Level 1 and a limited slice of Level 2 contracts let you self-assess — you score your own controls and affirm the result in SPRS, no outside assessor involved. Most Level 2 contracts that involve Controlled Unclassified Information require a C3PAO: an accredited third-party assessor who reviews your evidence and issues the certification. Your contract or solicitation names the level and the assessment type, and that language — not a rule of thumb — is what decides which path you're on.
This is the question that trips up more small contractors than any other, and it costs real money when they guess wrong. Assume you can self-assess when the contract calls for a C3PAO and you've walked into a bid you can't win. Assume you need a $60,000 audit when a self-assessment would satisfy the requirement and you've talked yourself out of work you were qualified for. The good news: the answer isn't a mystery. It's written into the contract.
There are three real paths here, and only three. Level 1 self-assessment, Level 2 self-assessment, and Level 2 C3PAO certification. Once you can tell them apart and know where to look in your solicitation, the confusion evaporates. Let me lay out each one, the deadline that's tightening the whole picture, and the honest cost and timeline reality of the C3PAO path so nothing surprises you.
Before the details, here's the whole landscape on one screen. The level is set by the sensitivity of the information you'll handle, and the assessment type follows from the level and the specific contract.
| Path | Data it covers | Who assesses you | How often |
|---|---|---|---|
| Level 1 self-assessment | Federal Contract Information (FCI) | You — self-assessed, affirmed in SPRS | Annual |
| Level 2 self-assessment | Controlled Unclassified Information (CUI), limited programs | You — self-assessed against the 110 controls | Annual + affirmation |
| Level 2 C3PAO | CUI, most programs | An accredited third-party assessor (C3PAO) | Certification on a set cycle |
Notice what's doing the work here: the type of data pushes you to a level, and the specific contract tells you whether that level is met by a self-assessment or a C3PAO. Two Level 2 contracts can land on different assessment paths. That's why "which level am I?" is only half the question — you also have to read how that level gets verified for the award you're chasing.
Level 1 is the entry tier. It applies when your contract involves Federal Contract Information — information provided by or generated for the government under a contract that isn't intended for public release, but isn't the more sensitive CUI. Think basic contract data, not controlled technical drawings.
The bar here is a set of basic safeguarding requirements — the kind of hygiene most legitimate businesses already do in some form. You perform an annual self-assessment, and a senior official in your company affirms the result in SPRS. No third party, no certificate, no assessor on site. You attest to it yourself and you own that attestation.
Don't mistake "self-assessed" for "casual," though. The affirmation is a formal statement, and getting it wrong carries real consequences. Level 1 is lighter than Level 2, not weightless.
Level 2 is where Controlled Unclassified Information enters the picture, and it's built on the full 110 controls of NIST SP 800-171 spread across 14 families. This is the tier most defense subcontractors care about, because CUI is what flows down to them from primes.
A limited set of Level 2 programs allows an annual self-assessment rather than a third-party audit. When your contract lands here, you score yourself against all 110 controls using the DoD Assessment Methodology, land on an SPRS score, close gaps through a Plan of Action & Milestones where allowed, and a senior official affirms the result. It's the same rigor of implementation as the C3PAO path — the difference is who signs off on the verdict.
The mistake I see here is treating a Level 2 self-assessment as a lighter lift because no auditor shows up. It isn't. You're implementing and documenting the same 110 controls. The only thing you're saving is the third-party assessment fee — which matters, but doesn't change the security work in front of you.
This is the path most Level 2 CUI contracts land on, and it's the one people mean when they say "the CMMC audit." A C3PAO — Certified Third-Party Assessment Organization — is an accredited, independent outfit authorized to assess you against the 110 controls and issue a formal CMMC certification. They review your System Security Plan, examine your evidence, interview your people, and render a verdict you can't render for yourself.
