One of the most expensive misunderstandings in CMMC is assuming you need a third-party assessor when you might be able to self-assess — or assuming you can self-assess when your contract actually requires certification. Whether you need a self-assessment or a C3PAO certification comes down to your level and the data you handle. Here's how to tell.
The short answer, by level
| Level | Who assesses | Cadence |
|---|---|---|
| Level 1 (FCI) | You — self-assessment | Annual self-assessment + affirmation |
| Level 2 — lower-risk CUI* | You — self-assessment | Annual self-assessment + affirmation |
| Level 2 — standard CUI | C3PAO — third party | Triennial certification + annual affirmation |
| Level 3 | DIBCAC — government | Government-led assessment |
*Only a subset of Level 2 contracts permit self-assessment; most CUI work will require a C3PAO as Phase 2 of the rollout ramps up. The contract is the authority.
What a C3PAO actually is
A C3PAO (Certified Third-Party Assessment Organization) is an organization accredited by the Cyber AB to perform official CMMC Level 2 assessments. If your contract requires certification, a C3PAO reviews your environment against all 110 controls and, if you pass, your certification is recorded. They set their own fees — see what CMMC costs for ranges.
Self-assessment is not the easy path
This trips people up: a self-assessment uses the exact same standard as a C3PAO assessment. Both check the same 110 NIST SP 800-171 controls against the same 800-171A assessment objectives. The difference is who verifies and attests — not how high the bar is. Self-assessing saves you the assessor fee; it does not lower the requirements.
The annual affirmation (and why it has teeth)
Both paths end with a senior company official affirming compliance in SPRS — at assessment time and every year after. That affirmation is a formal attestation. If you affirm compliance you don't actually have, you've created False Claims Act exposure. See the annual affirmation for what you're signing.
What you need either way
Whichever path your contract dictates, the prerequisites are identical:
- A scoped boundary — know what's in and out (asset scoping).
- A current System Security Plan (required by control 3.12.4 — no SSP, no assessment).
- A POA&M for gaps not yet closed.
- An SPRS score that reflects your real implementation.
Self-assess first — for free
Whether you'll end up self-assessing or hiring a C3PAO, the first move is the same: score yourself honestly against all 110 controls and find your gaps.
How to decide your path
- Read the clause. The solicitation states your required CMMC level and assessment type. That's the authority — not a vendor's sales pitch.
- Identify your data. FCI-only tends toward Level 1; CUI means Level 2. Confirm with scoping.
- Assume C3PAO for CUI unless told otherwise. Most Level 2 CUI work trends toward certification as the phases advance — plan for it.
- Do the free work now. The SSP and SPRS score are required for both paths, so start them today.
Self-assessment vs C3PAO — frequently asked
Can I self-assess for Level 2?
Sometimes — a subset of lower-risk CUI contracts allow it. Most Level 2 CUI work requires a C3PAO as the rollout phases in. Your contract decides.
Is self-assessment cheaper?
Yes — you avoid the C3PAO fee. But the standard, the controls, and the documentation are identical, so the readiness cost is the same.
Do I still need an SSP if I self-assess?
Yes. A current SSP is required either way (control 3.12.4); without it no assessment can be completed.
Who signs the affirmation?
A senior company official, in SPRS, at assessment time and annually — with real accountability attached.
Start where it's free
No matter which path your contract requires, begin with the work that's identical and free: calculate your SPRS score, then draft your SSP.