
CMMC Self-Assessment: What Contractors Need to Know for Phase 1 of the Rollout

September 18, 2025

Author: Anna Fitzgerald, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

The Department of Defense (DoD) is beginning the phased rollout of new contractual requirements on November 10, 2025, starting with CMMC self-assessment requirements. That means contractors and subcontractors will need to demonstrate compliance with CMMC Level 1 or Level 2 requirements through a formal self-assessment process before award.

If your organization is preparing to bid on or maintain defense contracts past this date, keep reading. We’ll cover how self-assessments work, who needs to complete them, and how the right tool can accelerate the self-certification process so you’re ready for enforcement. 

If you’re new to CMMC 2.0, check out our on-demand webinar that explains what this framework requires, who it applies to, and how to get certified.

What is a CMMC self-assessment?

A CMMC self-assessment is the process of evaluating your own information system against CMMC Level 1 or Level 2 practices to see if you are in compliance with the 15 basic safeguarding requirements for FCI specified in FAR Clause 52.204-21 or the 110 requirements of NIST 800-171, respectively.

Instead of having a certified third-party assessment organization (C3PAO) perform the assessment, your team is responsible for completing the self-assessment internally, or with a third party assisting. It is also responsible for documenting and reporting those results, along with an executive affirmation of compliance, in the Supplier Performance Risk System (SPRS) to achieve a current CMMC status.

This self-assessment process is designed to help the DoD verify that suppliers are capable of protecting sensitive unclassified information on their behalf before awarding or renewing contracts. These contracts contain information that is important to national security, but pose relatively low risk, including Federal Contract Information (FCI) and non-critical Controlled Unclassified Information (CUI) and Security Protection Data (SPD).

But this self-assessment process is not just designed to benefit the DoD—it’s also designed to help contractors, subcontractors, and service providers in the Defense Industrial Base (DIB):

  • Maintain eligibility for existing and new contracts
  • Verify and demonstrate that required CMMC controls are in place
  • Identify and document gaps in their compliance posture
  • Build a roadmap for achieving CMMC certification at the required level, or higher

For these reasons, a self-assessment can be both a compliance checkpoint for maintaining or bidding on contracts with sensitive but lower risk unclassified information and a readiness exercise for the more rigorous third-party assessments required for more critical programs and contracts.

Image: 5 takeaways about CMMC self-assessments

Recommended reading

Everything You Need To Know About CMMC 2.0 Certification: Requirements, Assessments, And Costs

Who needs to complete a self-assessment in Phase 1?

During Phase 1 of the phased implementation plan described in 32 CFR § 170.3 (e), the DoD will require self-assessments for a majority of new defense contracts, including:

  • All contractors handling Federal Contract Information (FCI): They must complete an annual Level 1 self-assessment and submit the results along with an affirmation of compliance in SPRS to demonstrate and verify that 15 basic safeguarding practices are in place. 
  • A small percentage of contractors handling less sensitive CUI and SPD will be required to perform Level 2 self-assessments to be eligible for contract award. These results, including a score ranging from -203 to 110 based on the implementation of NIST SP 800-171 requirements, and executive affirmation must be submitted in SPRS.

In the 32 CFR rule, the DoD estimated the number of entities in the DIB that would eventually achieve CMMC certification by assessment level and type. They estimated that, in total, 63% would complete a Level 1 self-assessment and only 2% would complete Level 2 self-assessment. 

Although DoD contracting officials have discretion to add this requirement to contracts during Phase 1, starting in Phase 2 the vast majority (95%) of contracts with a Level 2 requirement will require third-party assessments. Phase 1, by contrast, allows a small percentage of contractors to achieve Level 2 self-certification.

Image Source: Impact and Cost Analysis of the Revised CMMC Program in 32 CFR rule

Recommended reading

The CMMC 2.0 Timeline: When Did CMMC 2.0 Go Into Effect & What's The Latest Compliance Deadline?

What if your contract doesn’t include a CMMC Level 1 or 2 (Self) requirement in November?

Even if your November contracts don’t explicitly include CMMC Level 1 (Self) or Level 2 (Self), completing a self-assessment can pay off. 

Here are some reasons organizations may seek CMMC self-certification now, before it’s required:

  • Stay in (or climb) the supply chain with primes. Many primes are already requiring subcontractors to demonstrate CMMC readiness—Lockheed Martin, for example, started reaching out to suppliers that had unimplemented CMMC controls in June. Showing a current self-assessment (with results, scores, and executive affirmation in SPRS) signals low risk and makes awarding or renewing subcontracts easier.
  • De-risk future phases. Contractual requirements increase in later phases. Proactively completing a self-assessment can surface gaps while there’s still time to remediate—before third-party assessments or tighter award windows kick in.
  • Win new opportunities. If your pipeline includes DoD or federal bids with the Defense Logistics Agency (DLA) or the Department of Energy, for example, being able to demonstrate CMMC status—even when not required—can be a huge competitive advantage.
  • Leverage overlap and formalize existing compliance efforts. If you’re already aligned to NIST 800-171 (or similar federal frameworks such as NIST 800-53 or FedRAMP), a CMMC self-assessment formalizes that work and provides increased assurance to government contractors, primes, and internal stakeholders. 

Bottom line: a voluntary CMMC self-assessment can be a fast, low-cost way to build trust, reduce surprises or delays later, and create a competitive edge—whether you’re aiming for CMMC Level 1 or 2 certification now or preparing for higher levels later.

Let’s take a closer look at the self-assessment requirements of these two different levels.

Level 1 self-assessment vs. Level 2 self-assessment:

  • Percentage of DIB: Level 1, 63%; Level 2, 2%
  • Data scope: Level 1, FCI only, including supplier information and technical specifications; Level 2, less sensitive CUI or SPD, including export controlled information
  • Security requirements: Level 1, 15 requirements from FAR 52.204-21, including 54 assessment objectives; Level 2, 110 requirements from NIST SP 800-171, including 320 assessment objectives
  • SPRS reporting requirements: Level 1, self-assessment results, a result of MET or NOT MET, and an executive affirmation submitted in SPRS; Level 2, self-assessment results, a score ranging from -203 to 110, and an executive affirmation submitted in SPRS
  • POA&Ms: Level 1, not permitted; Level 2, permitted if the minimum score (88 to 109) is achieved and certain requirements aren’t on the POA&M

CMMC Level 1 self-assessment requirements

Specified in 32 CFR § 170.15, Level 1 self-assessment requirements include:

  • Achieving a MET result for all 15 requirements for FCI specified in FAR Clause 52.204-21
  • Scoring the self-assessment as MET (or NOT MET) in its entirety
  • Submitting self-assessment results and score into the SPRS
  • Submitting an executive affirmation of compliance in SPRS

Since each of the 15 Level 1 requirements and 54 assessment objectives must be fully implemented to achieve a CMMC Status of Final Level 1 (Self), no Plan of Action and Milestones (POA&M) is allowed at this level. To maintain this status, the organization seeking assessment (OSA) must complete the steps above annually.

Who do these requirements apply to?

CMMC Level 1 (Self) will be the most common requirement for small businesses and subcontractors in Phase 1 and subsequent phases of the rollout, applying to approximately 63% of the DIB.

Because it requires implementing 15 practices aligned with FAR 52.204-21, such as using antivirus software, restricting physical access to systems, and ensuring employees use strong passwords, organizations should seek CMMC Level 1 certification if they want to:

  • Maintain eligibility for existing contracts and new awards after November 10, 2025
  • Strengthen their baseline cybersecurity posture.

CMMC Level 1 Compliance Checklist

Download this checklist to guide and assess your implementation of all 15 requirements and 54 assessment objectives required at this level before enforcement begins.

CMMC Level 2 self-assessment requirements

Specified in 32 CFR § 170.16, Level 2 self-assessment requirements to achieve a final status include:

  • Achieving a MET result for all security requirements in NIST SP 800-171 Revision 2
  • Scoring the self-assessment until the maximum score of 110 is achieved
  • Submitting self-assessment results and score into the SPRS
  • Submitting an executive affirmation of compliance in SPRS

To maintain this status, the OSA must complete a self-assessment and submit the results and score in SPRS every three years and the executive affirmation annually. 

Unlike Level 1, Level 2 entities can achieve a conditional status of Level 2 (Self) if they meet the following requirements:

  • Implement enough security requirements in NIST SP 800-171 Revision 2 to achieve a minimum score of 88 (with POA&Ms in place)
  • Document any unmet requirements in a POA&M
  • Do not include any of the requirements listed in 32 CFR 170.21(a)(2)(iii) in the POA&M
  • Remediate all NOT MET requirements and perform a POA&M closeout self-assessment within 180 days (6 months) of the Conditional CMMC Status Date

If they do not close out the POA&M within the 180-day timeframe, their conditional status will expire and the OSA will be ineligible for additional awards with a Level 2 (Self) requirement. If they do close it out within the timeframe, then they will achieve the CMMC Status of Final Level 2 (Self).

Who do these requirements apply to?

CMMC Level 2 (Self) will be a relatively rare requirement for contractors and subcontractors in Phase 1 and in subsequent phases of the rollout, applying to approximately 2% of the DIB.

This contractual requirement will apply to organizations handling more sensitive unclassified information, like controlled technical information, export controlled information, and critical infrastructure data, and involve more rigorous self-assessment requirements than Level 1. However, because the CMMC Level 2 (Self) requirement is for a select number of “non-prioritized acquisitions” where the CUI or SPD is considered lower risk, it is not as rigorous as CMMC Level 2 (C3PAO).

Performing a CMMC self-assessment, particularly for a Level 2 (Self) requirement, can be confusing and time-consuming. Let’s go over the process below so you can navigate it more easily. 

CMMC Level 2 Compliance Checklist

Download this checklist to guide and assess your implementation of all 110 NIST 800-171 requirements required at this level before enforcement begins.

How to conduct a CMMC self-assessment

A self-assessment doesn’t have to be overwhelming. Here’s a step-by-step breakdown of the self-assessment process, using guidance from the DoD’s CMMC Level 1 Self-Assessment Guide​ and CMMC Level 2 Self-Assessment Guide​.

1. Identify the correct assessment level

A successful CMMC self-assessment follows similar steps to a third-party assessment, but you’re running it yourself (or optionally with a third-party partner assisting). 

Start by confirming which level applies:

  • If you only handle FCI, complete a CMMC Level 1 self-assessment.
  • If you handle non-critical CUI or SPD, complete a CMMC Level 2 self-assessment.

2. Review the security requirements

Level 1 includes 15 basic safeguarding requirements and 54 assessment objectives. To demonstrate Level 1 compliance, the OSA will need a finding of MET or NOT APPLICABLE on all Level 1 security requirements.

Level 2 maps to the 110 controls in NIST SP 800-171 and 320 assessment objectives. To demonstrate final Level 2 compliance, the OSA will need a finding of MET or NOT APPLICABLE on all Level 2 security requirements.

3. Specify scope

Next, define scope. The CMMC Self-Assessment Scope identifies which assets within the contractor’s environment will be assessed and the details of the self-assessment. 

For a CMMC Level 1 self-assessment, the assets that process, store, or transmit FCI are considered in scope and should be assessed against the CMMC Level 1 practices. 

For a CMMC Level 2 self-assessment, the assets that process, store, or transmit CUI, and the assets that provide security protections for those assets, are considered in scope and should be assessed against the CMMC Level 2 practices. These fall into one of four asset categories defined in 32 CFR § 170.19(c)(1). You can read more about them in our guide to scoping.

4. Perform a gap analysis

Now you’re ready to perform a gap analysis and build your remediation plan. If you’re taking a manual approach, you can use the official DoD self-assessment guides for Level 1 and 2 to determine whether each practice is MET (or NOT APPLICABLE).

For Level 1, you must achieve MET/NA across all requirements. Since POA&Ms aren’t allowed at this level, you have to close every gap before moving forward.

For Level 2, you must achieve MET/NA across all requirements to achieve a final certification, but there is an opportunity for a conditional status. So during this step, assess your implementation of all NIST SP 800-171 requirements and calculate your SPRS score (from -203 to 110) based on all MET and NOT MET findings. If you’re short of 110, create a POA&M with clear owners and dates—but remember that certain requirements can’t be left on a POA&M and that you will only have 180 days to remediate from your conditional status date.

Performing this gap analysis, compiling all the evidence, and managing remediation efforts manually can feel like playing a game of whack-a-mole. A CMMC automation tool can simplify this step. It can collect evidence for you and map each control, along with its assessment objectives, implementation status, and evidence, to the relevant requirements so you can see exactly where you stand in terms of CMMC readiness.

5. Score your implementation

Once your assessment is complete, you’ll need to score your results. For Level 1, there is no numerical value. You score your assessment as MET if all 15 requirements and their assessment objectives are fully implemented—or NOT MET if they aren’t.

For Level 2, assessment results are given a numerical score. Each NIST 800-171 requirement is weighted one, three, or five points: fully implementing every requirement yields the maximum of 110, and each requirement that is NOT MET lowers the score by its weight, which is how the range extends down to -203. The result is your SPRS score, which must be submitted in the SPRS.

Image source: CMMC.com Requirement Explorer

6. Document NOT MET requirements in a POA&M (Level 2 only)

If your CMMC Level 2 self-assessment doesn’t achieve the maximum score of 110, record every NOT MET requirement in a POA&M. For each item, note the requirement ID, gap description, affected assets, interim/compensating measures, discrete remediation tasks, owners, resources, and target dates.

To move forward, you must achieve the minimum score of 88 required for Conditional Level 2 (Self) status, and remember that certain requirements cannot be placed on a POA&M. You must also update your SSP to reflect both the current and planned implementation status of all requirements, then track remediation to completion.

Plan to complete the POA&M closeout self-assessment within 180 days of the conditional status date to convert to Final Level 2 (Self).

7. Submit your results in SPRS

Finally, you must submit your self-assessment results, scores, and affirmations in SPRS. You must do so annually to maintain Level 1 certification. To maintain Level 2 (Self), you must submit results and a score at least every three years and the affirmation of compliance annually. 
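To make the Level 2 scoring and POA&M rules from the steps above concrete, here is an added Python example; it is not code from the original post or from Secureframe. The requirement weights and the set of POA&M-ineligible requirements are constructed placeholders, and the deduction model (start at 110, subtract each NOT MET requirement's 1/3/5 weight) follows the DoD Assessment Methodology for NIST SP 800-171.

```python
"""Level 2 (Self) SPRS score and status rules (added example, not Secureframe's code).

Assumed model: each NIST SP 800-171 requirement is weighted 1, 3 or 5; the score
starts at 110 and each NOT MET requirement deducts its weight, so the floor is
-203 when all 110 are NOT MET. NOT APPLICABLE counts like MET. The weights and
the POA&M-ineligible set below are constructed placeholders, not official tables.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MAX_SCORE = 110              # all requirements MET or NOT APPLICABLE
MIN_CONDITIONAL_SCORE = 88   # floor for Conditional Level 2 (Self)
POAM_CLOSEOUT_DAYS = 180     # closeout window from the conditional status date
MET, NOT_MET, NA = "MET", "NOT MET", "NOT APPLICABLE"

SAMPLE_WEIGHTS = {  # constructed sample of requirement IDs with assumed weights
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.3.1": 5, "3.4.1": 5,
    "3.5.3": 5, "3.8.3": 5, "3.11.2": 5, "3.13.11": 5, "3.14.2": 5,
}
# Placeholder for the requirements that 32 CFR 170.21(a)(2)(iii) keeps off a POA&M.
SAMPLE_POAM_INELIGIBLE = {"3.1.1", "3.1.2", "3.4.1"}

def sprs_score(weights: dict, findings: dict) -> int:
    """Return 110 minus the weight of every requirement whose finding is NOT MET."""
    missing = sorted(set(weights) - set(findings))
    if missing:
        raise ValueError(f"no finding recorded for {missing}")
    bad = {r: f for r, f in findings.items() if f not in (MET, NOT_MET, NA)}
    if bad:
        raise ValueError(f"unrecognised findings: {bad}")
    return MAX_SCORE - sum(w for r, w in weights.items() if findings[r] == NOT_MET)

@dataclass
class Level2Status:
    score: int
    status: str
    poam_items: list = field(default_factory=list)
    closeout_deadline: Optional[date] = None
    reasons: list = field(default_factory=list)

def level2_status(weights, findings, poam_ineligible, status_date: str) -> Level2Status:
    """Final if everything is MET/NA; Conditional only if the score is at least 88
    and no NOT MET requirement is barred from the POA&M; otherwise not eligible."""
    score = sprs_score(weights, findings)
    not_met = sorted(r for r in weights if findings[r] == NOT_MET)
    if not not_met:
        return Level2Status(score, "Final Level 2 (Self)")
    reasons = []
    if score < MIN_CONDITIONAL_SCORE:
        reasons.append(f"score {score} is below the minimum of {MIN_CONDITIONAL_SCORE}")
    blocked = sorted(set(not_met) & set(poam_ineligible))
    if blocked:
        reasons.append(f"cannot be carried on a POA&M: {blocked}")
    if reasons:
        return Level2Status(score, "Not eligible", not_met, None, reasons)
    deadline = date.fromisoformat(status_date) + timedelta(days=POAM_CLOSEOUT_DAYS)
    return Level2Status(score, "Conditional Level 2 (Self)", not_met, deadline)

def closeout_status(cond: Level2Status, closeout_findings: dict, closeout_date: str) -> str:
    """POA&M closeout: every POA&M item must be MET/NA on or before the deadline."""
    if cond.status != "Conditional Level 2 (Self)":
        return cond.status
    if date.fromisoformat(closeout_date) > cond.closeout_deadline:
        return "Expired: ineligible for further Level 2 (Self) awards"
    still_open = [r for r in cond.poam_items if closeout_findings.get(r) not in (MET, NA)]
    return "Conditional Level 2 (Self)" if still_open else "Final Level 2 (Self)"

if __name__ == "__main__":
    findings = {r: MET for r in SAMPLE_WEIGHTS}
    findings.update({"3.5.3": NOT_MET, "3.1.3": NOT_MET})  # two open gaps, 6 points
    cond = level2_status(SAMPLE_WEIGHTS, findings, SAMPLE_POAM_INELIGIBLE, "2025-11-10")
    print(cond)  # score 104, Conditional Level 2 (Self), closeout deadline 2026-05-09
    print(closeout_status(cond, {"3.1.3": MET, "3.5.3": MET}, "2026-03-01"))  # Final
```

Swap in the official weight table and the rule's actual POA&M-ineligible list to check your own findings before entering them in SPRS.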

Why CMMC self-assessments must be submitted to SPRS

Completing a self-assessment is not enough to achieve a valid CMMC status that will make your organization eligible for contract awards with a Level 1 (Self) or Level 2 (Self) requirement. You must also submit your results every three years and affirm compliance every year in the SPRS.

Why? The DoD and prime contractors use these self-assessment results and scores to inform their decision-making when acquiring or maintaining relationships with vendors and suppliers. While only the DoD has access to an organization's self-assessment information in SPRS, primes are responsible for verifying that subcontractors have a current CMMC status in SPRS. 

Completing a self-assessment and submitting these results in SPRS provides government sponsors as well as primes with increased assurance and confidence that the contractor actually meets CMMC Level 1 or 2 practices.

Recommended reading

SPRS and CMMC: How to Get a Current CMMC Status to Stay Eligible for DoD Contracts After November 2025

Using a CMMC self-assessment tool to streamline compliance

Implementing 15 controls and 54 assessment objectives for CMMC Level 1 and 110 controls and 320 assessment objectives for CMMC Level 2 to complete a self-assessment one time can be hard enough. But monitoring those controls, managing evidence, keeping policies and procedures up to date, and completing all the other activities to maintain CMMC compliance every year can add to the burden of maintaining certification.

That’s where a CMMC self-assessment tool like Secureframe can help make CMMC Level 1 and 2 compliance more manageable. 

With the right automation tool, you can:

  • Conduct a gap assessment and map your existing controls to CMMC requirements 
  • Track implementation status in real time
  • Track and monitor your SPRS score in real time as you make progress and as your systems and control changes
  • Automatically collect evidence and monitor controls via integrations with federal cloud environments and other tools in your tech stack
  • Manage evidence and documentation, including SSP and POA&Ms, in one secure platform

By moving beyond manual spreadsheets and folders, you’ll not only simplify compliance to prepare for the deadline—you’ll also be better prepared for future self-assessments as well as third-party audits to maintain CMMC certification or achieve it at a higher level in the future.

Recommended reading

The Cost and Time Savings of CMMC Compliance Automation

How Secureframe can help you prepare for a CMMC self-assessment at speed

Whether you’re preparing for a CMMC Level 1 self-assessment or a CMMC Level 2 self-assessment, Secureframe gives you a purpose-built solution that replaces manual spreadsheets with automated workflows for evidence collection, documentation, continuous monitoring, and more—so you can get certified faster and with confidence.

Here’s all the ways Secureframe simplifies CMMC self-certification:

  • Gap analysis and readiness: Instantly see where you stand against Level 1 or Level 2 requirements and their associated assessment objectives, and prioritize fixes by linking POA&M items with clear owners and due dates.
  • Automated evidence collection: Deep integrations with AWS GovCloud and other federal clouds automatically pull the evidence you need for each control so you don’t have to collect screenshots and other artifacts and manage them in folders and spreadsheets. 
  • Real-time SPRS scoring: Secureframe tracks the implementation status of each CMMC requirement and its assessment objective(s) and automatically generates your SPRS score as you work through the platform—so you always know if you’re CMMC ready and contract-eligible.
  • SSP, POA&M, and documentation management: Generate and maintain your SSP, POA&M, policies, procedures, and other documentation in one place. These are mapped to CMMC and NIST 800-171 requirements and automatically filled in with data from your controls, vendors, policies, and other modules in the Secureframe platform.
  • Continuous monitoring: Real-time dashboards and reporting via 300+ integrations keep you informed about failing controls or evidence so you can remediate them quickly before they affect your SPRS score or contract eligibility. 
  • Asset, vendor, and risk management: Secureframe integrates with your infrastructure to automatically discover in-scope assets and link them to required CMMC practices. You can also inventory and track vendors—especially those storing or transmitting CUI or providing security functions—to ensure they meet flowdown requirements. And you can assess, manage, and remediate risk to those assets and vendors using our automation and AI workflows. 
  • Trust Center: Showcase your compliance posture and continuous monitoring in real time through a fully customized Trust Center to establish transparency and trust and differentiate yourself from competitors. Check out ours as an example.
  • In-platform training: Deliver role-based, insider-threat, and security awareness training that meets CMMC expectations to all employees and track who has completed it.
  • Multi-framework mapping: Secureframe maps CMMC controls and tests across framework requirements so your efforts scale to similar frameworks like NIST 800-53, FedRAMP, NIST CSF, TX-RAMP, CJIS, and more. This saves time, reduces duplication, and streamlines evidence collection across all your compliance initiatives.

Secureframe turns a one-time CMMC self-assessment into an always-current compliance program so you’re bid-ready in Phase 1 and beyond. Request a demo to learn more.


FAQs

What does self-assessment mean for CMMC?

A CMMC self-assessment is an internal evaluation that an organization seeking assessment (OSA) performs on its own contractor information system(s) against the security requirements for CMMC Level 1 or 2. 

How do CMMC self-assessment requirements compare for Level 1 and 2?

For Level 1, you must achieve MET on all 15 requirements during the self-assessment and submit these results along with an executive affirmation of compliance in SPRS. POA&Ms aren’t allowed at this level. 

For Level 2, you must assess against 110 NIST SP 800-171 requirements and produce a scored result used for SPRS and contract eligibility. 

Can a third party assist in a CMMC self-assessment?

Yes, while contractors can perform the annual self-assessment internally, they may choose to engage a third party to assist with evaluating or preparing for their readiness for Level 1 or 2 (self) compliance. Use of a third-party to assist is still considered a self-assessment, as stated in the DoD’s CMMC Self-Assessment Guides.  

How do you submit a CMMC Level 1 self-assessment?

To submit a CMMC Level 1 self-assessment in SPRS, follow these steps:

  1. Ensure you have the SPRS Cyber Vendor User role in PIEE.
  2. Log in to SPRS → Cyber Reports → CMMC Assessments and select “Add New Level 1 CMMC Self-Assessment.”
  3. Enter assessment details, then transfer to your Affirming Official (AO) if needed.
  4. The AO reviews and affirms. Note: a Final Level 1 Self-Assessment expires after 1 year, and Level 1 requires meeting the FAR 52.204-21 safeguards. 

What is the NIST 800-171 self-assessment?

It’s the DoD “Basic” self-assessment against NIST SP 800-171 (110 requirements) using the DoD Assessment Methodology that produces a score from –203 to 110. Summary scores (and related details like SSP name and date) are posted in SPRS per DFARS 252.204-7019/7020 and are commonly used to satisfy CMMC Level 2 self-assessment reporting.

What is the difference between a CMMC Level 1 and Level 2 self-assessment?

There are four key differences between a CMMC Level 1 and Level 2 self-assessment:

  • Data scope: Level 1 = FCI; Level 2 = CUI.
  • Requirements: Level 1 = 15 safeguards (FAR 52.204-21); Level 2 = 110 requirements (NIST SP 800-171).
  • Reporting: Level 1 results are affirmed in SPRS; Level 2 results include a scored SPRS submission.
  • POA&Ms: Not permitted for Level 1; permitted with constraints at Level 2 (e.g., minimum score ratio and certain requirements can’t be on the POA&M).