
CMMC Self-Assessment: Can DoD Contractors Do It?

October 25th, 2025 | 4 min. read

By Claudine Santiago


Disclaimer: This article was originally published on June 6, 2023 and has since been updated for comprehensiveness. 

Defense contractors who handle only Federal Contract Information (FCI) can do their own Level 1 assessment. A small number of contractors whose CUI is non-critical and not defense-related can also assess themselves. 

If you work with the Department of Defense, cybersecurity rules can feel overwhelming. Many contractors wonder: "Can I assess my own compliance, or do I need to hire someone?" 

Intelligent Technical Solutions (ITS) has helped businesses follow these rules for over 20 years. Our team includes CMMC Registered Practitioners who know the certification process well. 

This article explains when you're allowed to assess yourself based on your CMMC level, how to do it, and whether you should get expert help. 

With expert insights from ITS Chief Security Risk Officer and CMMC Registered Practitioner Sean Harris, you'll learn answers to questions like: 

  • Which CMMC Levels Let You Assess Yourself? 
  • How Do You Do a CMMC Self-Assessment? 

By the end of your reading, you'll learn how self-assessment works and whether you can do it. 

What Type of Information Does CMMC Protect? 

The final CMMC rule uses three levels. Some levels let you self-assess, which can lower costs for smaller contractors. 

Your level depends on the kind of data you handle and whether that data is processed, stored, or sent on your company’s systems. 

CMMC protects two types of data: 

Federal Contract Information (FCI) 

FCI is basic data that the government gives you as part of a contract. It needs basic cybersecurity protection. 

Examples: emails, project documents, and performance reports 

Controlled Unclassified Information (CUI) 

CUI is more sensitive. If compromised, it could threaten national security and weaken DoD technological advantages and warfighting capabilities. For this reason, CUI needs stronger protection. 

Examples: personal information, export-controlled technology and software, and controlled technical information 

CUI can be further broken down into two categories: 

  • Basic CUI – Standard CUI protected by the rules in the CUI Registry 
  • Specified CUI – CUI that needs extra handling set by a law, regulation, or government-wide policy 

Agencies set the categories and mark the CUI they share. If you create information for an agency, use your contract and the CUI Registry to decide whether it is CUI and to mark it accordingly. If you are not sure, check the CUI Registry and 32 CFR Part 2002. 

Which CMMC Levels Let You Assess Yourself? 

Your certification level determines if you can do a self-assessment. 

Level 1: Basic Safeguarding of FCI 

Level 1 is for businesses handling FCI. You need 17 basic security controls listed in FAR 52.204-21. These controls cover things like access management, responding to incidents, and user identification. 

You can get Level 1 certification by assessing yourself each year. You don't need an outside auditor. Your business reviews its own security practices annually. 

Level 2: Broad Protection of CUI 

Level 2 protects CUI and requires 110 security requirements from NIST SP 800-171. You must write down your security processes and prove they work consistently. 

Contractors with non-critical, non-defense CUI can do yearly self-assessments. However, this applies to very few contractors. Most defense contractors handle defense-related CUI, which requires certification. 

Contractors with critical CUI must be checked by a CMMC Third-Party Assessor Organization (C3PAO) every three years. This applies to most defense contractors. 

Read More: What Types of Businesses Need CMMC Compliance? 

Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats 

Level 3 is for businesses handling CUI for the DoD's most important programs. This level protects against serious cyber threats. It requires a complete cybersecurity plan that covers goals, training, and resources. 

Government assessments happen every three years. You cannot assess yourself at this level. 

How Do You Do a CMMC Self-Assessment? 

A better question is: "Should you do it yourself?" 

That depends on your expertise. 

"It depends on whether you have the knowledge and cybersecurity skills to do it right," Harris says. Many contractors benefit from expert help. 

The Self-Assessment Process 

  1. A senior company official must affirm your compliance. You check every security requirement that applies to your business against how it is actually implemented. 
  2. You set clear goals for your cybersecurity practices. Then you review system settings across your IT environment, read the written procedures, and talk with staff members to make sure everyone follows them. 
  3. You test your systems. Testing matters because it shows what actually happens in your systems, not just what the documents say. 

The DoD provides complete guidance for contractors. The CMMC Assessment Guide from the Department of Defense's Chief Information Officer explains each requirement. These official resources cover how to assess, score, and report. 

After you finish, you report the results through the Supplier Performance Risk System (SPRS). A senior official from your company must confirm the results. 

Should You Get Expert Help? 

Professional help often makes the difference between passing and failing. Even when you're allowed to assess yourself, expert guidance helps make sure you do it right. 

CMMC specialists understand each requirement. They know common mistakes and how to avoid them. They find problems you might miss and suggest solutions. 

"Any organization that wants to work with the Department of Defense is going to be subject to CMMC," Harris explains. Getting it wrong means lost contracts and wasted time. 

Experts also help with paperwork. They know what evidence auditors want and how to organize it. 

Read More: CMMC Assessment vs. CMMC Audit: What’s the Difference? 

Ready to Get Started with CMMC Self-Assessment? 

Most contractors handling FCI qualify for Level 1 self-assessment. A few Level 2 contractors with non-defense data may also be eligible to assess themselves. If you handle critical CUI or defense information, you need third-party certification. 

Expert help makes the process smoother. Professionals can find problems in your security, give you expert solutions, and make sure everything follows the rules. 

Intelligent Technical Solutions (ITS) specializes in helping businesses with CMMC requirements. Our team includes experienced CMMC Registered Practitioners who provide extra help to make sure your assessment is accurate. 

Discover the benefits of proven cybersecurity expertise. Schedule a meeting with our experts to discuss your CMMC requirements. 


Frequently Asked Questions About CMMC Self-Assessment 

Q: What is a CMMC self-assessment? 

A: A CMMC self-assessment is when your company checks its own computer security instead of hiring an outside expert to do it. 

Q: Which businesses can perform CMMC self-assessments? 

A: Level 1 contractors handling Federal Contract Information can do yearly self-assessments. Most defense contractors require third-party certification. 

Q: How often must I complete a CMMC self-assessment? 

A: You must complete self-assessments every year. A senior company official confirms compliance and submits results through SPRS annually. 

Q: Do I need cybersecurity expertise to conduct a self-assessment? 

A: Yes, self-assessments require strong cybersecurity knowledge. Many contractors hire CMMC consultants because if they make mistakes, they can lose their contracts. 

Claudine Santiago

Claudine has 5+ years of experience in SEO and content writing, with expertise in technical and B2B content. She expresses herself through fashion and maintains balance through an active lifestyle at the gym. With a background in Psychology, Claudine is naturally curious about people and their stories. She channels this curiosity into crafting narratives that connect brands with audiences. Her passions and profession align, fueling her drive to create with imagination, curiosity, and heart.