Mandatory 2026

CMMC 2.0 Self-Assessment Tool

CMMC 2.0 certification is mandatory for DoD subcontractors from 2026. Complete the Yes/No checklist and generate your System Security Plan (SSP) — the required deliverable for contract compliance.

17Level 1 Practices
110Level 2 Practices
SSPAuto-Generated
2026Mandatory Deadline

Company & System Information (for SSP)

Level 1 Assessment — 0 of 17 answered

0%

System Security Plan (SSP)

CMMC 2.0 Level 1 Self-Assessment — SimpleFileTools

System Information

Assessment Results by Practice

Practice ID Domain Practice Status

Next Steps

What is CMMC 2.0?

CMMC Level 1 (17 practices)

Covers Federal Contract Information (FCI). Required under FAR 52.204-21. All contractors receiving DoD contracts must comply — assessed annually via self-assessment.

Mandatory 2026

CMMC Level 2 (110 practices)

Covers Controlled Unclassified Information (CUI). Aligned with NIST SP 800-171. Most contracts involving sensitive technical data require Level 2 certification.

Third-party audit required

What is the SSP?

The System Security Plan documents how your organization meets each CMMC practice. It is a required deliverable — DoD will request it during contract award or audit.

Required document

POAM (Plan of Action)

For any practice you answer "No," you need a Plan of Action & Milestones (POAM) documenting how/when you will remediate. This tool highlights gaps for your POAM.

For all gaps

Penalties for Non-Compliance

Contracts may be cancelled, suspended, or not renewed. False certifications can trigger False Claims Act liability — fines of up to $27,894 per claim plus treble damages.

False Claims Act risk

Key Deadlines

CMMC Level 1 self-assessment required in all new DoD contracts from 2026. Level 2 third-party assessments phased in through 2027. Start preparation now.

Phase-in 2026–2027