Self-Assessment
A self-assessment in the CMMC context means your company evaluates its own cybersecurity practices against the required security controls without an external assessor. For CMMC Level 1, self-assessment is the standard path. For some Level 2 scenarios, self-assessment may also be permitted depending on the contract requirements.
Self-assessment does not mean the process is casual or optional: you must rigorously evaluate each requirement, document your findings, calculate your SPRS score, and submit the results. A senior company official must affirm the accuracy of the assessment, creating personal accountability.
Why It Matters
Self-assessment reduces costs compared to third-party assessment, but it carries the same legal obligations for accuracy. Submitting a false or inflated self-assessment score to SPRS can trigger False Claims Act liability.