Self-Assess or Certify: The New DoD CUI Assessment Split
This show was created with Jellypod, the AI Podcast Studio.
Chapter 1
How the DoD Is Deciding Who Self-Assesses and Who Certifies
Eric Marquette
Hello everyone and welcome back to CMMC Unlocked. I'm Eric Marquette, and today we're digging into the recent split between self-assessment and certification for CMMC Level 2. Ruby, Paul, Roz—lovely to see you all as always. Let’s jump right in: Paul, what's the crux of this new DoD decision about who needs outside certification for Level 2, and who can still self-assess?
Paul Netopski
Thanks, Eric. The Department of Defense has clarified, and honestly, this was overdue, that whether a contractor can self-assess or must undergo a third-party assessment for CMMC Level 2 depends directly on the specific type of Controlled Unclassified Information—CUI—they handle. Specifically, if your CUI is found only in the National Archives and Records Administration CUI Registry—so, not also in the Defense Organizational Index Grouping—you’re eligible for Level 2 self-assessment. But if you’re handling CUI in categories that appear under the Defense Organizational Index Grouping—things like Controlled Technical Information, DoD Critical Infrastructure, Naval Nuclear Propulsion, Unclassified Controlled Nuclear Information—then you need a certified third-party assessment. And let me tell you, this caused quite a stir at Elysian Technology. We had an internal debate last quarter because it wasn’t clear from the contractual language if we were going to fall into the self-assessment bucket or not, simply because the CUI category was ambiguous. Eventually, we mapped it out by going through the NARA Registry and, honestly, a good old-fashioned spreadsheet helped sort it out.
Ruby Sturt
Paul, that’s classic—nothing like a spreadsheet showdown! But that’s the thing, isn’t it? With the changes, you can’t just assume that if you’re handling CUI, you get to pick your path. Now, contractors really have to dig into which registry their CUI is listed under. Eric, I remember last episode we had all that back-and-forth about asset classification with MSSPs—this feels like the same kind of documentation headache, just with higher stakes.
Roz the Rulemaker
Well put, Ruby. From a policy perspective, it’s a classic instance of regulatory precision—sometimes painful but ultimately defensible. The clear linkage to the NARA CUI Registry, and specifically to the Defense Organizational Index Grouping, provides an objective mechanism. That way, both contractors and assessors aren’t left guessing. This reduces the ambiguity at the boundary—at least, in theory—about whether you’re in the “self-attestation” group or require a third-party Certified Assessor Organization. But of course, implementation relies on everyone correctly identifying which CUI categories they actually handle, which is never as simple as it sounds.
Eric Marquette
Absolutely, Roz. And, you know, that approach is a pretty big shift for a lot of organizations, especially smaller contractors. The difference between self-assessment and undergoing a full C3PAO evaluation is significant in terms of cost, time, stress—you name it.
Paul Netopski
Spot on, Eric. And just to knit this together, it’s not only about understanding the types of CUI your organization actually touches; it’s also about documenting that journey. That’s what saved us in the Elysian case. We could show our logic and our traceability from the contract to the CUI category to the registry—kept us out of the crosshairs. But plenty of organizations are going to be surprised when they realize where their CUI lives.
Ruby Sturt
And let’s face it, some of those categories in the Defense Organizational Index Grouping sound almost like plot twists in an action movie. "Naval Nuclear Propulsion"? That’s... yeah, that's not your average workday CUI.
Chapter 2
Why the Decision Isn’t Based on ACAT Categories
Eric Marquette
Now, before this update, a lot of folks thought Acquisition Category—ACAT, right?—would play a role in determining who has to certify and who can self-assess. Paul, why didn’t the DoD just stick with the old ACAT buckets as a line of demarcation?
Paul Netopski
That’s a good one, Eric. Industry really did expect ACAT to be the litmus test. For years, ACAT levels have defined the program significance and oversight based on cost, complexity, and so on, with ACAT I being your major defense acquisition programs, down to ACAT IV for much smaller, typically service-specific efforts. Buuut—that’s not the direction DoD went for CMMC assessments. Here, it’s all about the CUI category alignment to the NARA and Defense Organizational Index, not program spend or oversight level. The ACAT system isn’t tied to information stewardship—it’s tied to programmatic scale. CMMC wanted something more data-centric, I guess you could say.
Roz the Rulemaker
Paul’s got it entirely right. And the regulatory reasoning makes sense if you look under the hood. ACAT categorizations were developed to address oversight based on resource commitment and risk, particularly for major acquisitions, as set out in DoD policies like DoDI 5000.85. Here, the determination is based on the type of information, not cost or program category. I’ve actually seen similar logic in other agencies, where expectations build around one regulatory marker—say, program size—but a rule is crafted around a more targeted concern, like safety or in this case, data sensitivity and national security. It can feel like a curveball for organizations, but it follows from the legislative and risk logic: higher sensitivity data, higher assurance required. So the registry match is now the decisive factor, not ACAT labels.
