CMMC Self-Assessments and C3PAO Certifications
- mike08242
- Dec 18, 2025
- 3 min read
Understanding Annual and Triennial Assessment Requirements
The Cybersecurity Maturity Model Certification (CMMC) program establishes standardized requirements for assessing and validating the cybersecurity posture of organizations within the Defense Industrial Base (DIB). Despite the formalization of the program in regulation, confusion remains regarding when a self-assessment is sufficient and when an independent assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) is required.
A consistent interpretation of the CMMC framework is as follows:
All organizations subject to CMMC are required to conduct a self-assessment annually.
C3PAO assessments are an additional requirement conducted on a three-year cycle when mandated by contract.
These requirements are cumulative rather than substitutive.

Scenario 1: When a CMMC Self-Assessment Is Sufficient
A self-assessment is sufficient only when the applicable contract explicitly permits it.
CMMC Level 1
Applies to contracts governed by FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, i.e., contracts under which the contractor handles Federal Contract Information (FCI) but not CUI https://www.acquisition.gov/far/52.204-21
Requires implementation of the 15 basic safeguarding requirements listed in FAR 52.204-21(b)(1)
Assessment is conducted by the contractor
Self-assessment is required annually
Results must be submitted to the Supplier Performance Risk System (SPRS) https://www.sprs.csd.disa.mil/
Regulatory Basis:
32 CFR §170.15(b)(1) – Level 1 assessment requirements
https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170/section-170.15
CMMC Level 2 (Self)
A self-assessment at Level 2 is permitted only when the contract designates CMMC Level 2 (Self).
Level 2, whether Self or C3PAO, applies to contracts under which the organization stores, processes, or transmits Controlled Unclassified Information (CUI); the Self versus C3PAO designation is made by the Department of Defense based on the sensitivity of the information and the program, and is not a choice the contractor makes.
Requirements include:
Annual self-assessment against NIST SP 800-171 Rev. 2 https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
Annual SPRS submission
Annual senior official affirmation
Regulatory Basis:
32 CFR §170.16 – Level 2 self-assessment and affirmation requirements https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170/section-170.16
DFARS 252.204-7020 – NIST SP 800-171 assessment and SPRS reporting https://www.govinfo.gov/content/pkg/CFR-2022-title48-vol3/pdf/CFR-2022-title48-vol3-sec252-204-7020.pdf
Contractors should note that self-assessment does not reduce compliance obligations. Inaccurate or unsupported attestations may expose organizations to enforcement actions, including liability under the False Claims Act. DOJ has reinforced that cybersecurity misrepresentations can create False Claims Act exposure through its Civil Cyber-Fraud Initiative. See DOJ’s October 2021 announcement:
Scenario 2: Assessment Requirements Following CMMC Level 2 Certification
Achieving CMMC Level 2 certification through a C3PAO does not eliminate the requirement for annual self-assessments.
Certification Cycle Overview
Year 0
Independent assessment conducted by an authorized C3PAO
Assessment performed using NIST SP 800-171A assessment procedures https://csrc.nist.gov/publications/detail/sp/800-171a/final
Certification issued and valid for three years
Years 1 and 2
Contractor must continue to:
Conduct annual self-assessments
Submit results to SPRS
Provide annual senior management affirmations
Document material changes to the assessed system or the CMMC Assessment Scope, since a significant scope change may require a new assessment before the three-year term ends
Year 3
Reassessment by a C3PAO is required to renew certification
Regulatory Basis:
32 CFR §170.17(a)–(c) – Triennial certification and annual affirmation requirements https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170/section-170.17
Annual self-assessments are a prerequisite for maintaining certification validity between third-party assessments.
Annual Assessments and Contractual Application
During the phased rollout of CMMC, C3PAO certification requirements are applied on a contract-by-contract basis.
Only contracts explicitly requiring CMMC Level 2 (Certified) mandate a C3PAO assessment
This designation is determined by the Department of Defense based on programmatic risk
Regulatory Basis:
32 CFR §170.3 – Phased implementation and contract applicability https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170/section-170.3
Once Phase 3 of CMMC implementation is complete:
C3PAO certification will be required for all contracts and option periods designated as CMMC Level 2 (Certified, i.e., Level 2 (C3PAO)); contracts designated Level 2 (Self) continue to be satisfied by self-assessment
This expansion does not alter the requirement for annual self-assessments.
Common Misinterpretations and Risk Considerations
A frequent misinterpretation is the assumption that CMMC certification suspends assessment obligations for three years. This is incorrect.
Failure to conduct annual self-assessments, maintain accurate scope definitions, or document system changes may result in:
Certification renewal failures
Contractual non-compliance
Increased scrutiny during audits or investigations
Annual self-assessments are a continuous compliance requirement and a foundational element of the CMMC program.
Conclusion
CMMC assessment requirements follow a consistent structure grounded in regulation:
Annual CMMC self-assessments are mandatory for all organizations subject to CMMC
C3PAO assessments are required every three years when specified by contract
Certification supplements, rather than replaces, annual self-assessment obligations
Organizations should plan for CMMC as an ongoing compliance program aligned with regulatory expectations rather than a one-time certification exercise.
Primary References
32 CFR Part 170 – CMMC Program Rule https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170
FAR 52.204-21 https://www.acquisition.gov/far/52.204-21
DFARS 252.204-7012 https://www.acquisition.gov/dfars/252.204-7012
DFARS 252.204-7020 https://www.acquisition.gov/dfars/252.204-7020
NIST SP 800-171 Rev. 2 https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
NIST SP 800-171A https://csrc.nist.gov/publications/detail/sp/800-171a/final
SPRS Portal https://www.sprs.csd.disa.mil/