Can We Self-Attest CMMC Compliance?

No, CMMC (Cybersecurity Maturity Model Certification) does not allow for self-attestation of compliance.

In order for the Department of Defense to recognize a contractor as CMMC compliant, that contractor must pass a review administered by an authorized Certified Third-Party Assessor Organization (C3PAO). That third-party firm cannot be the same firm that is managing a defense contractor’s IT and IT security.

In fact, one of the primary reasons DoD instituted the CMMC regime was that it lacked confidence in contractors' self-attestation of NIST/DFARS compliance.