
How to Conduct CMMC Level 2 Self-Assessment: Step-by-Step with Templates


This guide explains the steps to conduct and submit a CMMC Level 2 self-assessment. Get expert tips to avoid common pitfalls and earn your CMMC compliance. Also, get our free templates and interactive tool.

Preparing for CMMC Level 2 self-assessment

Preparing for a CMMC Level 2 self-assessment centers on a key factor: whether your self-assessment will stand on its own or be followed by a third-party audit. Level 2 applies to contractors that handle Controlled Unclassified Information, and many will face outside review rather than relying solely on self-assessment.

The distinction shapes how organizations approach compliance. A self-assessment may satisfy some contracts, although the requirements themselves remain unchanged. Demonstrating full implementation of NIST SP 800-171 controls, supported by a defensible System Security Plan and evidence, is essential. Treating self-assessment as rehearsal makes preparation more durable and transferable.

The DoD’s regulatory analysis projects that far more entities will complete third-party certifications than self-report, especially where higher-risk CUI is involved. These reviews are carried out by Certified Third-Party Assessment Organizations (C3PAOs). For contractors, this makes self-assessment less of a shortcut and more of a rehearsal for building an audit-ready compliance posture that can withstand government or prime contractor validation.


William McBorough, a CMMC Lead Assessor and Co-Founder of MCGlobalTech, notes that meeting the standard isn’t just about passing an audit but about maintaining compliance over time.

“Contractors often put in significant effort to prepare for their initial assessment with no plans for maintaining compliance,” McBorough says. “Since Level 2 aligns with NIST 800-171, it requires ongoing governance and continuous monitoring. CMMC also requires an annual attestation of compliance.”

How to conduct a CMMC Level 2 self-assessment step-by-step

A CMMC Level 2 self-assessment confirms that all 110 requirements of NIST SP 800-171 are implemented and documented. To conduct one, you define scope, run a gap analysis, collect and map evidence, create POA&Ms where permitted, calculate your score, and report results in the Supplier Performance Risk System (SPRS). 

These five steps yield a defensible, audit-ready self-assessment:

  1. Define your scope
    Start by identifying all systems, processes, facilities, and service providers that handle Controlled Unclassified Information (CUI) as defined in the NARA CUI Registry. For prime contractors and subcontractors, take special care to clarify which responsibilities cross company lines so that accountability is clear from the outset. Document this boundary formally in your System Security Plan (SSP) and keep supporting diagrams or asset inventories with version control.

    Contractors working only with Federal Contract Information (FCI) generally meet CMMC Level 1 requirements instead. Clearly distinguishing CUI from FCI early prevents over-scoping and helps align security controls to the correct CMMC level.

    McBorough says organizations often fail to understand how service providers affect their CUI scope. 

    “Service providers are one of the most common scoping blind spots I’ve seen,” he says. “If a managed service provider (MSP) has administrative access to systems that store, process, or transmit Controlled Unclassified Information (CUI), then those services are in scope. Yet many contractors overlook them, often because they assume the provider is ‘outside’ their environment, or worse, assume they are compliant simply because the vendor said so.”

    The solution? McBorough says to document responsibilities in the Shared Responsibility Matrix (SRM) or Customer Responsibility Matrix (CRM), and include the providers in your System Security Plan (SSP). Documentation should describe the provider’s role and level of access, which systems or data they interact with, and how their activities impact specific CMMC control requirements.

    “This level of transparency shows assessors that the contractor understands the full extent of their compliance boundary,” he says. “It also helps contractors hold providers accountable for their share of security responsibilities, which is often where gaps emerge during assessment.”


  2. Run a gap analysis
    Next, compare your current cybersecurity practices against the 110 requirements in NIST SP 800-171. Use the Department of Defense’s assessment methods — “Examine, Interview, and Test” as defined in NIST SP 800-171A — to evaluate whether each control is fully implemented. Record which requirements are met, not met, or not applicable, and capture the findings in a gap analysis template to create a clear baseline.

    To conduct this step, you can use Strike Graph’s free CMMC gap analysis template or its free interactive self-assessment tool.

  3. Gather evidence and remediation plans
    Once gaps are identified, gather the artifacts that demonstrate compliance. These may include approved policies, training records, system activity records, or screenshots. Each artifact should map directly to a specific requirement and assessment objective. 

    When you discover deficiencies, document them in a Plan of Action and Milestones (POA&M). POA&Ms may include only selected requirements listed in Title 32 of the Code of Federal Regulations (CFR), Section 170.21. To qualify for conditional Level 2 status, organizations must earn at least 80 percent of the points. You have 180 days to remediate and validate your open POA&M items, or your conditional status expires. Each closed item requires a documented POA&M closeout assessment confirming that the control is now considered “met.”

