Your CMMC Self-Assessment Checklist

Working as a contractor with the US Department of Defense (DoD) can provide lucrative short- and long-term opportunities for partnering companies. But it also requires strict adherence to multiple cybersecurity frameworks. The most recent of these, which has an ongoing roll-out, is the new Cybersecurity Model Maturity Certification (CMMC) framework. This framework is presided over by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD-A&S).

Compliance can be challenging, especially for newcomers to the Defense Industrial Base (DIB) sector. To get started on your journey toward compliance, read on for a CMMC self-assessment checklist.

Your CMMC Self-Assessment Checklist

Consistent, lucrative work with the DoD will only be available to companies that achieve “preferred contractor” status. And CMMC compliance is one of many hoops you’ll need to jump through for that because it proves that you’re protecting sensitive cases of information to the Defense Federal Acquisition Regulation Supplement (DFARS) specifications. In this guide, we’ll break down everything you need to know about CMMC assessment in two primary sections:

First, we’ll explain the CMMC self-assessment guides available from the OUSD(A&S), including differences between self- and full-assessments and scoring methodologies.

Then, we’ll explain the entire CMMC framework, including all its Levels, Domains, and Practices, to establish a clear checklist for your self-assessment and certification.

By the end of this blog, you’ll be well on your way to assessment, certification, and DoD preferred contractor status. But first, let’s address a significant consideration.

Is there Self-Certification for CMMC Compliance?

At present, there is no mechanism in place for companies to self-certify their compliance with CMMC. Self-assessment is a best practice that has no bearing on eventual DoD contractor status. This departure from prior compliance frameworks that inform the CMMC, such as NIST SP 800-171, codifies assessment methodologies for basic self-assessment. Even within that context, however, self-assessments only grant “low” confidence in assessed scores.

For CMMC, self-assessment is not required, nor can it grant any form of CMMC certification.

Nevertheless, the OUSD(A&S) encourages companies who need CMMC certification to self- assess before their full, third-party assessment. It’s a valuable tool to help companies gauge how much work is necessary to achieve full compliance. But this self-assessment will never lead to full certification in and of itself. For that, you’ll need to work with a qualified assessor (see below).

CMMC Assessment Methodologies and Guides

The CMMC doesn’t comprise unique controls that the OUSD(A&S) fabricated. Instead, it compiles controls and approaches from other frameworks formerly or still required for DoD contractors. As a result, much of its assessment methodology adapts or fully re-uses the methods from these other frameworks. For example, CMMC encapsulates all of NIST SP 800-171, and the assessment of these controls comes from NIST’s SP 800-171A.

From the CMMC Models and Assessment Guides page, stakeholders can download the current version of CMMC, published in March 2020 (CMMC Version 1.02), and two assessment guides:

• The CMMC Level 1 Assessment Guide Volume 1.10, published in November of 2020
• The CMMC Level 3 Assessment Guide Volume 1.10, also published November 2020

Levels 4 and 5 do not have assessment guides publicly available yet as companies are not yet expected to have these controls in place. No guide is presently available for Level 2 since it functions as a preparatory transition to the third level. Companies may use the Level 3 guide even at Level 1, as it includes Processes that are not measured at Level 1 (see below).

CMMC Assessment Criteria and Scoring Systems

In assessing a company’s implementation of the CMMC framework, an assessor (the company or a third-party) will set objectives for controls or practices to test and criteria based on the source (NIST protocols for NIST-based controls). Then, the assessor tests relevant software and hardware settings, examines procedures in real-time, and interviews individuals.

For all practices tested, there are three possible findings:

Met – The contractor is found to be meeting all requirements for the practice as laid out in the CMMC framework, and the assessor provides appropriate evidence to support this.
Not Met – The contractor does not meet all requirements for the practice as laid out in the CMMC framework, and the assessor describes the lack or flaws to support this.
Not Applicable – The contractor is exempt from implementing the practice, and the assessor must provide an explanation and documentation to support why this is the case.

In the case of a self-assessment, your company should produce accurate findings, even if they are all or mostly “Not Met” — hold yourself accountable the way an external assessor will. An honest assessment will allow your company to improve enough to meet official certification standards.

Also Read: Your Complete CMMC Assessment Guide

Who is Responsible for Full CMMC Assessments?

If self-assessment is merely a best practice and not a required scaffold on the way to full compliance, this begs the question: who conducts the actual assessment that will grant certification? The CMMC Accreditation Body (CMMC-AB) is responsible for giving third-parties clearance to assess companies and award CMMC certification.

There is more than one level of qualified assessor accredited by the CMMC-AB, but the most critical category to understand is Certified Third-Party Assessor Organizations (C3PAOs). These are cybersecurity service providers who, by passing rigorous CMMC-AB licensing exams and meeting other requirements, can certify that other companies are ready for DoD contracts.

