DoD Says CMMC Level 2 Self-Assessments Are the Exception, Not the Rule
Learn why most DoD contractors must obtain a third-party CMMC Level 2 certification and why self-assessments are generally not an option.
The DoD has finally put an end to speculation. Most contractors will not be able to self-assess for CMMC L2—they will need a third-party certification.
With the release of the official CMMC Implementation Guidance Memo, we now have clear-cut instructions on whether DoD contractors can self-assess for CMMC and who will qualify for waivers.
For those defense contractors hoping to self-assess for CMMC Level 2, here’s the reality check: 70-75%+ of companies handling Controlled Unclassified Information (CUI) will require a third-party certification. Self-assessments will be the exception, not the rule.
Key Takeaways: What This Means for Your Business
- CMMC Level 2 Self-Assessment? Not Happening for Most Companies.
  - If you handle CTI or other DoD-sensitive CUI, you must get third-party certification.
  - The only companies that can self-assess are those dealing with non-defense CUI.
- Certification is the New Norm.
  - Third-party assessments by C3PAOs (Certified Third-Party Assessor Organizations) will be required for almost all Level 2 contractors.
  - Companies need to ensure they are meeting NIST SP 800-171 now.
- Waivers Are Extremely Rare.
  - Even if a waiver is granted for an entire contract, you still have to implement NIST SP 800-171.
  - Subcontractors can't apply for waivers—if a contract requires CMMC, you must comply.
CMMC Level 2 Self-Assessments Aren't Really a Thing
Many contractors held out hope that they would be able to self-assess for CMMC Level 2 instead of undergoing a full-blown third-party assessment. However, the DoD memo makes it crystal clear:
“CMMC Level 2 (Certification) is the minimum requirement when the planned contract will require the contractor (or subcontractors) to process, store, or transmit CUI categorized under the National Archive’s CUI Registry Defense Organizational Index Grouping.”
So, what does that mean for you? If your contract involves handling any of the following types of CUI, self-assessment is off the table—you will need a CMMC Level 2 certification assessment by a C3PAO:
- Controlled Technical Information (CTI)
- DoD Critical Infrastructure Security Information
- Naval Nuclear Propulsion Information
- Privileged Safety Information
- Unclassified Controlled Nuclear Information – Defense (UCNI-Defense)
(For a full list of categories, check the NARA CUI Registry.)
This means that most contractors handling CUI will need to undergo a third-party certification, not self-assess. The only companies that might be eligible for self-assessment are those dealing with CUI that falls outside of the Defense Organizational Index Grouping, such as tax information, archeological data, and other data types that are rare in the defense industrial base.
CMMC Level 2 Certification: The Reality for Most Contractors
For most defense contractors and subcontractors, CMMC Level 2 Certification is now the minimum standard. If your company processes technical data, engineering drawings, configuration management documentation, technical manuals, or anything with Distribution Statements B through F, you will need CMMC Level 2 Certification.
Want to know if your data qualifies as Controlled Technical Information (CTI)? Check out DoDI 5230.24 (PDF), which includes definitions and examples of CTI.
CMMC Waivers? Don’t Count on It.
If you were hoping to avoid CMMC certification through a waiver, we have more bad news. Waivers apply to entire contracts—not individual companies. And even if a contract receives a waiver, you still have to comply with NIST SP 800-171 requirements under DFARS 252.204-7012.
“Waivers are for Contracts, not Companies” - Jacob Horne
There are only ~6 people in the DoD that are able to approve waivers on a contract basis.
According to the memo:
- Waivers for CMMC Level 1? Not happening.
- Waivers for CMMC Level 2 Self-Assessment? Unnecessary—self-assessment is already the baseline.
- Waivers for CMMC Level 2 Certification? Rare and only for unique circumstances (e.g., increasing competition from non-traditional DoD contractors).
- Waivers for CMMC Level 3 Certification? Possible, but not if the contract involves both classified and unclassified information.
If you’re a cleared defense contractor, forget about waivers—they won’t apply to you.
Bottom Line: CMMC waivers are not a loophole for skipping compliance. Even if a waiver is granted, you are still required to meet the underlying NIST SP 800-171 security requirements.
What’s Next? Time to Prepare.
This memo is the final piece of evidence: Certification is coming, and you need to be ready.
The era of self-assessing for CMMC Level 2 is effectively over. If you handle defense CUI, you must get CMMC Level 2 Certification from a third-party assessor—no exceptions.
The upcoming 48 CFR CMMC rule will solidify these requirements in contracts by mid-2025.
What should you do now? Start with the CMMC Pathfinder Tool.
In 5 minutes or less, this free tool will give you a clear path from where you are now to CMMC confidence.
With this tool you'll learn:
- What level of CMMC you need
- What type of technical design you need
- Which version of Microsoft is ideal for you
- Whether or not you should have a Managed Service Provider
- How you should be preparing for your CMMC assessment
- Cost estimations for CMMC