March 18, 2026 · Attestio Team

CMMC Self-Assessment Guide for Small Businesses: Start Here

You've heard about CMMC. You know it's coming (or already here). You're a small defense contractor — maybe 15, 50, or 100 employees — and you need to figure out where you stand. But hiring a consultant for $30K just to tell you how bad things are doesn't make sense when you don't even know if your contracts require Level 1 or Level 2.

This guide walks you through a complete CMMC self-assessment from scratch. No prior compliance experience needed. By the end, you'll have your SPRS score, a clear picture of your gaps, and a prioritized plan to close them.

Before You Start: Do You Actually Need CMMC?

Not every DoD contractor needs CMMC. Let's figure out your situation:

Check your contracts for these clauses:

  1. DFARS 252.204-7012 (Safeguarding Covered Defense Information) — If this is in your contract, you handle CUI and need CMMC Level 2.
  2. DFARS 252.204-7021 (CMMC Requirements) — This clause explicitly states your required CMMC level.
  3. FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) — This is the baseline. If this is your only security clause, CMMC Level 1 (17 practices) may be sufficient.

If you're a subcontractor: Ask your prime contractor. CUI flows down — if they pass CUI to you, you need the same level of protection they do, and CMMC Level 2 likely applies.

Still not sure? Check the contract's DD Form 254 (if applicable) for CUI markings, or contact your Contracting Officer for clarification. When in doubt, prepare for Level 2 — it's a superset of Level 1, so you're covered either way.

Step 1: Define Your CUI Boundary

This is the most important step — and the one most small businesses skip. Your CUI boundary defines which systems, people, networks, and physical locations are in scope for your assessment.

What Goes Inside the Boundary

What Stays Outside

How to Shrink Your Boundary

Smaller boundary = fewer systems to assess = lower cost = faster compliance. Strategies:

Document it. Create a network diagram showing your CUI boundary, data flows (where CUI enters, moves within, and exits your environment), and a list of all systems and people in scope. This becomes part of your System Security Plan (SSP).

Step 2: Assess Yourself Against All 110 Practices

Now comes the actual assessment. You need to evaluate your implementation of each NIST 800-171 practice and score it.

The Three-Status Framework

For each practice, assign one of three statuses:

How to Evaluate Each Practice

For every single practice, ask yourself three questions:

  1. Is there a documented policy or procedure? (Many practices require written policy even if the technical control exists.)
  2. Is the technical control actually implemented? (Not "we plan to" — is it deployed and working today?)
  3. Can I prove it? (Screenshots, configuration exports, log samples, training records, signed policies)

If you can't answer "yes" to all three, the practice is NOT MET.

Working Through the Domains

Go domain by domain. Here's a condensed checklist for the highest-impact areas:

Access Control (22 practices):
  - [ ] User accounts are individually assigned (no shared accounts)
  - [ ] Role-based access control is implemented
  - [ ] Remote access requires MFA
  - [ ] CUI access is limited to authorized users only
  - [ ] Session timeouts are configured
  - [ ] Mobile device access to CUI is controlled and encrypted

Audit & Accountability (9 practices):
  - [ ] Audit logs are enabled on all CUI systems
  - [ ] Logs capture who did what, when
  - [ ] Logs are protected from tampering
  - [ ] Logs are reviewed regularly (automated alerts preferred)
  - [ ] Audit logs are retained for at least 90 days

Configuration Management (9 practices):
  - [ ] Hardware/software inventory exists and is current
  - [ ] Security baselines are documented and applied
  - [ ] Change management process exists
  - [ ] Unnecessary services are disabled
  - [ ] Software installation is restricted

Identification & Authentication (11 practices):
  - [ ] MFA is enabled for all accounts accessing CUI
  - [ ] Password policies meet complexity requirements
  - [ ] Passwords are stored encrypted
  - [ ] Default passwords are changed on all devices

Incident Response (3 practices):
  - [ ] Written Incident Response Plan exists
  - [ ] IR plan has been tested (tabletop exercise)
  - [ ] Incident reporting procedures are documented (including 72-hour DoD reporting)

System & Communications Protection (16 practices):
  - [ ] Network boundary protections (firewall) are in place
  - [ ] CUI network is segmented from general traffic
  - [ ] CUI is encrypted in transit (TLS 1.2+, VPN)
  - [ ] CUI is encrypted at rest (BitLocker, etc.)
  - [ ] FIPS-validated cryptography is used
  - [ ] DNS filtering or web proxy is configured

Step 3: Calculate Your SPRS Score

The Supplier Performance Risk System (SPRS) score is a number between -203 and 110 that reflects your current compliance level. Every DoD contractor handling CUI is required to submit an SPRS score.

How SPRS Scoring Works

You start at 110 (perfect compliance). For every practice that is NOT MET, you subtract its weighted value. The weights are defined in the DoD Assessment Methodology and range from 1 to 5 points per practice.

The weighting reflects risk impact:

Calculation Example

Let's say you assess yourself and find:
  - 75 practices are MET
  - 35 practices are NOT MET

If those 35 unmet practices have a total weighted value of 95 points:

  Your SPRS score = 110 - 95 = 15

A score of 15 means you have significant work to do, but you're not starting from zero. For reference:
  - 110: Full compliance (rare for first-time assessments)
  - 70-109: Strong posture, focused remediation needed
  - 30-69: Moderate gaps, structured remediation program needed
  - Below 30: Significant gaps, expect 6-12 months of work
  - Negative scores: Major security deficiencies, fundamental controls missing
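The three-question test from Step 2 and the SPRS arithmetic above, carried through in code, with the NOT MET list ordered heaviest-first (the ordering Step 5's 80/20 rule recommends). This is an added example, not part of the original guide or any Attestio tooling: the practice IDs are ones this guide cites, but the point weights and the yes/no answers are constructed sample values, and real weights must be taken from the DoD Assessment Methodology.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PracticeResult:
    practice_id: str      # NIST 800-171 practice, e.g. "IA.L2-3.5.3"
    weight: int           # 1, 3 or 5 in the DoD methodology; values used below are placeholders
    has_policy: bool      # Q1: a documented policy or procedure exists
    is_implemented: bool  # Q2: the control is deployed and working today
    has_evidence: bool    # Q3: screenshots, exports, logs or records can prove it

    @property
    def met(self) -> bool:
        # The guide's rule: every one of the three answers must be "yes", else NOT MET.
        return self.has_policy and self.is_implemented and self.has_evidence


PERFECT_SCORE = 110  # starting point before any deductions


def sprs_score(results) -> int:
    """110 minus the weight of every NOT MET practice (the all-unmet floor is -203)."""
    return PERFECT_SCORE - sum(r.weight for r in results if not r.met)


def remediation_order(results):
    """NOT MET practices sorted heaviest first, so 5-point items come to the top."""
    unmet = [r for r in results if not r.met]
    return sorted(unmet, key=lambda r: (-r.weight, r.practice_id))


# Constructed sample assessment covering a few practices the guide names.
# Weights here are illustrative only; replace them with the methodology's Annex A values.
SAMPLE = [
    PracticeResult("AC.L2-3.1.5", 3, True, False, False),   # least privilege: partial
    PracticeResult("IA.L2-3.5.3", 5, True, True, True),     # MFA: policy, deployed, evidenced
    PracticeResult("AU.L2-3.3.1", 5, False, True, True),    # logging on, but no written policy
    PracticeResult("SC.L2-3.13.16", 1, True, True, False),  # BitLocker on, no evidence captured
    PracticeResult("RA.L2-3.11.2", 5, False, False, False), # vulnerability scanning: nothing
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    for r in remediation_order(SAMPLE):
        print(f"  {r.practice_id:<14} weight {r.weight}  NOT MET")
```

Only IA.L2-3.5.3 passes all three questions in the sample, so the score is 110 minus 14 (3 + 5 + 1 + 5) and the two 5-point gaps are listed first.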

Where to Submit Your SPRS Score

Submit your score at https://www.sprs.csd.disa.mil/. You'll need:
  - A CAGE code for your company
  - An ECA certificate (External Certification Authority) for the person submitting
  - Your assessment results and date
  - The name and title of the senior official affirming the results

Important: Your SPRS submission is a legal affirmation. Inflating your score can trigger False Claims Act liability. Be honest.

Step 4: Conduct a Gap Analysis

You've assessed yourself and calculated your score. Now turn your NOT MET list into an actionable plan.

Categorize Every Gap

For each unmet practice, document:

  1. Current state: What do you have today? (Even partial implementations count)
  2. Required state: What does full compliance look like?
  3. Gap: What's the delta between current and required?
  4. Remediation action: What specific steps close this gap?
  5. Resources needed: Technology, people, budget, time
  6. Estimated effort: Hours or days to implement
  7. Dependencies: Does this require another gap to be closed first?

Map Gaps to Projects

Group related gaps into remediation projects. Common clusters:

Step 5: Prioritize Remediation

You can't fix everything at once. Prioritize based on three factors:

The Prioritization Matrix

Priority 1 — Quick Wins (Low effort, high impact)

These are the practices you can close in days with minimal cost:
  - Enable MFA on existing accounts (IA.L2-3.5.3) — many platforms support this natively
  - Enable audit logging (AU.L2-3.3.1) — often just a configuration change
  - Update password policies (IA.L2-3.5.7) — Active Directory or cloud identity settings
  - Enable disk encryption (SC.L2-3.13.16) — BitLocker is built into Windows Pro
  - Configure session timeouts (AC.L2-3.1.10-3.1.11) — GPO or cloud policy settings

Priority 2 — High-Value Controls (Moderate effort, high impact)

These take more effort but address critical risks and high-weight SPRS items:
  - Deploy endpoint protection/EDR (SI.L2-3.14.2, 3.14.6)
  - Implement network segmentation (SC.L2-3.13.1, 3.13.5)
  - Set up centralized log management (AU.L2-3.3.5)
  - Deploy vulnerability scanning (RA.L2-3.11.2)
  - Write and test Incident Response Plan (IR.L2-3.6.1-3.6.3)

Priority 3 — Policy and Documentation (Moderate effort, required)

These don't improve your technical security directly but are required for assessment:
  - System Security Plan development (CA.L2-3.12.4)
  - Security policies and procedures (multiple domains)
  - Configuration baselines documentation (CM.L2-3.4.1)
  - Training program documentation (AT.L2-3.2.1-3.2.3)

Priority 4 — Complex Projects (High effort, required)

These require planning, procurement, and implementation cycles:
  - Cloud migration to GCC High (if needed)
  - FIPS-validated cryptography implementation (SC.L2-3.13.11)
  - Application whitelisting (CM.L2-3.4.8)
  - Full media protection program (MP domain)

The 80/20 Rule for CMMC

In practice, 80% of your SPRS score improvement comes from addressing about 20% of your gaps — specifically the 5-point practices. Focus there first.

If you can only do five things this month:
  1. Enable MFA everywhere
  2. Turn on audit logging
  3. Enable disk encryption
  4. Install endpoint protection
  5. Start your System Security Plan

These five actions can improve your SPRS score by 25-40 points and establish a real security foundation.

Step 6: Build Your Plan of Action & Milestones (POA&M)

Your POA&M is a formal document that tracks every unmet practice, your plan to fix it, and your timeline. Under CMMC 2.0, you can have open POA&M items at the time of assessment — but with strict conditions:

POA&M Template

For each item, document:

  Practice ID: AC.L2-3.1.5
  Practice Description: Employ least privilege
  Current Status: Partial — admin accounts not restricted
  Planned Actions:
    1. Audit admin accounts
    2. Create standard user accounts
    3. Implement PAM solution
  Milestone 1: Audit complete — April 15
  Milestone 2: Standard accounts created — May 1
  Milestone 3: PAM deployed — June 15
  Responsible Party: IT Manager (name)
  Resources Required: PAM tool license ($2,400/yr), 40 hours labor
  Risk if Delayed: Excessive admin access increases breach risk
  Completion Date: June 15, 2026

Step 7: Prepare Your Documentation Package

When it's time for assessment (self or C3PAO), you'll need these documents ready:

Required Documents

  1. System Security Plan (SSP) — Your most important document. Describes your CUI boundary, system architecture, data flows, and how you implement each of the 110 practices. This is what assessors read first.

  2. Plan of Action & Milestones (POA&M) — Tracks unmet practices and remediation plans.

  3. Network Diagram — Shows your CUI boundary, network segments, data flows, and connections to external systems.

  4. Hardware/Software Inventory — Every device and application in your CUI boundary.

  5. Security Policies — Written policies covering each domain (Access Control Policy, Incident Response Policy, etc.).

  6. Evidence Artifacts — Screenshots, configuration exports, log samples, training records, and other evidence proving implementation. Organize these by practice ID.

Documentation Tips

Common Self-Assessment Mistakes

Mistake 1: Scoring yourself too generously. If a practice is partially implemented, it's NOT MET. Partial credit doesn't exist in CMMC. Being honest now saves you from failing a C3PAO assessment later (or worse, False Claims Act issues).

Mistake 2: Ignoring inherited controls. If you use M365 GCC High, Microsoft handles many controls — but you need to document this. Your SSP should clearly state which controls are inherited from your cloud provider and which you're responsible for.

Mistake 3: Forgetting about people and process. CMMC isn't just technical controls. Practices about training (AT), personnel screening (PS), and incident response (IR) are about people and processes. A locked-down network with untrained staff is still non-compliant.

Mistake 4: Not involving leadership. A senior official must affirm your SPRS score. They need to understand what they're signing. Involve leadership early — they're accountable.

Mistake 5: Doing it alone. Self-assessment doesn't mean isolation. Use frameworks, templates, platforms, and peer communities. The CMMC-AB marketplace lists Registered Practitioner Organizations that can help without conducting your full assessment.

Your 30-Day Quick-Start Plan

Week 1: Foundations
  - Identify your CMMC level requirement (check contracts)
  - Define your preliminary CUI boundary
  - Gather your team (IT, leadership, contract managers)

Week 2: Assessment
  - Walk through all 110 practices
  - Rate each as MET or NOT MET
  - Calculate your preliminary SPRS score

Week 3: Analysis
  - Categorize gaps by priority (quick wins first)
  - Estimate remediation costs and timelines
  - Draft your POA&M

Week 4: Action
  - Implement Priority 1 quick wins (MFA, encryption, logging)
  - Begin System Security Plan draft
  - Present findings and plan to leadership

Take the Next Step

A self-assessment is your starting point, not your finish line. But it's the most important step — because you can't get where you're going if you don't know where you are.

📋 Take our free CMMC Self-Assessment Quiz — get your estimated SPRS score in 10 minutes, with a gap summary and recommended next steps.

📖 Download the free CMMC Survival Guide — includes assessment worksheets, SPRS scoring templates, and a domain-by-domain checklist.

🚀 Get the CMMC Starter Kit ($129) — SSP templates, POA&M tracker, policy templates, gap analysis worksheets, and evidence collection guides. Everything you need to go from self-assessment to assessment-ready.


Attestio helps small defense contractors achieve CMMC compliance without the six-figure consulting bills. Built for companies with fewer than 200 employees. Learn more at attestio.ai.