check Your Contracts


The best way to determine if a Level 2 self-assessment is permissible is to review your contracts carefully – both for existing contracts and for any contracts on which your organization intends to bid. Contract language will specify whether a self-assessment is acceptable and under what conditions. If there is any ambiguity, seek clarification from the customer CO to avoid compliance missteps.


Key clauses to look for include:

  • Requirements for third-party (C3PAO) verification

  • Conditions for renewal or extension of contracts

  • Provisions related to audits or compliance reviews


Being proactive in understanding these terms can save your organization time and costly surprises.


Prepare for Customer Audits and Renewals


Even if your contract permits a Level 2 self-assessment, you should prepare for additional scrutiny. Under the final CMMC rule, the DoD “reserves the right to conduct a DCMA DIBCAC assessment of the [contractor]” even if the contract allows for self-attestation (32 CFR 170.16(a)(1)(iv)). As the CMMC program gets into full swing, contract renewals after 2025 are likely to require a formal C3PAO audit even if the original contract only required a self-assessment.


To mitigate risk:

  • Maintain thorough documentation of your self-assessment process (including evidence artifacts).

  • Ensure your cybersecurity measures meet or exceed the required CMMC standards.

  • Be ready to demonstrate compliance on demand.


By adopting a proactive approach, you’ll position your organization for smoother renewals and stronger customer relationships.


Consider Working with a C3PAO or RPO for Your Self-Assessment


While engaging a third party to perform a self-assessment may seem counterintuitive, doing so can be beneficial even for organizations that are only required to self-assess. Registered Practitioner Organizations (RPOs) and C3PAOs are accredited by The CMMC Accreditation Body (CyberAB) and can provide expertise to ensure your organization is truly compliant. They can also clear up confusion about the interpretation of requirements and the application of the corresponding controls.


Many RPOs and C3PAOs offer gap analysis, readiness assessment, and/or mock audit services which can instill confidence among both internal and external stakeholders. Doing so can also demonstrate to existing and prospective customers that your organization takes CMMC compliance seriously and isn’t just “checking the boxes.”


Final Thoughts


While Level 2 self-assessments under the CMMC program may seem like an appealing way to minimize compliance costs, they’re not a reliable option for most defense contractors. Understanding when they are permitted, thoroughly reviewing contract terms, and preparing for potential audits are critical steps to ensure compliance and maintain customer trust. For long-term success, anticipating a C3PAO assessment to be required is often the most prudent path forward.


As a CyberAB RPO, Triumvirate Cybersecurity has experience assisting organizations in preparing for and demonstrating compliance with CMMC requirements. From readiness assessments to policy development and project management, we’re here to lend a hand at every step in your compliance journey.
© Triumvirate Cybersecurity 2025