
There is a misconception that self-assessment is an easy button. While most Level 2 organizations will require an assessment administered by a C3PAO organization, Level 1 and some Level 2 organizations are "only" required to self-assess.
Is a self-assessment less stringent, and does it require less effort from the organization seeking certification (OSC) than an assessment administered by a C3PAO at Level 2? What is at stake if you get it wrong?
If you are a Level 2 organization, whether you are required to self-assess or undergo a C3PAO-administered assessment, the only real difference is who verifies your implementation. Think this is a job for the IT guy or gal? Think again. CMMC validates how CUI is safeguarded throughout the organization, despite the misleading name of the program.
In both assessment scenarios, the OSC must meet the same 320 objectives and produce the same artifacts, such as:
- A current System Security Plan (SSP) that describes your security boundary, the information environment, system connections, and how everything ties to your policies and procedures.
- Screen captures, diagrams, policies, and procedures.
- A Plan of Action & Milestones (POA&M) to correct deficiencies, with real milestones and dates for remediation within 180 days.
- Evidence and artifacts, which will need to be stored for 6 years.
- An affirmation by a senior executive in the organization of ongoing compliance and of the SPRS score.
Self-attestation isn’t an easy workaround; it simply allows you to act as your own assessor using the same criteria an assessor would cover. Get this wrong and you'll pay the price.
Unfortunately, some organizations have learned this the hard way.
Maintain Evidence at the Ready
A self-assessment carries more risk for the OSC than a C3PAO assessment, because your organization bears all of the risk. C3PAOs are staffed with specially trained assessors. Be informed: follow the same procedures a C3PAO assessor would follow in the course of a certifying or mock assessment. The Level 2 Assessment Guide is here for your reference.
Keep in mind that at any time you may be required to produce evidence from your self-assessment to validate its accuracy. All artifacts will need to be stored for 6 years.
An Expensive Lesson
Self-assessing without evidence is a quick path to a possible False Claims Act (FCA) legal action. Penalties stack up per violation and can easily reach millions of dollars. Many cases also include damages and ongoing settlement obligations to remedy. There is even the possibility of the affirming official facing civil prosecution.
A few examples so far:
- $1.75M for failing to comply with cybersecurity requirements in an Air Force contract (Department of Justice).
- $8.4M for non-compliance with DoD cybersecurity requirements (Department of Justice).
- $11.2M in a TRICARE-related case where the company allegedly falsely attested to compliance with multiple controls, described as the largest cybersecurity-related FCA settlement to date in 2025 (Gibson Dunn).
Courts and the DOJ are reinforcing that the FCA has teeth and carries significant consequences for anyone who does not uphold their end of the bargain.
Avoiding a False Claims Act Action
Here are some ways to avoid the fines and penalties.
- Write a real SSP. Avoid a boilerplate or templated checklist. Describe your organization's boundary, unique data flows, external connections, and how they tie into your policy and process documents. Explain HOW each requirement is implemented. Don't forget to keep the SSP up to date.
- Consider engaging subject matter experts from outside the organization. Contract a C3PAO to run a mock assessment: they will work with your team, using the SSP to review your collected document package, interview staff, and test processes against your policies as if it were a real assessment, just without reporting the score. At the end you will have detailed insight into where your organization would not meet the requirements at the objective (most detailed) level. With that report, the OSC can quickly focus its POA&M remediation efforts.
- Build any POA&Ms with milestones you can meet, not an open-ended "to-do" list. Also detail resource estimates and dates. You don't want any open POA&Ms at the time of your assessment.
- Don't let your security posture drift. Reaffirm your ongoing compliance with monthly risk assessment meetings so your annual assessment is practically a non-event, and the senior executive in the organization can sign their name with integrity and less stress!
The Million-dollar Takeaway
Self-attestation doesn't lower the bar for compliance. While a self-assessment at Level 1 has fewer requirements, each of them must be fully "met." Whether you self-assess at Level 2 or work with a C3PAO, you're expected to meet the same requirements; only the assessor differs.
Reach out to us today to learn more about our Assessment Services!
