
CMMC Self vs Third-Party Assessments: What Contractors Must Know Before November 10

Travis Sands

CMMC Self-Assessment vs Third-Party Assessment: What Contractors Need to Know

With the November 10, 2025 effective date of the CMMC Final Rule, defense contractors must answer a critical question: which CMMC level, and which kind of assessment, will we need to remain eligible for contracts?

The distinction between a self-assessment and a third-party assessment is not just about who signs off. It determines the level of evidence, documentation, and preparation required. Understanding the difference now will help your business avoid losing opportunities when contracting officers begin checking SPRS.

Self-Assessment: What It Is and What You Need

Self-assessments apply to Level 1 contractors handling Federal Contract Information (FCI) and to some Level 2 contractors that work with lower-risk Controlled Unclassified Information (CUI).

  • Level 1 requires an annual self-assessment with an annual SPRS affirmation.

  • Some Level 2 solicitations permit a self-assessment valid for three years, but contractors must still post an annual SPRS affirmation.

What you must provide and prepare:

  • A completed NIST SP 800-171 DoD Assessment Methodology score.

  • An accurate and current System Security Plan (SSP) describing how each requirement is implemented.

  • A Plan of Action and Milestones (POA&M) for any gaps with assigned responsibilities and target dates.

  • Evidence to support your claims, such as policies, logs, screenshots, and training records.

Risks of under-preparing:
If your self-assessment is inaccurate or if you cannot provide evidence when asked, you may face a False Claims Act violation. Prime contractors may also review your documentation before awarding subcontracts.

Third-Party Assessment: What It Is and What You Need

For contractors handling more sensitive CUI, especially at CMMC Level 2 and all of Level 3, a C3PAO (Certified Third-Party Assessment Organization) must conduct your assessment.

  • Level 2 third-party assessments are valid for three years, with an annual SPRS affirmation required.

  • Level 3 requires a government-led assessment conducted by DIBCAC.

What you must provide and prepare:

  • A detailed System Security Plan (SSP).

  • Supporting artifacts for each of the 110 NIST SP 800-171 practices, showing actual implementation.

  • A realistic POA&M for any remaining gaps.

  • Staff available for interviews to confirm daily practices and responsibilities.

The cost of third-party assessments:
Independent industry estimates place many Level 2 third-party assessments in the tens of thousands of dollars, sometimes above $75,000. Total compliance programs can exceed six figures once preparation and remediation are included. Even more costly is failing the assessment. A failed review means reassessment fees, additional remediation costs, reputational damage, and lost opportunities if awards are delayed.

How FirstCall Federal Helps Contractors Prepare

At FirstCall Federal, we guide businesses through both paths with a structured readiness approach:

  • Helping contractors prepare accurate self-assessments with defensible documentation.

  • Running mock audits that simulate C3PAO reviews so you know what auditors will see.

  • Providing gap analysis and remediation support to close both technical and process weaknesses before you spend money on an official assessment.

The Bottom Line

Self-assessments and third-party assessments both require more than a checklist. You must provide a complete SSP, a credible POA&M, and solid evidence that your controls are working. Contracting officers will not award, extend, or exercise options unless your required CMMC status and current annual affirmation are posted in SPRS.

Preparing ahead of time reduces costs and lowers the risk of failing an assessment, which can be far more expensive than doing it right the first time. FirstCall Federal is here to help you get there.
