
The Cybersecurity Maturity Model Certification (CMMC) is a robust cybersecurity program designed to ensure that organizations across the Department of Defense (DoD) supply chain follow strong cybersecurity practices. Before pursuing certification, it’s important to understand which assessment level applies to your organization so you can plan the compliance process accordingly.

The challenge is that there isn’t a universally applicable set of rules to follow when choosing an assessment—the right type is determined on a case-by-case basis depending on several factors.

This guide will help you navigate this challenge by outlining all CMMC assessment tiers and the key details you should consider when determining which level applies to your organization.

CMMC levels at a glance

CMMC offers three certification levels:

  1. Level 1 (Foundational): Encompasses standard security hygiene and practices aimed at securing Federal Contract Information (FCI)
  2. Level 2 (Advanced): Aligns with NIST SP 800-171 to provide a more elaborate framework for protecting FCI and Controlled Unclassified Information (CUI)
  3. Level 3 (Expert): Encapsulates the most advanced security measures and practices aligned with NIST SP 800-172

Each certification level has a specific set of practices for ensuring the security of data based on its criticality. For clarity, here are a few examples of FCI and CUI:

FCI examples:
  • Tender description
  • Pricing structure and details
  • Subcontractor information
  • Proposal responses

CUI examples:
  • Technical data regarding products and services provided to the DoD
  • Engineering drawings and specifications
  • Research and development data
  • Personally identifiable information (PII) of parties involved in the contract or certain third parties

If you’re unsure which level you need, contracts and solicitations should help you decide.

“If there is a specific DoD contract you wish to bid on, carefully read the request for proposal (RFP). Those will typically tell you which level of CMMC is required (and thus the one you should choose).”

Crystal Jackson, GRC Product SME

Besides contract requirements, you should consider your organization’s future growth and evolving cybersecurity risks. By ensuring scalability and flexibility, you can align your cybersecurity practices with long-term business goals and anticipate future contract needs. This proactive approach helps you avoid costly rework down the line while ensuring compliance as your organization grows.

Because of the differences in implementation and required levels of assurance, each CMMC level has a corresponding assessment type designed to ensure an adequate audit of the in-scope practices. CMMC assessors audit at the objective level, meaning they assess whether you’ve met the underlying purpose of each practice. A deeper understanding of each requirement helps ensure you're fully meeting these objectives.


An overview of the 3 CMMC assessment types

When pursuing CMMC compliance, you’ll need to undergo one of the following three assessment types:

  1. Self-assessment
  2. C3PAO assessment
  3. Government-led assessment

Below, we’ll cover the specifics of each assessment in more detail.

1. Self-assessment

You can conduct a self-assessment if you wish to achieve Level 1 or Level 2 CMMC compliance. For Level 1, you must perform an assessment against the 15 base-level practices across six areas:

  1. Access Control
  2. Identification and Authentication
  3. Media Protection
  4. Physical Protection
  5. System and Communications Protection
  6. System and Information Integrity

For a Level 2 self-assessment, you need to ensure effective implementation of the 110 practices derived from NIST SP 800-171 R2.

Because self-assessment covers two levels, it is best suited for organizations that manage FCI or non-critical CUI. The specific data you collect, process, and store determines whether you need Level 1 or Level 2.

Either way, the self-assessment will include various activities, most notably:

  • Conducting interviews with staff at different organizational levels
  • Reviewing policies, processes, and IT systems
  • Testing and demonstrating the functionality of processes or systems

For CMMC Level 1, you’ll need to conduct annual self-assessments with accompanying affirmations of compliance. Self-assessments are conducted every three years for Level 2, though annual affirmation is still required.

2. C3PAO assessment

This assessment type is conducted by a CMMC Third-Party Assessor Organization (C3PAO). A C3PAO must be accredited by the CMMC Accreditation Body (CMMC-AB) to provide comprehensive reviews of defense contractors’ alignment with the prescribed practices and standards.

