Welcome to ITS! Learn more about our strategic partnership with Digital Seattle!

Can You Perform a CMMC Self-Assessment?


Compliance with security regulations is one of the most challenging parts of the business.  

Not only are there a lot of guidelines such as the NIST (National Institute of Standards and Technology) security standards, FTC (Federal Trade Commission) Safeguards Rule, SOC (security operations center) compliance standard, and now, CMMC or Cybersecurity Maturity Model Certification. Each has different requirements and assessments. Sometimes, it involves an external and authorized party. But some certifications can be gained through self-assessments. We will determine whether that applies to the Department of Defense’s CMMC framework. 

We sat down with Sean Harris, our CMMC expert at Intelligent Technical Solutions (ITS) and an experienced CMMC Registered Practitioner (RP), to get his insight on the CMMC framework and assessment. In this article, we’ll cover: 

  • The CMMC 2.0 framework 
  • Whether your business can perform a CMMC self-assessment, and 
  • How to perform a self-assessment. 

Understanding the CMMC 2.0 Framework 

Let’s start the discussion by understanding CMMC 2.0, the 2021 iteration of the CMMC framework. 

“CMMC is the Cybersecurity Maturity Model Certification, and it’s essentially something that the Department of Defense (DoD) put together for the DIB or the Defense Industrial Base, which are all the vendors that help assist the Department of Defense,” said Harris. 

Businesses that need a CMMC certification provide a product, parts of it, or a service to the DoD. It is necessary because they handle two types of sensitive government information known as: 

  • Federal contract information (FCI)  

FCI is any data or information provided or generated by the government as part of a contract. Examples include process documentation, email exchanges, performance reports, and general contract information. Although not highly sensitive, these are not intended for public release and must still be protected under specific cybersecurity guidelines. 

  • Controlled unclassified information (CUI) 

CUI is any information created or possessed by the government. It requires special procedures and safeguards to access or disseminate. Under this are personally identifiable information (PII), intellectual property, source codes, and more. This type of information may threaten national security when compromised, so they require more stringent protection.

Schedule a Meeting

The end goal of CMMC is to protect these data amid the rising volume of threats and attacks targeting government organizations and their partners. And with CMMC 2.0, the task was made easier for all businesses by: 

  1. Compressing the framework from five levels to three; 
  2. Reducing costs, which is particularly beneficial for small businesses; 
  3. Improving the CMMC assessment ecosystem; and 
  4. Aligning cybersecurity and federal requirements and other standards. 
what is cmmc 2.0?

Can you do a CMMC self-assessment? 

The simple answer is yes, but only to a specific level. In fact, self-assessment became possible with the introduction of CMMC 2.0. Let’s briefly go through the different CMMC 2.0 levels to understand this further. 

  • Level 1 (Foundational Cybersecurity) 

The foundational level applies to businesses that handle FCI. It aligns with the 17 controls found in FAR 52.204-21 or the Basic Safeguarding of Covered Contractor Information.  

Businesses must implement the most basic cybersecurity practices to ensure FCI protection. And certification can be achieved through an annual self-assessment. 

  • Level 2 (Advanced Cybersecurity) 

The advanced level aims to protect CUI and is aligned with the 14 levels and 110 security protocols under NIST SP 800-171.  

Businesses must document their efforts to achieve CMMC 2.0 Level 2 maturity. They must also perform and follow these processes as they are written. The documented process must also be repeatable for the business. 

Requirements for certification differ depending on the type of CUI the business handles. Those that possess non-critical CUI must conduct annual self-assessments. On the other hand, those that handle critical CUI must be assessed by a CMMC Third Party Assessor Organization (C3PAO) every three years. 

  • Level 3 (Expert Cybersecurity) 

The expert level of CMMC 2.0 is required for businesses that handle CUI for DoD’s highest-priority programs. The focus is to reduce the volume and risk from advanced persistent threats (ATP). It requires businesses to establish and maintain a comprehensive cybersecurity plan. The plan should detail cybersecurity goals, missions, implementation, resourcing, training, and stakeholder involvement. 

Currently, there is no finalized list of protocols, but the DoD said that it would be based on NIST SP 800-171 plus a subset of NIST SP 800-172. 

As for certification, it can be achieved through government-led assessments conducted every three years. 

levels of CMMC 2.0

How to Conduct a Self-Assessment 

Now, you know that if your business falls under Level 1 or a subset of Level 2 that doesn’t handle critical information, you can perform a self-assessment. But should you do it on your own? And how exactly is it done? 

To answer the first question, Harris said, It’s a matter of if you have the expertise and the cybersecurity know-how to do it right. So, if you’re confident in your cybersecurity knowledge and skills, you can perform a self-assessment. 

The assessment involves having a senior company official verify your business’ compliance.  It scrutinizes every relevant cybersecurity protocol the business employs for FCI or CUI protection. This is done through a series of tasks that include setting objectives for cybersecurity practices, reviewing system settings, examining procedures, and interviewing members. 

Fortunately, the DoD released a complete guide on CMMC self-assessment for businesses like yours. 

Want Expert Assistance for Your Self-Assessment? 

CMMC is necessary because of the increasing cyberattacks geared toward government agencies and contractors. These attacks can pose significant threats to the entire nation, so businesses that handle sensitive data must comply with these stringent guidelines. 

For those handling FCI and non-critical CUI under levels 1 and 2, self-assessments were made possible in CMMC 2.0. However, these should be done if you have expert knowledge and skills in cybersecurity.  

If you want that extra assurance, don’t hesitate to call an expert team like Intelligent Technical Solutions (ITS). We specialize in providing enterprise-level IT solutions that include cybersecurity and compliance programs. Meet our experts to learn more about CMMC, or download our CMMC 2.0 guide to get started with your certification. 

You can also check out these other CMMC and compliance content in our learning center: 

Schedule a Meeting