
    The Myth of a CMMC Grace Period

    Understand the reality behind CMMC Level 2 self-assessment myths. Contractors should prepare for certification early to avoid compliance issues.


    There’s a rumor floating around the DIB: once the CMMC acquisition rule hits, you’ll get a full year to self-assess at Level 2. No pressure. No audits. Just check the boxes, save some money, and revisit certification in 12 months during Phase Two. 

    Well, that’s not how we’re reading the policy, and you shouldn’t either. Let’s unpack what’s actually written in the rule using three publications that come straight from the DoW’s mouth: 

    • 32 CFR 170, the program rule that went into effect at the end of 2024.  
    • The January 2025 DoW memo that gives program managers a guide for determining whether Level 2 certification is required.  
    • The July 2025 DoW memo reminding acquisition teams not to get ahead of the phased rollout.  

    What the Rule Actually Says about CMMC Level 2 Self-Assessments 

    Here’s the key passage in 32 CFR 170.3(e): when the CMMC acquisition rule becomes effective on November 10, 2025, we enter Phase One of a four-phase rollout. Phases One through Three each last one year; Phase Four is full implementation.  

    In Phase One, the DoW intends to allow Level 1 and Level 2 self-assessments for applicable contracts. That’s where the myth gets its footing. 

    But that same section also says the DoW may require a Level 2 C3PAO certification instead of a self-assessment at its discretion. 

    That’s the critical word: discretion. 

    The rule doesn’t say, “No certification requirements allowed in contracts during Phase One.” It says most applicable contracts will be based on self-assessments, not all of them. If there were a blanket moratorium on certifications, the DoW wouldn’t need to monitor how PMs use their discretion. You don’t need to monitor something that can’t happen. 


    So… Who Has Discretion over CMMC Self-assessment Requirements? 

    Program managers have discretion to include CMMC status requirements or rely on existing DFARS 7012 requirements. That’s straight from the rule’s preamble and reinforced in a January 2025 DoW memo. That memo gives PMs a guide for determining whether Level 2 certification is required. 

    And here’s the important part: 

    If your contract involves sensitive CUI such as Controlled Technical Information (CTI), Naval Nuclear Propulsion Information (NNPI), or Unclassified Controlled Nuclear Information (UCNI), the memo says certification is the minimum requirement. 

    In other words, if you handle certain kinds of CUI, PMs are encouraged (and arguably expected) to require Level 2 certification—even in Phase One. 

    The July Memo Affirms the DoW’s Stance on CMMC Self-Assessments 

    The July 2025 memo simply reminds acquisition teams not to jump ahead of the phased rollout in a way that hurts competition. But it reaffirms that some contracts can require higher assessments early. 

    Translation: discretion still applies. 

    What About the Prime Contractors? 

    Even if your government customer doesn’t require certification early, your prime contractor might. 

    Big primes like Lockheed Martin, Raytheon, or Northrop Grumman manage massive, complex supply chains full of sensitive CUI. They’re not going to wait until 2026 to start reducing risk. 

    Once certifications are allowed in Phase One—and they will be—primes can (and likely will) flow down certification requirements to their subs. 

    If you're a sub, don’t assume you’ll hear about this from the government. You’ll likely find out when a prime updates its supplier requirements and you’re suddenly non-compliant. 

    Questions You Should Be Asking 

    You don’t need to panic—you need to assess your risk. Ask yourself: 

    • Will this program involve sensitive CUI categories? 
    • Is my DoW customer cybersecurity-conscious or conservative? 
    • Is this contract in a high-risk mission area (e.g., space, aviation, nuclear, missile defense)? 
    • Am I a subcontractor for a prime with strict flow-down requirements? 

    If the answer to any of those is yes, don't bet on a self-assessment grace period. You’re betting against the policy as it’s written and how it’s likely to be interpreted. 

    What Should Contractors Do Now? 

    Here’s the guidance we’re giving every client: 

    Stop repeating the myth. There’s no blanket delay on certifications in Phase One. Discretion exists, and DoW provided a clear rubric pointing to certification for some CUI. 

    Build to certify, not just to self-assess. A Level 2 self-assessment and a Level 2 C3PAO certification measure the same 110 NIST SP 800-171 requirements; what differs is who does the assessing and how much objective evidence you have to produce. If you prepare to the standard of evidence a C3PAO will demand, you meet the self-assessment bar by default. The reverse is not true. 

    Engage your customer and your prime in writing. Ask them what they intend to require and when. Don’t assume. Confirm. 

    Build a real timeline, with real-world constraints. Account for internal delays, backlogs, and scheduling friction. If your plan only works if everything goes right, it doesn’t work. 

    Watch your option years. You might not get hit by a new RFP, but an option mod could trigger new requirements sooner than you think. 

    Document your posture. If you go the self-assessment route, keep a record of the rationale and customer guidance. It won’t save you a contract, but it will help explain your decisions internally. 
      

    Bottom Line: Don’t Build on a Rumor 

    CMMC is the DoW’s answer to years of weak enforcement. It’s not just a suggestion; it’s the teeth. 

    Believing there’s a universal one-year grace period for self-assessments requires ignoring the policy, the memos, and how real-world program managers think. Phase One can, and in some cases will, include CMMC Level 2 certification assessment requirements.  

    If you prepare for certification now, you keep your options open. 

    If you wait on a “grace period” that was never guaranteed, you could find yourself locked out by a customer, by a prime, or by the calendar. 

    It’s better to be ready early than to risk contracts on a game of broken telephone with the Department of War. 


     

    Author: Summit 7 Leadership