
What Type of CMMC Assessment Do You Need?


The type of Cybersecurity Maturity Model Certification (CMMC) assessment your organization needs depends on your required certification level. The assessment process for Level 1 and non-critical Level 2 contractors is relatively straightforward. Critical Level 2 assessments involve independent review by a C3PAO. Level 3 assessments are the most rigorous and are conducted by government officials.

Understanding these assessment types helps defense contractors plan effectively, build the right documentation, strengthen their security practices, and streamline their certification process. This overview explains what each assessment involves and how it supports your broader CMMC compliance strategy.

CMMC assessments overview

CMMC 2.0 aligns with NIST SP 800-171 and introduces a tiered approach to evaluating the cybersecurity posture of the Defense Industrial Base (DIB). Each assessment type applies a different level of oversight, depending on the sensitivity of the information you handle and your role in the DoD supply chain.

Whether you are preparing for a self-assessment, a C3PAO assessment, or a government-led review, understanding the process helps you stay aligned with cybersecurity standards and the security measures required to protect sensitive information across your information systems.

Self-assessment

Frequency: Every year

Applicable to: Level 1 and some Level 2 contractors that manage CUI that is not critical to national security

What It Involves: Organizations pursuing Level 1 certification or non-critical Level 2 certifications can perform self-assessments. This process requires an internal review of your security practices, ensuring controls are implemented according to CMMC requirements and the supporting NIST publications.

A self-assessment team must have the required knowledge and expertise about CMMC Level 1 requirements and your organization’s security posture to conduct this assessment. They can use self-assessment tools provided by the DoD Chief Information Officer, including scoping and self-assessment guidance, to inform their evaluation. During their assessment, the team will review the System Security Plan (SSP), which outlines the specific security controls and practices the organization has implemented, and document whether each Level 1 requirement is fully, partially, or not implemented. Critical requirements will need to be remediated immediately before continuing. Any other requirements that are not fully implemented must be documented in a Plan of Action and Milestones (POA&M). This document will outline the specific steps, owners, and deadlines for completing remediation actions.

Once complete, a senior official must sign an attestation confirming the accuracy of the assessment and the organization’s compliance. The score and affirmation are submitted to the Supplier Performance Risk System (SPRS). This score helps the DoD evaluate contractor readiness and gauge risk when awarding contracts.

How to Prepare: Successful self-assessments rely on accurate documentation, internal audits, and consistent risk management practices. You should maintain a complete SSP, perform periodic reviews of your controls, and ensure that authentication, safeguarding, configuration management, audit logging, and other core practices are functioning as intended.

Third-party assessments

Frequency: Every three years

Applicable to: CMMC Level 2 contractors handling prioritized CUI

What It Involves:

Organizations that handle CUI critical to national security must complete an independent third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). Organizations must choose a C3PAO from the list of authorized assessment organizations provided by the Cyber AB.

This review evaluates whether your security measures and documentation meet the full set of NIST SP 800-171 requirements that support CMMC Level 2 certification.

The CMMC Level 2 assessment process is more comprehensive than self-assessments. The C3PAO will conduct a detailed review of your cybersecurity practices and documentation, including the SSP, POA&M, access control policies, risk mitigation plan, incident response procedures, configuration management plan, separation of duties matrices, and evidence supporting each implemented control. They may conduct interviews, analyze logs, evaluate technical configurations, and review your vulnerability remediation history.

Following the review, the C3PAO provides preliminary findings to identify any gaps or issues. If any Level 2 requirements were partially implemented or not implemented, this report will include recommended corrective actions. The final results are entered into the CMMC Enterprise Mission Assurance Support Service (eMASS) and transmitted to SPRS. The C3PAO will then submit the final report along with the SPRS score to the Cyber AB for review and the final certification decision.

Once approved, your organization receives CMMC Level 2 certification, valid for three years. During those three years, organizations must continue to monitor and improve their cybersecurity practices by maintaining their POA&M. A senior official must also affirm continued compliance with the specified security requirements after every third-party assessment and annually thereafter. Affirmations are entered electronically in SPRS.

