Can I Self-Assess for CMMC Compliance?

Updated: 21 hours ago

One of the most common questions defense contractors ask is:

“Do I need a C3PAO audit, or can I self-assess?”

The answer depends on the type of information your organization handles. If your contracts or deliverables include Controlled Unclassified Information (CUI)—especially CUI marked with Distribution Statements B through F—you cannot self-assess. You must undergo a CMMC Level 2 certification by a Certified Third-Party Assessor Organization (C3PAO).

Why Distribution Statements Matter

According to DoDI 5230.24, any document marked with Distribution Statements B–F is considered Controlled Technical Information (CTI), a subset of CUI. Here's what each statement means:

  • Statement B – “Distribution authorized to U.S. Government agencies only.”

  • Statement C – “Distribution authorized to U.S. Government agencies and their contractors.”

  • Statement D – “Distribution authorized to the Department of Defense and U.S. DoD contractors only.”

  • Statement E – “Distribution authorized to DoD Components only.”

  • Statement F – “Further dissemination only as directed by the controlling DoD office.”

If your contract requires you to handle or generate documents with these markings, you are dealing with CTI and therefore CUI. This triggers the requirement for CMMC Level 2 Certification.

Self-Assessment vs. Certification

The Department of Defense has clarified that self-assessments are the exception, not the rule. Most contractors handling CUI—especially CTI—must obtain third-party certification.

Here's the breakdown:

  • CMMC Level 2 (Self-Assessment): Only allowed for contractors handling non-defense CUI (e.g., tax data, archeological records).

  • CMMC Level 2 (Certification Required): Mandatory for contractors handling defense-related CUI, including CTI, engineering drawings, technical manuals, and anything marked with Distribution Statements B–F.

How Cohort Shield Can Help

At Cohort Shield, we specialize in helping organizations—especially those without dedicated compliance teams—navigate the complexities of CMMC. We help you:

  • 🔍 Identify outdated or incorrect information about CMMC requirements.

  • Determine whether self-assessment or third-party certification is required based on your contract and data types.

  • 📁 Prepare the necessary policies and artifacts to meet compliance standards.

💬 Have questions or need help preparing for CMMC certification?

Contact us today to schedule a free consultation or compliance readiness review.

 
 
 
