
CMMC Self-Assessment vs Third-Party (C3PAO)

When a CMMC Level 1 or Level 2 self-assessment is acceptable and when a C3PAO third-party assessment is required, including costs, timelines, and False Claims Act exposure.

Two paths to CMMC: when self-assessment works and when it does not

CMMC 2.0 allows two assessment paths for most contractors: self-assessment performed internally, and third-party assessment performed by a CMMC Third-Party Assessment Organization (C3PAO). Choosing — or being assigned — the right path depends on your CMMC level and the sensitivity of the information your contract involves. This page explains when each path applies, what each costs, how long each takes, and the risks that come with each.

When self-assessment is sufficient

CMMC Level 1: always self-assessment

Level 1 is always a self-assessment. The 17 practices from FAR 52.204-21 are fundamental cyber hygiene — things like limiting system access to authorized users, sanitizing media before disposal, and using malware protection. The DoD decided these controls are straightforward enough to verify internally. Organizations handling only Federal Contract Information (FCI) — the broad category of contract-related information that is not intended for public release — stay at Level 1 and self-assess annually.

CMMC Level 2: self-assessment for less sensitive CUI

Level 2 splits into two tracks. Contracts involving less sensitive Controlled Unclassified Information (CUI) accept self-assessment. Contracts involving more sensitive CUI, critical programs, or certain categories of controlled technical information require third-party certification. The split is intentional: self-assessment keeps costs down for the long tail of defense suppliers, while third-party certification provides verified assurance where the stakes are highest.

The contracting officer tells you which path applies by pointing at DFARS 252.204-7021 and specifying the required level and assessment type in the solicitation. The decision is not yours to make.

CMMC Level 3: never self-assessment

Level 3 is government-led, conducted by the Defense Contract Management Agency's DIBCAC assessors. Level 3 requires a valid Level 2 C3PAO certification as a prerequisite. There is no self-assessment path at Level 3.

The self-assessment path: what it actually entails

Self-assessment is cheaper and faster than a C3PAO engagement, but it is not the low-effort option some contractors hope for. A credible self-assessment involves:

  1. Scoping the environment — defining which systems, people, and processes handle FCI (Level 1) or CUI (Level 2) and therefore fall within the assessment boundary.
  2. Documenting the System Security Plan (SSP) — a narrative description of how each required practice or NIST SP 800-171 requirement is implemented.
  3. Collecting evidence — screenshots, configurations, policies, logs, and other artifacts supporting each requirement.
  4. Scoring against the DoD Assessment Methodology — starting at 110 for Level 2 and subtracting 1, 3, or 5 points for each unmet objective.
  5. Submitting to SPRS — entering the score in the Supplier Performance Risk System.
  6. Affirming annually — a senior official signs an annual affirmation of continued compliance.

The DoD expects self-assessments to be conducted with the same rigor as a third-party assessment. It reserves the right to audit SPRS submissions and has already pursued False Claims Act cases against contractors who submitted inflated scores.

Self-assessment cost and timeline

The direct cost of a self-assessment is staff time. Organizations new to NIST SP 800-171 typically need 6 to 18 months to stand up controls, document them, and produce defensible evidence. Organizations already operating against NIST SP 800-171 can usually complete a self-assessment in 4 to 8 weeks once the control set is in place.

External consulting help is common. Expect $15,000 to $50,000 for a consultant-supported Level 2 self-assessment project, including SSP drafting, gap analysis, and evidence organization. Large environments with complex scope can run higher.

The C3PAO path: what it actually entails

A C3PAO assessment is a formal third-party engagement. Assessors from a Cyber AB-accredited C3PAO evaluate your organization against the same NIST SP 800-171 objectives a self-assessment uses, but with an independent, documented, and externally defensible methodology.

A typical C3PAO engagement runs:

  1. C3PAO selection — choose from the published list of accredited C3PAOs. Look at their experience with organizations your size, their assessor availability, and their readiness review services.
  2. Contracting and scoping — the C3PAO defines the scope of the assessment, the timeline, and the logistics.
  3. Pre-assessment readiness review (optional but common) — a formal mock assessment that identifies gaps before the real assessment begins. This is typically a separate engagement.
  4. Evidence collection and document review — two to four weeks of the C3PAO reviewing your SSP, policies, procedures, and evidence artifacts.
  5. Assessment execution — one to three weeks of on-site or virtual assessor work including interviews, observations, and control testing.
  6. Scoring and findings — the C3PAO scores each of the 110 objectives and issues one of three results: Met (full certification), Conditional (score of 88+ with a POA&M and 180-day remediation window), or Not Met (below 88, no certification).
  7. Close-out (if Conditional) — once the POA&M items are closed within 180 days, a close-out assessment converts the Conditional into full certification.

Certification from a C3PAO is valid for three years, with annual affirmations required each year between full assessments.
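The scoring and outcome rules above (110 points to start, 1, 3 or 5 points deducted per unmet item, Met at a full score, Conditional at 88 or above with a POA&M and a 180-day close-out window, Not Met below 88, three-year validity with annual affirmations) are worth seeing as a single calculation. The following is an added worked example, not code from this page or from episki. The deduction weights and thresholds are the ones the page states; the requirement identifiers, the findings and the assessment date are constructed sample data, and the example does not model which items are eligible for a POA&M, since the page does not describe that.

```python
"""Worked SPRS-style scoring for a CMMC Level 2 assessment (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110            # Level 2 starts at 110 points
CONDITIONAL_MIN = 88       # 88 or above with a POA&M -> Conditional
POAM_WINDOW_DAYS = 180     # remediation window for a Conditional result
VALID_WEIGHTS = (1, 3, 5)  # points deducted per unmet item


@dataclass(frozen=True)
class Finding:
    """One unmet item. The identifiers used below are constructed, not real NIST SP 800-171 IDs."""
    requirement: str
    weight: int


# Constructed sample findings for the walkthrough: 5 + 3 + 1 + 3 = 12 points deducted.
SAMPLE_FINDINGS = (
    Finding("REQ-A", 5),
    Finding("REQ-B", 3),
    Finding("REQ-C", 1),
    Finding("REQ-D", 3),
)
SAMPLE_ASSESSMENT_DATE = date(2025, 3, 1)  # constructed


def compute_score(findings):
    """Start at 110 and subtract each unmet item's weight; the total is not clamped at zero."""
    for f in findings:
        if f.weight not in VALID_WEIGHTS:
            raise ValueError(f"{f.requirement}: weight must be one of {VALID_WEIGHTS}, got {f.weight}")
    return MAX_SCORE - sum(f.weight for f in findings)


def classify(score):
    """Map a score to the three C3PAO outcomes: Met, Conditional, or Not Met."""
    if score >= MAX_SCORE:
        return "Met"
    if score >= CONDITIONAL_MIN:
        return "Conditional"
    return "Not Met"


def poam_deadline(assessment_date, score):
    """Close-out deadline for a Conditional result; None for Met or Not Met."""
    if classify(score) != "Conditional":
        return None
    return assessment_date + timedelta(days=POAM_WINDOW_DAYS)


def poam_is_lapsed(deadline, open_items, today):
    """A Conditional certification lapses when items are still open after the deadline."""
    return open_items > 0 and today > deadline


def certification_calendar(cert_date):
    """Three-year validity, with an annual affirmation due in years one and two."""
    def add_years(d, n):
        try:
            return d.replace(year=d.year + n)
        except ValueError:  # 29 February rolled into a non-leap year
            return d.replace(year=d.year + n, day=28)
    return {
        "affirmations": [add_years(cert_date, 1), add_years(cert_date, 2)],
        "expires": add_years(cert_date, 3),
    }


if __name__ == "__main__":
    score = compute_score(SAMPLE_FINDINGS)
    result = classify(score)
    print(f"score {score}/{MAX_SCORE} -> {result}")
    deadline = poam_deadline(SAMPLE_ASSESSMENT_DATE, score)
    if deadline:
        print(f"POA&M must be closed by {deadline.isoformat()}")
    cal = certification_calendar(SAMPLE_ASSESSMENT_DATE)
    print("affirmations due:", [d.isoformat() for d in cal["affirmations"]])
    print("next full assessment by:", cal["expires"].isoformat())
```

With the constructed findings the score is 98, which lands in the Conditional band, so the 180-day clock starts on the assessment date and the POA&M must be closed by 28 August 2025. Five unmet 5-point items alone would put the score at 85, below the 88 floor, and the outcome becomes Not Met with no POA&M path. The `poam_is_lapsed` check is the one to run on a schedule: it is only open items past the deadline that cost you the certification.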

C3PAO cost and timeline

A Level 2 C3PAO assessment typically costs $50,000 to $150,000, with larger or distributed environments running well above that range. The cost is driven primarily by assessor time, which scales with scope. A single-site small business with a tightly bounded CUI enclave can come in under $50,000; a multi-site defense prime can pay several hundred thousand.

On timeline: plan for 9 to 12 months from the decision to engage a C3PAO to a certification in hand. That accounts for readiness work, scheduling (C3PAO assessors are in high demand as enforcement ramps), the assessment itself, and any POA&M remediation.

Readiness reviews are a separate cost — typically $20,000 to $75,000 — and are strongly recommended. Going into a formal C3PAO assessment without a readiness review often means learning about gaps the expensive way.

How to decide

For most organizations, there is no decision to make — the contracting officer tells you which path applies. But where you do have latitude (for example, when you are preparing in advance of a contract being awarded), consider:

  • Contract eligibility. If you want to be competitive on contracts that require C3PAO certification, you need C3PAO certification. A self-assessment does not let you bid on those contracts.
  • Customer expectations. Some primes require their subcontractors to hold C3PAO certification even when the prime itself could self-assess, because they want independent verification across their supply chain.
  • False Claims Act exposure. A self-assessment score submitted to SPRS is a representation to the government. Organizations that are uncertain about their NIST SP 800-171 posture may prefer the defensibility of a third-party assessment.
  • Budget and timeline. Self-assessment is cheaper and faster. For organizations where a Level 2 self-assessment is genuinely acceptable, it is the rational choice.

How this fits into your CMMC program

The self-assessment vs C3PAO decision shapes everything downstream: your budget, your hiring plan, your vendor selection (C3PAOs, readiness consultants, tooling), your evidence rigor, and your internal audit cadence. Organizations that assume "we'll just self-assess" and then discover a key contract requires C3PAO certification are typically 9 to 18 months away from being bid-eligible on that contract. That timeline is rarely recoverable in a tight competition.

The defensive move is to run your program as if C3PAO certification is coming, even if you start on the self-assessment path. Your evidence quality, SSP rigor, and POA&M hygiene will all be better — and if the path changes, you are ready.

Common mistakes

  • Treating self-assessment as a lighter bar. The assessment methodology is identical. Self-assessment is cheaper because you skip the C3PAO fees, not because the work is smaller.
  • Inflating the SPRS score. Every over-scored objective is a potential False Claims Act exposure. Conservative scoring is the safe posture.
  • Waiting to engage a C3PAO. Assessor availability is the constraint. Organizations that wait until a contract requires certification typically cannot schedule in time.
  • Skipping the readiness review. A formal readiness review surfaces problems when you can still fix them cheaply. A failed C3PAO assessment is a much more expensive way to find the same gaps.
  • Ignoring the 180-day POA&M window. Conditional certifications revoke automatically if POA&M items are not closed. Track closures like a deadline because that is what they are.
  • Forgetting the annual affirmation. Between C3PAO assessments, a senior official must affirm continued compliance each year. Missing an affirmation lapses your certification.

How episki helps

episki supports both CMMC assessment paths. For self-assessments, the platform drafts your SSP, tracks your SPRS score in real time, and produces the evidence package a DoD audit would expect. For C3PAO engagements, episki provides a scoped assessor portal — your C3PAO gets read-only access organized by assessment objective, which cuts assessor billable hours substantially. POA&M items are tracked with 180-day countdowns and owners so conditional certifications do not lapse. Start a free trial to see your current readiness posture.