How to Prepare: Preparation requires strong documentation, repeatable processes, and a mature cybersecurity environment. Internal testing, regular risk assessment practices, and continuous monitoring help demonstrate you are meeting the intent of NIST SP 800-171 controls. Maintaining your POA&M and keeping your SSP accurate are essential for a successful C3PAO review.

Government-led assessment

Frequency: Every three years

Applicable to: Level 3 contractors

Note: The DoD has now released updated guidance on Level 3 assessments in the CMMC Final Rule and accompanying assessment guide. While operational procedures may evolve during the phased rollout, the core requirements for government-led assessments are now more defined.

What It Involves:

DoD contractors seeking Level 3 certification, which involves handling the most sensitive Department of Defense information, will be subject to security assessments led by DoD assessors. These assessments are the most rigorous and evaluate all NIST SP 800-171 requirements along with the enhanced cybersecurity measures from NIST SP 800-172.

Organizations seeking this certification level must coordinate with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for a government-led assessment. This process typically begins with a pre-assessment meeting to discuss scope, timing, and process.

Like C3PAOs, government assessors will review key documentation, such as the SSP and POA&M. They will also conduct on-site evaluations including interviews and technical testing, and examine evidence like logs and configurations to verify that advanced security safeguards are implemented and effective.

Also like a C3PAO, government assessors may provide a preliminary report for addressing deficiencies before the final report is submitted to the Cyber AB for certification, which is valid for three years. To maintain compliance, organizations must continuously monitor systems, update their POA&M, and keep policies current.

The DoD assessor will enter the assessment information electronically into eMASS, which then electronically transmits the assessment results to SPRS. A senior official from the organization must affirm continuing compliance with the specified security requirements after every DoD assessment and annually thereafter. Annual affirmations are entered electronically in SPRS.

How to Prepare: Level 3 readiness requires a mature cybersecurity program capable of defending against advanced cyber threats. This includes comprehensive documentation, strong incident detection and response capabilities, continual improvement practices, and demonstrated effectiveness of all controls. Preparing early and maintaining an accurate SSP and POA&M are critical for a successful government-led assessment.

FAQs

What is a CMMC assessment?

A CMMC assessment is a formal evaluation of an organization's cybersecurity practices to determine whether they meet the requirements for their designated CMMC level.

What type of CMMC assessment do I need?

The type of CMMC assessment you need depends on the level of certification required:

  • CMMC Level 1: Requires an annual self-assessment by the organization. This is for companies that handle Federal Contract Information (FCI).
  • CMMC Level 2: For organizations dealing with Controlled Unclassified Information (CUI), a third-party assessment by a C3PAO is required unless the contract allows for self-assessment under certain conditions.
  • CMMC Level 3 (being finalized): Will require government-led assessments for high-stakes contracts with more stringent security needs.

You should verify the assessment type by reviewing your DoD contract or consulting with a contracting officer.

Can CMMC Level 2 contractors self-assess?

CMMC Level 2 contractors can self-assess in some cases. Under CMMC 2.0, the self-assessment option is available for non-prioritized acquisitions, meaning that organizations working with CUI on lower-risk contracts can conduct annual self-assessments. However, for prioritized acquisitions or contracts deemed high risk by the DoD, a third-party assessment conducted by a C3PAO is required. The contract or DoD agency will specify if a self-assessment or third-party assessment is applicable.

How does CMMC relate to DFARS and NIST SP 800-171?

CMMC Level 2 aligns directly with the NIST SP 800-171 security standards required by DFARS 252.204-7012. CMMC adds independent verification for certain contracts and provides a more structured certification process for DoD contractors and subcontractors across the DIB.

Does CMMC overlap with FedRAMP?

CMMC and FedRAMP both evaluate the implementation of security controls, but they apply to different federal environments. FedRAMP authorizes cloud service providers, while CMMC focuses on safeguarding FCI and CUI within the Defense Industrial Base.

What are the key takeaways for defense contractors?

Assessment type depends on the CMMC level your contract requires.

  • Level 1 and some Level 2 assessments can be completed internally.
  • Prioritized Level 2 and all Level 3 certifications require independent review.
  • Maintaining an accurate SSP, POA&M, and risk management program is essential for success.
  • Strong cybersecurity practices help protect sensitive information, reduce vulnerabilities, and strengthen national security.
