Fortinetics

CMMC self-assessment vs C3PAO: which path applies, and when it matters

CMMC Level 2 has two assessment paths — self-assessment and C3PAO third-party assessment. Which one applies is not a choice; it's determined by the CUI you handle and the contract's specific clauses. Here's how to figure out which path your program actually requires, and what each one looks like in practice.

The most common question on first-time CMMC calls is whether the organization can self-assess or whether a C3PAO is required. It is a simpler question than it appears. The applicable path is not a strategic choice — it is determined by what CUI you handle, what the contract says, and whether CMMC Phase 2 has taken effect for your specific procurement.

This article walks through the decision logic. It is aimed at defense subcontractors, primes, and their security leaders who need to understand the assessment-type question before committing to a preparation path. For the full engagement breakdown, see the realistic CMMC Level 2 timeline.

The short answer

For most defense subcontractors handling Controlled Unclassified Information after CMMC Phase 2 takes full effect (November 10, 2026, for new contracts containing the requirement):

  • C3PAO assessment is required for the vast majority of CUI-handling contracts.
  • Self-assessment applies to a narrow set of cases — primarily contracts covering only non-critical CUI, internal self-attestation for DFARS 7012 continuous compliance, and limited scopes explicitly authorized by the contracting officer.

If your target contract includes the standard DFARS 252.204-7021 clause requiring CMMC Level 2 certification at contract award, you are in C3PAO territory. The self-assessment question is effectively answered before the contract is signed.

The two assessment types, technically

CMMC Level 2 has two formal assessment types under the current rule:

Self-assessment is performed by the contractor itself, documented in an assessment report, and posted to SPRS (Supplier Performance Risk System). The contractor attests to compliance; DoD can audit the attestation but does not require a third party to validate it at time of certification. The assessor can be an internal team member who meets training requirements, or a contracted assessor that the contractor selects.

C3PAO assessment is performed by an accredited Certified Third-Party Assessor Organization, which is independent of the contractor. The C3PAO conducts the assessment, produces the Security Assessment Report, and issues the CMMC certificate if the assessment passes. The certificate is recorded with the CMMC Accreditation Body (Cyber AB) and posted to SPRS.

The technical work underlying both assessments is identical — 110 controls from NIST 800-171 Rev 2, assessed against the same CMMC Assessment Guide criteria. The difference is who confirms it.

Which applies to your contract

Five factors determine which assessment type applies:

1. The CUI category handled. CMMC Level 2 applies to CUI. Within CUI there are specific categories (CUI Basic, CUI Specified, and subcategories like CUI//SP-PRIV, CUI//SP-PROP, etc.). Some CUI categories — particularly those with specified safeguarding requirements — are more likely to trigger C3PAO assessment requirements.

2. The contract’s DFARS clauses. The specific clauses in the contract tell you what applies:

  • DFARS 252.204-7012 requires NIST 800-171 compliance (the underlying control set) and a self-attestation. This has been in place for years, predates CMMC, and applies broadly.
  • DFARS 252.204-7019 requires posting a self-assessment score to SPRS before contract award.
  • DFARS 252.204-7020 requires authorizing DoD to conduct a higher-level assessment.
  • DFARS 252.204-7021 requires CMMC Level 2 (or Level 3) certification at contract award, which under CMMC Phase 2 means C3PAO assessment.

A contract containing only 7012 + 7019 allows self-assessment. A contract containing 7021 requires C3PAO.

3. The CMMC Level required. Level 1 allows self-assessment universally. Level 2 splits between self-assessment and C3PAO based on the factors above. Level 3 requires DIBCAC assessment (a higher bar than C3PAO).

4. Whether CMMC Phase 2 is in effect for your procurement. CMMC Phase 2 begins November 10, 2026, and applies to new DoD contracts containing CMMC requirements. Contracts awarded before that date generally continue under pre-Phase-2 rules. Contracts awarded on or after that date are subject to the new rules, which expand C3PAO applicability substantially.

5. Flow-down from the prime. If your contract is a subcontract to a prime, the prime’s security requirements flow down to you. Many primes interpret CMMC requirements more strictly than the contracting agency would — requiring C3PAO certification of subcontractors even when the underlying DoD rule would permit self-assessment. Read your subcontract carefully.