Ruby Sturt
You know, Roz, that reminds me of a case you talked about in episode four—you compared it to rulemaking surprises at the OMB. I feel like the entire defense sector is constantly waiting for someone to move the regulatory goalposts! But seriously, I reckon a lot of contractors thought “ACAT equals more rules,” and instead, it’s “CUI category equals more rules.” That’s a pretty fundamental reframe for folks, isn’t it?
Roz the Rulemaker
Absolutely, Ruby. And just as we saw in those earlier regulatory pivots, it all comes down to risk alignment. Agencies have to weigh the cost of compliance—think ACAT, program budget—against the risk profile. Here, by aligning to NARA and DoD CUI registries, they’re saying the risk to national security posed by certain types of information trumps the acquisition footprint. So yes, for everyone listening: check your CUI registry more than the program’s ACAT label if you want to know your assessment path.
Eric Marquette
And honestly, Paul, you said “data-centric”, which nails it. This is a real shift from looking at program size to what you actually hold and process as an organization. I imagine some of our listeners might still be wrapping their heads around that distinction.
Paul Netopski
Yeah, and again, this isn’t to say ACAT is meaningless—it's still key to how the DoD manages its purchases and oversight. But for CMMC assessment, it’s the CUI’s presence in those very specific registries that counts. So... not what everyone expected, but more targeted. And if you’re not sure? I’d say, err on the side of checking the registries yourself—don’t just assume.
Chapter 3
Practical Impact: How Contractors Determine Their Path
Ruby Sturt
Alright, let’s talk brass tacks. If you’re listening and you’re a contractor or a subcontractor, how do you know which path you’re on—self-assess or get certified? What do you actually need to do now?
Paul Netopski
The first concrete step is mapping your information assets to the CUI categories in question. You check the NARA CUI Registry—identify all the CUI you process, store, or transmit, and see if any of it falls in the Defense Organizational Index Grouping. If you only handle CUI that's in the NARA registry and not under the Defense OIG—congrats, you’re eligible for self-assessment. But if even one bit falls into those defense-specific buckets—Controlled Technical Info, DoD Critical Infrastructure, and so on—it triggers the requirement for the C3PAO third-party assessment. This applies to both primes and subs; everyone holding CUI has the same obligation. And you have to keep a defensible record of that mapping for audit purposes.
Ruby Sturt
Exactly. And I had a call with a bunch of podcast training newcomers last week. There was this small business owner—probably a dozen staff—who wasn’t sure where they stood. We sat down and went through their contracts, their data flow, and those registry listings. Turned out all their CUI was generic export control info, nothing in the Defense OIG. When they realized they could self-assess instead of pay for a big third-party audit—it was like watching a massive weight drop off their shoulders. And, truthfully, some of ‘em almost missed that step entirely. So the practical upshot is: don’t guess, do the registry homework. It can mean serious resource savings.
Roz the Rulemaker
Ruby, that’s an excellent point and really illustrates a policy’s real-world impact. The mapping process is as much about risk assessment as it is about compliance, and organizations—big and small—should take the time to periodically review their registries, especially as contracts and data flows change. It goes hand-in-hand with what we discussed in episode five about ongoing risk management and documentation. This isn’t a “set it and forget it” exercise—it needs maintenance and periodic review.
Eric Marquette
Absolutely. And keeping records of how you made your determination isn’t just good practice—it might be what saves you during an assessment, or if you’re ever questioned. We keep coming back to documentation: asset inventories, network diagrams, mapping to registries. It’s the underpinning of everything, and probably the most recurring theme through all our episodes.
Paul Netopski
You’re right, Eric. And to bring it full circle—if you’re still unsure after all this, reach out and get the advice. Don’t go it alone, because a misstep here can be expensive and, honestly, damaging to your business prospects with the DoD. If you’re handling CUI, treat your registry mapping as a living document. That’s the only way to stay off the compliance rollercoaster.
Ruby Sturt
We’ll keep cheering you on! And hey, if you ever feel lost, our inbox is open. Paul's got his spreadsheets, I've got my... colour-coded sticky notes. Whatever works, right?
Roz the Rulemaker
Process trumps panic—always. Stay curious, stay thorough, and you’ll be able to navigate these changes. We’re here to guide you through not only the specifics, but the spirit of good compliance.
Eric Marquette
Well, I think that’s the right note to end on for today. This split in self-assessment versus certification is a pivotal change, but if organizations take the time to map, document, and review, they’ll be in good stead. Ruby, Paul, Roz—thanks for joining me and for another sharp round of insights. To all our listeners, thanks for making CMMC Unlocked part of your compliance journey. We'll be back with more CMMC realities and practical guidance soon. Cheers, everyone!
Ruby Sturt
Thanks, Eric—catch ya next time! Paul, Roz, don’t forget to bring your best horror stories, I want more case studies next episode.
Paul Netopski
Always a pleasure. Until next time—stay secure, everyone.
Roz the Rulemaker
Thank you, everyone. Keep those questions coming, and remember—regulatory clarity is just a conversation away. Goodbye, all!
