What Type of CMMC Assessment Do You Need?


The type of Cybersecurity Maturity Model Certification (CMMC) assessment your organization needs depends on your required certification level. The assessment guide for Level 1 and non-critical Level 2 contractors is relatively straightforward. Critical Level 2 assessments involve independent review by a C3PAO. Level 3 assessments are the most rigorous and are conducted by government officials.

Understanding these assessment types helps defense contractors plan effectively, build the right documentation, strengthen their security practices, and streamline their certification process. This overview explains what each assessment involves and how it supports your broader CMMC compliance strategy.

CMMC assessments overview

CMMC 2.0 introduces a tiered approach to evaluating the cybersecurity posture of the Defense Industrial Base (DIB). Each assessment type exercises a different level of oversight, depending on the sensitivity of the information you handle and your role in the DoD supply chain.

Whether you are preparing for a self-assessment, a C3PAO assessment, or a government-led review, understanding the process helps you stay aligned with cybersecurity standards required to protect sensitive information across your information systems.

Self-assessment

  • Frequency: Every year
  • Applicable to: Level 1 and some Level 2 contractors that manage CUI that is not critical to national security

What It Involves:

Organizations pursuing Level 1 certification or non-critical Level 2 certifications can perform self-assessments. This process requires an internal review of your security practices, ensuring controls are implemented according to the CMMC level security requirements.

A self-assessment team must have the required knowledge and expertise about CMMC Level 1 requirements and your organization’s security posture to conduct this assessment. They can use self-assessment tools provided by the DoD Chief Information Officer, including scoping and self-assessment guidance, to inform their evaluation.

1. Review of control implementation and documentation

During their assessment, the team will:

  • review the System Security Plan (SSP), which outlines the specific security controls and practices the organization has implemented
  • document whether each Level 1 requirement is fully, partially, or not met

2. Creation of POA&M for any unmet requirements

Critical requirements must be remediated immediately before continuing. Any other requirements that are not fully implemented must be documented in a Plan of Action and Milestones (POA&M). This document outlines the specific steps, owners, and deadlines for completing each remediation action.

3. Signature of attestation of compliance

Once complete, a senior official must sign an attestation confirming the accuracy of the assessment and the organization’s compliance.

4. Submission in SPRS

The score and affirmation are submitted to the Supplier Performance Risk System (SPRS). This score helps the DoD evaluate contractor readiness and gauge risk when awarding contracts.

How to Prepare:

Successful self-assessments rely on accurate documentation, internal audits, and consistent risk management practices. You should maintain a complete SSP, perform periodic reviews of your controls, and ensure that authentication, safeguarding, configuration management, audit logging, and other core practices are functioning as intended.

Recommended reading

CMMC Level 1 Compliance: Requirements + Self-Assessment Guide


Third-party assessments

  • Frequency: Every three years
  • Applicable to: CMMC Level 2 contractors handling prioritized CUI

What It Involves:

Organizations that handle CUI critical to national security must complete an independent third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). Organizations must choose a C3PAO from the list of authorized assessment organizations provided by the Cyber AB.

This review evaluates whether your security measures and documentation meet the full set of NIST SP 800-171 Revision 2 requirements that support CMMC Level 2 certification.

The CMMC Level 2 assessment process is more comprehensive than a self-assessment and is broken down into four phases.

Phase 1: The Pre-Assessment

The C3PAO will review the SSP, validate the assessment scope, confirm that evidence is available, and make a readiness determination on whether the Organization Seeking Certification (OSC) should proceed to the next phase.

Phase 2: Assess Conformity to Security Requirements

The C3PAO will conduct a detailed review of your cybersecurity practices and documentation, including the SSP, POA&M, access control policies, risk mitigation plan, incident response procedures, configuration management plan, separation of duties matrices, and evidence supporting each implemented control. They may conduct interviews, analyze logs, evaluate technical configurations, and review your vulnerability remediation history.

Following the review, the C3PAO provides preliminary findings to identify any gaps or issues. If any Level 2 requirements were partially implemented or not implemented, this report will include recommended corrective actions.

Phase 3: Complete and Report Assessment Results

The final results are entered into the CMMC Enterprise Mission Assurance Support Service (eMASS) and transmitted to SPRS. The C3PAO then submits the final report, along with the SPRS score, to the Cyber AB for review and the final certification decision.

Phase 4: Issue Certificate and Close out POA&M

During the final phase of a CMMC Level 2 certification assessment, the C3PAO issues a certificate of CMMC Status and closes out any POA&Ms that might exist.