The CMMC also partners with the C3PAOs to list and match them with companies seeking compliance. The best C3PAOs are those that will work with your company on all stages of CMMC compliance, from architecture planning through implementation, such as RSI Security.

CMMC Framework: Levels, Domains, Practices

Assessment is the final element of CMMC compliance. This guarantees to the DoD and other stakeholders that your company deserves contracts because it can keep protected data safe. Before a successful assessment grants certification, your company will need to implement all of the required controls across the CMMC Framework. As noted above, many of these come from other frameworks and regulatory documents, such as DFARS and NIST SP 800-171. These are informed by more baseline tests like NIST’s Cybersecurity Framework (CSF).

Many of the assessment methodologies and protocols are adapted from those of prior frameworks, and the same goes for much of the CMMC framework overall. For example, several “Domain” names are identical to analogous NIST “Requirement Families.”

What is unique about the CMMC, however, is the way it facilitates its implementation through a gradual progression of maturity, at five thresholds called “Maturity Levels.” Let’s take a closer look at each one before poring through all the controls across its various Domains.

CMMC Maturity Levels, Focuses, and Process Goals

Companies that are seeking DoD contracts will eventually need to implement all of the CMMC framework in its entirety, with the exception of exempt Practices. Luckily, this wide-scale adoption can happen in five successive steps, labeled Maturity Levels. Each level has a distinct focus and new Practices along with a distinct “Process Maturity” goal.

The breakdown of Maturity Levels and their respective focuses and goals are as follows:

• Maturity Level 1 – This level focuses on safeguarding Federal Contract Information (FCI), with 17 Practices for “basic cyber hygiene” and a Process Maturity goal of performance.
• Maturity Level 2 – This level focuses on transitioning to full FCI protection at Level 3, with 55 new Practices for “intermediate cyber hygiene” and Process Maturity requiring documentation.
• Maturity Level 3 – This level focuses on full implementation of NIST SP 800-171 and more, with 58 new Practices for “good cyber hygiene” and Process Maturity requiring management.
• Maturity Level 4 – This level focuses on protecting against Advanced Persistent Threats (APTs), with 26 new Practices that are “proactive” and Process Maturity requiring regular review.
• Maturity Level 5 – This level focuses on the most complex FCI and APT protections, with 15 new “Advanced” or “Progressive” Practices and a Process Maturity goal of ongoing “optimizing.”

Process Maturity measures the extent of institutionalization for all Practices across all personnel and departments at the company, a comprehensive measure that complicates the “Met” criteria.

CMMC Security Domains, Capabilities, and Practices

The entire framework of the CMMC is best understood through its 17 security Domains, which are roughly analogous to NIST SP 800-171’s Requirement Families. The Domains house 43 Capabilities, which are fleshed out across 171 Practices (similar to NIST’s Requirements).

In all, the interlocking matrix of Domains, Capabilities, and Practices breaks down as follows:

• Access Control (AC) – Four Capabilities and 26 Practices focus on limiting access to sensitive information through strict identification requirements, detailed below (IA).
• Asset Management (AM) – Two Capabilities and two Practices focus on identifying and monitoring physical and virtual assets essential to protecting sensitive data.
• Audit and Accountability (AU) – Four Capabilities and 14 Practices focus on audits conducted internally and externally to guarantee accountability across staff at all levels.
• Awareness and Training (AT) – Two Capabilities and five Practices focus on the schedule and contents of regular and special event training programs to ensure staff awareness.
• Configuration Management (CM) – Two Capabilities and 11 Practices focus on removing all vendor-supplied security settings to be replaced by more robust options.
• Identification and Authentication (IA) – One Capability and 11 Practices focus on building an identity and access management program to optimize access control.
• Incident Response (IR) – Five Capabilities and 13 Practices focus on the systematic response to hacks, attacks, and all cybersecurity incidents in real-time (see RE below).
• Maintenance (MA) – One Capability and six Practices focus on the schedule and protocols for both regular and special event maintenance of hardware and software.
• Media Protection (MP) – Four Capabilities and eight Practices focus on protecting media devices and removing traces of sensitive data prior to disposal, transport, etc.
• Personnel Security (PS) – Two Capabilities and two Practices focus on recruitment, hiring, onboarding, retention, promotion, demotion, and termination measures for staff.
• Physical Protection (PE) – One Capability and six Practices focus on physical and proximal protections for individual devices and workspaces connected to sensitive data.
• Recovery (RE) – Two Capabilities and four Practices focus on both short- and long- term efforts to mitigate the damage done by attacks and recover compromised information.
• Risk Management (RM) – Three Capabilities and 12 Practices focus on the efficacy of preventative threat and vulnerability management and overall risk mitigation strategies.
• Security Assessment (CA) – Three Capabilities and eight Practices focus on regular assessments to produce, analyze, and mobilize threat and cybersecurity intelligence.
• Situational Awareness (SA) – One Capability and three Practices focus on specific awareness thresholds and relevant training tailored to the company’s unique positionality.
• Systems and Communications Protection (SC) – Two Capabilities and 27 Practices focus on safeguarding points of communication in all internal and external networks.
• System and Information Integrity (SI) – Four Capabilities and 13 Practices focus on the overall efficacy and proper functioning of security architecture, free from known flaws.

