CMMC Assessment Checklist
If you think you are ready for a CMMC assessment, use this resource to test where you actually are before contacting a professional.
As publication of 48 CFR continues to loom large in the CMMC ecosystem, organizations in the Defense Industrial Base are asking whether they need a third-party assessment or whether they should conduct a self-assessment. Yes! A self-assessment is currently required by DFARS 252.204-7012 for all existing contracts.
The four-phase rollout of CMMC in 32 CFR part 170.3(e)(1) through (4):
Phase 1 – all contractors with level 1, 2 & 3 CUI conduct a self-assessment and report their score to SPRS.
Phase 2 – all new contracts with level 2 CUI will require a 3rd-party CMMC assessment, with results reported to SPRS.
Phase 3 – all existing level 2 CUI contracts (awarded prior to phase 2) exercising options or extensions will require a 3rd-party CMMC assessment, with results reported to SPRS.
Phase 4 – all level 3 CUI contracts will require a 3rd-party CMMC assessment with results reported to SPRS, and a DIBCAC assessment of level 3 (NIST SP 800-172) controls.
Caveat to all phases: The DoD may choose to add the CMMC 3rd-party assessment requirement to any applicable contracts prior to CMMC implementation, as needed.
If you find that a little hard to decipher, here is some help. When 48 CFR publishes, phase one of the CMMC rollout will begin. Each phase will last 12 months, and the phases will follow one another sequentially.
During phase one, you MUST conduct a self-assessment to maintain your DoD contracts. But remember the caveat from above.
As many subcontractors are already learning, prime contractors can require a 3rd-party assessment as soon as possible, even though 32 CFR says you only have to conduct your self-assessment. Yes, several prime contractors are already asking this of their supply chains.
First, if you have contracts with CUI, you must be conducting annual self-assessments.
Second, if you plan to bid on any contract containing CUI in FY2026, conduct your self-assessment and get a score into SPRS before the request for proposal is released.
Third, if you want to differentiate your bids in 2026, consider being an early adopter: become CMMC level 2 compliant and get your 3rd-party CMMC certification now. The current DFARS 252.204-7024 states: “The Contracting Officer will consider SPRS risk assessments during the evaluation of quotations or offers received in response to this solicitation…”
Lastly, getting a CMMC level 2 now or next year not only differentiates your organization from contractors with only a self-assessment, but it also has the added benefits of:
Is a self-assessment this year good enough? Maybe, but for most organizations the risk of waiting may be too high, placing current and future contracts at risk.
Can we help you with any of your CMMC questions? Contact us today.