  4. Get your score
    After addressing gaps, calculate your score using the DoD assessment methodology. You begin with 110 points. Subtract one, three, or five points for each unmet requirement, depending on severity. Keep an SSP that connects each control to supporting evidence, and score conservatively — overstated compliance can create problems during validation. 

  5. Submit results in SPRS
    Finally, log in to the Supplier Performance Risk System (SPRS) portal to submit your results. Enter your score, assessment date, scope, POA&M completion date, and SSP metadata. Your affirming official must complete the required annual affirmation. Before submission, double-check all entries — errors can delay contract eligibility — and keep your supporting documents securely stored for at least six years in case of later review.


Using your self-assessment to prepare for a C3PAO audit

Use your self-assessment as a full rehearsal for a C3PAO audit. The documentation, evidence, and scoring you build now should match what auditors will evaluate later. Aligning your process with formal audit expectations reduces rework.

The process is:

  • Gather evidence like you’ll show it to an auditor. Keep it clean, mapped to each control, and tied to the assessment objectives — Examine, Interview, and Test — from NIST SP 800-171A.

  • Stress-test your remediation plan. Auditors will look not only for what’s implemented but also for how you do remediation. Be ready to walk through your POA&M and SSP.

  • Practice interviews. Run mock Q&A sessions with your team. Auditors will ask staff about their roles, policies, and procedures. If your people can explain them clearly, you’ll build credibility fast.

The bottom line: don’t skimp. What you do in self-assessment will be the foundation for how you perform in a C3PAO audit and for your ongoing annual affirmation of compliance.


“Robust control monitoring and clean data organization can help ensure a smooth self-assessment review by governments or other third parties,” says Micah Spieler, Strike Graph’s Head of Product.

“By tying your self-assessment directly to controls that are monitored by continuous and automated evidence collection, your SPRS scores become increasingly defensible. If a third party requests to see proof of your control operation, you can use this data structure to quickly produce evidence that reinforces the rating of the scores that you provided.”

Submit Level 2 self-assessment results through the DoD’s SPRS portal, accessed via the PIEE platform. Enter your score, scope, CAGE code(s), assessment level and type, assessment date, and — if applicable — your POA&M completion date. Your affirming official must also submit the required annual affirmation. Accuracy determines contract eligibility.

Before you log in, make sure your team and documentation are ready. The following steps outline what to prepare and how to avoid common submission errors.

  • Get access: In PIEE, request the SPRS Cyber Vendor User role and confirm the correct CAGE code(s) appear under your account.

  • Prepare your entries: Have your SSP title, version, and date, your scope statement, overall score, and any open POA&M items (with target completion dates) ready.

  • Enter results in SPRS: Record the score, assessment date, Level 2 (Self) assessment type, scope, CAGE code(s), SSP metadata, and — if using POA&Ms — the projected completion date.

  • Affirmation: Your affirming official submits the annual affirmation in SPRS; many teams do this immediately after filing results and then calendar the yearly renewal.

  • Validate and retain: Recheck numbers against your SSP and evidence index; mismatches trigger scrutiny. Update SPRS when POA&M items close, and retain submission records and supporting evidence for at least six years.


Free tools can simplify CMMC Level 2 self-assessments by helping small teams document, organize, and track compliance. The right resources reduce administrative work and make the process more consistent.

Strike Graph’s interactive CMMC self-assessment tool walks users through every requirement, organizes evidence, and generates a ready-to-share report. It transforms what could be a one-time task into a repeatable compliance process. It’s free for a limited time.

Strike Graph also offers these free CMMC templates:

On the Strike Graph platform, much of the work is automated.

“All CMMC requirements in Strike Graph are satisfied by controls, and the operation of these controls is demonstrated through collected evidence that can be reviewed during a C3PAO,” says Micah Spieler, Head of Product at Strike Graph. “When organizations conduct their Level 2 self-assessments, their scores are tied directly into these control and evidence mappings, meaning that there is a clean audit trail from the score to the control to the evidence of operation.”  

Level 2 self-assessments require your time, organization, and focus. Many contractors struggle to extend governance beyond IT, scope the systems correctly, and compile complete, current evidence. Others misjudge effort or cost, inflate scores, or start too late — creating compliance gaps, audit delays, and reputation risks that could have been avoided.

Prepare to face and overcome frequent CMMC challenges:

  • Governance beyond IT: Organizations may struggle with company-wide governance without the right focus and openness to change.

    “The organizations that succeed in CMMC are those that approach it as a business risk management program, rather than a set of IT tasks,” McBorough advises. “This requires governance structures, assignment of roles and responsibilities, and making compliance part of their organizational culture.”

  • Proper scoping: Under-scoping and over-scoping both waste time and money. Experts recommend mapping out your CUI in detail before your self-assessment to avoid either problem. 

  • Incomplete evidence: You need adequate, current artifacts — policies, logs, screenshots — tied directly to each practice. Make sure they reflect how systems and processes actually operate today.

