How to Conduct a CMMC Self Assessment


If you’re a small business working with the Department of Defense (DoD), you’re probably required to follow CMMC 2.0—a cybersecurity framework built around NIST SP 800-171.

For many organizations, the first step is a CMMC self assessment. But what does that really involve? And how do you make sure it holds up under scrutiny?

This guide breaks it down in plain English.

What Is a CMMC Self Assessment?

A CMMC self assessment is a formal process where you evaluate your own cybersecurity controls against the requirements in NIST SP 800-171.

Under CMMC Level 1, this is required annually. For CMMC Level 2, a self-assessment may be allowed if your contract does not involve critical national security information.

If you qualify, you’ll submit your score to the Supplier Performance Risk System (SPRS) and maintain evidence of compliance.

Who Can Perform a Self Assessment?

You can conduct a self-assessment if:

  • Your contract only requires CMMC Level 1
  • You’re required to meet Level 2, but the DoD has allowed self-attestation
  • You do not handle information deemed critical to national security

You should confirm this in your contract and any attached DFARS clauses like 252.204-7012 and 252.204-7021.

What You’ll Be Measured Against

CMMC Level 1

This includes 17 basic cybersecurity practices from FAR 52.204-21, such as:

  • Using antivirus
  • Requiring strong passwords
  • Limiting access to authorized users

CMMC Level 2

This includes the full set of 110 controls from NIST SP 800-171 Rev. 2, including:

  • Access control
  • Incident response
  • Encryption of data at rest and in transit
  • Audit logging

Download the Tools You’ll Need

To conduct an accurate self-assessment, download and study the following:

  • NIST SP 800-171A – Contains the official assessment objectives
  • DoD Assessment Methodology – Shows how each control is scored
  • SPRS Score Template – Provided by the DoD to calculate your self-assessment score (starts at 110)

Build Your System Security Plan

An SSP explains how your business implements each control in NIST 800-171. It should include:

  • Network and data flow diagrams
  • Descriptions of IT systems and environments
  • Security responsibilities and roles
  • Details of any inherited controls (e.g. from cloud providers like Microsoft GCC High)

An SSP is required—even if you think all your controls are already in place.

Create a Plan of Action and Milestones

If there are gaps in your compliance, document them in a POAM. This should include:

  • Which controls are not yet implemented
  • What you plan to do to fix them
  • Deadlines and responsible staff

You can submit your score with open POAM items, but not for certain critical controls (like MFA or FIPS-validated encryption).

Submit Your SPRS Score

You must submit your self-assessment results to the Supplier Performance Risk System (SPRS). You’ll need:

  • Your overall score (out of 110)
  • Date of your self-assessment
  • Your CAGE code
  • POAM close-out date (if applicable)

Access to SPRS is through the Procurement Integrated Enterprise Environment (PIEE). Be sure someone on your team has access to submit.
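The scoring the DoD Assessment Methodology applies to a self-assessment, as an added example that is not part of the original guide: start at 110, subtract each unmet control's point weight (1, 3 or 5), apply the methodology's reduced deduction for partially implemented MFA and FIPS encryption, and flag POAM items the guide says cannot stay open. The point weights are listed as the example's author recalls them from the methodology's table and should be checked against the official document; the sample POAM is constructed.

```python
"""Compute an SPRS-style NIST SP 800-171 self-assessment score (added example)."""
from dataclasses import dataclass

MAX_SCORE = 110  # every assessment starts at 110 points

# Points deducted when a control is NOT implemented, from the DoD Assessment
# Methodology table as recalled by this example's author (verify against the
# official table). Only the controls used in the sample POAM are listed; a real
# run would load all 110 weights.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.3.1": 5, "3.5.3": 5, "3.6.1": 5,
    "3.13.11": 5, "3.1.5": 3, "3.1.3": 1, "3.1.20": 1, "3.8.9": 1,
}

# The methodology deducts 3 instead of 5 for these two controls when they are
# partially in place (MFA for remote/privileged users but not all users;
# encryption in use but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Per the guide, these critical controls cannot be left as open POAM items.
NO_POAM = {"3.5.3": "MFA", "3.13.11": "FIPS-validated encryption"}


@dataclass
class Gap:
    control: str          # NIST SP 800-171 requirement id, e.g. "3.5.3"
    partial: bool = False  # True when the partial-credit rule applies


def deduction(gap: Gap) -> int:
    """Points lost for one unimplemented (or partially implemented) control."""
    if gap.partial and gap.control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[gap.control]
    return WEIGHTS[gap.control]


def score(gaps: list[Gap]) -> int:
    """Self-assessment score: 110 minus the deduction for every open gap."""
    return MAX_SCORE - sum(deduction(g) for g in gaps)


def poam_issues(gaps: list[Gap]) -> list[str]:
    """POAM entries the guide says may not remain open at submission time."""
    return [f"{g.control} ({NO_POAM[g.control]})" for g in gaps if g.control in NO_POAM]


if __name__ == "__main__":
    # Constructed sample POAM: MFA only for admins and remote users, non-FIPS
    # disk encryption, plus three 1-point housekeeping gaps.
    sample = [Gap("3.5.3", partial=True), Gap("3.13.11", partial=True),
              Gap("3.1.3"), Gap("3.1.20"), Gap("3.8.9")]
    print("SPRS score:", score(sample))  # 110 - (3+3+1+1+1) = 101
    for issue in poam_issues(sample):
        print("Cannot stay on POAM:", issue)
```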
