CMMC Phase 1 is live and hundreds of DoW contracts now include CMMC requirements. If you’re a defense contractor handling Controlled Unclassified Information (CUI), you must submit a CMMC Level 2 self-assessment score to SPRS — or lose eligibility for new DoD contracts.

Most contractors have heard the phrase “Level 2 self-assessment” and assumed it means they can score themselves and move on. The reality is more complicated. Only a narrow slice of the Defense Industrial Base actually qualifies for self-assessment as a path to certification. For the rest — the vast majority — self-assessment is the first step toward a third-party assessment, not a substitute for one.

This guide answers the questions we hear on every compliance call: who qualifies, how the process works, what SPRS score you actually need, and what happens if your score doesn’t hold up.

What Is a CMMC Level 2 Self-Assessment?

A CMMC Level 2 self-assessment is an internal evaluation of your organization’s compliance with all 110 security controls in NIST SP 800-171. You assess each control yourself, calculate a score, and submit that score to the DoD’s Supplier Performance Risk System (SPRS).

Unlike a third-party assessment, no external assessor certifies your results. You do the work, a senior company official affirms the results annually, and the score lives in SPRS where DoD contracting officers can see it.

Self-assessment is not a certification. It’s a compliance attestation. The distinction matters because the legal consequences of a wrong score fall on you, not an auditor.

Who Actually Qualifies for Level 2 Self-Assessment?

This is the question most contractors get wrong. Most companies handling CUI assume they can self-assess their way to CMMC Level 2 certification. They can’t.

The DoD designed self-assessment as a path to certification for a small minority of contractors — specifically those that do not handle Controlled Technical Information (CTI) or other sensitive defense CUI categories. Per the DoD’s own projections, over 95% of CUI contractors will require a third-party assessment by a C3PAO (CMMC Third Party Assessment Organization).

If your work involves:

  • Technical drawings, specifications, or designs related to defense systems
  • Export-controlled information (ITAR/EAR)
  • Sensitive program data tied to DoD acquisitions

…you will need a C3PAO, not a self-assessment, to achieve certification.

If you’re unsure which category you fall into, check your contract. A DFARS 252.204-7021 clause specifies the required CMMC level. Your contracting officer or prime can confirm whether self-assessment suffices.

How Level 2 Self-Assessment Works: Step by Step

Whether you’re self-assessing as a certification path or as preparation for a C3PAO assessment, the process is the same.

Step 1: Define your scope. Identify every system, person, and process that stores, processes, or transmits CUI. Document this in your System Security Plan (SSP). The smaller you can make this scope, through a CUI enclave, the faster and cheaper compliance becomes.

Step 2: Run a gap analysis. Compare your current security posture against the 110 NIST SP 800-171 controls using the DoD’s assessment methodology from NIST 800-171A. Each control has associated assessment objectives — 320 total. Every objective under a control must be met for that control to count as satisfied.

Step 3: Gather evidence. Document how each control is implemented. Assessors look for policies, training records, system logs, and screenshots, not just your word. What you write in your SSP must match what your team actually does.

Step 4: Calculate your score. Start at -203 (the floor). Each control you meet fully adds points: 1, 3, or 5, depending on the control’s weight. A perfect score is 110.

Step 5: Create your POA&M. For any controls not yet fully met, document your remediation plan — what you’ll fix and by when.

Step 6: Submit to SPRS. Log your score, assessment date, scope, and SSP metadata in SPRS via the PIEE platform. Your affirming official must attest to the accuracy of the results — annually.

Step 7: Retain your records. Keep all evidence for at least six years. The DoD can ask for it.

Your SPRS Score: What It Means and What’s “Good”

SPRS scores range from -203 to +110. First-time assessments frequently produce negative scores — that’s normal and not disqualifying on its own. What matters is the trajectory and the accuracy.

The floor you need to know: A score of 88 or higher is the minimum threshold for conditional CMMC Level 2 certification in a C3PAO-led assessment. In addition to the 88 score, you must have met:

  • All Level 1 controls
  • All 3-point and 5-point controls (with one limited exception for partial FIPS encryption)
  • Several specific 1-point controls related to physical access and external connections

Any controls you haven’t met must be covered by a Plan of Action and Milestones (POA&M) — and under CMMC, POA&Ms are only permitted for certain controls.
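As an added example (not PreVeil’s tooling or any DoD tool), here is a small scoring and POA&M check in Python that covers Steps 4 and 5 of the process above, the conditional-certification rules in this section, and the 1-point/180-day POA&M rule from the FAQ. The score is computed as 110 minus the weights of the controls that are not fully met, which is how the DoD Assessment Methodology defines it and which reaches the -203 floor when nothing is met; control IDs are real NIST SP 800-171 requirement numbers, but the weights, objective counts and dates are constructed placeholders, and the partial-credit exception for FIPS encryption and the specific 1-point Level 1 controls are not modeled.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PERFECT_SCORE = 110          # every control fully met
CONDITIONAL_THRESHOLD = 88   # minimum for conditional Level 2 certification
POAM_CLOSURE_DAYS = 180      # POA&M items must close within this window

@dataclass
class Control:
    control_id: str                  # NIST SP 800-171 requirement, e.g. "3.1.5"
    weight: int                      # 1, 3 or 5 points (DoD Assessment Methodology)
    objectives_met: int              # NIST SP 800-171A objectives shown as met
    objectives_total: int            # objectives the control has
    poam_due: Optional[date] = None  # planned closure date if on a POA&M

    def is_met(self) -> bool:
        # A control counts only when every one of its objectives is met.
        return self.objectives_met == self.objectives_total

def sprs_score(controls: list[Control]) -> int:
    # 110 minus each unmet control's weight (bottoms out at -203 over all 110).
    return PERFECT_SCORE - sum(c.weight for c in controls if not c.is_met())

def conditional_check(controls: list[Control], assessed: date) -> tuple[int, list[str]]:
    # Score the assessment and list anything blocking conditional certification.
    score = sprs_score(controls)
    findings = []
    if score < CONDITIONAL_THRESHOLD:
        findings.append(f"score {score} is below {CONDITIONAL_THRESHOLD}")
    latest_close = assessed + timedelta(days=POAM_CLOSURE_DAYS)
    for c in [x for x in controls if not x.is_met()]:
        if c.weight != 1:
            findings.append(f"{c.control_id}: {c.weight}-point control cannot go on a POA&M")
        elif c.poam_due is None:
            findings.append(f"{c.control_id}: unmet 1-point control needs a POA&M due date")
        elif c.poam_due > latest_close:
            findings.append(f"{c.control_id}: POA&M due {c.poam_due} is after {latest_close}")
    return score, findings

# Constructed sample: control IDs are real 800-171 numbers, but the weights and
# objective counts are illustrative placeholders, not the official table.
ASSESSED = date(2026, 3, 2)
SAMPLE = [
    Control("3.1.1", 5, 7, 7),
    Control("3.1.3", 1, 2, 3, poam_due=ASSESSED + timedelta(days=90)),
    Control("3.1.5", 3, 1, 2),
    Control("3.1.20", 1, 1, 2, poam_due=ASSESSED + timedelta(days=240)),
    Control("3.8.3", 5, 1, 1),
]
```

Running `conditional_check(SAMPLE, ASSESSED)` scores the sample at 105 and flags the unmet 3-point control and the POA&M that closes later than 180 days, even though the score itself clears 88.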

Many prime contractors require you to submit your SPRS score to them, and a low score, or no score at all, limits your competitive standing before a C3PAO even enters the picture.

Will Your SPRS Score Be Audited?

The short answer: yes, and that risk is increasing.

The DoD has two mechanisms for verifying self-assessment scores:

1. DIBCAC High assessments. The Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts spot-check assessments of contractors’ SPRS scores. If DIBCAC’s findings diverge significantly from your self-reported score, you have a problem.

2. Phase 2 alignment. Beginning November 10, 2026, most DoD contracts will by default require C3PAO-assessed CMMC Level 2 status. When your C3PAO assessment happens, its results go into SPRS alongside your self-assessment. Any discrepancy between what you claimed and what the C3PAO found is visible — to contracting officers, primes, and potentially the Department of Justice.

Think of it this way: CMMC creates a paper trail that connects your self-reported score to an eventual third-party audit. If you scored yourself 110 and the C3PAO finds you at 60, that gap has consequences.

The False Claims Act: The Real Stakes of an Inaccurate Score

Submitting an SPRS score you know to be inaccurate — or being reckless about its accuracy — is not a paperwork problem. It’s a legal one.

The False Claims Act (FCA) allows the government to recover three times the value of a contract plus civil penalties from contractors who submit fraudulent compliance claims. The CMMC final rule was explicitly designed to create accountability for self-assessed scores. Senior executives who sign affirmations are personally on the hook.

This is not hypothetical. The DoD has already used the FCA against contractors for NIST 800-171 compliance misrepresentations under prior DFARS clauses. CMMC’s annual executive affirmation requirement is designed to extend that accountability going forward.

The practical implication: your SPRS score needs to reflect your actual security posture, not your aspirational one. Score conservatively, document everything, and build your POA&M around real gaps, not theoretical ones.

Using Self-Assessment as Rehearsal for Your C3PAO Assessment

For the vast majority of contractors, self-assessment isn’t the finish line. It’s preparation.

The smartest way to approach your self-assessment is to conduct it exactly as an assessor would. That means:

  • Map evidence to each assessment objective, not just each control. C3PAOs evaluate 320 objectives across 110 controls. If a control has five objectives and you’ve only met four, the control is not satisfied.
  • Run mock interviews with your team. C3PAO assessors will talk to your staff — IT, HR, operations. If your people can’t explain how a control is implemented, the control isn’t effectively implemented.
  • Stress-test your SSP. Your SSP is the first document a C3PAO will request. What’s in it must match what you actually do. The most common assessment failure our partners report: the SSP and the practice are inconsistent.

Contractors who treat self-assessment as a box-checking exercise typically discover during their C3PAO audit that they’ve been failing controls they thought they’d met. That means a failed assessment, a restart, and another assessment fee.

Phase 2 Starts in November 2026

Phase 2 starts November 10, 2026. On that date, DoD contracting officers begin requiring C3PAO-assessed CMMC Level 2 status in applicable contracts. Phase 1 self-assessment attestations will no longer satisfy new contract requirements.

There are an estimated 118,000 companies that will need CMMC Level 2 certification. As of mid-2026, there are roughly 83 certified C3PAOs. C3PAOs are already booking 6 to 9 months out.

If you haven’t started your compliance journey, the math isn’t in your favor. Most contractors need 6 to 12 months from a standing start to be ready for a C3PAO assessment (although PreVeil’s VDI offers a path in 110 hours). Organizations that begin now — implementing controls, building documentation, conducting their self-assessment — have a path. Those that wait for a specific contract requirement may not.

How PreVeil Helps with CMMC Level 2 Compliance

PreVeil is trusted by more than 3,000 small and midsize defense contractors, and has been used by over 85 customers to achieve perfect 110/110 scores in CMMC assessments.

Three things make that track record possible:

1. Technology that covers the controls. PreVeil’s end-to-end encrypted Email and Drive platform supports 102 of the 110 NIST 800-171 controls — through a combination of inherited and shared controls. That’s not a claim; it’s documented in our Customer Responsibility Matrix and validated by C3PAOs.

2. Documentation that holds up under scrutiny. Our Compliance Accelerator includes a pre-filled SSP with language validated by real assessors, policy documents, POA&M templates, and 1:1 support from our compliance team. As Paul Miller from Virtra put it after using PreVeil’s documentation: “The prefilled documents halved the time we spent on the SSP and gave us a starting place to make sure we addressed everything.”

3. Partners who know the process. Our Preferred Partner Network includes C3PAOs, Registered Practitioners, and MSPs – all with direct CMMC assessment experience and deep knowledge of the PreVeil platform.

If your organization needs to get compliant and you don’t know where to start, schedule a free compliance call with our team.

Frequently Asked Questions: CMMC Level 2 Self-Assessment

Do I need to submit a CMMC Level 2 self-assessment right now?

If your contracts include a DFARS 252.204-7021 clause or you handle CUI, yes. Phase 1 began November 10, 2025. Contractors must have a current SPRS score to remain eligible for new DoD contracts. If you don’t have one on file, you need one.

What’s the difference between a CMMC Level 2 self-assessment and a C3PAO certification?

A self-assessment is an internal evaluation you conduct and attest to. A C3PAO certification is a formal third-party audit conducted by a Cyber AB-accredited assessment organization. Most companies handling CUI need the C3PAO path. Self-assessment is a certification path only for a small subset of contractors who don’t handle CTI or sensitive defense CUI.

What SPRS score do I need to keep bidding on contracts?

There’s no universal floor for competitive eligibility — prime contractors set their own minimums. For conditional CMMC Level 2 certification through a C3PAO, you need at least 88. A score of 110 is required for final certification.

Can I do the self-assessment myself, or do I need to hire a consultant?

You can do it yourself, but only if you have the internal expertise to accurately evaluate all 110 controls against all 320 assessment objectives. Many small contractors hire a Registered Practitioner or consultant to guide the first assessment. PreVeil’s Preferred Partner Network lists vetted consultants who know the CMMC framework.

We submitted an SPRS score two years ago. Do we need to redo it?

SPRS scores must be updated at least every three years. But if your security posture has changed significantly with new tools, new team members, or new processes, your score may no longer reflect reality. An outdated or inaccurate score creates legal exposure under the False Claims Act. Review it annually alongside your executive affirmation.

What score do I need on my self-assessment to move to a C3PAO audit?

Technically, you can begin a C3PAO assessment at any score. Practically, you need a score of 88 or higher to qualify for conditional certification. If you score below 88, you cannot achieve conditional status and may need to remediate before your C3PAO assessment is worth the investment.

My prime contractor is asking me to prove compliance. What exactly do they need?

Most primes want to see a current SPRS score — typically not older than three years — and confirmation that a senior executive has submitted the annual affirmation. Some primes also request your SSP or a summary of your POA&Ms. Check directly with your prime or contracting officer for their specific requirements.

What happens if my SPRS score doesn’t match my C3PAO assessment results?

Significant discrepancies between your self-assessed score and C3PAO findings are visible in SPRS. They can trigger scrutiny from DIBCAC, raise red flags with prime contractors, and in cases of knowing misrepresentation, create False Claims Act exposure. Score conservatively and back every control with documented evidence.

Can we use a POA&M to cover unmet controls in a self-assessment?

For self-assessment purposes, yes — you document gaps in your POA&M and include a projected remediation date. For C3PAO certification, POA&Ms are only permitted for 1-point controls, and you must close them within 180 days. POA&Ms are not permitted for 3- or 5-point controls.

How long will it take us to be ready to submit a Level 2 self-assessment?

It depends on your starting point. Organizations using a compliant platform and documentation framework can be ready in as few as 6 to 8 months. Most SMBs starting from scratch need 12 to 18 months to reach a score worth submitting. The longer you wait, the narrower the window before Phase 2.

Does PreVeil help me achieve a passing SPRS score?

PreVeil supports 102 of the 110 NIST 800-171 controls through inherited and shared controls. Our Compliance Accelerator provides a pre-filled SSP, policy documents, and POA&M templates validated by C3PAOs. Over 85 PreVeil customers have achieved 110/110 scores on their C3PAO or DoD assessments. Learn more about how PreVeil supports CMMC compliance.

Reviewed by Noël Vestal, PMP, CCA, CMMC RP. Noël is PreVeil’s Compliance Officer and a Certified CMMC Assessor with over 15 years in DoD IT program management.