The practical workflow

For a defense contractor trying to figure out which path applies to a specific opportunity:

Step 1. Read the contract (or RFP / solicitation) carefully. Look for DFARS clauses 7012, 7019, 7020, 7021. Note the CMMC Level specified (1, 2, or 3).

Step 2. Identify the CUI you will handle under the contract. If the contract clauses and the CUI together reference safeguarding requirements that map to CMMC Level 2, assume C3PAO assessment is required unless the contract explicitly permits self-assessment.

Step 3. Check the contracting officer’s interpretation. Some ambiguous cases are resolved by the contracting officer — if the contract is unclear, ask. Written responses from the CO become part of your compliance rationale.

Step 4. Check for prime flow-down. If you are a subcontractor, the prime’s interpretation usually dominates. Request the prime’s specific requirement in writing before proceeding.

Step 5. If C3PAO is required, add 6–9 months of preparation plus 6–8 weeks of C3PAO engagement to your contract-readiness timeline. If self-assessment applies, the preparation is similar but the engagement window shortens.

When self-assessment genuinely applies

Self-assessment is not rare, but it is narrower than contractors often assume. It genuinely applies when:

  • The contract does not include DFARS 252.204-7021 and there is no prime flow-down requiring CMMC Level 2 certification
  • The CUI handled is CUI Basic without specified safeguarding controls and the contract allows self-attestation against NIST 800-171 Rev 2 baseline
  • The procurement is a continuation of a legacy contract that pre-dates CMMC Phase 2 and has not been modified to include CMMC clauses
  • The work is specifically scoped to exclude CUI handling — rare, but possible for support work adjacent to CUI-handling activity

For everything else, including most new contracts after CMMC Phase 2 takes effect, C3PAO assessment is the applicable path.

The cost and time implications

A common misconception is that self-assessment is dramatically cheaper or faster than C3PAO assessment. The reality is closer to the following:

Preparation cost is the same either way. Implementing 110 NIST 800-171 Rev 2 controls across 14 families — the architectural and operational work — is identical. Internal staffing costs, external advisory costs (if engaged), and technology costs (SIEM, EDR, policy management, etc.) do not change based on assessment type.

C3PAO engagement adds direct cost and time. A C3PAO engagement typically costs $20,000–$100,000+ depending on organization size and scope complexity, and adds 6–8 weeks of engagement time (planning, testing, reporting).

Self-assessment adds indirect cost. The assessor still needs to be someone trained in CMMC assessment methodology, and the self-assessment report still needs to pass scrutiny if DoD audits it later. Contractors who under-invest in self-assessment rigor sometimes find their score rejected or subject to remediation.

Net difference: C3PAO assessment costs 10–25% more than a rigorous self-assessment on a first-certification engagement. The gap is meaningful but smaller than many expect.

The strategic consideration

If you operate in the defense industrial base and anticipate multiple DoD contracts over the next three to five years, C3PAO certification is likely inevitable regardless of what your immediate contract requires. Most primes are moving toward requiring C3PAO certification of their subcontractors even when the underlying DoD rule would allow self-assessment.

Pursuing C3PAO certification once, maintaining it, and leveraging it across multiple contract bids is more efficient than self-assessing for each contract and discovering mid-engagement that a new opportunity requires C3PAO. The C3PAO certificate is valid three years with surveillance audits; the investment amortizes across the full contract pipeline.

For single-contract contractors without broader DoD revenue aspirations, self-assessment where it genuinely applies can be the cleaner path. But this describes a minority of the defense subcontractor population.

How we advise clients

For first-time CMMC engagements we walk through the contract or opportunity landscape and identify which assessment type applies based on the specific clauses and CUI categories. Where ambiguity exists, we help draft questions to the contracting officer to resolve it before preparation work begins.

The preparation work is roughly the same either way. What changes is the engagement backstop — the C3PAO booking, the scheduling, the evidence presentation. Engagements that are building toward C3PAO from day one do not waste effort; engagements that aim for self-assessment and then discover C3PAO is required often do.

When to engage

For contractors with a target DoD contract within 18 months, the assessment-type question should be resolved early in the preparation planning. Our CMMC practice starts every engagement with a contract-and-clause review to confirm the applicable path, then structures the preparation accordingly.

If you are at the contract-opportunity identification phase — you see an RFP, you are considering bidding, you need to understand what compliance is required — a 30-minute scoping conversation usually lands the answer. If you are already mid-preparation and uncertain whether your plan targets the right assessment type, it is worth confirming before the preparation goes further.
