In 2026, defense contractors face a critical compliance milestone: the Cybersecurity Maturity Model Certification (CMMC). With Phase 1 implementation now underway (November 10, 2025, to November 9, 2026), organizations must understand the self-assessment process to maintain eligibility for Department of Defense contracts. This guide provides a clear, actionable roadmap for conducting your CMMC self-assessment.
## Understanding CMMC Self-Assessment Requirements
A CMMC self-assessment is the formal process by which organizations evaluate their own cybersecurity posture against established DoD requirements. Unlike third-party certification assessments, self-assessments empower organizations to identify gaps and demonstrate compliance with certain CMMC levels.
According to 32 CFR § 170.16, Level 1 and some Level 2 contracts permit self-assessment. Organizations must submit their assessment results to the Supplier Performance Risk System (SPRS) and, when applicable, create a Plan of Action and Milestones (POA&M) for any unmet requirements.
## CMMC Levels Overview
Before beginning your self-assessment, you must understand which CMMC level applies to your organization. Each level has distinct requirements and assessment pathways:
| CMMC Level | Requirements | Assessment Type | Focus Area |
|---|---|---|---|
| Level 1 | 15 practices | Self-Assessment | Federal Contract Information (FCI) |
| Level 2 | 110 practices | Self-Assessment or C3PAO Certification | Controlled Unclassified Information (CUI) |
| Level 3 | 110 + 24 enhanced practices | C3PAO Certification Required | Advanced Persistent Threats (APT) |
## The 7-Step Self-Assessment Process
Once you know your required CMMC level, it's time to conduct your assessment. The process may seem overwhelming at first, but breaking it into systematic steps makes it manageable. Following this structured approach ensures you address all requirements and build a solid foundation for compliance. Here's how to navigate your self-assessment from start to finish.
### Step 1: Determine Your Required CMMC Level
Your contract solicitation specifies the required CMMC level. Level 1 applies to organizations handling FCI, while Level 2 addresses CUI protection in accordance with NIST SP 800-171 requirements. Review your contract documents carefully to identify the applicable level.
### Step 2: Define Your Assessment Scope
The CMMC Assessment Scope encompasses all assets in your environment that will be assessed. This includes systems that process, store, or transmit CUI, as well as security protection assets. Create detailed network diagrams and data flow maps to clearly identify your compliance boundary.
Minimize your scope by carefully limiting where sensitive data is processed and who can access it. This strategic approach reduces complexity and cost while maintaining security.
### Step 3: Develop Your System Security Plan (SSP)
The SSP is a mandatory document that provides an overview of your security requirements and describes how controls are implemented. Your SSP must include:
- System boundaries and architecture
- Security control implementation details
- Roles and responsibilities
- Risk assessment results
- Incident response procedures
### Step 4: Implement Required Controls
Address identified gaps by implementing necessary security controls. Key areas include:
- Access Control: Limit system access to authorized users and implement multifactor authentication. Enforce the principle of least privilege across all accounts.
- Incident Response: Establish procedures for detecting and reporting security incidents. Ensure your response protocols meet required timeframes.
- Media Protection: Protect and control CUI on all media types, including portable storage devices and mobile devices.
- Audit and Accountability: Create and protect audit logs that capture user actions and system events.
### Step 5: Conduct a Gap Analysis
Evaluate your current security controls against CMMC requirements. The DoD provides assessment guides that outline specific objectives for each practice. Use NIST SP 800-171A assessment procedures to systematically review your controls through multiple evaluation methods.
### Step 6: Train Your Personnel
Security awareness training is mandatory under CMMC. Ensure all personnel understand:
- Security risks associated with their activities
- Applicable policies and procedures
- How to identify and report potential threats
- Proper handling of CUI
Conduct role-based training for system administrators and managers, addressing their specific security responsibilities.
### Step 7: Document and Submit Your Assessment
Use the assessment objectives from NIST SP 800-171A to evaluate each practice. Document your findings using one of three designations:
| Finding | Definition | Next Steps |
|---|---|---|
| MET | All assessment objectives satisfied | Continue monitoring |
| NOT MET | One or more objectives unsatisfied | Include in POA&M |
| NOT APPLICABLE | Practice does not apply | Document justification |
Submit your assessment score and POA&M (if applicable) to SPRS. Your score is calculated in accordance with the methodology outlined in 32 CFR § 170.24.
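The following is an added example, not code from the original article or from Total Assure, showing how the Step 7 findings (MET / NOT MET / NOT APPLICABLE) can be recorded so that the SPRS score, the POA&M and the 180-day close-out deadline from the "Maintaining Compliance" section are all derived from one validated record rather than tallied by hand. It assumes the DoD NIST SP 800-171 assessment methodology's structure (start at 110, subtract each unmet practice's weight, NOT APPLICABLE practices with a documented justification do not reduce the score); the per-practice weights and the sample findings below are constructed for illustration and are not the official weights table.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# The three finding designations used in Step 7.
MET = "MET"
NOT_MET = "NOT MET"
NOT_APPLICABLE = "NOT APPLICABLE"
DESIGNATIONS = {MET, NOT_MET, NOT_APPLICABLE}

# Level 2 has 110 practices; the score starts at 110 and each
# NOT MET practice subtracts its weight.
MAX_SCORE = 110
# Window to move from Conditional Level 2 (Self) to Final Level 2 (Self).
POAM_CLOSEOUT_DAYS = 180


@dataclass(frozen=True)
class Finding:
    practice: str            # NIST SP 800-171 requirement ID, e.g. "3.1.1"
    designation: str         # MET, NOT MET or NOT APPLICABLE
    weight: int = 1          # points deducted if NOT MET (illustrative values here)
    justification: str = ""  # mandatory when designation is NOT APPLICABLE


def validate(findings):
    """Reject records that would make the SPRS submission indefensible."""
    seen = set()
    for f in findings:
        if f.designation not in DESIGNATIONS:
            raise ValueError(f"{f.practice}: unknown designation {f.designation!r}")
        if f.practice in seen:
            raise ValueError(f"{f.practice}: assessed twice")
        seen.add(f.practice)
        if f.designation == NOT_APPLICABLE and not f.justification.strip():
            raise ValueError(f"{f.practice}: NOT APPLICABLE requires a justification")
        if f.weight < 1:
            raise ValueError(f"{f.practice}: weight must be positive")


def sprs_score(findings):
    """110 minus the weight of every NOT MET practice."""
    validate(findings)
    return MAX_SCORE - sum(f.weight for f in findings if f.designation == NOT_MET)


def build_poam(findings, assessment_date):
    """One open POA&M entry per NOT MET practice, due at the 180-day close-out."""
    validate(findings)
    due = assessment_date + timedelta(days=POAM_CLOSEOUT_DAYS)
    return [
        {"practice": f.practice, "weight": f.weight, "status": "OPEN", "due": due}
        for f in findings
        if f.designation == NOT_MET
    ]


def level2_status(findings):
    """Final Level 2 (Self) only once no practice remains NOT MET."""
    validate(findings)
    if any(f.designation == NOT_MET for f in findings):
        return "Conditional Level 2 (Self)"
    return "Final Level 2 (Self)"


def close_out(findings, practice):
    """Return a new findings list with one remediated practice re-marked MET."""
    return [replace(f, designation=MET) if f.practice == practice else f
            for f in findings]


# Constructed sample: a subset of the 110 practices, weights illustrative only.
SAMPLE_FINDINGS = [
    Finding("3.1.1", MET),
    Finding("3.1.2", MET),
    Finding("3.1.22", NOT_APPLICABLE, justification="No publicly accessible systems in scope"),
    Finding("3.3.1", NOT_MET, weight=3),    # audit logs not yet retained
    Finding("3.5.3", NOT_MET, weight=5),    # MFA not enforced for network access
    Finding("3.8.9", NOT_MET, weight=1),    # backup CUI not protected at rest
    Finding("3.13.11", NOT_MET, weight=5),  # FIPS-validated cryptography not in use
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_FINDINGS))
    for item in build_poam(SAMPLE_FINDINGS, date(2026, 1, 15)):
        print(item)
    print(level2_status(SAMPLE_FINDINGS))
```

The validation step is the part worth keeping in any real tracker: a NOT APPLICABLE entry without a written justification, or a practice assessed twice, is exactly the kind of record that produces an inflated score that cannot be defended later.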
## The Legal Stakes of SPRS Submissions
Submitting your self-assessment to SPRS is not a formality. Under the False Claims Act (FCA), inaccurate or inflated SPRS scores can expose your organization to serious legal liability.
The DOJ's Civil Cyber-Fraud Initiative, launched in 2021, uses the FCA as an enforcement tool against contractors who misrepresent their cybersecurity compliance. The FCA does not require intentional fraud. Reckless disregard for the accuracy of your submission is enough to trigger penalties.
| Contractor | Settlement Year | Amount | Violation |
|---|---|---|---|
| MORSE Corp | 2025 | $4.6M | Submitted false SPRS score (+104 vs. actual -142) |
| Health Net Federal Services | 2025 | $11.25M | Falsely certified TRICARE cybersecurity compliance |
| Raytheon / RTX | 2025 | $8.4M | Misrepresented compliance across 29 DoD contracts |
| Pennsylvania State University | 2024 | $1.25M | Inflated SPRS scores on DoD and NASA contracts |
The senior executive who signs your SPRS affirmation is personally accountable under 32 CFR § 170.22. Accuracy is not optional. A lower, honest score is always safer than a false high one.
## Common Pitfalls to Avoid
Even well-intentioned organizations make predictable mistakes during self-assessment that can delay compliance or result in inaccurate findings.
- Inadequate Scoping: Organizations often include unnecessary systems in their assessment boundary, increasing complexity and cost. Focus on minimizing your scope while maintaining security.
- Poor Documentation: Draft policies or incomplete procedures do not satisfy CMMC requirements. Ensure all documentation is finalized and approved.
- Ignoring Enduring Exceptions: Some systems (medical devices, test equipment) may qualify as enduring exceptions. Document these properly in your SSP.
- Overlooking Third-Party Dependencies: If you rely on cloud service providers or managed service providers, verify they meet CMMC requirements and document this in your assessment.
## Maintaining Compliance
CMMC compliance is not a one-time achievement. Implement continuous monitoring processes to:
- Review and update security controls regularly
- Conduct periodic internal assessments
- Address new vulnerabilities promptly
- Update documentation as your environment changes
Organizations achieving Conditional Level 2 (Self) status must close out their POA&M within 180 days to reach Final Level 2 (Self) status.
## Moving Forward with Confidence
Conducting a thorough self-assessment positions your organization for DoD contract success while strengthening your overall cybersecurity posture. The process reveals vulnerabilities and guides strategic resource allocation. It also demonstrates your commitment to protecting sensitive information.
At Total Assure, we bring 30+ years of federal cybersecurity experience to help SMBs navigate CMMC compliance. Our enterprise-grade security solutions and hands-on GRC support ensure you meet DoD requirements without the enterprise price tag.
Ready to start your CMMC self-assessment? Contact Total Assure to learn how we can help you achieve compliance while protecting your DoD contracts. Our approach strengthens your security foundation for long-term success.