The Question Every Defense Contractor Is Getting Wrong
If you handle Controlled Unclassified Information (CUI) under a Department of Defense contract, you have almost certainly heard conflicting advice about what your NIST SP 800-171 assessment actually needs to look like. Some contractors believe a quick internal review is all that is ever required. Others assume that CMMC is already mandatory and that a third-party audit is already knocking at the door. Neither picture is fully accurate, and the gap between perception and regulatory reality creates serious contract risk.
This post breaks down what the rules actually require today, when a NIST 800-171 self-assessment is sufficient, when a third-party assessment becomes mandatory, and how to make sure your organization is positioned correctly in either scenario.
The Baseline Rule: DFARS 252.204-7019 and the SPRS Requirement
The foundation of current DoD cybersecurity requirements for contractors is DFARS 252.204-7012, which mandates adequate security for covered defense information, and the more recent DFARS 252.204-7019, which requires contractors to conduct a self-assessment against all 110 controls in NIST SP 800-171 and submit a resulting score into the Supplier Performance Risk System (SPRS) before contract award.
Under this framework, a self-assessment is not optional. It is a contract eligibility requirement. If your SPRS score is not posted, you are not eligible for most DoD contracts that involve CUI. What the regulation does not currently mandate for most contractors, however, is that the assessment be conducted or validated by an independent third party. For now, the self-assessment model still governs the majority of the defense industrial base.
For a detailed look at how NIST SP 800-171 has evolved and what Revision 3 changes, read our post on NIST SP 800-171 Revision 3 and its implications for CUI protection.
What a Legitimate Self-Assessment Actually Requires
A common mistake is treating the self-assessment as a checkbox exercise. The assessment procedures in NIST SP 800-171A and the DoD Assessment Methodology are specific about what is required. The assessment must:
- Evaluate each of the 110 security requirements across 14 control families
- Assign point values according to the DoD scoring methodology (which begins at 110 and deducts points for each unmet control)
- Be documented and supportable — meaning you must be able to show your work if audited
- Be accompanied by a System Security Plan (SSP) describing the scope, environment, and status of each control
- Include a Plan of Action and Milestones (POA&M) for any controls not yet fully implemented
Submitting an inflated or unsupported score into SPRS is not simply a compliance gap — it is a potential False Claims Act liability. DoJ has pursued contractors under the Civil Cyber-Fraud Initiative specifically for misrepresenting SPRS scores. Understanding how to score correctly is not an administrative detail; it is a legal matter.
Our post on calculating your SPRS score correctly provides a practical walkthrough of the DoD scoring methodology. For a broader look at the documentation requirements that support any defensible assessment, see our guide to SSP and POA&M as critical components of a strong security program.
When Does a Third-Party Assessment Become Required?
This is where CMMC enters the picture. The Cybersecurity Maturity Model Certification program, now codified in the final CMMC rule published in October 2024, introduces mandatory third-party certification for contractors at certain risk levels. Here is how it breaks down:
CMMC Level 1 — Annual Self-Assessment
Contractors who handle only Federal Contract Information (FCI) and are not required to protect CUI fall under CMMC Level 1. Level 1 requires an annual self-assessment and affirmation by a senior company official. No third-party assessor is required.
CMMC Level 2 — Third-Party Assessment Required for Most
Contractors who handle CUI and are subject to NIST SP 800-171's full 110-control requirement fall under CMMC Level 2. For the vast majority of Level 2 contractors, a triennial assessment by an accredited C3PAO (Certified Third-Party Assessment Organization) is required. A limited subset of Level 2 contractors — those assessed by DoD as handling lower-priority CUI — may be permitted to self-attest at Level 2, but this determination rests with the contracting agency, not the contractor.
CMMC Level 3 — Government-Led Assessment
Level 3 applies to contractors supporting DoD's most critical programs. It requires a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and encompasses additional controls drawn from NIST SP 800-172.
CMMC requirements are being phased into contracts incrementally. Contractors should be evaluating their contract pipeline now to determine when CMMC clauses will apply to them. For a practical guide to what this means operationally, see our post on how to prepare for your CMMC audit.
The Practical Difference Between Self-Assessment and Third-Party Assessment
Beyond the regulatory trigger, there are meaningful operational differences between conducting a self-assessment and undergoing a third-party assessment.
A self-assessment is conducted by your own personnel or with the help of a compliance consultant who assists you in evaluating your environment. It gives you control over timing, scope framing, and remediation sequencing. The risk is that internal bias — whether intentional or not — can lead to scoring errors that inflate your apparent posture. These errors can be catastrophic if DIBCAC or a contracting officer scrutinizes your submission.
A third-party assessment conducted by an accredited C3PAO is independent, structured around a formal assessment plan, and results in a certification that carries regulatory weight. It is more demanding in terms of preparation, documentation, and resource investment — but it provides a defensible, credible record of compliance that a self-assessment cannot replicate.
Whether you are pursuing self-assessment or preparing for a C3PAO engagement, our team provides CMMC, CUI, and DFARS compliance services designed to close gaps before an assessor finds them.
Common Self-Assessment Errors That Create Contract Risk
In working with defense contractors across the manufacturing, aerospace, and technology sectors, we consistently see the same categories of self-assessment failures:
- Scoring controls as fully implemented when a POA&M exists. If a control has open remediation items, it does not score as fully met under the DoD methodology.
- Scoping the assessment too narrowly. If a system processes, stores, or transmits CUI — or provides security protection for such a system — it is in scope. Excluding assets to simplify the assessment is a common and risky mistake.
- Conflating documentation with implementation. A policy that describes a control does not satisfy the control unless the described practice is actually in place and operating effectively.
- Failing to reassess after significant changes. System changes, personnel changes, and new services can change your compliance posture. Assessments are not one-time events.
- Not having a qualified reviewer check the math. SPRS scoring involves specific point deductions that are easy to miscalculate.
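The scoring described above (a score that starts at 110 and loses points for each unmet requirement) and the first and last errors in this list can be checked mechanically. The following is an added example, not Cleared Systems code or the DoD's own tooling: it scores a constructed sample assessment using the DoD Assessment Methodology's weighting (1, 3 or 5 points per requirement, partial credit only for 3.5.3 and 3.13.11, floor of -203), treats any requirement with an open POA&M as not met, and lists the entries a reviewer should question. The per-requirement weights in the sample are assumptions to be confirmed against the methodology's table.

```python
from dataclasses import dataclass

MAX_SCORE = 110    # all 110 requirements implemented
MIN_SCORE = -203   # none implemented (sum of every weight)
# Only these two requirements earn partial credit in the methodology:
# MFA in place for remote and privileged but not general users, and
# encryption in use but not FIPS-validated, each deduct 3 instead of 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

@dataclass
class Requirement:
    req_id: str
    weight: int              # 1, 3 or 5 from the methodology's weighting table
    status: str              # "implemented", "partial" or "not_implemented"
    poam_open: bool = False  # an open remediation item against this requirement

def deduction(req: Requirement) -> int:
    """Points lost for one requirement. An open POA&M never scores as met."""
    if req.status == "implemented" and not req.poam_open:
        return 0
    if req.status == "partial" and req.req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.req_id]
    return req.weight        # "partial" anywhere else is simply not implemented

def sprs_score(reqs: list[Requirement]) -> int:
    """110 minus weighted deductions, floored at -203. A real assessment lists
    all 110 requirements; anything omitted here is treated as implemented."""
    return max(MIN_SCORE, MAX_SCORE - sum(deduction(r) for r in reqs))

def review_flags(reqs: list[Requirement]) -> list[str]:
    """Entries a reviewer should question before the score goes into SPRS."""
    flags = []
    for r in reqs:
        if r.status == "implemented" and r.poam_open:
            flags.append(f"{r.req_id}: marked implemented but POA&M still open")
        if r.status == "partial" and r.req_id not in PARTIAL_CREDIT:
            flags.append(f"{r.req_id}: no partial credit, full weight deducted")
    return sorted(flags)

# Constructed sample assessment: statuses are illustrative, and the weights
# are assumed values that must be confirmed against the methodology's table.
SAMPLE = [
    Requirement("3.1.1", 5, "implemented"),
    Requirement("3.1.5", 3, "partial"),                      # not eligible: -3
    Requirement("3.3.1", 5, "implemented", poam_open=True),  # -5
    Requirement("3.5.3", 5, "partial"),                      # MFA partial: -3
    Requirement("3.5.7", 1, "not_implemented"),              # -1
    Requirement("3.13.11", 5, "partial"),                    # FIPS partial: -3
]
```

Running `sprs_score(SAMPLE)` yields 95, and `review_flags(SAMPLE)` reports the two entries (3.1.5 and 3.3.1) that a contractor scoring by hand is most likely to have credited incorrectly.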
For more on the self-assessment errors that put SPRS scores at risk, see our post on 5 self-assessment errors that result in inflated SPRS scores and contract risk.
What the Rules Require: A Practical Summary
- All DoD contractors with CUI obligations must conduct a NIST SP 800-171 self-assessment, document results in an SSP and POA&M, and submit a score to SPRS. This is a current, active obligation.
- CMMC Level 1 contractors must self-assess annually and have a senior official affirm compliance. No C3PAO required.
- CMMC Level 2 contractors will generally require a triennial C3PAO assessment as CMMC clauses are phased into contracts. Some may qualify for self-attestation at agency discretion.
- CMMC Level 3 contractors require a DIBCAC-led government assessment and must also meet NIST SP 800-172 requirements.
The transition period matters. Even before CMMC clauses appear in your specific contracts, your SPRS score and the documentation behind it are already being evaluated by contracting officers. Getting this right now — not after a contract dispute arises — is the only defensible posture.
Our federal and SLED risk assessment services are designed to give contractors an independent, expert-supported view of where they actually stand against NIST SP 800-171, before that assessment comes from a contracting officer or DIBCAC.
Should You Bring in Outside Help for a Self-Assessment?
Engaging an outside compliance consultant to support your NIST 800-171 self-assessment does not make it a third-party assessment in the regulatory sense. What it does is reduce the risk of scoring errors, documentation gaps, and scope blind spots that create liability. A consultant working alongside your team can stress-test your control implementations, validate your SSP, and help you build a POA&M that demonstrates credible forward progress rather than indefinite deferral.
If you are uncertain whether your current self-assessment methodology would hold up to scrutiny, that uncertainty is itself a signal worth acting on. Our regulatory vCISO services provide ongoing expert oversight for contractors who need consistent, senior-level compliance guidance without the cost of a full-time hire.
Take the Next Step Before Your Contracting Window Closes
The line between a compliant SPRS submission and a False Claims Act exposure is thinner than many contractors realize. Whether you need to validate an existing self-assessment, prepare for an upcoming C3PAO audit, or understand where your program stands today, Cleared Systems can help. Request a quote to speak with our team about your current NIST SP 800-171 posture and what it will take to keep your contracts protected.
