CMMCDocs.comHome / Glossary / Self-Assessment
Self-Assessment
Also known as: CMMC self-assessment
A NIST SP 800-171 assessment conducted by the contractor themselves, without a C3PAO or DIBCAC. Permitted for CMMC Level 1 and a subset of Level 2 contracts.
A self-assessment is a NIST SP 800-171 assessment conducted by the contractor's own personnel (or a hired consultant), rather than by an authorized C3PAO or by DIBCAC. Self-assessments produce a SPRS score that is posted by the contractor and affirmed annually by a senior official.
Under CMMC 2.0, self-assessment is permitted at: (1) CMMC Level 1 in all cases, and (2) CMMC Level 2 only for the subset of contracts the DoD designates as 'non-prioritized.' The vast majority of Level 2 contracts (those tied to prioritized acquisitions) require a third-party assessment by a C3PAO.
Self-assessment does not mean less rigor. The same NIST SP 800-171 requirements apply, the same evidence must exist, and the same documentation is required. The only difference is who conducts the assessment. Crucially, the senior official affirming a self-assessment in SPRS bears personal False Claims Act exposure for any inaccuracies.
Stop Googling. Start working.
CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in — with the language, the templates, and the evidence vault you need. Spin up a free demo workspace and click around the way an assessor would.
Get my demo account