Compliance | 8 min read

CMMC Self-Assessment vs C3PAO: Which Path Do You Need?

By the BidStride Research Team

The line is the data. If you only handle Federal Contract Information, CMMC Level 1 is a self-assessment. If you handle Controlled Unclassified Information, you are at Level 2 — and the program office decides whether you can self-assess or need a C3PAO. Most CUI contracts require the third-party C3PAO assessment. Here is the decision tree.

The most expensive mistake in CMMC is assuming you can self-assess when your contract actually requires a third-party audit. The answer turns almost entirely on what kind of government data you touch and how sensitive your specific contract is. Here is how to figure out which path applies to you before you spend a dollar.

Start With the Data: FCI vs CUI

Everything flows from two data types.

Federal Contract Information (FCI) is non-public information you generate or receive under a contract to deliver a product or service — things like a delivery schedule or a non-public statement of work. If FCI is all you handle, you are at CMMC Level 1. Level 1 maps to the 15 basic safeguards in FAR 52.204-21, and it is satisfied by an annual self-assessment. There is no third-party fee, and you cannot use a POA&M to defer items — Level 1 has to be fully met.

Controlled Unclassified Information (CUI) is information the government requires you to protect — technical drawings, specifications, security data, anything marked CUI in your contract. If you handle CUI, you are at CMMC Level 2, which requires implementing all 110 controls in NIST SP 800-171 across 14 control families. Level 2 is where the self-assessment-vs-C3PAO fork lives.

The Level 2 Fork

Level 2 is not one path — it is two, and the DoD program office that owns your contract decides which one your contract requires:

  • Self-assessment Level 2. Allowed for a narrow band of contracts where the CUI is limited or considered lower-risk — what the rule frames as non-prioritized acquisitions whose CUI is not critical to national security. You assess yourself against all 110 controls, post your score to SPRS, and submit an annual affirmation from a senior official.
  • C3PAO Level 2. Required for the majority of CUI contracts. A Certified Third-Party Assessment Organization audits all 110 controls and issues your certification. This is the path most defense contractors handling CUI end up on.

The practical reality: if your contract involves CUI, plan for C3PAO unless the contract or program office explicitly tells you self-assessment is acceptable. Betting on self-assessment and being wrong means discovering it during source selection, which is the worst possible time.

A Simple Decision Tree

1. Do you handle CUI on this contract? No, only FCI → Level 1 self-assessment. Done. Yes → keep going.

2. Does the solicitation or program office specify the assessment type? It will, in the CMMC requirement. If it names a C3PAO assessment → C3PAO Level 2. If it permits self-assessment → self-assessment Level 2.

3. Unsure and it is a typical CUI contract? Assume C3PAO Level 2 and budget accordingly. Most CUI work lands here.

4. Is it a flagship or highly sensitive program? Some of the most sensitive programs require Level 3, which adds controls from NIST SP 800-172 on top of Level 2 and is assessed by the government itself (the DIBCAC), not a C3PAO.

Scoring: What Self-Assessment Actually Requires

Do not read self-assessment as easy. Whether you self-assess or hire a C3PAO, you score against the same 110 controls using the same methodology, where each requirement carries a point value and the maximum is 110. To pass, you need at least 88 points (80%), with remaining gaps eligible for a Plan of Action and Milestones (POA&M), subject to the exceptions noted below.

If you land between 88 and 109, you can get a conditional Level 2 status, but the clock starts: you have 180 days to close out every POA&M item and pass a closeout assessment, or the conditional status expires. Some high-weight controls cannot be POA&M'd at all and must be fully met before you can pass. The honesty of your SPRS score depends on an accurate System Security Plan and a truthful accounting of what is genuinely implemented versus what you are still working on.

The SDVOSB Angle

Veteran-owned firms bidding DoD work are overwhelmingly in CUI territory, which means most SDVOSBs are on the Level 2 C3PAO path whether they have priced it in or not. The firms that get hurt are the ones who assumed self-assessment because it sounded cheaper, then found the C3PAO requirement buried in a recompete with no runway to schedule an assessment. Read the CMMC requirement in every DoD solicitation early, confirm the assessment type in writing, and treat C3PAO as your default planning assumption for any CUI work.

Quick Reference

| Your situation | Path | Who assesses | Annual cost driver |
|---|---|---|---|
| FCI only | Level 1 | You (self) | Annual self-assessment + affirmation |
| CUI, lower-risk contract | Level 2 self-assessment | You (self) | SSP, scoring, annual affirmation |
| CUI, most contracts | Level 2 C3PAO | Certified third party | $30K–$118K assessment + remediation |
| Most sensitive programs | Level 3 | Government (DIBCAC) | Level 2 + NIST 800-172 controls |

Frequently Asked Questions

Do I need a C3PAO or can I self-assess for CMMC?

It depends on the data and the contract. If you only handle Federal Contract Information, Level 1 is a self-assessment. If you handle Controlled Unclassified Information, you are at Level 2, where the DoD program office decides whether your contract allows self-assessment or requires a C3PAO. Most CUI contracts require the third-party C3PAO assessment.

What is the difference between FCI and CUI in CMMC?

Federal Contract Information (FCI) is non-public information generated or received under a contract to deliver a product or service — it puts you at Level 1. Controlled Unclassified Information (CUI) is information the government specifically requires you to protect, such as technical drawings or security data — it puts you at Level 2 with all 110 NIST SP 800-171 controls.

What score do I need to pass a CMMC Level 2 assessment?

You score against 110 controls with a maximum of 110 points. You need at least 88 points (80%) to pass, with remaining gaps eligible for a Plan of Action and Milestones (POA&M). A score of 88 to 109 earns a conditional certification, and you have 180 days to close out the POA&M items and pass a closeout assessment before the conditional status expires.

Is a CMMC self-assessment easier than a C3PAO assessment?

It is cheaper because there is no third-party assessment fee, but it is not easier technically. You measure against the same 110 controls using the same scoring methodology, and you submit an annual affirmation from a senior official. Self-assessment is only available for a narrow set of lower-risk CUI contracts — most CUI work requires a C3PAO.

Related Resources

Not sure which CMMC path your contract requires?

BidStride's free CMMC checker asks the right questions and tells you whether you are looking at Level 1, Level 2 self-assessment, or a full C3PAO audit — plus a gap analysis. 15 questions, no account needed.