This certification is valid for three years. During those three years:

  • Organizations must continue to monitor and improve their cybersecurity practices by maintaining their POA&M.
  • A senior official must also affirm continued compliance with the specified security requirements after every third-party assessment and annually thereafter.
  • Affirmations must be entered electronically in the SPRS.

How to Prepare:

Preparation requires strong documentation, repeatable processes, and a mature cybersecurity environment. Internal testing, regular risk assessment practices, and continuous monitoring help demonstrate you are meeting the intent of NIST SP 800-171 Revision 2 controls. Maintaining your POA&M and keeping your SSP accurate are essential for a successful C3PAO review.

Recommended reading

How to Meet CMMC Level 2 Compliance Requirements + Checklist


Government-led assessment

  • Frequency: Every three years
  • Applicable to: Level 3 contractors

What It Involves:

DoD contractors seeking Level 3 certification, which involves handling the most sensitive Department of Defense information, will be subject to security assessments led by DoD assessors. These assessments are the most rigorous and evaluate all NIST SP 800-171 requirements along with the enhanced cybersecurity measures from NIST SP 800-172.

These are broken up into three key stages.

Stage 1: Initiation

Organizations seeking this certification level must coordinate with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) for a government-led assessment. This process typically begins with a pre-assessment meeting to discuss scope, timing, and process.

Stage 2: Interviews, Examination, and Testing

Like C3PAOs, government assessors will review key documentation, such as the SSP and POA&M. They will also conduct on-site evaluations including interviews and technical testing, and examine evidence like logs and configurations to verify that advanced security safeguards are implemented and effective.

Also like a C3PAO, government assessors may provide a preliminary report for addressing deficiencies before the final report is submitted to the Cyber AB for certification, which is valid for three years. To maintain compliance, organizations must continuously monitor systems, update their POA&M, and keep policies current.

Stage 3: Findings and Results

The DoD assessor enters the assessment information electronically into eMASS, which then electronically transmits the assessment results to SPRS. A senior official from the organization must affirm continuing compliance with the specified security requirements after every DoD assessment and annually thereafter. Annual affirmations are entered electronically in SPRS.

How to Prepare:

Level 3 readiness requires a mature cybersecurity program capable of defending against advanced cyber threats. This includes comprehensive documentation, strong incident detection and response capabilities, continual improvement practices, and demonstrated effectiveness of all controls. Preparing early and maintaining an accurate SSP and POA&M are critical for a successful government-led assessment.

Recommended reading

CMMC Level 3: All Requirements, Costs + Checklist


FAQs

What is a CMMC assessment?

A CMMC assessment is a formal evaluation of an organization's cybersecurity practices to determine whether they meet the requirements for their designated CMMC level.

What type of CMMC assessment do I need?

The type of CMMC assessment you need depends on the level of certification required:

  • CMMC Level 1: Requires an annual self-assessment by the organization. This is for companies that handle Federal Contract Information (FCI).
  • CMMC Level 2: For organizations dealing with Controlled Unclassified Information (CUI), a third-party assessment by a C3PAO is required unless the contract allows for self-assessment under certain conditions.
  • CMMC Level 3 (being finalized): Will require government-led assessments for high-stakes contracts with more stringent security needs.

You should verify the assessment type by reviewing your DoD contract or consulting with a contracting officer.

Can CMMC Level 2 contractors self-assess?

CMMC Level 2 contractors can self-assess in some cases. Under CMMC 2.0, the self-assessment option is available for non-prioritized acquisitions, meaning that organizations working with CUI on lower-risk contracts can conduct annual self-assessments. However, for prioritized acquisitions or contracts deemed high risk by the DoD, a third-party assessment conducted by a C3PAO is required. The contract or DoD agency will specify if a self-assessment or third-party assessment is applicable.

How does CMMC relate to DFARS and NIST SP 800-171?

CMMC Level 2 aligns directly with the NIST SP 800-171 security standards required by DFARS 252.204-7012. CMMC adds independent verification for certain contracts and provides a more structured certification process for DoD contractors and subcontractors across the DIB.

Does CMMC overlap with FedRAMP?

CMMC and FedRAMP both evaluate the implementation of security controls, but they apply to different federal environments. FedRAMP authorizes cloud service providers, while CMMC focuses on safeguarding FCI and CUI within the Defense Industrial Base.

What are the key takeaways for defense contractors?

Assessment type depends on the CMMC level your contract requires.

  • Level 1 and some Level 2 assessments can be completed internally.
  • Prioritized Level 2 and all Level 3 certifications require independent review.
  • Maintaining an accurate SSP, POA&M, and risk management program is essential for success.
  • Strong cybersecurity practices help protect sensitive information, reduce vulnerabilities, and strengthen national security.
