What Does It Mean to Self‑Attest to CMMC Level 2?

As the Department of Defense (DoD) moves toward full implementation of CMMC 2.0, many defense contractors are asking a critical question: What does it actually mean to self‑attest to CMMC Level 2?

If your organization handles Controlled Unclassified Information (CUI), Level 2 is where you live — and understanding when self‑attestation applies (and what it requires) is essential.

This article breaks it down in plain language.

What CMMC Level 2 Covers

CMMC Level 2 represents the “Advanced” tier of the DoD’s cybersecurity framework. It applies to companies that create, store, process, or transmit CUI as part of fulfilling DoD contracts.

Level 2 is built directly on the 110 security requirements in NIST SP 800‑171 Revision 2 (the revision the CMMC program rule ties Level 2 to), which span 14 requirement families, from access control and audit logging to incident response and system integrity. There are no extra CMMC‑only practices at Level 2; the delta from plain DFARS 252.204‑7012 compliance is in how the requirements are assessed and affirmed, not in what they say.

When Self‑Attestation Is Allowed

Here’s the part that causes confusion: not all Level 2 contractors are allowed to self‑attest.

Under the CMMC program rule, each solicitation states which Level 2 path applies: a Level 2 self‑assessment, or a Level 2 certification assessment performed by a CMMC Third‑Party Assessment Organization (C3PAO). DoD has said self‑assessment is reserved for a subset of lower‑risk acquisitions, often called “non‑prioritized acquisitions,” where the CUI involved is not considered critical to national security. The contractor does not choose the path; the contract does.

Most Level 2 contractors will eventually need a C3PAO certification, particularly once Phase 2 of the phased rollout begins and certification requirements start appearing in solicitations. During Phase 1, Level 2 requirements are generally written as self‑assessments, so some organizations will qualify for self‑attestation for a time, and should treat that window as preparation for the third‑party assessment that is likely to follow.

What Self‑Attesting Actually Means

If your contract allows it, self‑attesting to CMMC Level 2 means your organization:

1. Performs an Internal Assessment

You first scope the assessment (which systems, people, and facilities store, process, or transmit CUI, and which assets merely protect or connect to them), then evaluate that scope against all 110 NIST SP 800‑171 requirements and their assessment objectives, keeping evidence for each one. The evidence should be what a C3PAO or DIBCAC assessor would ask to see: configurations, screenshots, logs, policies, and records, not a checklist of yes/no answers.

2. Scores Itself Using the DoD Assessment Methodology

The NIST SP 800‑171 DoD Assessment Methodology starts every organization at 110 and subtracts points for each requirement that is not fully implemented: 5 points for the highest‑impact requirements, 3 for the next tier, and 1 for the rest. Partial credit (a 3‑point deduction instead of 5) exists for exactly two requirements, multifactor authentication (3.5.3) and FIPS‑validated cryptography (3.13.11). The lowest possible score is −203. A requirement that is still open on your POA&M counts as not implemented; the score reflects the date of the assessment, not your plans. The resulting score, its date, and the scope it covers are entered into the Supplier Performance Risk System (SPRS).

3. Maintains an SSP and POA&M

You must have a System Security Plan (SSP) that accurately describes the in‑scope environment (without an SSP there is nothing to assess against, and the methodology cannot produce a score) and a Plan of Action & Milestones (POA&M) for any open gaps. Under the CMMC rule, a Level 2 self‑assessment with open POA&M items earns only a Conditional status, and only if the score is at least 88 out of 110, no open item is worth more than 1 point (3.13.11 may remain open at 3 points), and none of the handful of 1‑point requirements the rule specifically bars from a POA&M is open. Every POA&M item must then be closed within 180 days, or the Conditional status lapses.

4. Submits an Annual Affirmation

A senior company official (the Affirming Official, in the rule’s terms) must enter an affirmation in SPRS when the self‑assessment is completed, again after any POA&M is closed out, and annually thereafter, stating that the organization continues to meet all the requirements. That affirmation is a certification made to the government, with the legal exposure that implies.

Even when self‑assessment is allowed, the DoD may still assess you through the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to verify your claims, and a DIBCAC result that contradicts your SPRS score is what turns a paperwork problem into a legal one.
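The scoring in step 2 and the POA&M limits in step 3 are mechanical enough to put in code, which makes them easy to sanity‑check before anything is typed into SPRS. The following Python is an added worked example written for this article; it is not DoD, SPRS, or CMMC tooling. Its weight table is a partial excerpt of Annex A of the DoD Assessment Methodology, included as an assumption for illustration and meant to be filled in to all 110 requirements from the current annex, and the Finding class and the sprs_score and poam_eligible functions are the example’s own names. The sample findings at the bottom are constructed.

```python
"""
Scoring helper for the NIST SP 800-171 DoD Assessment Methodology and the
CMMC Level 2 POA&M (Conditional status) rule.

Added worked example for this article, not DoD or SPRS software.  The
WEIGHTS table is a partial excerpt of Annex A of the Assessment
Methodology (an assumption for illustration); populate all 110 entries
from the current annex before relying on it for a real SPRS submission.
"""
from dataclasses import dataclass

MAX_SCORE = 110                 # every requirement implemented
CONDITIONAL_MIN_SCORE = 88      # 80 % of 110: floor for Conditional status

# Partial excerpt of Annex A: requirement id -> points deducted when the
# requirement is NOT implemented.  Extend to all 110 from the annex.
WEIGHTS = {
    "3.1.1": 5, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
    "3.3.1": 5, "3.3.3": 1, "3.5.3": 5, "3.7.1": 3,
    "3.8.4": 1, "3.10.3": 1, "3.11.2": 5, "3.13.11": 5,
    "3.14.1": 5,
}

# Only two requirements allow a reduced (3-point) deduction instead of 5.
PARTIAL_CREDIT = {
    "3.5.3":   "MFA for remote and privileged access, not yet for general users",
    "3.13.11": "CUI encrypted, but not with FIPS-validated cryptography",
}

# 1-point requirements the CMMC rule says may never be left open on a POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Finding:
    """A requirement that is not fully implemented on the assessment date."""
    req: str
    partial: bool = False   # True only for 3.5.3 / 3.13.11 partial credit


def deduction(finding: Finding) -> int:
    """Points to subtract for one finding, per the Assessment Methodology."""
    if finding.req not in WEIGHTS:
        raise KeyError(f"{finding.req}: not in the weight table (extend WEIGHTS)")
    if finding.partial:
        if finding.req not in PARTIAL_CREDIT:
            raise ValueError(f"{finding.req}: partial credit only exists for "
                             f"{sorted(PARTIAL_CREDIT)}")
        return 3
    return WEIGHTS[finding.req]


def sprs_score(findings, ssp_present: bool = True) -> int:
    """Assessment score to enter in SPRS.  Open POA&M items are still findings:
    the methodology scores what is implemented on the assessment date."""
    if not ssp_present:
        # The methodology cannot produce a score without a System Security Plan.
        raise ValueError("no SSP: an assessment cannot be completed")
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_eligible(findings) -> tuple[bool, list[str]]:
    """Can these open findings sit on a POA&M for Conditional Level 2 status?
    Returns (eligible, reasons-why-not)."""
    reasons = []
    score = sprs_score(findings)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below {CONDITIONAL_MIN_SCORE}")
    for f in findings:
        pts = deduction(f)
        if f.req in NEVER_ON_POAM:
            reasons.append(f"{f.req} may never be open on a POA&M")
        elif pts > 1 and not (f.req == "3.13.11" and pts == 3):
            reasons.append(f"{f.req} is worth {pts} points; only 1-point items "
                           f"(and 3.13.11 at 3) may be on a POA&M")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: MFA and FIPS both partial, plus two 1-point gaps.
    sample = [Finding("3.5.3", partial=True), Finding("3.13.11", partial=True),
              Finding("3.3.3"), Finding("3.8.4")]
    print("score:", sprs_score(sample))          # 110 - (3+3+1+1) = 102
    ok, why = poam_eligible(sample)
    print("POA&M eligible:", ok)                 # False: 3.5.3 still costs 3 points
    for r in why:
        print("  -", r)
```

The sample is chosen to show the trap practitioners hit most often: a respectable 102 still cannot be submitted as a Conditional self‑assessment, because partially deployed MFA is a 3‑point item and only 3.13.11 is allowed to stay open at that weight. Remove the 3.5.3 finding and the same organization is eligible, with 180 days to close the rest.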

Why Self‑Attestation Carries Risk

Self‑attestation is faster and less expensive than a third‑party audit, but it comes with real accountability:

  • An affirmation or SPRS score that overstates your posture can trigger False Claims Act liability; this is the theory the Department of Justice has applied to cybersecurity representations under its Civil Cyber‑Fraud Initiative.
  • The DoD can verify you at any time, including through a DIBCAC assessment, and a failed assessment can cost you the status you affirmed and the contracts that depend on it.
  • Your SPRS score must reflect what was actually implemented on the date you entered it, not what you intend to implement; open POA&M items still count against the score, and the affirmation must be refreshed when they close and every year after.

In other words, self‑attestation is not a shortcut — it’s a formal declaration that your organization is truly compliant.

Final Thoughts

Self‑attesting to CMMC Level 2 is possible, but only for a narrow set of contracts. For most organizations handling CUI, a third‑party assessment will eventually be required. Still, understanding the self‑assessment process — and preparing for it — is a smart move no matter what your contract requires.