Adopting all 171 Practices up to the Process Maturity goals detailed above is challenging for all but the biggest and most well-funded IT departments. Just as with assessment, bringing in a third-party to help your company with implementation is the best way to get it done correctly.

Professional CMMC Compliance Advisory Services

Returning to where we began, it’s critical to understand CMMC self-assessment as one small step in a larger third-party assessment process rather than a direct route to compliance. If your company is hoping to secure DoD contracts and preferred status, self-assessment is not required, but it can be extremely helpful in understanding what controls you need to implement before an actual, CMMC-AB approved C3PAO (like RSI Security) runs a full assessment.

This CMMC self-assessment checklist is one of many CMMC resources and services that RSI Security provides to current and prospective DoD contractors. Our suite of CMMC compliance advisory services also includes comprehensive managed IT and security, with offerings tailored to the specific needs and means of your company. Our experts can help you build out security architecture up to DFARS standards, manage patchwork needed, and perform assessment. No matter where you are on your journey toward compliance, we can help — contact us today!

Download

---

---

Prepare for Certification With Clarity, Not Guesswork

CMMC 2.0 is reshaping how defense contractors protect sensitive data, and how they demonstrate compliance. For organizations across the Defense Industrial Base (DIB), the pressure to meet evolving requirements is increasing, especially as formal third-party assessments approach. A CMMC self-assessment removes much of the uncertainty from the process. Instead of reacting at the last minute, organizations can proactively evaluate their security posture, understand where they stand against CMMC requirements, and plan remediation with confidence.

In this guide, we explain how CMMC self-assessments fit into the broader certification process, what they can and cannot accomplish, and how to use them to uncover compliance gaps and accelerate readiness, without confusion or wasted effort.

What Is a CMMC Self-Assessment?

A CMMC self-assessment is an internal evaluation of your organization’s cybersecurity posture against the Cybersecurity Maturity Model Certification (CMMC) framework. It helps defense contractors determine whether required security practices are properly implemented before facing a formal assessment.

Under CMMC 2.0, self-assessments may be permitted for Level 1 organizations. However, they do not replace the independent third-party assessments required for Level 2 and Level 3 certification.

A self-assessment does not result in official certification. Instead, it provides internal visibility into your current controls, highlights compliance gaps, and identifies what must be addressed before an authorized third party conducts an assessment.

Can Organizations Self-Certify Under CMMC?

No. Under CMMC 2.0, organizations cannot self-certify.

Formal CMMC certification requires an assessment pathway defined by Department of Defense (DoD) rulemaking and enforced through contract language. While Level 1 organizations may be permitted to complete annual CMMC self-assessments, these reviews do not result in certification and are not valid for contracts that require Level 2 or Level 3 compliance.

A CMMC self-assessment is a readiness and gap-analysis tool, not an authorization mechanism. Organizations that confuse internal reviews with official credentials, or overstate their readiness, face significant risk once formal third-party audits begin.

 

Why CMMC Self-Assessments Still Matter

Even though they do not result in certification, CMMC self-assessments play a critical role in compliance preparation.

They enable organizations to proactively identify gaps against NIST SP 800-171 Rev. 2—the foundation of CMMC Level 2 requirements, while validating that policies, procedures, and technical controls are fully aligned. This early visibility reduces the risk of surprises during a formal assessment and helps teams allocate time and resources more effectively.

A CMMC self-assessment also provides a structured way to prioritize remediation, particularly when CMMC requirements are tied to near-term contract obligations.

When conducted correctly, self-assessments reduce uncertainty, improve audit readiness, and accelerate the path toward CMMC compliance.

What Is Evaluated During a CMMC Assessment?

CMMC does not reinvent cybersecurity, it formalizes the controls already required under NIST SP 800-171.