  • Inflated scoring: Don’t overstate compliance. Score conservatively and back it with evidence. Guided scoring tools keep results realistic and defensible.

  • Misjudged costs: Many contractors underestimate the effort involved in achieving and maintaining compliance. Others overspend on consultants, expecting them to “deliver” certification. The reality is that the heavy lifting still happens internally.

    “The biggest cost misjudgment I see is contractors thinking they can buy their way out of the problem with a consultant,” says Strike Graph CEO Justin Beals. “They'll pay $50K-$100K for a firm that shows up with pre-built templates — generic SSPs, cookie-cutter policies, standardized procedures — and calls it ‘consulting.’”

Beals adds: “But here's what actually happens: the consultant spends their time explaining the templates to you, then the real work begins. You still have to roll out all 110 controls across your organization. You still have to build the evidence collection infrastructure. You still have to train your staff and maintain everything ongoing. The consultant didn't eliminate the work — they just gave you a start and left.”

  • Compliance time crunch: Many companies wait until a contract requires certification to begin preparation.

    “Companies that underestimate Level 2 rigor typically wait until they have a specific contract requiring certification, then discover the C3PAO assessment process takes 4-6 months minimum — and that's after you've actually implemented everything,” Beals warns.

    “If you're 6 months out from losing contract eligibility and you're just starting POA&M remediation, you're in a business-critical situation. I've seen contractors lose rebid opportunities, get dropped from prime contractor qualified vendor lists, or have to turn down new work because they can't meet certification timelines.”

  • Reputation risk: A failed or delayed audit doesn’t just affect one contract — it can damage your standing with prime contractors and DoD program offices.

    “In the defense industrial base, word travels fast,” says Beals. “If you're known as the subcontractor who couldn't get certified and delayed a prime's program timeline, that damages relationships that took years to build. Taking Level 2 seriously from the start — treating self-assessment as if a C3PAO is watching — protects your certification timeline and your business relationships.”

  • Working with traditional consultants: Many consulting firms rely on boilerplate templates and fail to go deep enough.

    “My big gripe with traditional consulting is they rarely take the time to understand your organization,” says Beals. “They don't learn your tech stack, your operational constraints, or your business processes. They just drop templates and move on. What you need is security that's carefully crafted to be both efficient for your organization and effective at meeting compliance outcomes.”

    He adds: “Strike Graph's approach is fundamentally different because Verify AI learns your actual environment and validates controls based on how you really work, not how a template says you should work.”

That difference in approach — embedding automation and evidence verification from the start — is what helps companies sustain compliance long after certification.

The fastest road to CMMC compliance is a centralized, automated platform. Strike Graph brings every core task — scoping, gap analysis, remediation tracking, evidence collection, and scoring — into the same workflow.

The result is more than saved time; it’s confidence. Whether you’re maintaining self-assessment status or preparing for a C3PAO audit, you’ll spend less energy managing compliance and more on mission-critical work — and preparing to win contracts faster.

For a limited time, we’re offering a free CMMC self-assessment toolkit and CMMC implementation guide.


And if you’re looking for something more? Schedule a Strike Graph demo today to streamline your CMMC compliance.

FAQ on CMMC Level 2 self-assessments

What are DFARS 252.204-7012, 7019, and 7020, and how do they relate to CMMC?
These DFARS clauses require contractors to safeguard Controlled Unclassified Information (CUI) and report cybersecurity compliance in the Supplier Performance Risk System (SPRS). They’re not prerequisites for CMMC Level 2 but share many of the same requirements and reporting workflows.

Who are DCMA and DIBCAC, and what do they do?
The Defense Contract Management Agency (DCMA) and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) oversee compliance verification across the defense supply chain. They may review your self-assessment or C3PAO audit results for quality assurance and consistency.

What is eMASS, and how does it relate to SPRS?
The Enterprise Mission Assurance Support Service (eMASS) is a DoD system that manages cybersecurity authorization packages. CMMC results go into SPRS, not eMASS, but keeping documentation consistent across both systems helps if your package is reviewed by the government.

What’s the NARA CUI Registry?
The NARA CUI Registry defines categories of Controlled Unclassified Information (CUI) and explains how it must be handled. Contractors working only with Federal Contract Information (FCI) generally fall under CMMC Level 1, while those handling CUI fall under Level 2.

How does FedRAMP fit into CMMC compliance?
If your systems rely on cloud or hosting providers, verify they hold appropriate FedRAMP authorization. Using FedRAMP-approved vendors helps ensure your CUI is protected under equivalent federal standards.

What are the Cyber AB and CMMC Ecosystem Marketplace?
The Cyber AB is the official CMMC Accreditation Body that authorizes Certified Third-Party Assessment Organizations (C3PAOs) and practitioners. Its CMMC Ecosystem Marketplace lists accredited C3PAOs and Registered Practitioners you can work with.
