Published 19 Oct 2024

CMMC – Self Assessments for Subcontractors

Will Subcontractors Be Able to Self-Assess Their Compliance with CMMC Level 2? Maybe…

Under the CMMC program, prime contractors that are required to meet Level 2 standards for handling Controlled Unclassified Information (CUI) typically must obtain a Final Level 2 (C3PAO) certification assessment. However, in limited cases, the Department of Defense (DoD) may make a risk-based decision to allow self-assessments based on the specific nature of the work and sensitivity of the CUI being shared.

For subcontractors, similar requirements apply. If a subcontractor handles the same CUI as the prime contractor, it too must meet the Level 2 (C3PAO) assessment standard. A self-assessment will not suffice when the prime contractor is required to have a Level 2 (C3PAO) certification. This alignment ensures that both prime contractors and subcontractors provide consistent protection for CUI across the entire supply chain.

Brenda Harper
Content Writer