Most companies in the defense supply chain aren’t trying to cut corners. They’ve had the same IT setup for years, and there’s never been a breach. From where leadership sits, the systems work, the data is secure, and compliance is handled.
This belief, in most cases, is wrong.
Confusing thinking you’re compliant with being able to demonstrate it is one of the more expensive assumptions in the DIB right now. And the shift from self-attestation to third-party verification is what’s turning that assumption into a business risk.
Why Self-Assessment Has Always Had a Ceiling
Under the previous DFARS framework, contractors self-assessed against NIST SP 800-171 and submitted their score to the Supplier Performance Risk System (SPRS). There was no external check. If you scored yourself well, that score stood unless someone had a reason to question it.
The DoD found plenty of reasons to question it. Internal audits and DIBCAC assessments conducted over several years consistently found a gap between self-reported scores and independently verified ones. The Defense Contract Audit Agency has documented cases where contractors submitted scores in the high nineties while third-party reviewers found scores that were deeply negative. Under the NIST 800-171 scoring methodology, every unmet control is subtracted from the total, so a company with many unmet requirements can end up with a heavily negative score.
Self-assessment is a poor instrument for this kind of evaluation, and not because defense contractors are dishonest. The people doing the scoring are usually too close to the systems to see the gaps, and the 110 controls in NIST 800-171 require interpretive judgment that internal teams without specific training routinely get wrong. Encrypting laptops satisfies a control in spirit but may not satisfy it in the way an assessor reads the requirement. That discrepancy, repeated across dozens of controls, is how a company that genuinely believes it’s at 95% ends up assessed at 60%.
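The gap between "95% of controls met" and a deeply negative score comes from the weighting. The following is an added example, not from the original article, that scores a set of NIST SP 800-171 results the way the DoD Assessment Methodology does (start at 110, subtract 5, 3 or 1 per unmet requirement, with partial credit only for 3.5.3 and 3.13.11) and contrasts it with the unweighted percentage a self-assessment tends to report. The 110-control set and its tier split are constructed placeholders, not the real weight table.

```python
# Added example, not from the article: score NIST SP 800-171 results the way the
# DoD Assessment Methodology (the SPRS number) does, and compare it with the
# unweighted "percent of controls met" a self-assessment tends to report.
# Rules modelled: start at 110, subtract each unmet control's weight (5, 3 or 1);
# partial credit (3 off instead of 5) exists only for 3.5.3 (MFA) and 3.13.11
# (FIPS-validated crypto). The control set below is constructed, not the real table.
from dataclasses import dataclass

MAX_SCORE = 110
PARTIAL_CREDIT_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

@dataclass(frozen=True)
class ControlResult:
    control: str  # NIST SP 800-171 requirement id (or constructed placeholder)
    weight: int   # 5, 3 or 1
    status: str   # "met", "partial" or "not_met"

def sprs_score(results):
    """Weighted score: every unmet requirement is subtracted from 110."""
    score = MAX_SCORE
    for r in results:
        if r.status == "met":
            continue
        if r.status == "partial" and r.control in PARTIAL_CREDIT_DEDUCTION:
            score -= PARTIAL_CREDIT_DEDUCTION[r.control]
        else:
            # Any other partial implementation scores as not implemented.
            score -= r.weight
    return score

def percent_met(results):
    """Unweighted coverage, the figure internal teams usually quote."""
    return round(100 * sum(r.status == "met" for r in results) / len(results))

def constructed_sample(unmet_high=0, unmet_mid=0, unmet_low=0, mfa="met"):
    """110 constructed controls: 3.5.3 plus 39 other 5-point, 20 3-point and
    50 1-point placeholders (tier split is made up); first n of each tier unmet."""
    results = [ControlResult("3.5.3", 5, mfa)]
    for weight, count, unmet in ((5, 39, unmet_high), (3, 20, unmet_mid), (1, 50, unmet_low)):
        for i in range(count):
            status = "not_met" if i < unmet else "met"
            results.append(ControlResult(f"sample-{weight}pt-{i:02d}", weight, status))
    return results

if __name__ == "__main__":
    # 93% met with heavy misses and partial MFA -> 74; 59% met -> -79.
    for r in (constructed_sample(6, 1, mfa="partial"), constructed_sample(30, 10, 4, mfa="not_met")):
        print(percent_met(r), sprs_score(r))
```

A shop that counts controls sees 93% coverage in the first case; the weighted score is 74, and once the misses pile up in the 5-point tier the same count-based view (59%) hides a score of -79.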
What CMMC Level 2 Actually Requires
In the engagements we’ve run, contractors arrive expecting to score in the high 80s and assess in the 30s and 40s. The pattern is consistent enough that it’s no longer surprising.
CMMC Level 2, which applies to any contractor handling Controlled Unclassified Information, removes the self-attestation option for most companies. It requires a third-party assessment conducted by a C3PAO, a CMMC Third-Party Assessment Organization, and that assessment must result in a certification before the contractor can be awarded or renewed on covered contracts. Phase 2 enforcement begins November 10, 2026, which sounds distant until you account for how long remediation actually takes.
For a company that has never had an external review, the path to certification isn’t linear. Assessors check documentation, but they also verify that controls are implemented, operating consistently, and producing the artifacts that prove they work. An SSP that was written three years ago and hasn’t been updated since proves only that documentation exists, not that it reflects how the environment actually operates.
The Assumption That Doesn’t Survive Contact with a Deadline
Companies often point to years of operating the same way without a major incident and read that track record as validation. The logic runs: if the systems were genuinely insecure, something would have gone wrong by now.
That reasoning doesn’t hold up under CMMC, for two reasons.
The first is that absence of a known incident isn’t the same as absence of risk. A significant portion of state-sponsored intrusions goes undetected for months or years. The 2024 CISA advisory on Volt Typhoon documented cases in U.S. critical infrastructure where threat actors maintained persistent access for years without triggering alerts. The defense supply chain operates against the same adversaries with similar tradecraft. The absence of a known incident doesn’t tell you whether you’d notice one.
The second is that CMMC assessments aren’t about whether you’ve been attacked. They’re about whether your controls meet a defined standard. A company that has never had a breach but also doesn’t have multi-factor authentication on privileged accounts, lacks a documented incident response plan, or can’t demonstrate that access is reviewed and revoked when employees leave will fail specific controls regardless of its incident history. Assessors are not asking whether your company has been secure enough. They are asking whether your company meets the requirement. Those are different questions, and only the second one decides whether you keep the contract.
What Changes When an Outside Set of Eyes Shows Up
The value of a gap analysis, before a formal assessment, is that it answers that second question on your timeline rather than the assessor’s. A structured review against the 110 NIST 800-171 controls identifies which requirements are fully met, which are partially implemented, which exist only on paper, and which aren’t addressed at all. That picture is usually more complicated than internal teams expect, and almost always more actionable than they feared.
The other thing a proper gap analysis produces is an interim SPRS score. That score reflects your actual posture, not your best estimate of it, and it gives you something concrete to send to a prime who asks. Companies that have had this work done can respond to compliance requests with specifics. Companies that haven’t are still working from assumptions.
Most of the defense contractors we work with aren’t starting from zero. They have security controls in place, and some of them are well implemented. The issue is documentation, consistency, and the specific requirements that haven’t been addressed because nobody mapped their environment against the full list. Closing those gaps is usually more involved than people expect before they see that full list, and it needs to start before the assessment clock is running.
See Your Real Starting Point
IT-VA’s Security Gap Analysis maps your environment against CMMC Level 2 requirements, baselines your SPRS score, and produces a prioritized remediation plan, the documented starting point that every certification path needs. Our team includes CMMC Registered Practitioners, so the output is something primes and assessors will recognize.