For CMMC Level 2, assessments are based on two key standards:

• NIST SP 800-171 Rev. 2 – Defines the required security practices
• NIST SP 800-171A – Provides guidance on how to evaluate those practices
  

During an assessment, the evaluator, whether an internal team performing a self-assessment or a Certified Third-Party Assessment Organization (C3PAO), examines three categories of evidence:

1. Documentation – Policies, procedures, System Security Plan (SSP), and Plan of Action and Milestones (POA&M)
2. Objective Evidence – Screenshots, system logs, access configurations, asset inventories
3. Interviews & Demonstrations – Confirmation that documented controls are consistently applied
   

Each practice is scored as:

• Met – Fully implemented and supported by clear evidence
• Not Met – Missing, incomplete, or inconsistently applied
• Not Applicable – Out of scope with proper justification
  

Honest internal self-assessments are essential. Overstating readiness or inflating compliance can create significant risk when a formal assessment occurs.

Who Performs Official CMMC Assessments?

Official CMMC Level 2 assessments can only be conducted by Certified Third-Party Assessment Organizations (C3PAOs) authorized by The Cyber AB. These assessors follow strict guidelines to ensure independence, proper evidence handling, and impartiality.

If your organization works with an advisory or readiness partner, note that the same partner cannot serve as your assessor due to conflict-of-interest rules.

Always verify that any C3PAO is currently authorized and listed by The Cyber AB before engaging them for an assessment.

Understanding the CMMC 2.0 Framework

CMMC 2.0 streamlines the previous five-tier model into  distinct levels of cybersecurity maturity, each aligned with the type of information your organization handles and the associated risk of your contracts.

Level 1 – Foundational

• Designed for organizations managing Federal Contract Information (FCI) only
• Includes 17 practices focused on basic cyber hygiene
• Annual self-assessments are permitted

Level 2 – Advanced

• Applies to most Defense Industrial Base (DIB) contractors handling Controlled Unclassified Information (CUI)
• Aligns with 110 controls from NIST SP 800-171
• Requires a third-party assessment, unless the contract allows self-attestation

Level 3 – Expert

• Reserved for organizations supporting high-priority national security programs
• Incorporates NIST SP 800-172 controls to defend against advanced persistent threats (APTs)
• Assessed by government-led teams

For most contractors, CMMC Level 2 readiness is the primary goal, especially as more contracts are expected to include CMMC compliance requirements in 2026.

CMMC Domains and Practice Areas

CMMC Level 2 practices are organized into 14 cybersecurity domains, each covering critical aspects of information security for Defense Industrial Base (DIB) contractors. Key domains include:

• Access Control
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Risk Management
• System and Information Integrity
• …and others
  

Each domain encompasses both technical safeguards and institutionalized processes. It is not enough to simply implement controls, you must also demonstrate that they are consistently applied and supported by repeatable documentation.

CMMC Self-Assessment Readiness Checklist

Use the following questions to guide your internal CMMC self-assessment:

If you are unsure about any item in the checklist, start your remediation efforts there to close gaps before a formal assessment.

Best Practice: Every finding in your self-assessment should be mapped to:

• A specific CMMC control
• The associated asset or system
• A designated owner responsible for remediation

Following this approach ensures that your self-assessment is structured, actionable, and audit-ready.

CMMC Readiness Is a Journey, Not a Checkbox

A CMMC self-assessment is not a one-time task. It is part of an ongoing process that strengthens the long-term maturity of your cybersecurity program.

To achieve full CMMC readiness, your organization should focus on:

• Clear, defensible documentation
• Technical controls that accurately reflect your environment
• Repeatable processes supported by consistent evidence
• Remediation tracking and POA&Ms tied to deadlines
• Independent assessment when required
  

CMMC compliance is more than passing an audit—it’s about establishing a sustainable cybersecurity posture that your team can maintain and defend under operational pressure.

How RSI Security Supports CMMC Preparation

RSI Security provides end-to-end support for organizations pursuing CMMC compliance, including:

• CMMC readiness assessments aligned to NIST SP 800-171
• Detailed gap analysis and prioritized remediation roadmaps
• Assistance developing and validating System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms)
• Ongoing vCISO advisory to strengthen governance and risk management
• Conducting official Level 2 assessments as a Certified C3PAO

With RSI Security, your organization doesn’t just prepare, it prepares responsibly. By combining AI-powered insights with human-led guidance, we help your team navigate the CMMC process with clarity, from initial self-assessment through full certification.

Let’s Build a Defensible Path to CMMC Certification

CMMC requirements are increasingly appearing in contracts, and timelines for compliance are accelerating. Whether your organization needs help conducting a CMMC readiness review or preparing for a third-party assessment, RSI Security provides the expertise and guidance to move forward with confidence.

Next Steps:

• Contact RSI Security to discuss tailored support for your compliance journey
  

With RSI Security, you’re not just preparing—you’re building a defensible, audit-ready cybersecurity program that stands up to formal assessments.

Download Our CMMC Checklist