
CMMC Level 2 Self-Assessment: The Complete Guide

What a Level 2 self-assessment actually involves, how it differs from a third-party assessment, and the step-by-step path through scoring, your SSP, POA&Ms, and the affirmation.

If your contracts touch Controlled Unclassified Information (CUI), CMMC Level 2 is the bar you have to clear — all 110 NIST SP 800-171 Revision 2 requirements. This guide walks a small contractor through the self-assessment in plain English: who can self-assess, who needs a third party, and exactly what the process looks like end to end.

Self-assessment vs. third-party (C3PAO)

CMMC Level 2 comes in two flavors, and your contract tells you which one applies:

Reality check for 2026: As CMMC Phase 2 takes effect (beginning November 10, 2026), third-party certification becomes mandatory for the great majority of CUI contracts — by most estimates, well over 90% of contractors handling CUI will need a C3PAO assessment rather than self-assessment. Either way, the self-assessment is the work you do first. You can't pass a C3PAO assessment you haven't already done yourself.

Why you self-assess regardless

Whether your contract allows self-assessment or requires a C3PAO, every path starts the same way: you assess yourself against the 110 requirements, generate a score, and document it. A C3PAO doesn't replace that — it verifies it. So the steps below are the foundation no matter which lane you're in. Doing them well is also how you avoid paying an assessor to discover problems you could have found for free.

The self-assessment, step by step

1. Scope your environment

Before anything else, define what's in scope: every asset that processes, stores, or transmits CUI, plus the systems that protect them. Get this boundary right and the assessment shrinks to something manageable; get it wrong and you'll either over-scope (wasting effort) or under-scope (failing the assessment). Categorize your assets — CUI assets, Security Protection Assets, Contractor Risk Managed Assets, and out-of-scope — and document the boundary.

2. Assess against all 110 requirements

Work through every NIST SP 800-171 requirement and determine, honestly, whether each is MET or NOT MET. There's no partial credit at the requirement level for most controls — it either is or isn't implemented. Our SPRS scoring guide explains the math.

3. Calculate your SPRS score

Start at 110 and subtract the weighted value (5, 3, or 1) of every NOT MET requirement, down to a floor of −203. That number is your SPRS score. Focus your remediation on the 5-point controls first — they move the number fastest.


4. Document it in your SSP

You must have a System Security Plan describing how you meet each requirement (NIST 800-171 requirement 3.12.4). Without a current SSP, an assessment — self or C3PAO — cannot be completed. This is priority zero.

5. Build POA&Ms for the gaps — within the rules

You don't need every control implemented on day one, but the program limits what you can defer. Under the CMMC rule (32 CFR 170.17):

Practically, this means the heavy controls have to be genuinely done — you can't paper over a 5-point gap with a plan.
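The scoring arithmetic from step 3 and the POA&M limit from this step (1-point items only, plus 3.13.11) as one runnable example. This is added illustration, not code from the guide or from any DoD tool; the REQ-nnn identifiers and their weights are constructed placeholders, not the official weighting table.

```python
from dataclasses import dataclass

SPRS_MAX = 110     # score when every requirement is MET
SPRS_FLOOR = -203  # lowest possible score under the DoD assessment methodology
REQ_COUNT = 110    # NIST SP 800-171 Rev 2 requirements at Level 2


@dataclass(frozen=True)
class Requirement:
    req_id: str   # NIST SP 800-171 identifier, e.g. "3.13.11"
    weight: int   # 5, 3 or 1: the value deducted when the requirement is NOT MET
    met: bool     # result of the MET / NOT MET determination in step 2


def sprs_score(reqs):
    """Start at 110, subtract the weight of every NOT MET requirement, never go below -203."""
    if len(reqs) != REQ_COUNT:
        raise ValueError(f"expected {REQ_COUNT} requirements, got {len(reqs)}")
    if any(r.weight not in (5, 3, 1) for r in reqs):
        raise ValueError("requirement weights must be 5, 3 or 1")
    deductions = sum(r.weight for r in reqs if not r.met)
    return max(SPRS_MAX - deductions, SPRS_FLOOR)


def poam_eligible(req):
    """A NOT MET item may be deferred to a POA&M only if it is a 1-point item or 3.13.11."""
    return not req.met and (req.weight == 1 or req.req_id == "3.13.11")


def remediation_plan(reqs):
    """Split the gaps: 'fix_first' must be closed before assessment, 'deferrable' may go on the POA&M."""
    gaps = [r for r in reqs if not r.met]
    fix_first = sorted((r for r in gaps if not poam_eligible(r)), key=lambda r: -r.weight)
    deferrable = [r for r in gaps if poam_eligible(r)]
    return fix_first, deferrable


def build_sample():
    """Constructed sample assessment: placeholder ids and weights chosen for illustration."""
    reqs = [Requirement(f"REQ-{i:03d}", 1, True) for i in range(1, 105)]  # 104 MET 1-point items
    reqs += [
        Requirement("REQ-105", 5, False),  # 5-point gap: must be fixed, no POA&M
        Requirement("REQ-106", 3, False),  # 3-point gap: must be fixed, no POA&M
        Requirement("REQ-107", 1, False),  # 1-point gap: POA&M eligible
        Requirement("3.13.11", 5, False),  # the one heavy item the rule allows on a POA&M
        Requirement("REQ-109", 1, False),  # 1-point gap: POA&M eligible
        Requirement("REQ-110", 5, True),
    ]
    return reqs


if __name__ == "__main__":
    sample = build_sample()
    print("SPRS score:", sprs_score(sample))  # 95
    fix, defer = remediation_plan(sample)
    print("fix before assessment:", [r.req_id for r in fix])
    print("POA&M eligible:", [r.req_id for r in defer])
```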

6. Affirm in SPRS

Finally, a senior company official affirms in the Supplier Performance Risk System that the assessment is accurate, and re-affirms annually that you continue to meet the requirements. For C3PAO certifications the assessment itself recurs every three years, but the affirmation is yearly.

The whole path at a glance

Step        What you produce
----------  ------------------------------------------------------------
Scope       Documented CUI boundary + asset categories
Assess      MET / NOT MET for all 110 requirements
Score       Your SPRS score (110 down to −203)
Document    System Security Plan (SSP)
Plan gaps   POA&M (1-point items only, +3.13.11), 180-day closeout
Affirm      Senior-official affirmation in SPRS, annually

Where to start today

Don't wait for an assessor to tell you what you can already find out for free. Score yourself, document it, and fix the heavy controls first. That's the foundation of a Level 2 self-assessment — and exactly what a C3PAO will expect to see if your contract requires one. Both tools are free and run in your browser.