CMMC Assessment Process & Maintaining Certification

Mastering the CMMC Assessment Process: What You Need to Know for 2025 and Beyond
Key Takeaways
The CMMC program involves three distinct levels with two main assessment types: self-assessments and independent third-party or government-led evaluations, as dictated by your contract.
Maintaining eligibility requires annual affirmations in the Supplier Performance Risk System (SPRS) by an appointed Affirming Official, alongside timely management of your CMMC certification’s lifecycle.
Plan of Action and Milestones (POA&Ms) are prohibited at Level 1 but permitted at Levels 2 and 3 with a strict 180-day timeline for resolution before Conditional Status expires.
As the Department of Defense (DoD) continues rolling out the Cybersecurity Maturity Model Certification (CMMC) program, understanding the assessment process becomes crucial for any organization handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) (CUI vs FCI Under 48 CFR Final Rule). Updated for the final CMMC program regulations and DFARS acquisition rule, this guide breaks down the essentials—from levels and assessment types to timelines and compliance obligations—to help you navigate CMMC effectively.
"Successful compliance is a continuous journey rather than a one-time milestone."
Decoding CMMC Levels and Assessment Types
CMMC streamlines cybersecurity assessments using three tiers that range in complexity and scrutiny. The assessment type, self-assessment or third-party/government certification, is determined by what your solicitation or contract mandates. Here’s a quick overview:
CMMC Level | Assessment Type | Conducted By | Frequency |
---|---|---|---|
Level 1 | Self-Assessment | Organization Seeking Assessment (OSA) | Annually |
Level 2 | Self-Assessment | OSA | Every 3 years with annual affirmation |
Level 2 | Third-Party Certification Assessment | Certified Third-Party Assessor Organization (C3PAO) | Every 3 years with annual affirmation |
Level 3 | Government-Led Certification Assessment | Defense Contract Management Agency’s DIBCAC | Every 3 years with annual affirmation |
How Results Are Managed
Self-assessments: Organizations submit results directly in SPRS.
Third-party (C3PAO) and government (DIBCAC) assessments: Results are posted in the CMMC instance of eMASS and automatically reflected in SPRS. Contracting officers rely on SPRS data for award decisions.
Navigating the Six Core Steps in Your CMMC Assessment Journey
Step 1: Pre-Assessment Preparation
Start by clearly identifying the required CMMC level and assessment method specified in your contract. Define the scope to include every system that handles FCI or CUI, including those operated by external service providers. Align with the relevant standards:
- Level 2 adheres to NIST SP 800-171 Revision 2 controls, guided by NIST SP 800-171A for assessment objectives. For detailed information on certification levels and requirements, see CMMC 2.0 Certification Levels & Requirements.
- Level 3 requires prior Final Level 2 certification plus 24 additional controls under NIST SP 800-172.
Adjust and document your System Security Plan (SSP), policies, diagrams, and inventories accordingly.
If you’re new to CMMC or want to understand how it contrasts with former regulations, check out our CMMC Primer.
Step 2: Conducting Your Self-Assessment (Levels 1 & 2 Self)
Perform an internal audit against the required controls—15 practices for Level 1; 110 for Level 2. Post your findings and status in SPRS and ensure your Affirming Official files an annual affirmation reflecting continuous compliance.
Step 3: Third-Party Certification Assessment (Level 2 C3PAO)
When mandated, engage an accredited C3PAO (Understanding the Role of C3PAOs in CMMC Compliance). The C3PAO performs an independent evaluation and uploads the results to the CMMC instance of eMASS, which feeds SPRS automatically. If there are gaps, you may place permitted deficiencies in a POA&M.
Step 4: Government-Led Certification Assessment (Level 3 DIBCAC)
Defense Contract Management Agency’s DIBCAC reviews 24 select NIST SP 800-172 controls once you hold Final Level 2 status. Similar to the third-party process, results are submitted via eMASS, syncing with SPRS.
Step 5: Understanding CMMC Status Outcomes
Final Status signifies all required controls are met.
Conditional Status (only Levels 2 and 3) lets you proceed with contract awards while permitted deficiencies remain open in a POA&M.
Level 1 does not permit Conditional Status; you must achieve Final Status to qualify.
Step 6: POA&M Closeout—A 180-Day Deadline
If you have Conditional Status, every POA&M must be fully addressed within 180 days from the status date. Closeout is assessed by your own organization (Level 2 self-assessment), by the C3PAO (Level 2 third-party), or by DIBCAC (Level 3). Missing this deadline leads to expiration of your Conditional Status, affecting contract eligibility.
Affirmations and Staying Compliant Year-Round
Your responsibility doesn’t end after accreditation. Annual affirmations are mandatory for each covered information system and are submitted in SPRS by the designated Affirming Official. Ensure you keep your CMMC UIDs current to reflect any system modifications.
Maintaining your certification means tracking assessment schedules closely:
- Level 1 assessments annually.
- Level 2 assessments every three years with yearly affirmations.
- Level 3 assessments every three years with yearly affirmations.
And remember, if you use cloud services to manage CUI, verify your provider meets FedRAMP Moderate or an equivalent standard per DFARS.
"Non-compliance drops you from eligibility for DoD contracts, so keeping status and affirmations current in SPRS is non-negotiable."
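To make the lifecycle rules in Step 6 and the schedule above concrete, here is an added example (not part of the original article or of any DoD or SPRS tooling) that encodes the 180-day POA&M closeout, the reassessment intervals, and the annual affirmation into a small status checker; the `CmmcStatus` fields and the state labels are assumptions of this example, not official terms.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

class Level(Enum):
    L1_SELF = "Level 1 (Self)"
    L2_SELF = "Level 2 (Self)"
    L2_C3PAO = "Level 2 (C3PAO)"
    L3_DIBCAC = "Level 3 (DIBCAC)"

# Reassessment interval in years, per the schedule in the article; 180-day POA&M closeout.
REASSESSMENT_YEARS = {Level.L1_SELF: 1, Level.L2_SELF: 3, Level.L2_C3PAO: 3, Level.L3_DIBCAC: 3}
POAM_CLOSEOUT_DAYS = 180

@dataclass
class CmmcStatus:  # assumed record shape for this example
    level: Level
    status_date: date        # date the current CMMC Status was granted
    last_affirmation: date   # most recent annual affirmation filed in SPRS
    open_poam: bool = False  # True while any POA&M item is unresolved

def add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # Feb 29 anniversary falling in a non-leap year
        return d.replace(year=d.year + n, day=28)

def poam_deadline(s: CmmcStatus):
    """Closeout deadline for an open POA&M, or None; Level 1 may not carry one."""
    if not s.open_poam:
        return None
    if s.level is Level.L1_SELF:
        raise ValueError("Level 1 does not permit POA&Ms or Conditional Status")
    return s.status_date + timedelta(days=POAM_CLOSEOUT_DAYS)

def next_reassessment(s: CmmcStatus) -> date:
    return add_years(s.status_date, REASSESSMENT_YEARS[s.level])

def next_affirmation(s: CmmcStatus) -> date:
    return add_years(s.last_affirmation, 1)

def lifecycle_state(s: CmmcStatus, today: date) -> str:
    """Most urgent condition first: lapsed POA&M, reassessment, affirmation, then status."""
    deadline = poam_deadline(s)
    if deadline is not None and today > deadline:
        return "EXPIRED"          # Conditional Status lapsed: POA&M open past 180 days
    if today >= next_reassessment(s):
        return "REASSESSMENT DUE"
    if today >= next_affirmation(s):
        return "AFFIRMATION OVERDUE"
    return "CONDITIONAL" if s.open_poam else "FINAL"
```

Run `lifecycle_state` against each covered system on a schedule and alert on anything other than FINAL or CONDITIONAL; the day after the 180-day window closes it flips to EXPIRED.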
Managing Flow-Down Requirements Across Your Supply Chain
Prime contractors must pass down appropriate CMMC requirements to subcontractors dealing with FCI or CUI. The table below illustrates minimum subcontractor levels relative to the prime contractor’s status.
Prime Contractor Level | Minimum Subcontractor Level |
---|---|
Level 1 (Self) | Level 1 (Self) |
Level 2 (Self) | Level 1 (Self) for FCI; Level 2 (Self) for CUI |
Level 2 (C3PAO) | Level 1 (Self) for FCI; Level 2 (C3PAO) for CUI |
Level 3 (DIBCAC) | Level 1 (Self) for FCI; Level 2 (C3PAO) for CUI |
The Roadmap to Full CMMC Rollout by 2028
The rollout of the acquisition rule begins November 10, 2025, and phases in the following way:
- Phase 1 (Nov 10, 2025): Introduction of Level 1 and Level 2 Self assessments.
- Phase 2 (+1 year): Start of Level 2 C3PAO certifications.
- Phase 3 (+2 years): Expansion of Level 2 C3PAO and introduction of Level 3 assessments.
- Phase 4 (+3 years, Nov 10, 2028): Complete implementation of CMMC requirements across all eligible DoD solicitations and contracts.
This phased approach provides some ramp-up time for organizations to adapt and achieve compliance progressively.
Common Questions About the CMMC Assessment Process
Frequently Asked Questions
How do I know if Level 2 requires Self-assessment or C3PAO?
Your contract solicitation explicitly states the assessment type. Early phases rely mostly on self-assessments for Level 2, but the government may require C3PAO certification if market conditions warrant. This approach shifts toward third-party assessments in later phases.
Is NIST SP 800-171 Rev 3 mandatory for my CMMC assessment?
Currently, only Revision 2 is used for official evaluations. While the DoD has shared guidance for Rev 3, any transition will come through future rulemaking. It’s wise to map Rev 3 internally, but certification hinges on passing Rev 2 criteria.
What is an annual affirmation, and who files it?
Each covered system must have an annual affirmation submitted in SPRS by the assigned Affirming Official, verifying your ongoing adherence to the required cybersecurity controls.
Where are my assessment results stored?
Self-assessment data are posted directly by your organization in SPRS. Assessments conducted by C3PAO or DIBCAC are submitted via the CMMC instance of eMASS, which feeds results into SPRS for contracting officials.
Can a POA&M be used to gain contract awards?
Only at Levels 2 and 3 under Conditional Status, with a requirement to remediate all findings within 180 days. For Level 1, POA&Ms are not allowed; you must hold Final Status.
Ready to Stay On Top of Your CMMC Obligations?
Tracking assessment dates, managing POA&Ms, and ensuring affirmations stay current can be complex. Our forthcoming collaborative compliance tool is designed to simplify this process, keeping your CMMC Status active and audit-ready with automated reminders and task management.
To simplify managing your CMMC assessments, POA&Ms, and affirmations, consider signing up for the CMMC Dashboard free trial. This tool helps you track your certification lifecycle and stay audit-ready with automated alerts.
Navigating the CMMC assessment process can be challenging, but understanding the key steps and deadlines is your first step toward maintaining DoD contract eligibility. Stay proactive, keep your data current, and monitor your certification status closely to succeed in this evolving cybersecurity landscape.