CMMC Level 2 safeguards Controlled Unclassified Information (CUI) using the 110 requirements of NIST SP 800-171 Rev 2. Understanding the two assessment paths — and which one applies to your contracts — is critical to planning your compliance timeline.


Two Assessment Paths

Self-Assessment
Internal evaluation · SPRS score submission · Annual affirmation required · Organization conducts its own assessment against NIST SP 800-171
C3PAO Certification
Independent assessment · Accredited third-party organization · 3-year certification · Annual affirmations required

Enforcement Timeline

PHASE 1
Through November 2026
Self-assessment is common for most Level 2 contracts. Organizations submit SPRS scores and affirm compliance annually. Many non-prioritized CUI contracts remain in this phase.
PHASE 2
November 2026+
C3PAO certification becomes required for applicable contracts. Third-party assessments expand to cover a broader set of Level 2 opportunities in the defense industrial base.
LATER PHASES
2027 and Beyond
Increasing enforcement across the DIB. Organizations without certification face growing exclusion from contract opportunities requiring CMMC Level 2.

Key Preparation Steps

STEP 01
Verify Requirement
Confirm whether your contracts require self-assessment or C3PAO certification by reviewing DFARS 252.204-7021 clauses in your solicitations and awards.
STEP 02
Scope Accurately
Identify all assets that process, store, or transmit CUI. Properly categorize CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets.
STEP 03
Gap Assess
Evaluate your current implementation against all 110 NIST SP 800-171 requirements. Document findings with evidence aligned to assessment objectives.
STEP 04
Remediate & Document
Close identified gaps with technical implementations and policy updates. Build defensible evidence packages including SSPs, POA&Ms, and supporting artifacts.
STEP 05
Engage C3PAO
When C3PAO certification is required, engage an accredited assessment organization early. Lead times for scheduling assessments continue to grow as demand increases.
STEP 06
Sustain
Compliance is not a one-time event. Maintain continuous monitoring, annual affirmations, and ongoing evidence collection to support your certification lifecycle.

Bottom Line

By late 2026, plan for C3PAO certification to remain competitive on the majority of Level 2 opportunities. Organizations that treat self-assessment as the permanent path risk losing contract eligibility as enforcement phases expand.

The time to prepare for third-party certification is now — not when Phase 2 arrives.

Aligned to: CMMC Model v2.1 · NIST SP 800-171 · 32 CFR Part 170 · DFARS 252.204-7012