For CMMC Level 2, your compliance is verified one of two ways: a self-assessment you run and attest to, or a certification by an accredited third party — a C3PAO. You rarely choose between them; your contract assigns one. But the difference shapes your cost, your timeline, and your legal exposure. Here is how each path works.
The two paths — and why you usually don't pick
CMMC Level 2 is verified one of two ways, and the status labels reflect which one was used: Level 2 (Self) and Level 2 (C3PAO). Both paths assess the same 110 NIST 800-171 controls and the 320 assessment objectives behind them. The only thing that changes is who does the verifying — and how far that verification is trusted.
As with your CMMC level, you don't choose between them — the contract does. The DFARS provision that names your required level also specifies the assessment type, and the program office sets it based on the sensitivity of the information involved.
One asymmetry is worth committing to memory: a C3PAO certification satisfies a self-assessment requirement, but a self-assessment does not satisfy a C3PAO requirement. A Level 2 (C3PAO) status is the universal one — it covers everything below it. Submit a self-assessment where the contract demanded certification, and you are simply ineligible for award.
What a self-assessment actually involves
A self-assessment is an internal evaluation. You assess your environment against the 110 requirements using the methods in NIST SP 800-171A, calculate your score under the CMMC Scoring Methodology, and enter that score into SPRS — followed by an affirmation from a senior official. It is valid for three years, with the affirmation renewed annually.
You can bring in outside help. A Registered Practitioner Organization (RPO) or consultant can prepare you and even work the assessment alongside you. It is still a "self-assessment," because your organization determines the results and your Affirming Official signs for them.
That signature is the catch. A self-assessment is not the easy option — it covers the same 110 controls and 320 objectives a C3PAO would check, and the affirmation behind it carries the same False Claims Act exposure. The only thing the self path removes is the independent reviewer, which means the full weight of getting it right sits with you.
What a C3PAO certification involves
A C3PAO — a Certified Third-Party Assessment Organization — is an independent assessor authorized by the CyberAB, the single accreditation body for the program. Its Certified CMMC Assessors (CCAs) follow the CMMC Assessment Process, which runs in four phases:
Pre-assessment. The C3PAO validates your assessment scope, reviews your System Security Plan, and confirms you are actually ready to begin.
Assessment. The team examines your evidence, interviews your people, and tests your controls against all 110 requirements.
Reporting. They score the result, run an internal quality-assurance review, and upload it to the CMMC instance of eMASS — which transmits your status to SPRS automatically.
Close-out. They issue your Certificate of CMMC Status and, where needed, manage the 180-day POA&M window.
A C3PAO cannot also be your consultant: the firm that certifies you is barred from having prepared you. That independence is the entire point — it is why a certification is trusted where a self-attestation is not. A Level 2 (C3PAO) status is valid for three years, with the same annual affirmation.
The three outcomes of a C3PAO assessment
A certification assessment ends in one of three places:
Final Level 2 (C3PAO) — every requirement MET or not applicable. Full certification.
Conditional Level 2 (C3PAO) — you scored at least 88, and your remaining gaps are all POA&M-eligible. You are certified and eligible for award, with 180 days to close the gaps and a closeout assessment to confirm.
No certification — fail even one high-value (3- or 5-point) requirement, and it cannot go on a POA&M, so the assessment yields no certificate. You remediate and reassess.
The third outcome is the one to plan against. A single unmet high-value control — FIPS-validated encryption, for instance — can sink an otherwise strong assessment.
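As an added illustration (not code from the article, the CyberAB or DoD), the three outcomes above expressed as a small Python classifier. It assumes the DoD Assessment Methodology convention that the score starts at 110 and each NOT MET requirement deducts its 1, 3 or 5 point value, treats any requirement not listed as MET, and models only the simplified rule stated above; the requirement-specific exceptions in 32 CFR 170.21 are not represented, and the requirement identifiers and point values in the sample findings are constructed for the example.

```python
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110   # NIST SP 800-171 requirements assessed at Level 2
MAX_SCORE = 110            # DoD Assessment Methodology: a perfect score is 110
POAM_MIN_SCORE = 88        # 0.8 x 110, the floor for POA&M eligibility (32 CFR 170.21)
POAM_DEADLINE_DAYS = 180   # conditional status: days allowed to close the gaps

@dataclass
class Finding:
    req_id: str   # NIST SP 800-171 requirement identifier
    points: int   # 1, 3 or 5 under the CMMC Scoring Methodology
    status: str   # "MET", "NOT MET" or "NOT APPLICABLE"

def score(findings):
    """Start at 110 and deduct each NOT MET requirement's points; unlisted requirements count as MET."""
    return MAX_SCORE - sum(f.points for f in findings if f.status == "NOT MET")

def outcome(findings):
    """Map a set of findings to one of the three C3PAO assessment outcomes."""
    s = score(findings)
    gaps = [f for f in findings if f.status == "NOT MET"]
    if not gaps:
        return {"status": "Final Level 2 (C3PAO)", "score": s}
    # A NOT MET requirement worth more than one point cannot go on a POA&M,
    # so the assessment yields no certificate regardless of the total score.
    high_value = [f.req_id for f in gaps if f.points > 1]
    if high_value:
        return {"status": "No certification", "score": s,
                "reason": "high-value NOT MET: " + ", ".join(high_value)}
    if s < POAM_MIN_SCORE:
        return {"status": "No certification", "score": s,
                "reason": f"score {s} is below the POA&M floor of {POAM_MIN_SCORE}"}
    return {"status": "Conditional Level 2 (C3PAO)", "score": s,
            "poam": [f.req_id for f in gaps], "days_to_close": POAM_DEADLINE_DAYS}

# Constructed sample findings (point values are illustrative, not the official table).
SCENARIOS = {
    "clean": [Finding("3.13.11", 5, "MET"), Finding("3.1.16", 5, "NOT APPLICABLE")],
    "minor_gaps": [Finding("3.5.8", 1, "NOT MET"), Finding("3.1.7", 1, "NOT MET")],
    "fips_gap": [Finding("3.13.11", 5, "NOT MET")],   # the FIPS-validated encryption case
    "too_many_gaps": [Finding(f"CONSTRUCTED-{i}", 1, "NOT MET") for i in range(23)],
}

def run_scenarios():
    return {name: outcome(findings) for name, findings in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:>14}: {result}")
```

The "fips_gap" scenario scores 105, comfortably above 88, and still yields no certificate, which is the point the paragraph above makes.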
Cost, time, and capacity: the real constraints
The two paths diverge sharply on cost. Industry estimates — not figures set by the rule — put a self-assessment in the low five figures, mostly internal effort, while a Level 2 C3PAO assessment runs from the mid five figures into six figures depending on your size and scope. In both cases, preparation and remediation usually cost more than the assessment itself.
Time is the harder constraint. A C3PAO engagement is a matter of months, not weeks — and that is before you book it. The pool of authorized C3PAOs is small relative to the thousands of firms the DoD expects to need certification (its own estimate is roughly 8,350 medium and large entities), so assessment slots carry real lead time. If certification is in your future, the scheduling problem alone is reason to start now.
How to decide what to do now
Four moves:
Read the contract. The DFARS 7025 provision tells you whether you face Self or C3PAO. Do not guess, and do not assume your prime's requirement is yours.
If C3PAO is coming, aim there once. Because a C3PAO status satisfies a self-assessment requirement too, you don't need to do both — certify, and you've covered every Level 2 obligation you could face.
Do a readiness assessment first. Engage an RPO for a gap assessment before the formal one — but not the firm you'll hire to certify you, since one firm can't do both.
Name your Affirming Official early. Whichever path you're on, someone senior signs — and on a self-assessment, that signature stands alone. Build the evidence that lets them sign honestly.
Key Takeaways
Two paths, one standard. Level 2 (Self) and Level 2 (C3PAO) both assess the same 110 controls and 320 objectives — only the verifier differs.
You don't choose; the contract does. The DFARS 7025 provision and the program office assign the path based on the information's sensitivity.
A C3PAO status is universal. It satisfies a self-assessment requirement; a self-assessment does not satisfy a C3PAO requirement.
Self isn't "easier." The affirmation carries the same False Claims Act exposure — a C3PAO simply adds an independent reviewer, and a buffer on your personal liability.
Start now if certification is coming. C3PAO capacity is limited and lead times run months; a readiness assessment with an RPO is the right first step.
FAQ
Do I get to choose between a self-assessment and a C3PAO? No. The contract specifies which one you need, through the DFARS 252.204-7025 provision, and the program office sets it based on the sensitivity of the information involved. You cannot substitute one for the other — a self-assessment will not satisfy a contract that requires C3PAO certification.
Is a self-assessment cheaper and easier than a C3PAO? Cheaper and faster, yes — but not easier in substance. A self-assessment covers the same 110 requirements and 320 objectives, and the senior-official affirmation behind it carries the same False Claims Act exposure. What you save in cost, you absorb in personal accountability for getting it right.
Does a C3PAO certification also count as a self-assessment? Yes. A Level 2 (C3PAO) status satisfies a Level 2 (Self) requirement for the same scope. The reverse is not true: a self-assessment never satisfies a contract that requires C3PAO certification.
How long does a C3PAO assessment take? Plan in months, not weeks. The active assessment itself is typically a matter of days, but quality-assurance review, eMASS submission, and — most of all — booking an authorized C3PAO add significant lead time, given limited assessor capacity.
Can the consultant who prepared me also certify me? No. A C3PAO is prohibited from assessing an organization it also consulted for. Use an RPO or consultant to prepare, then engage a separate, CyberAB-authorized C3PAO for the formal assessment.
SOURCES
All primary. Verified as of June 2026.
32 CFR Part 170 (eCFR): § 170.16 (Level 2 self-assessment and affirmation — score entered in SPRS, triennial, annual affirmation); § 170.17 (Level 2 certification — C3PAO uploads to the CMMC instance of eMASS with automated transmission to SPRS; three-year validity; 180-day POA&M closeout; a Level 2 (C3PAO) status satisfies Level 2 (Self)); Subpart C / § 170.9 (the Accreditation Body, C3PAO authorization, ISO/IEC 17020:2012, CCA/CCP credentialing via the CAICO); § 170.21 (POA&M eligibility, score ÷ requirements ≥ 0.8); § 170.24 (scoring). Update trigger: amendment, or Rev 3 incorporation.
CMMC Assessment Process (CAP) v2.0 (CyberAB, cyberab.org). The four-phase C3PAO assessment process (pre-assessment, assessment, reporting, close-out); assessment team roles; eMASS submission and Certificate of CMMC Status.
DoD CIO — CMMC Assessment Guide, Level 2 (dodcio.defense.gov/CMMC). Custom terms (Conditional vs Final status, POA&M closeout assessment); MET / NOT MET / NOT APPLICABLE scoring of the 110 requirements.
NIST SP 800-171A Revision 2. The examine / interview / test assessment methods and the 320 assessment objectives.
Federal Register 89 FR 83214 (Oct. 15, 2024). DoD estimate of ~8,350 medium and large entities requiring Level 2 (C3PAO) certification. Note: cost and timeline ranges cited in the article are industry estimates, not figures set by the rule.