The critical thing to understand: the C3PAO assesses what you've already built. They don't implement your controls, write your SSP, or fix your gaps. If you show up unprepared, they document that you're unprepared — and you pay full price for the privilege. Everything that determines whether you pass happens before the assessor arrives.
That's exactly why the smart money goes into preparation. Audit-ready documentation, a complete SSP, evidence organized to the control — that's what turns a C3PAO assessment from a gamble into a formality. The assessment is the audit. Your job is to make the audit boring.
Here's the moving piece that's tightening all of this. November 10, 2026 begins Phase 2 of the CMMC rollout, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts — not a phased-in expectation you can defer, but a gate you either clear or lose the bid.
And the pressure is already here. Self-assessment and SPRS affirmation requirements are showing up in solicitations right now, ahead of the Phase 2 date. So the practical reality is two-track: you likely need a self-assessment posture in place today, and if your contracts point toward the C3PAO path, that work has to be underway well before November — because, as you'll see next, the assessor calendar is the real constraint.
Let me give you the honest numbers, because vague reassurance helps no one plan. For a small contractor, a Level 2 C3PAO certification assessment commonly runs $30,000 to $100,000. The spread is wide because it's driven by two things you partly control: the size of your assessment scope, and how audit-ready your documentation is when the assessor walks in.
On timing, plan for an 8 to 12 week lead time just to get on the calendar — and longer when demand spikes. The reason is simple supply: there are fewer than 100 authorized C3PAOs for the entire defense industrial base. Tens of thousands of contractors, under a hundred assessors. Do that math and you see why "we'll schedule it when we're ready" is a plan that fails on availability alone.
Two levers move both numbers in your favor. First, scope CUI into a small enclave so the assessor is reviewing six machines instead of forty — assessment time scales with scope, and so does the bill. Second, walk in with the paperwork already done so the C3PAO is verifying your work, not waiting on it. For the full dollar breakdown behind these figures, see CMMC compliance cost for small business. And before anything else, get a baseline: the free SPRS score calculator tells you where you stand against the 110 controls in about two minutes.
Both paths run on the same 110 controls and the same documentation: a System Security Plan, the 20 required policies, a POA&M, and your SPRS score. The CMMC Level 2 DIY Compliance Kit is all of it, editable and built for a small shop — so you either finish your self-assessment or walk into your C3PAO audit already prepared instead of paying an assessor to wait on you.
A self-assessment is one you perform on your own network and submit yourself — you score your controls, affirm the result in SPRS, and no outside party grades you. A C3PAO assessment is performed by a Certified Third-Party Assessment Organization: an accredited, independent assessor comes in, reviews your evidence against the controls, and issues a CMMC certification. Which one applies is set by your contract, not by your preference.
No. Level 1 covers Federal Contract Information and is met with an annual self-assessment against a smaller set of basic safeguarding requirements, affirmed in SPRS by a senior official. There is no third-party assessor at Level 1 — you attest to it yourself.
Level 2 splits into two paths. A limited set of Level 2 programs allows an annual self-assessment, but the majority of Level 2 contracts that involve Controlled Unclassified Information require a C3PAO third-party certification. Your contract or solicitation names the level and the assessment type — that language is the deciding factor, not a general rule of thumb.
For a small contractor, a Level 2 C3PAO certification assessment commonly runs $30,000 to $100,000, driven mostly by the size of your assessment scope and how audit-ready your documentation is when the assessor arrives. That figure is the assessment itself — it does not include the internal work and remediation you do beforehand, which is where walking in prepared saves the most money.
Plan on an 8 to 12 week lead time just to get on the calendar, and longer during the crunch. There are fewer than 100 authorized C3PAOs for the entire defense industrial base, so assessor availability — not your readiness — is often the real bottleneck. Booking early is the only reliable way to avoid missing an award window.
November 10, 2026 begins Phase 2 of the CMMC rollout, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts rather than a phased-in expectation. Self-assessment and affirmation requirements are already appearing in solicitations now, so the certification path needs to be underway well before that date given the assessor backlog.