A self-assessment is something your organization does internally: you score yourself against NIST 800-171 and submit the result to SPRS. It satisfies CMMC’s current Level 1 and select Level 2 requirements during Phase 1. A gap assessment is an advisory engagement, typically run by a compliance firm, that gives you a detailed, expert-reviewed picture of where you actually stand before you submit anything or move toward formal certification. They’re not competing options: a gap assessment is what makes your self-assessment accurate, and what prepares you for the C3PAO assessment Phase 2 will require.
Why This Confusion Costs Contractors Real Time
These two terms get used almost interchangeably in casual conversation, and that’s a problem, because they serve completely different purposes at completely different points in your CMMC timeline. Confusing them leads to one of two costly mistakes: submitting a self-assessment score you’re not confident in, or assuming a gap assessment alone makes you “compliant” when it doesn’t grant any certification at all.
Self-Assessment — What It Actually Is
A self-assessment is exactly what it sounds like: your organization reviews its own environment against the NIST 800-171 requirements and assigns itself a score, which gets submitted to the Supplier Performance Risk System (SPRS). No outside assessor is required. No certification is issued. It’s an internal attestation that you are reporting honestly on your own compliance posture.
This is the mechanism that satisfies CMMC Phase 1 requirements for Level 1, and for select Level 2 contracts where self-attestation is currently sufficient. It’s faster and cheaper than a formal third-party assessment — but it carries real risk if it’s inaccurate, since you’re putting your own name behind a number that prime contractors and the DoD may rely on.
The risk: self-assessments done without expert review tend to either overstate readiness (because internal teams don’t always know what “fully implemented” actually requires under NIST 800-171) or understate it (because teams don’t know where to find evidence for controls they’ve actually already met). Either error has consequences — an inflated score can surface during a later C3PAO assessment or audit; an understated score can cost you contract eligibility you actually qualified for.
Gap Assessment — What It Actually Is
A gap assessment is an advisory engagement — typically conducted by a compliance advisory firm, not your own internal team — that reviews all 110 controls across the 14 NIST 800-171 control families and tells you, control by control, what’s Met, Not Met, or Not Applicable.
Critically, a gap assessment does not result in certification and isn’t submitted anywhere on your behalf. It’s the diagnostic step that makes everything downstream — your self-assessment score, your remediation plan, your eventual C3PAO readiness — accurate instead of guessed at.
What you walk away with: a control-by-control gap report you can act on directly, and a Plan of Action and Milestones (POA&M) — your remediation roadmap, with every unmet control, the fix required, an owner, and a realistic timeline.
Side-by-Side Comparison
| | Self-Assessment | Gap Assessment |
|---|---|---|
| Who performs it | Your internal team | A compliance advisory firm |
| Results in certification? | No | No |
| Submitted to SPRS? | Yes | No |
| Purpose | Internal attestation of current compliance posture | Diagnostic review to identify gaps and plan remediation |
| Required for | CMMC Phase 1 (Level 1, select Level 2) | Not formally required, but strongly recommended before any self-assessment or C3PAO assessment |
| Typical output | A numeric SPRS score | A control-by-control gap report and POA&M |
How They Actually Work Together
The strongest sequence isn’t “pick one” — it’s running a gap assessment first, then using its findings to submit a more accurate, defensible self-assessment score, and eventually to prepare for the formal C3PAO assessment Phase 2 will require for most CUI-handling contracts.
In practice: a gap assessment surfaces exactly where your real control gaps sit. That informs a far more accurate self-assessment submission to SPRS — instead of an internal team’s best guess. And the same gap report becomes the starting point for remediation work ahead of your eventual formal certification.
Skipping the gap assessment and going straight to self-assessment is how organizations end up with SPRS scores that don’t hold up under scrutiny later — either because they were too generous, or because the team didn’t actually know where their real gaps were.
What This Means for Your Timeline
If Phase 2 (November 10, 2026) applies to your contracts, a gap assessment now is what tells you accurately whether you’re 6 months or 14 months away from being ready for formal C3PAO certification. A self-assessment alone won’t give you that level of diagnostic detail — it tells you your score, not your roadmap.
FAQ
Q: Is a CMMC gap assessment the same as a self-assessment?
A: No. A self-assessment is an internal review your organization conducts and submits to SPRS as a score. A gap assessment is an advisory engagement, typically run by a compliance firm, that produces a detailed control-by-control report and remediation roadmap — it isn’t submitted anywhere and doesn’t result in certification.
Q: Do I need a gap assessment before doing a self-assessment?
A: It’s strongly recommended, though not formally required. A gap assessment surfaces your real control gaps in detail, which produces a far more accurate and defensible self-assessment score than an internal team estimating its own compliance without expert review.
Q: Can a self-assessment result in CMMC certification?
A: No. Self-assessment satisfies specific Phase 1 requirements for Level 1 and select Level 2 contracts through SPRS submission, but it does not constitute formal certification. Formal Level 2 certification requires a third-party assessment by an accredited C3PAO.
Q: What happens to my self-assessment score if it’s inaccurate?
A: An inflated score can be exposed during a later C3PAO assessment or audit, creating credibility and contractual risk. An understated score can cost you contract eligibility you may have actually qualified for. Both outcomes are reasons to ground your self-assessment in a proper gap assessment first.
Q: Who performs a CMMC gap assessment?
A: Compliance advisory firms with NIST 800-171 expertise perform gap assessments. This is distinct from a C3PAO assessment, which can only be conducted by an accredited Certified Third-Party Assessor Organization.




