A contractor-led evaluation of whether implemented controls meet CMMC Level 2 requirements. The organisation scores its own environment and submits the result, so the quality of the evidence, scope, and interpretation directly affects whether the attestation is defensible.
Expanded Definition
CMMC Level 2 Self-Assessment is the contractor’s own evaluation against the Cybersecurity Maturity Model Certification Level 2 requirements, typically used to determine whether implemented practices protect Federal Contract Information and, in some cases, Controlled Unclassified Information. The assessment is not just a paperwork exercise. It depends on whether the organisation has correctly defined scope, mapped controls, and gathered evidence that shows those controls are actually operating.
Because this term sits at the intersection of compliance and operational security, it is often compared with control frameworks such as NIST SP 800-53 Rev 5 Security and Privacy Controls. In practice, the self-assessment is only as credible as the assets included, the evidence retained, and the assessor’s ability to interpret technical and administrative controls consistently. Definitions and expectations vary across contractors, especially where boundary setting and inherited controls are involved.
The most common misapplication is treating the self-assessment as a checklist-only filing, which occurs when teams score controls without validating evidence, asset scope, and exception handling.
Examples and Use Cases
Implementing CMMC Level 2 Self-Assessment rigorously often introduces documentation and validation overhead, requiring organisations to weigh faster certification readiness against the cost of evidence collection and continuous control mapping.
- A defence subcontractor inventories systems in scope, then documents where Controlled Unclassified Information is stored, processed, or transmitted before scoring controls.
- A security team validates multifactor authentication, logging, and access review evidence against NIST SP 800-53 Rev 5 Security and Privacy Controls rather than relying on policy language alone.
- A contractor excludes a managed service provider boundary from the assessment until it can prove which controls are inherited and which remain the contractor’s responsibility.
- An internal audit team uses the Ultimate Guide to NHIs to check whether service accounts, API keys, and other non-human identities are properly governed where they support in-scope systems.
- A programme lead re-scores the environment after a tooling change because access paths, logging coverage, and evidence sources changed enough to affect the self-attestation result.
For identity-heavy environments, the assessment often fails when machine credentials are omitted from scope even though they reach protected data paths.
Why It Matters for Security Teams
CMMC Level 2 Self-Assessment matters because it turns security posture into an auditable claim. If the evidence is weak, the organisation may overstate compliance, underestimate risk, or miss control gaps that only surface during customer review or a later government validation. That is especially important where human identity controls intersect with service accounts, automation, and other NHIs. NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, a reminder that assessment scope cannot stop at user accounts alone. The broader NHI problem also matters operationally: Ultimate Guide to NHIs reports that only 5.7% of organisations have full visibility into their service accounts, which creates a blind spot when those identities support CMMC-scoped systems.
Security teams use the self-assessment to expose whether controls are designed, implemented, and evidenced well enough to survive scrutiny. The most common failure mode appears after an incident, when an organisation discovers that its attestation covered policies rather than actual control operation, and the assessment becomes operationally unavoidable to repair trust and re-establish eligibility.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | ID.GV-1 | Governance clarifies roles and accountability for security assessments and attestations. |
| NIST SP 800-53 Rev 5 | CA-2 | Security assessments require planned evaluation of controls and documented results. |
| NIST SP 800-63 | IAL2 | Identity assurance concepts matter when account evidence and access scope are evaluated. |
| OWASP Non-Human Identity Top 10 | NHI governance is relevant where service accounts and API keys support scoped systems. |
Validate identity-related evidence for users and privileged accounts inside the assessment boundary.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org