CMMC Certification and Self-Assessment: What Contractors Need to Know
Not all contractors need a third-party CMMC certification. Find out the differences between CMMC certification and self-assessment and which one applies to your organization.

The Department of Defense (DoD) treats the protection of sensitive data as a mission-critical priority, an uncompromising stance rooted in the national security implications at stake. Protecting that information can be the difference between a safe and stable country and one whose vulnerabilities are exposed. As such, a set of security requirements known as CMMC certification is mandatory for any contractor or subcontractor that does business with the DoD. However, some of these contractors are permitted to perform a self-assessment, while others must undergo a third-party assessment. At Agile IT, we like to explore the “why?” behind things like this, and that is precisely what we will do today.
What Is CMMC Certification?
CMMC certification stands for Cybersecurity Maturity Model Certification and refers to the certifications required by the DoD before any contractor or subcontractor can do business with them. This certification validates the contractor’s ability to safeguard sensitive information and comply with the strict requirements established by the DoD.
Depending on the nature and sensitivity of the data that they handle, some contractors can simply perform a self-assessment to meet their CMMC requirements, while others must have a third party do the assessment. The dividing line between the two revolves around the level of security that is necessary to keep the information safe and protected. After all, certain types of government data and information are far more sensitive than other types.
What Is CMMC Self-Assessment?
Simply put, a CMMC self-assessment is just what it sounds like: an organization’s own assessment of its ability to meet the CMMC compliance requirements. Although it is called a self-assessment, many organizations still bring in a specialized partner to help them determine their actual level of preparedness.
A self-assessment is acceptable for organizations that handle Level 1 or Level 2 data provided that the data does not directly pertain to matters of national security. It involves reviewing internal cybersecurity practices to ensure that they are up to date and adequate for protecting against the potential of a cyber-attack. It also involves submitting paperwork attesting to the preparedness of the organization to protect itself against the possibility of a cyber-attack or other threat.
Key Differences Between CMMC Certification and Self-Assessment
There are specific differences between being CMMC certified and having performed a self-assessment. These differences matter when thinking about the levels of data and information that one might be permitted to handle for the Department of Defense. Among the differences are:
Self-Assessment (Not Certification)
- Required for: Low-risk contracts with the DoD, such as those involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) that is not deemed critical to national security.
- Verification Standards: Self-assessment/internal review
- Frequency of Assessment: Once per year
- Aligned With: FAR Clause 52.204-21
- Reporting Requirements: Must maintain internal documentation and submit an affirmation of findings to the Supplier Performance Risk System (SPRS).
CMMC Certification
- Required for: Any sensitive unclassified information, such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Verification Standards: An assessment must be conducted by a CMMC Third-Party Assessment Organization (C3PAO) and a Certified Assessor.
- Frequency of Assessment: Once every 3 years; in addition, an affirmation of continued compliance is required annually.
- Aligned With: NIST SP 800-171 R2 and CMMC 2.0
- Reporting Requirements: The C3PAO reports directly to the DoD via the Enterprise Mission Assurance Support Service (eMASS) and the Supplier Performance Risk System (SPRS).
As you can see, CMMC certification requires a higher bar of regulation and conformity to meet its standards. This is necessary to ensure the protection and maintenance of some of the most sensitive documents that the Department of Defense handles. It is for the benefit and protection of the entire country, and we should all be grateful that such standards exist.
Who Needs CMMC Certification vs. Self-Assessment?
The difference between a contractor that requires CMMC certification and one that can perform a self-assessment is huge. It comes down to the type of data the contractor handles routinely, and there are specific guidelines for each level of data one might interact with. For example, those who require full CMMC certification include the following:
- Contractors that work with high-risk DoD projects
- Any organization or contractor that handles data requiring Level 2 or Level 3 CMMC compliance
- Any contractor handling controlled unclassified information (CUI)
On the other hand, those who need only perform a self-assessment include:
- Contractors and companies that handle data requiring only Level 1 CMMC compliance
- Certain contractors and companies that handle data requiring Level 2 CMMC compliance
It is essential to understand the difference so that you know which level of compliance you must submit prior to taking on any DoD projects.
Steps to Complete a CMMC Self-Assessment
Suppose you are required only to complete a CMMC self-assessment in order to handle the data the DoD has provided to you. In that case, follow these steps to complete the assessment:
- Define Your Scope and Assess Requirements: Identify all assets (people, technology, facilities, and external service providers) that process, store, or transmit FCI. The best way to establish the security requirements is to examine documents and artifacts, talk to people to understand how they carry out practices, and test specific tools or processes to confirm that they perform as expected.
- Review and Understand FAR Clause 52.204-21: The security standards used with CMMC Level 1 are those of FAR Clause 52.204-21. Note any security measures you already have in place to keep data safe and protected, and update your policies and procedures if they have fallen behind the CMMC Level 1 standards.
- Conduct an Internal Assessment and Document Review: Do you have, and have you maintained, all relevant documents pertaining to the security of the information you hold for the DoD? Conduct an internal review to confirm that this is the case. Proper documentation is a must for moving forward with any additional DoD contracts; it demonstrates that you conducted the self-assessment and helps record any findings you uncovered. Note that POA&Ms are not permitted at CMMC Level 1, and all 15 requirements must be “MET” for contract award.
- Submit the Results of Your Self-Assessment: You must submit the results of your self-assessment, along with an affirmation from a senior company official, to the DoD on an annual basis.
What Happens if I Skip Certification or a Self-Assessment?
This is not a spot that you want to put yourself in, ever. Skipping a certification or self-assessment that you were supposed to have done could jeopardize your ability to keep contracts and/or win future contract awards with the Department of Defense, not to mention the potential financial and legal ramifications that could leave your organization struggling. You certainly don’t want to take a chance on any of that and should follow all reporting guidelines to maintain your security standards.
Ready to Tackle CMMC? Let’s Get It Done—Together.
Whether you need a full CMMC certification or are just starting a self-assessment, Agile IT is your trusted partner every step of the way.
Don’t let uncertainty, documentation hurdles, or compliance roadblocks slow you down. Reach out to us today and tell us where you’re getting stuck—whether it’s scoping, implementing controls, or submitting to SPRS.
Our team of experts will help you confidently navigate the entire process, from defining your scope to passing your assessment. Protecting sensitive government data isn’t just a requirement—it’s a responsibility. Let us help you meet it with clarity, speed, and assurance.
Connect with an Agile IT Expert Today. Let’s make your compliance journey a success.