The CMMC Level 2 Self-Assessment Trap (And How to Avoid It)

PolicyCortex Team | February 18, 2026 | 9 min read
Tags: CMMC, self-assessment, NIST 800-171, compliance, defense contractors

The Gap Between What You Document and What Your Cloud Actually Does

A defense contractor submits their Supplier Performance Risk System (SPRS) score. They've documented 97 of 110 NIST SP 800-171 practices as "Met." They win a DoD contract. Eighteen months later, a C3PAO assessment discovers 34 practices are actually "Not Met." The company faces a potential False Claims Act exposure — not a compliance finding, a fraud allegation.

This is not a hypothetical. It is the pattern playing out across the Defense Industrial Base as CMMC Level 2 certification requirements tighten.

The problem isn't that contractors are lying. Most aren't. The problem is that CMMC Level 2 self-assessment requires technical precision that policy documentation cannot provide. When a compliance officer reviews a policy and marks a practice "Met," they're assessing intent. When a C3PAO examines your environment, they're assessing technical reality. Those two things are frequently different.

This post explains the structural reasons self-assessments drift from reality, what C3PAOs actually look for during assessments, and how to conduct a self-assessment rigorous enough to withstand third-party scrutiny.

SPRS Self-Assessment vs. C3PAO Assessment: What's Actually Different

Under the current CMMC framework, CMMC Level 2 has two paths: self-assessment (for contracts without critical programs or technologies) and third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) for contracts involving critical programs.

The SPRS self-assessment path lets companies self-report their NIST SP 800-171 compliance score directly into the DoD's Supplier Performance Risk System. The score ranges from -203 to +110, with each practice weighted by severity. Companies must affirm the score is accurate and create a System Security Plan (SSP) documenting their implementation.

A C3PAO assessment is a formal audit. Certified assessors spend days or weeks in your environment, examining configurations, interviewing personnel, reviewing evidence, and testing controls. They are looking at what your systems do, not what your documents say.

The conceptual gap is significant:

Dimension             | SPRS Self-Assessment     | C3PAO Assessment
Evidence standard     | Policy documentation     | Technical configuration evidence
Primary artifact      | System Security Plan     | System configuration exports, logs
Duration              | Internal project (weeks) | Formal audit (days to weeks on-site)
Examiner              | Internal staff           | Certified third-party assessors
Legal exposure        | Affirmation of accuracy  | Audit findings
Cloud config scrutiny | Often limited            | Direct inspection

The distinction matters because most compliance programs are built around documentation workflows, not configuration management. You can have a perfect SSP and a broken cloud environment simultaneously.

The False Claims Act (31 U.S.C. §§ 3729–3733) creates civil liability for contractors who knowingly submit false claims to the government. The Department of Justice has been explicit: inaccurate SPRS scores can constitute False Claims Act violations.

In 2021, Aerojet Rocketdyne settled for $9 million after a whistleblower alleged the company had misrepresented its cybersecurity compliance in government contracts. The company's compliance self-assessments didn't match technical reality.

The risk profile here is asymmetric. An overly conservative SPRS score costs you competitive positioning. An overly optimistic SPRS score creates potential fraud exposure. The conservative approach isn't just legally safer — it forces the remediation work that actually improves security posture.

Most contractors don't submit optimistic scores through malice. They submit them because:

  1. The person reviewing practices is a compliance officer reading a policy document, not an engineer reading an IAM configuration
  2. "Met" is interpreted as "we have a policy for this" rather than "the technical control is correctly configured and enforced"
  3. No one has run a technical scan against the cloud environment to validate that the policy is actually implemented

What C3PAOs Actually Examine

Understanding C3PAO methodology is the fastest way to understand where self-assessments typically fail. Assessors follow the CMMC Assessment Process (CAP) and the NIST SP 800-171A assessment procedures. Here's what that looks like in practice for cloud environments.

Identity and Access Management (AC and IA Practices)

This is where the largest gap between documentation and reality typically lives.

AC.2.006 — Limit use of portable storage devices on external systems. IA.3.083 — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

A C3PAO assessor examining IA.3.083 won't read your MFA policy. They will pull your cloud provider's IAM configuration. They will check:

  • Which IAM users have console access
  • Which of those users have MFA enabled vs. just configured
  • Whether MFA enforcement is applied via policy (SCPs, conditional access, etc.) or merely recommended
  • Whether service accounts with overprivileged roles are excluded from the MFA policy

The canonical gap example: IAM users with console access but no MFA enforced, documented as "Met" because the company has an MFA policy. Having a policy that says users should enable MFA is not the same as having a technical control that prevents console access without MFA. A C3PAO assessor will find every user who has bypassed the policy. You will fail IA.3.083 — regardless of what your SSP says.
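Here is what the "enforced, not recommended" distinction looks like when you check it the way an assessor would. This is an added example, not code from this post or from PolicyCortex: it reads an IAM credential report (the CSV that `aws iam get-credential-report` returns, using its real column names `user`, `password_enabled` and `mfa_active`) to find console users with no active MFA device, and then inspects a Service Control Policy for a Deny that actually fires when MFA is absent (the real `aws:MultiFactorAuthPresent` condition key). The report rows and the two policies are constructed samples.

```python
"""Reality check for IA.3.083 (MFA) from a credential report and an SCP.

Added example, not code from the post or from PolicyCortex. Column names
match the real IAM credential report CSV and the condition key is the real
aws:MultiFactorAuthPresent; the report rows and policies are constructed.
"""
import csv
import io
import json

# Constructed credential report (real reports carry many more columns).
# The root account never has a console password flag ("not_supported") but
# always has console access, so it is checked unconditionally below.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false,true
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true
carol,arn:aws:iam::111122223333:user/carol,true,false,false
"""

# Constructed report for the same account after remediation.
CLEAN_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,true
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true
"""

# Constructed SCP that merely allows everything: MFA is "recommended" by policy text only.
SAMPLE_SCP_RECOMMENDED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed SCP that denies every action except MFA setup when no MFA is present.
SAMPLE_SCP_ENFORCED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                          "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def console_users_without_mfa(report_csv):
    """Users who can sign in to the console but have no active MFA device."""
    missing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        has_console = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            missing.append(row["user"])
    return missing


def scp_mfa_enforcement(policy):
    """Classify how strongly the SCP enforces MFA.

    "enforced": a Deny keyed on BoolIfExists, which also denies requests that
    carry no MFA context at all (for example long-term access keys).
    "console-only": a Deny keyed on plain Bool, which never matches a request
    where the key is absent, so only console sessions are really covered.
    """
    best = "not enforced"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {})
        if str(cond.get("BoolIfExists", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "false":
            return "enforced"
        if str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "false":
            best = "console-only"
    return best


def assess_ia_3_083(report_csv, scp):
    """Met only when every console user has MFA AND the SCP enforces it."""
    missing = console_users_without_mfa(report_csv)
    enforcement = scp_mfa_enforcement(scp)
    status = "Met" if not missing and enforcement == "enforced" else "Not Met"
    return {"status": status, "users_without_mfa": missing, "scp_enforcement": enforcement}


if __name__ == "__main__":
    print(json.dumps(assess_ia_3_083(SAMPLE_REPORT, SAMPLE_SCP_RECOMMENDED), indent=2))
    print(json.dumps(assess_ia_3_083(CLEAN_REPORT, SAMPLE_SCP_ENFORCED), indent=2))
```

Two things in the output are worth noticing. The service account `ci-deploy` is not flagged, because it has no console password; that is the right answer for this practice, and its access keys are a separate least-privilege question. And a policy with an MFA condition written as `Bool` rather than `BoolIfExists` is classified as console-only, because a request that carries no MFA context at all never matches it.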

Audit Logging (AU Practices)

AU.2.041 — Ensure that the actions of individual users can be traced to those users. AU.2.042 — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

C3PAOs will examine your CloudTrail configuration (AWS), Activity Log (Azure), or Cloud Audit Logs (GCP). They will check:

  • Whether management events are logged
  • Whether data events are logged for S3 buckets or equivalent storage containing CUI
  • Log retention period (NIST 800-171 implies 3 years; assessors often look for 1-3 years minimum)
  • Whether logs are protected from deletion or modification
  • Whether CloudTrail is enabled in all regions, not just your primary region

73% of defense contractor cloud environments have audit logging gaps, meaning at least one of the following is true: logging is disabled in non-primary regions, data events aren't captured, or log integrity protection is missing. Every one of those gaps is an AU practice failure.
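The checks in the list above can be run against a trail's actual configuration rather than the logging policy. The following is an added example, not code from this post or from PolicyCortex: it evaluates a CloudTrail trail for multi-region coverage, management and data event capture for CUI buckets, log file validation, and CloudWatch Logs retention. Dictionary keys follow the boto3 responses of `cloudtrail.describe_trails`, `cloudtrail.get_event_selectors` and `logs.describe_log_groups`; the trail, selectors, log group, CUI bucket name and the one-year minimum retention are constructed or assumed values.

```python
"""Evidence check for AU.2.041 / AU.2.042: does the trail capture what the
logging policy says it captures?

Added example, not code from the post or from PolicyCortex. Keys follow the
boto3 responses of cloudtrail.describe_trails, cloudtrail.get_event_selectors
and logs.describe_log_groups; all values below are constructed.
"""

# Constructed: a single-region trail, no data events, no log file
# validation, 90-day retention in CloudWatch Logs.
WEAK_TRAIL = {
    "Name": "org-trail",
    "HomeRegion": "us-east-1",
    "S3BucketName": "org-trail-logs",
    "IsMultiRegionTrail": False,
    "LogFileValidationEnabled": False,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:org-trail:*",
}
WEAK_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]
WEAK_LOG_GROUP = {"logGroupName": "org-trail", "retentionInDays": 90}

# Constructed: the same trail after remediation.
FIXED_TRAIL = dict(WEAK_TRAIL, IsMultiRegionTrail=True, LogFileValidationEnabled=True)
FIXED_SELECTORS = [{
    "ReadWriteType": "All",
    "IncludeManagementEvents": True,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::cui-engineering-data/"]}],
}]
FIXED_LOG_GROUP = {"logGroupName": "org-trail", "retentionInDays": 1096}

CUI_BUCKETS = ["cui-engineering-data"]  # constructed: buckets inside the CUI boundary
MIN_RETENTION_DAYS = 365  # assumption: one year, the low end of what assessors look for


def _bucket_data_events_on(bucket, selectors):
    """True if object-level (data) events are logged for the whole bucket.

    CloudTrail expresses coverage as S3 ARNs: "arn:aws:s3:::" means every
    bucket and "arn:aws:s3:::<bucket>/" means all objects in one bucket. A
    narrower prefix does not count as covering the bucket.
    """
    whole_bucket = f"arn:aws:s3:::{bucket}/"
    for sel in selectors:
        for res in sel.get("DataResources", []):
            if res.get("Type") != "AWS::S3::Object":
                continue
            if any(v in ("arn:aws:s3:::", whole_bucket) for v in res.get("Values", [])):
                return True
    return False


def assess_trail(trail, selectors, log_group, cui_buckets, min_retention_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append({"check": "multi-region",
                         "detail": f"trail only covers {trail.get('HomeRegion')}"})
    if not trail.get("LogFileValidationEnabled"):
        findings.append({"check": "log-file-validation",
                         "detail": "digest files disabled; log modification is not detectable"})
    mgmt = any(s.get("IncludeManagementEvents") and s.get("ReadWriteType") == "All" for s in selectors)
    if not mgmt:
        findings.append({"check": "management-events",
                         "detail": "read and write management events are not both captured"})
    for bucket in cui_buckets:
        if not _bucket_data_events_on(bucket, selectors):
            findings.append({"check": "data-events", "detail": f"no object-level events for {bucket}"})
    # retentionInDays is absent when a log group never expires, which satisfies retention.
    retention = log_group.get("retentionInDays")
    if retention is not None and retention < min_retention_days:
        findings.append({"check": "retention", "detail": f"{retention} days < {min_retention_days}"})
    return findings


if __name__ == "__main__":
    for f in assess_trail(WEAK_TRAIL, WEAK_SELECTORS, WEAK_LOG_GROUP, CUI_BUCKETS):
        print(f"AU finding [{f['check']}]: {f['detail']}")
    print("remediated trail:", assess_trail(FIXED_TRAIL, FIXED_SELECTORS, FIXED_LOG_GROUP, CUI_BUCKETS))
```

The weak trail produces four findings and the remediated one produces none; the management-events check passes in both because the sample selector already captures read and write events. The data-event check deliberately refuses to credit a prefix narrower than the bucket, which is the usual way a "data events enabled" claim turns out to be only partly true.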

Configuration Management (CM Practices)

CM.2.061 — Establish and maintain baseline configurations and inventories of organizational systems. CM.2.064 — Establish and enforce security configuration settings for information technology products employed in organizational systems.

Assessors will ask for your configuration baselines and then verify that deployed infrastructure matches them. In cloud environments, this means examining:

  • Security group / firewall rules for overly permissive ingress (0.0.0.0/0 on sensitive ports)
  • S3 bucket public access settings
  • Encryption-at-rest configuration for storage services
  • Whether infrastructure-as-code templates match deployed configurations

The gap: most contractors have configuration baselines documented in Word documents or spreadsheets, but no technical mechanism that enforces or even monitors conformance between the baseline and the live environment.
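The missing "technical mechanism" is a comparison between the documented baseline and the live environment. The following is an added example, not code from this post or from PolicyCortex, of what that comparison looks like for the first two items in the list above: it flags security group rules that expose a sensitive port to the whole internet, and S3 buckets whose public access block has drifted from the baseline. The live data is shaped like boto3's `ec2.describe_security_groups` and `s3.get_public_access_block` responses; the baseline, the port list and every sample value are constructed.

```python
"""Baseline-versus-live conformance check for CM.2.061 / CM.2.064.

Added example, not code from the post or from PolicyCortex. The live data is
shaped like boto3's ec2.describe_security_groups and
s3.get_public_access_block responses; baseline and samples are constructed.
"""

# Constructed baseline: what the written baseline document promises.
BASELINE = {
    "never_world_open_ports": {22, 3389, 1433, 3306, 5432},  # assumption: admin and DB ports
    "public_access_block": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    },
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed live state: one group exposes SSH to the world, another allows
# all traffic from any IPv6 address, and one CUI bucket has drifted.
LIVE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1b2c", "GroupName": "cui-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0d3e4f", "GroupName": "cui-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]
LIVE_PUBLIC_ACCESS_BLOCKS = {
    "cui-engineering-data": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                             "BlockPublicPolicy": False, "RestrictPublicBuckets": True},
    "build-artifacts": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
}


def _ports_covered(perm):
    """Port range a rule covers; protocol -1 means all protocols and all ports."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm.get("FromPort", 0), perm.get("ToPort", 65535) + 1)


def world_open_sensitive_ports(security_groups, sensitive_ports):
    """Ingress rules that expose a sensitive port to 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & WORLD_CIDRS:
                continue
            covered = _ports_covered(perm)
            exposed = sorted(p for p in sensitive_ports if p in covered)
            if exposed:
                findings.append({"group": sg["GroupId"], "protocol": perm["IpProtocol"], "ports": exposed})
    return findings


def public_access_drift(live_blocks, baseline_block):
    """Buckets whose public-access-block settings differ from the baseline."""
    drift = {}
    for bucket, cfg in live_blocks.items():
        wrong = sorted(k for k, v in baseline_block.items() if cfg.get(k) != v)
        if wrong:
            drift[bucket] = wrong
    return drift


def assess_cm(security_groups, public_blocks, baseline=BASELINE):
    """Combine both checks; the CM practices are Met only when nothing has drifted."""
    sg_findings = world_open_sensitive_ports(security_groups, baseline["never_world_open_ports"])
    bucket_drift = public_access_drift(public_blocks, baseline["public_access_block"])
    status = "Met" if not sg_findings and not bucket_drift else "Not Met"
    return {"status": status, "security_groups": sg_findings, "buckets": bucket_drift}


if __name__ == "__main__":
    import json
    print(json.dumps(assess_cm(LIVE_SECURITY_GROUPS, LIVE_PUBLIC_ACCESS_BLOCKS), indent=2))
```

The all-protocols rule (`IpProtocol` of `-1`) is the case that a port-by-port eyeball review most often misses: it carries no port numbers at all, yet it exposes every sensitive port in the baseline, and the check reports it that way. Running the same function on a schedule and diffing its output is the monitoring mechanism the paragraph above says most contractors lack.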

How to Conduct a Rigorous Technical Self-Assessment

A technical self-assessment that will hold up under C3PAO scrutiny has three components that purely documentation-based assessments lack.

1. Configuration Enumeration, Not Policy Review

For every NIST 800-171 practice in your SSP, identify the specific cloud configuration that implements it — not the policy that requires it.

For IA.3.083 (MFA), the evidence isn't your MFA policy. It's:

  • An export of all IAM users with console access
  • For each user, the MFA status
  • A Service Control Policy or Conditional Access Policy showing MFA is enforced, not just recommended

For AU.2.042 (audit logging), the evidence isn't your logging policy. It's:

  • A CloudTrail configuration export showing all-regions, all-events capture
  • Log group retention settings showing compliant retention period
  • CloudTrail log file validation enabled

Create a mapping table: Practice → Technical Implementation → Configuration Evidence → Who Can Produce It.

2. Automated Scanning Against 800-171 Controls

Manual configuration review is slow, error-prone, and leaves gaps. Cloud security posture management tools can scan your environment against 800-171 control mappings and surface misconfigurations automatically.

Run a full scan before you finalize your SPRS score. Treat every finding as a potential "Not Met" until you can technically demonstrate otherwise.

Common findings that surface in automated scans and invalidate self-assessments:

  • CloudTrail disabled in us-east-2 while primary workloads are in us-east-1 — AU practice failure
  • S3 bucket with CUI has public read enabled due to a misconfigured policy — AC practice failure
  • EC2 instance in CUI boundary has IMDSv1 enabled — CM practice failure (allows SSRF-based credential theft)
  • IAM users with AdministratorAccess and no MFA — IA practice failure
  • Security Hub disabled — SC practice failure (AU.3.045 equivalent)
  • KMS key rotation disabled for keys protecting CUI — SC practice failure

None of these are exotic findings. All of them appear regularly in cloud environments that have documented "Met" for the corresponding practices.

3. Gap-to-SPRS Score Mapping

Before submitting your SPRS score, map every open finding to its practice and recalculate. NIST SP 800-171 DoD Assessment Methodology assigns point values:

  • Value 1 practices: -1 point if Not Met
  • Value 3 practices: -3 points if Not Met
  • Value 5 practices: -5 points if Not Met

The max score is 110. Most organizations with unexamined cloud environments are actually in the 40-80 range rather than the 90+ range they self-report. A rigorous technical assessment will produce a lower score — but that score will be defensible, and the gap analysis will tell you exactly what to remediate and in what priority order.
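The recalculation itself is simple arithmetic, but two details matter: a practice is deducted once no matter how many findings point at it, and the deduction order is also your remediation priority. The following is an added example, not code from this post or from PolicyCortex. Practice identifiers use NIST SP 800-171 numbering (with the CMMC 1.0 IDs this post uses noted alongside); the point weights are placeholders to be confirmed against Annex A of the DoD Assessment Methodology, and the findings are constructed.

```python
"""Gap-to-SPRS recalculation: turn a list of technical findings into a score.

Added example, not code from the post or from PolicyCortex. The weights are
placeholders to confirm against Annex A of the NIST SP 800-171 DoD
Assessment Methodology; the findings are constructed.
"""

MAX_SCORE = 110

# Placeholder weights (1, 3 or 5 points) for a handful of practices. The
# comment after each gives the CMMC 1.0 practice ID the post uses.
PRACTICE_WEIGHTS = {
    "3.5.3": 5,   # MFA for privileged and network access (IA.3.083)
    "3.3.1": 5,   # create and retain audit logs (AU.2.042)
    "3.13.6": 5,  # deny-by-default network connections (CM.3.068)
    "3.4.1": 5,   # baseline configurations (CM.2.061)
    "3.1.5": 3,   # least privilege (AC.2.007)
}

# Constructed findings, each tagged with the practice it makes Not Met.
SAMPLE_FINDINGS = [
    ("IAM user bob has console access and no MFA device", "3.5.3"),
    ("IAM user carol has console access and no MFA device", "3.5.3"),
    ("CloudTrail trail org-trail is single-region", "3.3.1"),
    ("CloudTrail log group retention is 90 days", "3.3.1"),
    ("sg-0d3e4f allows ::/0 on all ports", "3.13.6"),
    ("sg-0a1b2c drifted from its infrastructure-as-code template", "3.4.1"),
    ("role deploy-admin carries AdministratorAccess with no access review", "3.1.5"),
]


def not_met_practices(findings):
    """A practice is Not Met once, however many findings point at it."""
    return sorted({practice for _, practice in findings})


def sprs_score(findings, weights=PRACTICE_WEIGHTS):
    """110 minus the weight of every practice that has at least one open finding."""
    deductions = 0
    for practice in not_met_practices(findings):
        if practice not in weights:
            raise KeyError(f"no weight recorded for practice {practice}; add it before scoring")
        deductions += weights[practice]
    return MAX_SCORE - deductions


def remediation_order(findings, weights=PRACTICE_WEIGHTS):
    """Practices ordered by points recovered, then by finding count, then by ID."""
    grouped = {}
    for text, practice in findings:
        grouped.setdefault(practice, []).append(text)
    return sorted(grouped.items(), key=lambda item: (-weights[item[0]], -len(item[1]), item[0]))


if __name__ == "__main__":
    print("recalculated SPRS score:", sprs_score(SAMPLE_FINDINGS))
    for practice, texts in remediation_order(SAMPLE_FINDINGS):
        print(f"{practice} ({PRACTICE_WEIGHTS[practice]} pts, {len(texts)} findings)")
        for t in texts:
            print("   -", t)
```

With the seven constructed findings the score comes out at 87 rather than the 110 a documentation-only review would report, and the ordering puts the two 5-point practices with the most findings at the top of the remediation list. An unknown practice ID raises rather than silently scoring zero, so a finding that was never mapped to a practice cannot inflate the result.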

The Practices C3PAOs Find Most Often "Not Met"

Based on patterns across C3PAO assessments, these practices generate the most failures for organizations that self-assessed them as Met:

IA.3.083 — MFA for privileged and network access (the IAM misconfiguration problem above)

AU.2.042 — Audit log completeness and retention (the multi-region, data events, and retention problems)

CM.3.068 — Apply deny-by-default, allow-by-exception for system connections (security groups too permissive)

SC.3.177 — Employ FIPS-validated cryptography (encryption in transit using older TLS versions or non-FIPS cipher suites)

SI.2.217 — Identify and correct system flaws and vulnerabilities within defined timeframes (no patch management SLA documented and enforced)

AC.2.007 — Employ least privilege access (IAM roles with excessive permissions, no regular access review)

Building a Self-Assessment Process That Scales

The underlying problem with one-time self-assessments is that cloud environments change continuously. A configuration that's compliant today may not be compliant 30 days from now, after a developer deploys a new service, opens a security group, or creates an IAM role without MFA enforcement.

Continuous compliance monitoring — where cloud configurations are evaluated against 800-171 controls on an ongoing basis — is the only way to maintain an accurate SPRS score. This means:

  1. Automated scanning of all cloud accounts in scope for CUI
  2. Findings mapped to specific NIST 800-171 practices
  3. Remediation SLAs that reflect the risk weight of each practice
  4. An audit log of what changed, when, and by whom — not just a point-in-time snapshot

Continuous monitoring also means your next SPRS self-assessment and any C3PAO assessment can begin from a position of strength. You're not reconstructing your compliance posture from documentation; you have technical evidence of what your environment looked like at every point in time.

The Bottom Line

The CMMC Level 2 self-assessment trap is not a documentation problem. It's a configuration management problem. Organizations that treat compliance as a paperwork exercise will consistently self-report higher than their technical reality warrants — and the gap will be found, either by a C3PAO or by an incident.

A rigorous self-assessment starts with the question: can I produce technical configuration evidence for every practice I've marked Met? If the answer is no for any practice, the default should be "Not Met" until you can demonstrate otherwise.

That's the standard C3PAOs apply. Your self-assessment should apply the same standard.
