CMMC Level 2 Self-Assessment vs. Certification: Which Do You Need?
"Level 2" isn't one requirement — it's two different paths with the same 110 requirements underneath. Get the wrong one and you either under-deliver on what your contract needs or pay for a C3PAO assessment you didn't have to. Here's the actual test.
The test: is your CUI in the Defense OIG?
The CMMC Level Determination guidance draws the line at one specific question: is the CUI you handle listed in the NARA CUI Registry's Defense Organizational Index Grouping (OIG)? If your CUI is in the NARA CUI Registry but not in the Defense OIG, Level 2 (Self-Assessment) is your minimum. If it is in the Defense OIG, Level 2 (Certification by a C3PAO) is your minimum — a self-assessment isn't sufficient.
If your environment touches CUI that meets more than one criterion, the highest applicable level governs. There's no averaging or picking the easier path — the strictest classification that applies to any of your CUI sets the floor for the whole determination.
A contract can raise your floor even if your data doesn't
The data-driven test above sets a minimum, but a prime contract or solicitation can require more. If the prime contract specifically requires a Level 2 (C3PAO) status, that's your minimum even if none of your CUI is in the Defense OIG.
The same logic extends one level further for subcontractors: if you're a subcontractor under a prime that itself must reach Level 3 (DIBCAC), your minimum as the subcontractor is Level 2 (Certification / C3PAO) — not Level 3. Level 3 targets the organization actually seeking that certification, not everyone beneath it in the supply chain.
If you land on Certification, Level 3 might be next
Level 3 (DIBCAC) is government-led and sits on top of Level 2, not beside it: it requires an existing Final Level 2 (C3PAO) status before you can even start, and any open Level 2 POA&M items have to be closed first. If Certification is your answer today, it's worth knowing that a future Level 3 requirement would build directly on it rather than starting over.
How to actually find out which one applies to you
In practice: check how your contract or your prime describes the CUI you're handling, ask your contracting officer or your prime's compliance contact if you're not sure, and don't assume Self-Assessment is always the lighter option — some primes require Certification even for CUI that wouldn't otherwise need it. Our level-determination wizard walks through this exact decision tree (data-driven level, then the contract floor, then the highest-applicable-level rule) and points you to the right starting page.
Key takeaways
- CUI in the NARA Registry but not the Defense OIG → Level 2 (Self-Assessment).
- CUI in the Defense OIG → Level 2 (Certification / C3PAO) — self-assessment isn't enough.
- A prime contract can require Certification even when your data alone wouldn't.
- A subcontractor under an L3 prime needs Level 2 (C3PAO), not Level 3, as their own minimum.
- Level 3 requires an existing Final Level 2 (C3PAO) status and a closed L2 POA&M first.
Sources
- 32 CFR 170.23 (subcontractor flow-down)
- 32 CFR 170.18 (Level 3 prerequisites)
- DoD CIO — CMMC documentation
SentryNexus is a preparation and self-assessment tool. It does not connect to or submit anything to SPRS, and it is informational support only — not legal or compliance certification advice.