CMMC Self-Assessment vs. Third-Party Assessment: Which Path Applies to You?

Not every contractor needs a C3PAO. But getting this wrong is expensive.

The Two Paths to CMMC Compliance

One of the most common sources of confusion in the CMMC community is the question of assessment type. CMMC 2.0 allows for self-assessment in some cases and requires third-party assessment in others. The distinction matters enormously from a cost, timeline, and process standpoint. 

Getting this wrong in either direction creates real problems. Assuming you qualify for self-assessment when your contract requires a C3PAO can block contract award. Pursuing an unnecessary third-party assessment wastes significant resources. 

When Self-Assessment Applies

Level 1: Always Self-Assessment 

All organizations at CMMC Level 1 (17 practices, basic FCI handling) use annual self-assessment with senior official affirmation submitted to SPRS. There is no option for third-party assessment at this level. 

Level 2: Assessment Type 

Level 2 introduces an important distinction. The DoD separates Level 2 programs into two assessment paths: 

  • Prioritized acquisitions: Programs supporting high-priority missions involving Controlled Unclassified Information (CUI). These require a third-party assessment conducted by a C3PAO every three years. In addition to the triennial assessment, organizations must still submit an annual affirmation and SPRS score update by an Authorizing Official (AO). 
  • Non-prioritized acquisitions: Programs with lower mission criticality. These allow organizations to perform a self-assessment, but still require annual AO affirmation and yearly SPRS submission confirming continued compliance. 

The distinction often causes confusion because both paths involve yearly reporting requirements. The difference is that prioritized acquisitions add a recurring three-year C3PAO assessment on top of the annual check-in. Your contracting officer and the DFARS clauses included in the solicitation remain the authoritative source for determining which category applies to your contract.

When Third-Party Assessment Is Required

A C3PAO assessment is required for Level 2 prioritized acquisitions.  

The assessment involves: 

  • A Lead Certified CMMC Assessor (LCCA), supported by one or more Certified CMMC Assessors (CCAs), conducting the evaluation against applicable practices 
  • An independent quality assurance review performed by a separate CCA to validate assessment consistency and accuracy 
  • Review of your SSP, policies, and supporting documentation 
  • Technical testing and interviews with personnel responsible for control implementation 
  • Production of an assessment report submitted to the eMASS database 

The Self-Assessment Trap  

Self-assessment sounds simpler. In some ways it is. But contractors who treat self-assessment as a lighter-weight compliance option tend to run into problems. 

The practices required for Level 2 are the same regardless of whether you self-assess or use a C3PAO. The 110 controls of NIST SP 800-171 apply in full. The SSP requirements are the same. The senior official affirmation carries legal weight. Submitting an inflated SPRS score through self-assessment without actually implementing the controls is a path to False Claims Act exposure, not just a compliance risk. 

Why Many Contractors Choose C3PAO Even When Self-Assessment Is Permitted  

  • Third-party certification is increasingly expected by primes evaluating their supply chain 
  • C3PAO-certified contractors have a competitive differentiator in contract competitions 
  • A third-party assessment validates your program before a self-assessment discrepancy creates a False Claims Act problem 
  • If your contract scope changes and prioritized acquisitions enter the picture, you are already certified 

Fortreum Can Help with Both Paths

Whether you are preparing for a self-assessment and need gap analysis support, or pursuing a full C3PAO assessment, Fortreum’s CMMC practice covers both. We work with contractors at every level of readiness to build compliant programs and achieve the certification outcomes their contracts require. 

Let us know how Fortreum can help you navigate the changing currents of cybersecurity. For more information, visit the Fortreum website or follow the company on LinkedIn at LinkedIn.com/company/fortreum.

Should you have questions about your FedRAMP, CMMC, cloud and cybersecurity readiness, please reach out to us at Info@fortreum.com or Contact Us at https://fortreum.com/contact/