What are the CMMC assessment types—and which one do you need?
CMMC assessment types determine who evaluates your environment, how results enter SPRS, and whether your organization can bid on certain DoD work.
This guide covers:
- The three assessment pathways under CMMC 2.0
- A decision table by level and contract
- Final vs. conditional outcomes and POA&M rules
Key takeaways
- Level 1 uses annual self-assessment only.
- Level 2 may allow self-assessment or require C3PAO certification—contract decides.
- Level 3 requires C3PAO (final Level 2) plus DIBCAC for Level 3.
- Booking the wrong assessment type is a common eligibility mistake.
CMMC assessment types overview
| Type | Performed by | Typical level |
|---|---|---|
| Self-assessment | Organization | Level 1; some Level 2 |
| C3PAO certification assessment | Authorized third party | Level 2; prerequisite for Level 3 |
| DIBCAC assessment | DCMA Defense Industrial Base Cybersecurity Assessment Center | Level 3 |
All paths rely on accurate scope and defensible evidence.
Which assessment do you need?
| If your contract says… | You likely need… |
|---|---|
| CMMC Level 1 | Annual self-assessment + SPRS |
| CMMC Level 2 (self allowed) | Self-assessment with senior affirmation |
| CMMC Level 2 (C3PAO required) | C3PAO certification assessment |
| CMMC Level 3 | C3PAO final L2 + DIBCAC L3 assessment |
When in doubt, ask the contracting officer or prime’s security team before scheduling assessors.
Assessment outcomes and POA&M
Assessments may result in:
- Final certification at the target level
- Conditional status with a limited POA&M (commonly 180-day closure where permitted)
- Not met, requiring remediation and re-assessment
Self-assessments carry the same affirmation obligations—false attestation creates legal and business risk.
Prepare for any assessment type
SecureSlate standardizes evidence collection so you are ready for self-assessment, C3PAO, or DIBCAC reviews.
FAQ
Can we switch from self-assessment to C3PAO later?
Yes—many organizations self-assess internally then pursue C3PAO when contracts require certification.
How often are assessments repeated?
Level 1: annual self-assessment. Level 2: annual affirmation; certification assessment commonly every three years. Level 3: includes triennial DIBCAC cycles per program rules.
Disclaimer (legal note)
Assessment requirements are defined by DoD policy and your contract. Verify before scheduling.