A C3PAO assessment can be performed instead of a self-assessment for Level 2 organizations. It’s mainly aimed at organizations that manage sensitive CUI and need greater assurance regarding practice implementation.

If your organization undergoes a C3PAO assessment, you might obtain two types of Level 2 CMMC certificates:

  1. Conditional Level 2 Certificate
  2. Final Level 2 Certificate

A conditional certificate can be granted if your organization meets at least 80 percent (88/110) of CMMC Level 2 practices but still has gaps that must be remediated. In this case, you’ll need to submit a Plan of Action & Milestones (POA&M)—documents that outline how you plan to remediate the compliance gaps.

Your POA&M should include the following information about the identified gaps and remediation steps:

  • Practice reference for the identified gap
  • Description of deficiency
  • Plan of action and required resources
  • Remediation start and end dates
  • Milestones
  • Responsible parties
  • Status

After submitting your POA&M, you have 180 days to remediate all gaps. If successful, you’ll receive the Final Level 2 Certificate.

Much like Level 2 self-assessments, C3PAO assessments are conducted every three years. Still, you must submit annual affirmations of compliance to maintain your certification. Self-assessment results are entered into the Supplier Performance Risk System (SPRS), while C3PAO assessment results are submitted to the CMMC Enterprise Mission Assurance Support Service (eMASS) by the C3PAO.


3. Government-led assessment

If you require the highest level of CMMC compliance, you’ll undergo an assessment performed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) under the Defense Contract Management Agency (DCMA).

This assessment is necessary for Level 3 certification, which aims at safeguarding critical CUI. It applies to organizations that process, store, or share CUI with non-government entities.

To obtain a Level 3 certificate, you must first complete a Level 2 certification. Then, you’ll need to implement an additional 24 practices derived from NIST SP 800-172. Some of the most notable Level 3 practices include:

  • Advanced threat awareness
  • Automated inventory
  • Bidirectional authentication
  • Supply chain risk plan

Implementing some of these practices might be resource-intensive, as they often require comprehensive documentation to prove their existence and effectiveness. Since your auditor will thoroughly examine the in-scope requirements, you’ll need to demonstrate full alignment with CMMC practices.

If you encounter compliance gaps, you can obtain a Conditional Certificate, much like for Level 2 certification. The requirements for receiving the Final Certificate are the same, so you must bridge any gaps within 180 days.

After you obtain a Level 3 certificate, it will be valid for three years, after which you will be audited again by DIBCAC. In the meantime, you must submit annual affirmations (including Level 2 affirmations).

It’s important to note that if you receive a Conditional Certificate, the three-year validity period starts from the date you receive it, not from when the Final Certificate is granted.

Streamline CMMC assessments with Vanta

CMMC assessments can be complex and laborious, given the detailed security practices involved. This is particularly true for smaller organizations that might be resource-constrained or lack the necessary in-house expertise.

While challenging, CMMC assessments can be structured and streamlined with the right tools and processes. One way to do so is to use a trust management platform like Vanta, which automates up to 50% of your CMMC workflows.

Vanta provides clear guidance and resources to help you complete the applicable assessment without guesswork or manual processes. Vanta provides:

  • Out-of-the-box support for all certification levels
  • Automated evidence collection supported by 375+ integrations
  • Automated gap assessments on a real-time dashboard
  • Centralized tracking and continuous monitoring of CMMC practices
  • Pre-mapped security controls aligned to NIST SP 800-171 and NIST SP 800-172
  • Prescriptive guidance across controls, policies, and documents to reduce ambiguity

You can also tap into Vanta’s partner network to find a reputable C3PAO that can streamline your Level 2 assessment and provide support throughout the process. Schedule a custom demo of Vanta’s CMMC solution for more information and a personalized, hands-on experience.


A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.

What are the CMMC assessment types—and which one do you need?

Written by Vanta
Reviewed by Crystal Jackson, GRC Product SME