CMMC 2.0 self-attestation — who can, who can't, and what the affirmation legally commits
Self-attestation is permitted for CMMC Level 1 and a narrow subset of designated Level 2 contracts. The annual executive affirmation is a legally significant statement under the False Claims Act — defensible only when backed by a current SSP, contemporaneous assessment evidence, and a published SPRS score.
The three things to get right before signing the affirmation
- Confirm whether your contract permits self-attestation — most Level 2 work requires C3PAO certification.
- Build the SSP, POAM, and SPRS score with documentation an assessor (or a DOJ investigator) can read on its own merits.
- Treat the executive affirmation as a False Claims Act statement — only attest to what the evidence demonstrably supports.
01 — Eligibility
Who can self-attest, by CMMC level
Level 1 (FCI)
Annual self-assessment + executive affirmation in SPRS
Level 2 (CUI) — designated
Contract must be explicitly designated for self-assessment by the contracting officer. Typically lower-risk Level 2 work.
Level 2 (CUI) — standard
Triennial third-party assessment by a Cyber AB-authorized C3PAO. Annual executive affirmation still required.
Level 3
DIBCAC or equivalent government assessment. Subset of NIST 800-172 enhanced controls in addition to all 110 Level 2 controls.
02 — The path
Six steps from assessment to signed affirmation
Determine your applicable level
Read the contract clauses. DFARS 252.204-7012 alone signals Level 2 obligation under CMMC. The contracting officer specifies the required level on the solicitation. If unclear, ask the CO in writing — do not assume.
Run a NIST 800-171 self-assessment
Score every applicable control as IMPLEMENTED, PARTIAL, or NOT IMPLEMENTED. The result feeds your SPRS score. Document the assessment workpapers as you go — the contemporaneous evidence is what protects the attestation later.
Author the SSP and POAM
The SSP describes the system, boundary, and implementation status of each in-scope control. The POAM captures every gap, target date, and ownership. A weak or generic SSP is the most common failure mode at DoD spot check or at the inflection to C3PAO.
Submit the SPRS score
Calculate the score from the assessment results. Submit through SPRS with the basic, medium, or high assessment level designation per the DoD assessment guide. Contracting officers and primes see this score during shortlist evaluation.
Sign and submit the annual affirmation
A senior official — typically CEO, CISO, or equivalent — signs the executive affirmation in SPRS confirming the underlying claims. The affirmation is a legally significant statement; only sign what the evidence supports.
Maintain — re-attest annually
Re-run the assessment, update the SSP and POAM, recalculate the SPRS score, re-submit the affirmation every 12 months. Any material change in posture (boundary expansion, new CUI handling, control removal) triggers an interim update.
The annual affirmation is a False Claims Act statement
The Department of Justice Civil Cyber-Fraud Initiative has publicly identified cybersecurity self-attestations as an enforcement priority. There have been settled cases involving contractors whose submitted SPRS scores materially overstated implementation. Treble damages plus per-claim penalties are on the table.
The defensive posture is contemporaneous evidence. Document the assessment workpapers, keep the SSP current, attest only to what the underlying evidence demonstrably supports. This page is not legal advice — engage qualified counsel for specific exposure analysis.
04 — Questions
CMMC 2.0 self-attestation — frequently asked
Who can self-attest under CMMC 2.0?
CMMC 2.0 permits self-attestation in two cases: (1) CMMC Level 1 — applied to all FCI-handling contractors annually, and (2) a narrow subset of CMMC Level 2 contracts where the DoD program office has explicitly designated the contract as eligible for self-assessment (typically lower-risk Level 2 work with no Critical Acquisition designation). For most Level 2 work involving CUI, third-party certification by a Cyber AB-authorized C3PAO is required — self-attestation is not an option.
What is the annual affirmation and who signs it?
The annual affirmation is a written attestation by a senior official — typically the CEO, CISO, or equivalent — confirming that the contractor's CMMC posture is and remains compliant. It is submitted through the Supplier Performance Risk System (SPRS) and is required annually for both self-assessed contractors AND contractors holding C3PAO certificates. The affirmation is a legally significant statement: it can trigger False Claims Act exposure if the underlying claims are knowingly false or made with reckless disregard for truth.
When does CMMC 2.0 self-attestation become mandatory on contracts?
Phased implementation under the DoD final rule began in 2025. Phase 1 (self-assessment under DFARS 252.204-7021) is in effect for in-scope solicitations. Phase 2 (C3PAO certification for the Level 2 work that requires it) began rolling into new contract awards in 2026 and continues through 2028. If your contract references DFARS 252.204-7012 or 252.204-7021, you are inside the implementation window. The contracting officer specifies the required CMMC level on each solicitation.
What is a SPRS score and how does it relate to self-attestation?
The Supplier Performance Risk System (SPRS) score is the quantitative result of your NIST SP 800-171 self-assessment — calculated from a starting score of 110 minus weighted deductions for each unimplemented control. A perfect implementation is 110. A score below 88 typically indicates major gaps. SPRS scores are visible to DoD contracting officers and prime contractors managing flowdowns; a low or stale score is a meaningful procurement signal that often disqualifies firms from shortlists.
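The scoring arithmetic this answer and step 4 above describe, as an added example in Python (not MacTech's code or tooling, and not an official DoD calculator). It starts at 110 and subtracts each control's weight when the control is not implemented, refuses to score an assessment that omits a control (an omitted control would otherwise count as implemented and inflate the score), lists the controls that need POAM entries, and flags IMPLEMENTED claims that have no workpaper behind them. The ten-control weight table is a subset written from memory of Annex A of the DoD NIST SP 800-171 Assessment Methodology and is marked as an assumption in the code; the partial-credit rule for 3.5.3 and 3.13.11 is from that methodology. The Finding records and workpaper ids are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"
    NOT_IMPLEMENTED = "not_implemented"


MAX_SCORE = 110  # perfect implementation of all 110 NIST SP 800-171 controls

# Per-control point values (1, 3 or 5). ASSUMPTION: this ten-control subset is
# written from memory of Annex A of the DoD Assessment Methodology; load the
# full, current table for a real submission.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.22": 1, "3.3.1": 5,
    "3.4.1": 5, "3.5.3": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# The methodology grants partial credit to exactly two controls: a partial
# MFA (3.5.3) or FIPS-validated crypto (3.13.11) implementation deducts 3, not 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Finding:
    control: str
    status: Status
    evidence_ref: str  # workpaper id supporting the status; "" if none


def deduction(control: str, status: Status) -> int:
    """Points subtracted for one control under the given status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and control in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[control]
    # PARTIAL on any other control scores the same as NOT_IMPLEMENTED.
    return WEIGHTS[control]


def _validated(findings):
    """Require exactly one finding per weighted control; unknown, duplicate or
    missing controls make the score meaningless, so refuse to compute it."""
    seen = set()
    for f in findings:
        if f.control not in WEIGHTS:
            raise ValueError(f"unknown control {f.control}")
        if f.control in seen:
            raise ValueError(f"duplicate finding for {f.control}")
        seen.add(f.control)
    missing = sorted(set(WEIGHTS) - seen)
    if missing:
        raise ValueError(f"unassessed controls: {missing}")
    return findings


def sprs_score(findings) -> int:
    """110 minus the weighted deductions across every assessed control."""
    return MAX_SCORE - sum(deduction(f.control, f.status) for f in _validated(findings))


def poam_controls(findings):
    """Every control that is not fully implemented needs a POAM entry."""
    return [f.control for f in findings if f.status is not Status.IMPLEMENTED]


def unsupported_claims(findings):
    """IMPLEMENTED claims with no workpaper reference: not attestable as-is."""
    return [f.control for f in findings
            if f.status is Status.IMPLEMENTED and not f.evidence_ref]


# Constructed sample assessment; workpaper ids are made up for illustration.
SAMPLE_FINDINGS = [
    Finding("3.1.1", Status.IMPLEMENTED, "WP-AC-01"),
    Finding("3.1.2", Status.IMPLEMENTED, "WP-AC-02"),
    Finding("3.1.3", Status.NOT_IMPLEMENTED, ""),        # -1
    Finding("3.1.22", Status.IMPLEMENTED, "WP-AC-22"),
    Finding("3.3.1", Status.PARTIAL, "WP-AU-01"),        # -5, no partial credit
    Finding("3.4.1", Status.IMPLEMENTED, ""),            # claimed, no evidence
    Finding("3.5.3", Status.PARTIAL, "WP-IA-03"),        # -3, partial credit
    Finding("3.13.11", Status.NOT_IMPLEMENTED, ""),      # -5
    Finding("3.14.1", Status.IMPLEMENTED, "WP-SI-01"),
    Finding("3.14.2", Status.IMPLEMENTED, "WP-SI-02"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_FINDINGS))
    print("POAM entries needed:", poam_controls(SAMPLE_FINDINGS))
    print("IMPLEMENTED without evidence:", unsupported_claims(SAMPLE_FINDINGS))
```

Two points the arithmetic makes visible: PARTIAL on anything other than 3.5.3 and 3.13.11 costs the full weight, so a POAM full of "mostly done" items does not soften the score; and a control claimed IMPLEMENTED with no workpaper behind it still lifts the score, which is exactly the kind of claim the affirmation should not be signed over.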
What documentation supports a defensible self-attestation?
At minimum: (1) a current System Security Plan (SSP) describing the boundary, system, and implementation status of all in-scope controls; (2) a Plan of Action and Milestones (POAM) for any controls not fully implemented, with target dates; (3) the underlying assessment workpapers showing how each control was evaluated; (4) inherited-control documentation from cloud or platform providers; (5) the SPRS score calculation and submission record; and (6) the signed senior-official affirmation. A "self-attestation binder" with all of this is what survives a DoD spot check.
What is the False Claims Act exposure for a bad self-attestation?
Significant. The Department of Justice has publicly identified cybersecurity self-attestations as a Civil Cyber-Fraud Initiative enforcement priority, and there have been settled cases involving contractors who submitted SPRS scores that materially overstated implementation. Treble damages plus per-claim penalties are on the table. The exposure is not theoretical — the safe-harbor logic is: only attest to what you have evidence to support, document the evidence contemporaneously, and update the SSP and SPRS score whenever posture changes materially.
Can a contractor go from self-attestation to C3PAO certification later?
Yes — and many should. Contracts that today fall under self-attestation may be re-categorized as requiring C3PAO certification on re-competition, especially as Phase 3 of CMMC implementation expands the universe of contracts requiring third-party assessment. Contractors who treat self-attestation as the long-term posture often discover at solicitation time that the work they want has migrated to C3PAO-required. Building toward a defensible C3PAO posture from the outset is the higher-leverage move.
How does MacTech help with self-attestation?
Three ways. (1) Readiness scan — score your current posture, identify gaps, produce a prioritized remediation backlog. (2) SSP and POAM authoring — assessor-readable documentation in the format the C3PAO expects (so the same package supports a future Level 2 upgrade without rework). (3) Trust Codex — living evidence-to-control crosswalk that keeps the underlying claims continuously defensible, not just on the day the affirmation is signed. We treat self-attestation as the same engineering problem as C3PAO certification, scaled down — because the legal exposure under the False Claims Act is identical either way.
Build self-attestation evidence the way you would for a C3PAO
The legal exposure is the same either way. The deliverable difference is just whether a third party signs off. MacTech builds the SSP, POAM, and evidence binder to assessor-quality so the package travels — to a DoD spot check today or a C3PAO upgrade tomorrow.