- § 170.14 - CMMC Model.
- § 170.15 - CMMC Level 1 self-assessment and affirmation requirements.
- § 170.16 - CMMC Level 2 self-assessment and affirmation requirements.
- § 170.17 - CMMC Level 2 certification assessment and affirmation requirements.
- § 170.18 - CMMC Level 3 certification assessment and affirmation requirements.
- § 170.19 - CMMC scoping.
- § 170.20 - Standards acceptance.
- § 170.21 - Plan of Action and Milestones requirements.
- § 170.22 - Affirmation.
- § 170.23 - Application to subcontractors.
- § 170.24 - CMMC Scoring Methodology.
- Appendix A to Part 170—Guidance
§ 170.14 - CMMC Model.
(a) Overview. The CMMC Model incorporates the security requirements from:
(1) 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems;
(2) NIST SP 800-171 R2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (incorporated by reference, see § 170.2); and
(3) Selected security requirements from NIST SP 800-172 Feb2021, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (incorporated by reference, see § 170.2).
(b) CMMC domains. The CMMC Model consists of domains that map to the Security Requirement Families defined in NIST SP 800-171 R2 (incorporated by reference, see § 170.2).
(c) CMMC level requirements. CMMC Levels 1-3 utilize the safeguarding requirements and security requirements specified in 48 CFR 52.204-21 (for Level 1), NIST SP 800-171 R2 (incorporated by reference, see § 170.2) (for Level 2), and selected security requirements from NIST SP 800-172 Feb2021 (incorporated by reference, see § 170.2) (for Level 3). This paragraph discusses the numbering scheme and the security requirements for each level.
(1) Numbering. Each security requirement has an identification number in the format—DD.L#-REQ—where:
(i) DD is the two-letter domain abbreviation;
(ii) L# is the CMMC level number; and
(iii) REQ is the 48 CFR 52.204-21 paragraph number, NIST SP 800-171 R2 requirement number, or NIST SP 800-172 Feb2021 requirement number.
(2) CMMC Level 1 security requirements. The security requirements in CMMC Level 1 are those set forth in 48 CFR 52.204-21(b)(1)(i) through (xv).
(3) CMMC Level 2 security requirements. The security requirements in CMMC Level 2 are identical to the requirements in NIST SP 800-171 R2.
(4) CMMC Level 3 security requirements. The security requirements in CMMC Level 3 are selected from NIST SP 800-172 Feb2021, and where applicable, Organization-Defined Parameters (ODPs) are assigned. Table 1 to this paragraph identifies the selected requirements and applicable ODPs that represent the CMMC Level 3 security requirements. ODPs for the NIST SP 800-172 Feb2021 requirements are italicized, where applicable:
Table 1 to § 170.14(c)(4)

| Security requirement No.* | CMMC Level 3 security requirements (selected NIST SP 800-172 Feb2021 security requirement with DoD ODPs italicized) |
|---|---|
| (i) AC.L3-3.1.2e | Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization. |
| (ii) AC.L3-3.1.3e | Employ |
| (iii) AT.L3-3.2.1e | Provide awareness training |
| (iv) AT.L3-3.2.2e | Include practical exercises in awareness training for |
| (v) CM.L3-3.4.1e | Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components. |
| (vi) CM.L3-3.4.2e | Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, |
| (vii) CM.L3-3.4.3e | Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components. |
| (viii) IA.L3-3.5.1e | Identify and authenticate |
| (ix) IA.L3-3.5.3e | Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile. |
| (x) IR.L3-3.6.1e | Establish and maintain a security operations center capability that operates |
| (xi) IR.L3-3.6.2e | Establish and maintain a cyber-incident response team that can be deployed by the organization within |
| (xii) PS.L3-3.9.2e | Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI. |
| (xiii) RA.L3-3.11.1e | Employ |
| (xiv) RA.L3-3.11.2e | Conduct cyber threat hunting activities |
| (xv) RA.L3-3.11.3e | Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components. |
| (xvi) RA.L3-3.11.4e | Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination. |
| (xvii) RA.L3-3.11.5e | Assess the effectiveness of security solutions |
| (xviii) RA.L3-3.11.6e | Assess, respond to, and monitor supply chain risks associated with organizational systems and system components. |
| (xix) RA.L3-3.11.7e | Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan |
| (xx) CA.L3-3.12.1e | Conduct penetration testing |
| (xxi) SC.L3-3.13.4e | Employ |
| (xxii) SI.L3-3.14.1e | Verify the integrity of |
| (xxiii) SI.L3-3.14.3e | Ensure that |
| (xxiv) SI.L3-3.14.6e | Use threat indicator information and effective mitigations obtained from, |

* Roman numerals in parentheses before the Security Requirement are for numbering purposes only. The numerals are not part of the naming convention for the requirement.
(d) Implementation. Assessment of security requirements is prescribed by NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800-172A Mar2022 (incorporated by reference, see § 170.2). Descriptive text in these documents supports OSA implementation of the security requirements and uses the terms organization-defined and periodically. Except where referring to Organization-Defined Parameters (ODPs), organization-defined means as determined by the OSA. Periodically means occurring at regular intervals. As used in many requirements within CMMC, the interval length is organization-defined to provide contractor flexibility, with an interval length of no more than one year.
§ 170.15 - CMMC Level 1 self-assessment and affirmation requirements.
(a) Level 1 self-assessment. To comply with CMMC Level 1 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 1 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of Final Level 1 (Self).
(1) Level 1 self-assessment requirements. The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No POA&Ms are permitted for CMMC Level 1. The OSA must conduct a self-assessment in accordance with the procedures set forth in § 170.15(c)(1) and submit assessment results in SPRS. To maintain compliance with the requirements for the CMMC Status of Final Level 1 (Self), the OSA must conduct a Level 1 self-assessment on an annual basis and submit the results in SPRS, or its successor capability.
(i) Inputs to SPRS. The Level 1 self-assessment results in the Supplier Performance Risk System (SPRS) shall include, at minimum, the following items:
(A) CMMC Level.
(B) CMMC Status Date.
(C) CMMC Assessment Scope.
(D) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.
(E) Compliance result.
(ii) [Reserved]
(2) Affirmation. Affirmation of the Level 1 (Self) CMMC Status is required for all Level 1 self-assessments. Affirmation procedures are set forth in § 170.22.
(b) Contract eligibility. Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 1 (Self), OSAs must both achieve a CMMC Status of Level 1 (Self) and have submitted an affirmation of compliance into SPRS for all information systems within the CMMC Assessment Scope.
(c) Procedures—(1) Level 1 self-assessment. The OSA must conduct a Level 1 self-assessment scored in accordance with the CMMC Scoring Methodology described in § 170.24. The Level 1 self-assessment must be performed in accordance with the CMMC Level 1 scope requirements set forth in § 170.19(a) and (b) and the following:
(i) The Level 1 self-assessment must be performed using the objectives defined in NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) for the security requirement that maps to the CMMC Level 1 security requirement as specified in table 2 to paragraph (c)(1)(ii) of this section. In any case where an objective addresses CUI, FCI should be substituted for CUI in the objective.
(ii) Mapping table for CMMC Level 1 security requirements to the NIST SP 800-171A Jun2018 objectives.
Table 2 to § 170.15

| CMMC Level 1 security requirements as set forth in § 170.14(c)(2) | NIST SP 800-171A Jun2018 requirement |
|---|---|
| AC.L1-b.1.i | 3.1.1 |
| AC.L1-b.1.ii | 3.1.2 |
| AC.L1-b.1.iii | 3.1.20 |
| AC.L1-b.1.iv | 3.1.22 |
| IA.L1-b.1.v | 3.5.1 |
| IA.L1-b.1.vi | 3.5.2 |
| MP.L1-b.1.vii | 3.8.3 |
| PE.L1-b.1.viii | 3.10.1 |
| First phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.3 |
| Second phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.4 |
| Third phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.5 |
| SC.L1-b.1.x | 3.13.1 |
| SC.L1-b.1.xi | 3.13.5 |
| SI.L1-b.1.xii | 3.14.1 |
| SI.L1-b.1.xiii | 3.14.2 |
| SI.L1-b.1.xiv | 3.14.4 |
| SI.L1-b.1.xv | 3.14.5 |

* Three of the 48 CFR 52.204-21 requirements were broken apart by “phrase” when NIST SP 800-171 R2 was developed.
(iii) Additional guidance can be found in the guidance document listed in paragraph (b) of appendix A to this part.
(2) Artifact retention. The artifacts used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.
§ 170.16 - CMMC Level 2 self-assessment and affirmation requirements.
(a) Level 2 self-assessment. To comply with Level 2 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 2 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 2 (Self). Achieving a CMMC Status of Level 2 (Self) also satisfies the requirements for a CMMC Status of Level 1 (Self) detailed in § 170.15 for the same CMMC Assessment Scope.
(1) Level 2 self-assessment requirements. The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(3) to achieve the CMMC Status of Level 2 (Self). The OSA must conduct a self-assessment in accordance with the procedures set forth in paragraph (c)(1) of this section and submit assessment results in Supplier Performance Risk System (SPRS). To maintain compliance with the requirements for a CMMC Status of Level 2 (Self), the OSA must conduct a Level 2 self-assessment every three years and submit the results in SPRS, within three years of the CMMC Status Date associated with the Conditional Level 2 (Self).
(i) Inputs to SPRS. The Level 2 self-assessment results in the SPRS shall include, at minimum, the following information:
(A) CMMC Level.
(B) CMMC Status Date.
(C) CMMC Assessment Scope.
(D) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.
(E) Overall Level 2 self-assessment score (e.g., 105 out of 110).
(F) POA&M usage and compliance status, if applicable.
(ii) Conditional Level 2 (Self). The OSA has achieved the CMMC Status of Conditional Level 2 (Self) if the Level 2 self-assessment results in a POA&M and the POA&M meets all the CMMC Level 2 POA&M requirements listed in § 170.21(a)(2).
(A) Plan of Action and Milestones. A Level 2 POA&M is allowed only in accordance with the CMMC POA&M requirements listed in § 170.21.
(B) POA&M closeout. The OSA must remediate any NOT MET requirements, must perform a POA&M closeout self-assessment, and must post compliance results to SPRS within 180 days of the CMMC Status Date associated with the Conditional Level 2 (Self). If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional Level 2 (Self) CMMC Status for the information system will expire. If Conditional Level 2 (Self) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSA will be ineligible for additional awards with a requirement for the CMMC Status of Level 2 (Self), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
(iii) Final Level 2 (Self). The OSA has achieved the CMMC Status of Final Level 2 (Self) if the Level 2 self-assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial self-assessment or as the result of a POA&M closeout self-assessment, as applicable.
(iv) CMMC Status investigation. The DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 48 CFR 252.204-7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSA will be ineligible for additional awards with CMMC Status requirement of Level 2 (Self), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
(2) Affirmation. Affirmation of the Level 2 (Self) CMMC Status is required for all Level 2 self-assessments at the time of each assessment, and annually thereafter. Affirmation procedures are set forth in § 170.22.
(b) Contract eligibility. Prior to award of any contract or subcontract with requirement for CMMC Status of Level 2 (Self), the following two requirements must be met:
(1) The OSA must achieve, as specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 2 (Self) or Final Level 2 (Self).
(2) The OSA must submit an affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.
(c) Procedures—(1) Level 2 self-assessment of the OSA. The OSA must conduct a Level 2 self-assessment in accordance with NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) and the CMMC Level 2 scoping requirements set forth in § 170.19(a) and (c) for the information systems within the CMMC Assessment Scope. The Level 2 self-assessment must be scored in accordance with the CMMC Scoring Methodology described in § 170.24 and the OSA must upload the results into SPRS. If a POA&M exists, a POA&M closeout self-assessment must be performed by the OSA when all NOT MET requirements have been remediated. The POA&M closeout self-assessment must be performed within 180 days of the Conditional CMMC Status Date. Additional guidance can be found in the guidance document listed in paragraph (c) of appendix A to this part.
(2) Level 2 self-assessment with the use of Cloud Service Provider (CSP). An OSA may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (Self) under the following circumstances:
(i) The CSP product or service offering is FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or
(ii) The CSP product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. FedRAMP Moderate or FedRAMP Moderate equivalent is in accordance with DoD Policy.
(iii) In accordance with § 170.19(c)(2), the OSA's on-premises infrastructure connecting to the CSP's product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the Customer Responsibility Matrix (CRM) must be documented or referred to in the OSA's System Security Plan (SSP).
(3) Level 2 self-assessment with the use of an External Service Provider (ESP), not a CSP. An OSA may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (Self) under the following circumstances:
(i) The use of the ESP, its relationship to the OSA, and the services provided are documented in the OSA's SSP and described in the ESP's service description and CRM.
(ii) The ESP services used to meet OSA requirements are assessed within the scope of the OSA's assessment against all Level 2 security requirements.
(iii) In accordance with § 170.19(c)(2), the OSA's on-premises infrastructure connecting to the ESP's product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSA's SSP.
(4) Artifact retention. The artifacts used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.
§ 170.17 - CMMC Level 2 certification assessment and affirmation requirements.
(a) Level 2 certification assessment. To comply with Level 2 certification assessment requirements, the OSC must meet the requirements set forth in paragraphs (a)(1) and (2) of this section. An OSC undergoes a Level 2 certification assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 2 (C3PAO). Achieving a CMMC Status of Level 2 (C3PAO) also satisfies the requirements for the CMMC Statuses of Level 1 (Self) and Level 2 (Self) set forth in §§ 170.15 and 170.16 respectively for the same CMMC Assessment Scope.
(1) Level 2 certification assessment requirements. The OSC must complete and achieve a MET result for all security requirements specified in § 170.14(c)(3) to achieve the CMMC Status of Level 2 (C3PAO). The OSC must obtain a Level 2 certification assessment from an authorized or accredited C3PAO following the procedures outlined in paragraph (c) of this section. The C3PAO must submit the Level 2 certification assessment results into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS. To maintain compliance with the requirements for a CMMC Status of Level 2 (C3PAO), the Level 2 certification assessment must be completed within three years of the CMMC Status Date associated with the Conditional Level 2 (C3PAO).
(i) Inputs into the CMMC instantiation of eMASS. The Level 2 certification assessment results input into the CMMC instantiation of eMASS shall include, at minimum, the following information:
(A) Date and level of the assessment.
(B) C3PAO name.
(C) Assessment unique identifier.
(D) For each Assessor conducting the assessment, name and business contact information.
(E) All industry CAGE codes associated with the information systems addressed by the CMMC Assessment Scope.
(F) The name, date, and version of the SSP.
(G) CMMC Status Date.
(H) Assessment result for each requirement objective.
(I) POA&M usage and compliance, as applicable.
(J) List of the artifact names, the return value of the hashing algorithm, and the hashing algorithm used.
(ii) Conditional Level 2 (C3PAO). The OSC has achieved the CMMC Status of Conditional Level 2 (C3PAO) if the Level 2 certification assessment results in a POA&M and the POA&M meets all CMMC Level 2 POA&M requirements listed in § 170.21(a)(2).
(A) Plan of Action and Milestones. A Level 2 POA&M is allowed only in accordance with the CMMC POA&M requirements listed in § 170.21.
(B) POA&M closeout. The OSC must remediate any NOT MET requirements, must undergo a POA&M closeout certification assessment from a C3PAO, and the C3PAO must post compliance results into the CMMC instantiation of eMASS within 180 days of the CMMC Status Date associated with the Conditional Level 2 (C3PAO). If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional Level 2 (C3PAO) CMMC Status for the information system will expire. If Conditional Level 2 (C3PAO) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with a requirement for the CMMC Status of Level 2 (C3PAO), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
(iii) Final Level 2 (C3PAO). The OSC has achieved the CMMC Status of Final Level 2 (C3PAO) if the Level 2 certification assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial certification assessment or as the result of a POA&M closeout certification assessment, as applicable.
(iv) CMMC Status investigation. The DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSC, as provided for under the 48 CFR 252.204-7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSC will be ineligible for additional awards with CMMC Status requirement of Level 2 (C3PAO), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
(2) Affirmation. Affirmation of the Level 2 (C3PAO) CMMC Status is required for all Level 2 certification assessments at the time of each assessment, and annually thereafter. Affirmation procedures are provided in § 170.22.
(b) Contract eligibility. Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO), the following two requirements must be met:
(1) The OSC must achieve, as specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO).
(2) The OSC must submit an affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.
(c) Procedures—(1) Level 2 certification assessment of the OSC. An authorized or accredited C3PAO must perform a Level 2 certification assessment in accordance with NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) and the CMMC Level 2 scoping requirements set forth in § 170.19(a) and (c) for the information systems within the CMMC Assessment Scope. The Level 2 certification assessment must be scored in accordance with the CMMC Scoring Methodology described in § 170.24 and the C3PAO must upload the results into the CMMC instantiation of eMASS. Final results are communicated to the OSC through a CMMC Assessment Findings Report.
(2) Security requirement re-evaluation. A security requirement that is NOT MET (as defined in § 170.24) may be re-evaluated during the course of the Level 2 certification assessment and for 10 business days following the active assessment period if all of the following conditions exist:
(i) Additional evidence is available to demonstrate the security requirement has been MET;
(ii) The re-evaluation cannot change or limit the effectiveness of other requirements that have been scored MET; and
(iii) The CMMC Assessment Findings Report has not been delivered.
(3) POA&M. If a POA&M exists, a POA&M closeout certification assessment must be performed by a C3PAO within 180 days of the Conditional CMMC Status Date. Additional guidance can be found in § 170.21 and in the guidance document listed in paragraph (c) of appendix A to this part.
(4) Artifact retention and integrity. The hashed artifacts used as evidence for the assessment must be retained by the OSC for six (6) years from the CMMC Status Date. To ensure that the artifacts have not been altered, the OSC must hash the artifact files using a NIST-approved hashing algorithm. The OSC must provide the C3PAO with a list of the artifact names, the return value of the hashing algorithm, and the hashing algorithm for upload into the CMMC instantiation of eMASS. Additional guidance for hashing artifacts can be found in the guidance document listed in paragraph (h) of appendix A to this part.
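The hashing requirement in paragraph (c)(4) is the one mechanical step in this section that an OSC has to get right on its own: each artifact file is digested with an approved algorithm, and the artifact name, the digest value, and the algorithm name go to the C3PAO for entry into eMASS, so that six years later the retained file can be re-hashed and shown to match. The script below is an added example and is not part of the rule or of any DoD or Cyber AB guidance; it assumes SHA-256 as the approved algorithm (the approved set it enforces, SHA-2 and SHA-3 with SHA-1 and MD5 rejected, is the author's assumption), and the artifact file names and contents it creates are constructed for the demonstration.

```python
"""Build and later verify an artifact hash manifest (added example, not DoD code)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: treat the FIPS 180-4 SHA-2 and FIPS 202 SHA-3 families as the
# NIST-approved digests; SHA-1 and MD5 are deliberately not accepted here.
APPROVED_ALGORITHMS = {
    "sha224", "sha256", "sha384", "sha512",
    "sha3_224", "sha3_256", "sha3_384", "sha3_512",
}
DEFAULT_ALGORITHM = "sha256"


def is_approved_algorithm(algorithm: str) -> bool:
    return algorithm.lower() in APPROVED_ALGORITHMS


def hash_bytes(data: bytes, algorithm: str = DEFAULT_ALGORITHM) -> str:
    """Hex digest of in-memory data; convenient for known-answer checks."""
    if not is_approved_algorithm(algorithm):
        raise ValueError(f"{algorithm} is not an approved artifact hashing algorithm")
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: Path, algorithm: str = DEFAULT_ALGORITHM) -> str:
    """Stream the file through the digest so large artifacts do not have to fit in memory."""
    if not is_approved_algorithm(algorithm):
        raise ValueError(f"{algorithm} is not an approved artifact hashing algorithm")
    digest = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(artifact_dir: Path, algorithm: str = DEFAULT_ALGORITHM) -> dict:
    """The three items the rule asks for per artifact: name, digest value, algorithm used."""
    entries = [
        {"name": p.relative_to(artifact_dir).as_posix(), "hash": hash_file(p, algorithm)}
        for p in artifact_dir.rglob("*")
        if p.is_file()
    ]
    entries.sort(key=lambda e: e["name"])  # deterministic order for diffing manifests
    return {"algorithm": algorithm, "artifacts": entries}


def verify_manifest(artifact_dir: Path, manifest: dict) -> dict:
    """Re-hash every listed artifact with the recorded algorithm.

    Returns name -> 'ok' | 'modified' | 'missing'. A match only shows the file is
    unchanged since the manifest was made, not that its content was adequate evidence.
    """
    results = {}
    for entry in manifest["artifacts"]:
        path = artifact_dir / entry["name"]
        if not path.is_file():
            results[entry["name"]] = "missing"
        elif hash_file(path, manifest["algorithm"]) != entry["hash"]:
            results[entry["name"]] = "modified"
        else:
            results[entry["name"]] = "ok"
    return results


def demo() -> tuple:
    """Constructed sample run: two artifacts, one edited after the manifest was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ssp").mkdir()
        (root / "ssp" / "SSP-v1.2.pdf").write_bytes(b"constructed sample SSP content\n")
        policy = root / "AC.L2-3.1.1-access-control-policy.docx"
        policy.write_bytes(b"constructed sample policy content\n")
        manifest = build_manifest(root)           # what the OSC hands to the C3PAO
        before = verify_manifest(root, manifest)  # every artifact 'ok'
        policy.write_bytes(b"edited after the assessment\n")
        after = verify_manifest(root, manifest)   # the policy is now 'modified'
        return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("at assessment:", before)
    print("years later:  ", after)
```

Keep the manifest itself somewhere the artifact owner cannot quietly rewrite it (the copy uploaded to eMASS serves that purpose); a digest only proves that the file later presented is the file that was hashed, so the algorithm name must travel with the digest, and a hash computed over a renamed or re-exported copy will not match.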
(5) Level 2 certification assessment with the use of Cloud Service Provider (CSP). An OSC may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO) under the following circumstances:
(i) The CSP product or service offering is FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or
(ii) The CSP product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. FedRAMP Moderate or FedRAMP Moderate equivalent is in accordance with DoD Policy.
(iii) In accordance with § 170.19(c)(2), the OSC's on-premises infrastructure connecting to the CSP's product or service offering is part of the CMMC Assessment Scope. As such, the security requirements from the CRM must be documented or referred to in the OSC's SSP.
(6) Level 2 certification assessment with the use of an External Service Provider (ESP), not a CSP. An OSA may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO) under the following circumstances:
(i) The use of the ESP, its relationship to the OSA, and the services provided are documented in the OSA's SSP and described in the ESP's service description and customer responsibility matrix.
(ii) The ESP services used to meet OSA requirements are assessed within the scope of the OSA's assessment against all Level 2 security requirements.
(iii) In accordance with § 170.19(c)(2), the OSA's on-premises infrastructure connecting to the ESP's product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSA's SSP.
§ 170.18 - CMMC Level 3 certification assessment and affirmation requirements.
(a) Level 3 certification assessment. To comply with Level 3 certification assessment requirements, the OSC must meet the requirements set forth in paragraphs (a)(1) and (2) of this section. An OSC undergoes a Level 3 certification assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 3 (DIBCAC). A CMMC Status of Final Level 2 (C3PAO) for information systems within the Level 3 CMMC Assessment Scope is a prerequisite to undergo a Level 3 certification assessment. CMMC Level 3 recertification likewise requires a new CMMC Level 2 certification assessment as a prerequisite. Achieving a CMMC Status of Level 3 (DIBCAC) also satisfies the requirements for CMMC Statuses of Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO) set forth in §§ 170.15 through 170.17 respectively for the same CMMC Assessment Scope.
(1) Level 3 certification assessment requirements. The OSC must achieve a CMMC Status of Final Level 2 (C3PAO) on the Level 3 CMMC Assessment Scope, as defined in § 170.19(d), prior to initiating a Level 3 certification assessment, which will be performed by DCMA DIBCAC (www.dcma.mil/DIBCAC) on behalf of the DoD. The OSC must complete and achieve a MET result for all security requirements specified in table 1 to § 170.14(c)(4) to achieve the CMMC Status of Level 3 (DIBCAC). DCMA DIBCAC will submit the Level 3 certification assessment results into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS. To maintain compliance with the requirements for a CMMC Status of Level 3 (DIBCAC), the Level 3 certification assessment must be performed every three years for all information systems within the Level 3 CMMC Assessment Scope. In addition, given that compliance with Level 2 requirements is a prerequisite for applying for CMMC Level 3, a Level 2 (C3PAO) certification assessment must also be conducted every three years to maintain CMMC Level 3 (DIBCAC) status. The Level 3 certification assessment must be completed within three years of the CMMC Status Date associated with the Final Level 3 (DIBCAC) or, if there was a POA&M, then within three years of the CMMC Status Date associated with the Conditional Level 3 (DIBCAC).
(i) Inputs into the CMMC instantiation of eMASS. The Level 3 certification assessment results input into the CMMC instantiation of eMASS shall include, at minimum, the following items:
(A) Date and level of the assessment.
(B) For each Assessor conducting the assessment, name and government organization information.
(C) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.
(D) The name, date, and version of the system security plan(s) (SSP).
(E) CMMC Status Date.
(F) Result for each security requirement objective.
(G) POA&M usage and compliance, as applicable.
(H) List of the artifact names, the return value of the hashing algorithm, and the hashing algorithm used.
(ii) Conditional Level 3 (DIBCAC). The OSC has achieved the CMMC Status of Conditional Level 3 (DIBCAC) if the Level 3 certification assessment results in a POA&M and the POA&M meets all CMMC Level 3 POA&M requirements listed in § 170.21(a)(3).
(A) Plan of Action and Milestones. A Level 3 POA&M is allowed only in accordance with the CMMC POA&M requirements listed in § 170.21.
(B) POA&M closeout. The OSC must remediate any NOT MET requirements, must undergo a POA&M closeout certification assessment from DCMA DIBCAC, and DCMA DIBCAC must post compliance results into the CMMC instantiation of eMASS within 180 days of the CMMC Status Date associated with the Conditional Level 3 (DIBCAC). If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional Level 3 (DIBCAC) CMMC Status for the information system will expire. If Conditional Level 3 (DIBCAC) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with a requirement for the CMMC Status of Level 3 (DIBCAC) for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
(iii) Final Level 3 (DIBCAC). The OSC has achieved the CMMC Status of Final Level 3 (DIBCAC) if the Level 3 certification assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial certification assessment or as the result of a POA&M closeout certification assessment, as applicable.
(iv) CMMC Status investigation. The DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSC, as provided for under the 48 CFR 252.204-7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSC will be ineligible for additional awards with CMMC Status requirement of Level 3 (DIBCAC) for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
(2) Affirmation. Affirmation of the Level 3 (DIBCAC) CMMC Status is required for all Level 3 certification assessments at the time of each assessment, and annually thereafter. Affirmation procedures are provided in § 170.22.
(b) Contract eligibility. Prior to award of any contract or subcontract with requirement for CMMC Status of Level 3 (DIBCAC), the following two requirements must be met:
(1) The OSC must achieve, as specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC).
(2) The OSC must submit an affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.
(c) Procedures—(1) Level 3 certification assessment of the OSC. The CMMC Level 3 certification assessment process includes:
(i) Final Level 2 (C3PAO). The OSC must achieve a CMMC Status of Final Level 2 (C3PAO) for information systems within the Level 3 CMMC Assessment Scope prior to the CMMC Level 3 certification assessment. The CMMC Assessment Scope for the Level 3 certification assessment must be equal to, or a subset of, the CMMC Assessment Scope associated with the OSC's Final Level 2 (C3PAO). Asset requirements differ for each CMMC Level. Scoping differences are set forth in § 170.19.
(ii) Initiating the Final Level 3 (DIBCAC). The OSC (including ESPs that voluntarily elect to undergo a Level 3 certification assessment) initiates a Level 3 certification assessment by emailing a request to DCMA DIBCAC point of contact found at www.dcma.mil/DIBCAC. The request must include the Level 2 certification assessment unique identifier. DCMA DIBCAC will validate the OSC has achieved a CMMC Status of Level 2 (C3PAO) and will contact the OSC to schedule their Level 3 certification assessment.
(iii) Conducting the Final Level 3 (DIBCAC). DCMA DIBCAC will perform a Level 3 certification assessment in accordance with NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800-172A Mar2022 (incorporated by reference, see § 170.2) and the CMMC Level 3 scoping requirements set forth in § 170.19(d) for the information systems within the CMMC Assessment Scope. The Level 3 certification assessment will be scored in accordance with the CMMC Scoring Methodology set forth in § 170.24 and DCMA DIBCAC will upload the results into the CMMC instantiation of eMASS. Final results are communicated to the OSC through a CMMC Assessment Findings Report. For assets that changed asset category (i.e., CRMA to CUI Asset) or assessment requirements (i.e., Specialized Assets) between the Level 2 and Level 3 certification assessments, DCMA DIBCAC will perform limited checks of Level 2 security requirements. If the OSC had these upgraded asset categories included in their Level 2 certification assessment, then DCMA DIBCAC may still perform limited checks for compliance. If DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, the Level 3 assessment process may be paused to allow for remediation, placed on hold, or immediately terminated.
(2) Security requirement re-evaluation. A security requirement that is NOT MET (as defined in § 170.24) may be re-evaluated during the course of the Level 3 certification assessment and for 10 business days following the active assessment period if all of the following conditions exist:
(i) Additional evidence is available to demonstrate the security requirement has been MET;
(ii) The additional evidence does not materially impact previously assessed security requirements; and
(iii) The CMMC Assessment Findings Report has not been delivered.
(3) POA&M. If a POA&M exists, a POA&M closeout certification assessment will be performed by DCMA DIBCAC within 180 days of the Conditional CMMC Status Date. Additional guidance is located in § 170.21 and in the guidance document listed in paragraph (d) of appendix A to this part.
(4) Artifact retention and integrity. The hashed artifacts used as evidence for the assessment must be retained by the OSC for six (6) years from the CMMC Status Date. To ensure that the artifacts have not been altered, the OSC must hash the artifact files using a NIST-approved hashing algorithm. Assessors will collect the list of the artifact names, the return value of the hashing algorithm, and the hashing algorithm used and upload that data into the CMMC instantiation of eMASS. Additional guidance for hashing artifacts can be found in the guidance document listed in paragraph (h) of appendix A to this part.
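The following Python is an added illustration of the artifact-hashing step in paragraph (4); it is not part of this rule or of any DoD guidance document. It records, for each artifact, the three fields the assessor uploads (artifact name, digest, algorithm) and later re-hashes the retained files to detect alteration. SHA-256 is used as the NIST-approved algorithm (FIPS 180-4); the approved-algorithm list, the artifact names and the artifact contents are all constructed for this example.

```python
import hashlib
import hmac
from pathlib import Path

# Assumption for this example: the FIPS 180-4 / FIPS 202 digests that hashlib
# always provides. MD5 and SHA-1 are deliberately absent; neither is
# NIST-approved for integrity evidence.
APPROVED_ALGORITHMS = {"sha256", "sha384", "sha512", "sha3_256", "sha3_512"}


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of in-memory data under an approved algorithm."""
    if algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not a NIST-approved hashing algorithm")
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: Path, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, read in chunks so large evidence files need not fit in memory."""
    if algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"{algorithm} is not a NIST-approved hashing algorithm")
    digest = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(artifacts: dict[str, bytes], algorithm: str = "sha256") -> list[dict]:
    """One record per artifact: artifact name, digest, and the algorithm used."""
    return [
        {"artifact": name, "digest": hash_bytes(data, algorithm), "algorithm": algorithm}
        for name, data in sorted(artifacts.items())
    ]


def verify_manifest(artifacts: dict[str, bytes], manifest: list[dict]) -> dict[str, str]:
    """Re-hash current artifact contents against a manifest.

    Returns a status per manifest entry: 'ok', 'modified', or 'missing'.
    """
    status = {}
    for entry in manifest:
        name = entry["artifact"]
        if name not in artifacts:
            status[name] = "missing"
            continue
        current = hash_bytes(artifacts[name], entry["algorithm"])
        # Constant-time comparison is not strictly needed for a local check,
        # but it is the right habit whenever digests are compared.
        status[name] = "ok" if hmac.compare_digest(current, entry["digest"]) else "modified"
    return status


# Constructed sample evidence (placeholder bytes, not real assessment artifacts).
SAMPLE_ARTIFACTS = {
    "AC.L2-3.1.1_access-control-policy.pdf": b"%PDF-1.7 constructed placeholder policy document",
    "AU.L2-3.3.1_audit-log-export.csv": b"timestamp,user,event\n2024-01-15T10:00:00Z,jdoe,login\n",
}


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Build a manifest, then verify an untouched copy and a tampered copy."""
    manifest = build_manifest(SAMPLE_ARTIFACTS)
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["AU.L2-3.3.1_audit-log-export.csv"] += b"2024-01-16T09:00:00Z,jdoe,login\n"
    return verify_manifest(SAMPLE_ARTIFACTS, manifest), verify_manifest(tampered, manifest)


if __name__ == "__main__":
    for record in build_manifest(SAMPLE_ARTIFACTS):
        print(f'{record["artifact"]}  {record["algorithm"]}  {record["digest"]}')
    print(demo())
```

The manifest, not the artifacts, is what the assessor uploads; the OSC keeps the artifacts and can rerun the verification at any point in the six-year retention period to show they are unchanged. A retained manifest is only as trustworthy as its own storage, so keep it with the assessment record rather than beside the files it describes.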
(5) Level 3 certification assessment with the use of Cloud Service Provider (CSP). An OSC may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 3 (DIBCAC) under the following circumstances:
(i) The OSC may utilize a CSP product or service offering that meets the FedRAMP Moderate (or higher) baseline. If the CSP's product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline, the product or service offering must meet security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline in accordance with DoD Policy.
(ii) Use of a CSP does not relieve an OSC of its obligation to implement the 24 Level 3 security requirements. These 24 requirements apply to every environment where the CUI data is processed, stored, or transmitted, when Level 3 (DIBCAC) is the designated CMMC Status. If any of these 24 requirements are inherited from a CSP, the OSC must demonstrate that protection during a Level 3 certification assessment via a Customer Implementation Summary/Customer Responsibility Matrix (CIS/CRM) and associated Body of Evidence (BOE). The BOE must clearly indicate whether the OSC or the CSP is responsible for meeting each requirement and which requirements are implemented by the OSC versus inherited from the CSP.
(iii) In accordance with § 170.19(d)(2), the OSC's on-premises infrastructure connecting to the CSP's product or service offering is part of the CMMC Assessment Scope. As such, the security requirements from the CRM must be documented or referred to in the OSC's SSP.
(6) Level 3 certification assessment with the use of an ESP, not a CSP. An OSC may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 3 (DIBCAC) under the following circumstances:
(i) The use of the ESP, its relationship to the OSC, and the services provided are documented in the OSC's SSP and described in the ESP's service description and customer responsibility matrix.
(ii) The ESP services used to meet OSC requirements are assessed within the scope of the OSC's assessment against all Level 2 and Level 3 security requirements.
(iii) In accordance with § 170.19(d)(2), the OSC's on-premises infrastructure connecting to the ESP's product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSC's SSP.
§ 170.19 - CMMC scoping.
(a) Scoping requirement. (1) The CMMC Assessment Scope must be specified prior to assessment in accordance with the requirements of this section. The CMMC Assessment Scope is the set of all assets in the OSA's environment that will be assessed against CMMC security requirements.
(2) The requirements for defining the CMMC Assessment Scope for CMMC Levels 1, 2, and 3 are set forth in this section. Additional guidance regarding scoping can be found in the guidance documents listed in paragraphs (e) through (g) of appendix A to this part.
(b) CMMC Level 1 scoping. Prior to performing a Level 1 self-assessment, the OSA must specify the CMMC Assessment Scope.
(1) Assets in scope for Level 1 self-assessment. OSA information systems which process, store, or transmit FCI are in scope for CMMC Level 1 and must be self-assessed against applicable CMMC security requirements.
(2) Assets not in scope for Level 1 self-assessment—(i) Out-of-Scope Assets. OSA information systems which do not process, store, or transmit FCI are outside the scope for CMMC Level 1. An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of FCI beyond the Keyboard/Video/Mouse sent to the VDI client is considered out-of-scope. There are no documentation requirements for out-of-scope assets.
(ii) Specialized Assets. Specialized Assets are those assets that can process, store, or transmit FCI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the Level 1 CMMC Assessment Scope and are not assessed against CMMC security requirements.
(3) Level 1 self-assessment scoping considerations. To scope a Level 1 self-assessment, OSAs should consider the people, technology, facilities, and External Service Providers (ESP) within its environment that process, store, or transmit FCI.
(c) CMMC Level 2 Scoping. Prior to performing a Level 2 self-assessment or Level 2 certification assessment, the OSA must specify the CMMC Assessment Scope.
(1) The CMMC Assessment Scope for CMMC Level 2 is based on the specification of asset categories and their respective requirements as defined in table 3 to this paragraph (c)(1). Additional information is available in the guidance document listed in paragraph (f) of appendix A to this part.
Table 3 to § 170.19
Asset category | Asset description | OSA requirements | CMMC assessment requirements
---|---|---|---
Controlled Unclassified Information (CUI) Assets | • Assets that process, store, or transmit CUI | • Document in the asset inventory • Document asset treatment in the System Security Plan (SSP) • Document in the network diagram of the CMMC Assessment Scope • Prepare to be assessed against CMMC Level 2 security requirements | • Assess against all Level 2 security requirements.
Security Protection Assets | • Assets that provide security functions or capabilities to the OSA's CMMC Assessment Scope | • Document in the asset inventory • Document asset treatment in the SSP • Document in the network diagram of the CMMC Assessment Scope • Prepare to be assessed against CMMC Level 2 security requirements | • Assess against Level 2 security requirements that are relevant to the capabilities provided.
Contractor Risk Managed Assets | • Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place • Assets are not required to be physically or logically separated from CUI assets | • Document in the asset inventory • Document asset treatment in the SSP • Document in the network diagram of the CMMC Assessment Scope • Prepare to be assessed against CMMC Level 2 security requirements | • Review the SSP: if sufficiently documented, do not assess against other CMMC security requirements, except as noted. • If the OSA's risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies. • The limited check(s) shall not materially increase the assessment duration nor the assessment cost. • The limited check(s) will be assessed against CMMC security requirements.
Specialized Assets | • Assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment | • Document in the asset inventory • Document asset treatment in the SSP • Show these assets are managed using the contractor's risk-based security policies, procedures, and practices • Document in the network diagram of the CMMC Assessment Scope | • Review the SSP. • Do not assess against other CMMC security requirements.
Out-of-Scope Assets | • Assets that cannot process, store, or transmit CUI; and do not provide security protections for CUI Assets • Assets that are physically or logically separated from CUI assets • Assets that fall into any in-scope asset category cannot be considered an Out-of-Scope Asset • An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset | • Prepare to justify the inability of an Out-of-Scope Asset to process, store, or transmit CUI | • None.
(2)(i) Table 4 to this paragraph (c)(2)(i) defines the requirements to be met when utilizing an External Service Provider (ESP). The OSA must consider whether the ESP is a Cloud Service Provider (CSP) and whether the ESP processes, stores, or transmits CUI and/or Security Protection Data (SPD).
Table 4 to § 170.19
When the ESP processes, stores, or transmits: | When utilizing an ESP that is a CSP | When utilizing an ESP that is not a CSP
---|---|---
CUI (with or without SPD) | The CSP shall meet the FedRAMP requirements in 48 CFR 252.204-7012. | The services provided by the ESP are in the OSA's assessment scope and shall be assessed as part of the OSA's assessment.
SPD (without CUI) | The services provided by the CSP are in the OSA's assessment scope and shall be assessed as Security Protection Assets. | The services provided by the ESP are in the OSA's assessment scope and shall be assessed as Security Protection Assets.
Neither CUI nor SPD | A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP. | A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP.
(ii) The use of an ESP, its relationship to the OSA, and the services provided need to be documented in the OSA's SSP and described in the ESP's service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSA and ESP with respect to the services provided. Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP's effort required during the OSA's assessment. The minimum assessment type for the ESP is dictated by the OSA's DoD contract requirement.
(d) CMMC Level 3 scoping. Prior to performing a Level 3 certification assessment, the CMMC Assessment Scope must be specified.
(1) The CMMC Assessment Scope for Level 3 is based on the specification of asset categories and their respective requirements as set forth in table 5 to this paragraph (d)(1). Additional information is available in the guidance document listed in paragraph (g) of appendix A to this part.
Table 5 to § 170.19
Asset category | Asset description | OSC requirements | CMMC assessment requirements
---|---|---|---
Controlled Unclassified Information (CUI) Assets | • Assets that process, store, or transmit CUI • Assets that can, but are not intended to, process, store, or transmit CUI (defined as Contractor Risk Managed Assets in table 3 to paragraph (c)(1) of this section) | • Document in the asset inventory • Document asset treatment in the System Security Plan (SSP) • Document in the network diagram of the CMMC Assessment Scope • Prepare to be assessed against CMMC Level 2 and Level 3 security requirements | • Limited check against Level 2 and assess against all Level 3 CMMC security requirements.
Security Protection Assets | • Assets that provide security functions or capabilities to the OSC's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI | • Document in the asset inventory • Document asset treatment in the SSP • Document in the network diagram of the CMMC Assessment Scope • Prepare to be assessed against CMMC Level 2 and Level 3 security requirements | • Limited check against Level 2 and assess against all Level 3 CMMC security requirements that are relevant to the capabilities provided.
Specialized Assets | • Assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment | • Document in the asset inventory • Document asset treatment in the SSP • Document in the network diagram of the CMMC Assessment Scope • Prepare to be assessed against CMMC Level 2 and Level 3 security requirements | • Limited check against Level 2 and assess against all Level 3 CMMC security requirements. • Intermediary devices are permitted to provide the capability for the specialized asset to meet one or more CMMC security requirements.
Out-of-Scope Assets | • Assets that cannot process, store, or transmit CUI; and do not provide security protections for CUI Assets • Assets that are physically or logically separated from CUI assets • Assets that fall into any in-scope asset category cannot be considered an Out-of-Scope Asset • An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset | • Prepare to justify the inability of an Out-of-Scope Asset to process, store, or transmit CUI | • None.
(2)(i) Table 6 to this paragraph (d)(2)(i) defines the requirements to be met when utilizing an External Service Provider (ESP). The OSA must consider whether the ESP is a Cloud Service Provider (CSP) and whether the ESP processes, stores, or transmits CUI and/or Security Protection Data (SPD).
Table 6 to § 170.19
When the ESP processes, stores, or transmits: | When utilizing an ESP that is a CSP | When utilizing an ESP that is not a CSP
---|---|---
CUI (with or without SPD) | The CSP shall meet the FedRAMP requirements in 48 CFR 252.204-7012. | The services provided by the ESP are in the OSA's assessment scope and shall be assessed as part of the OSA's assessment.
SPD (without CUI) | The services provided by the CSP are in the OSA's assessment scope and shall be assessed as Security Protection Assets. | The services provided by the ESP are in the OSA's assessment scope and shall be assessed as Security Protection Assets.
Neither CUI nor SPD | A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP. | A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP.
(ii) The use of an ESP, its relationship to the OSC, and the services provided need to be documented in the OSC's SSP and described in the ESP's service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSC and ESP with respect to the services provided. Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP's effort required during the OSC's assessment. The minimum assessment type for the ESP is dictated by the OSC's DoD contract requirement.
(e) Relationship between Level 2 and Level 3 CMMC Assessment Scope. The Level 3 CMMC Assessment Scope must be equal to or a subset of the Level 2 CMMC Assessment Scope in accordance with § 170.18(a) (e.g., a Level 3 data enclave with greater restrictions and protections within a Level 2 data enclave). Any Level 2 POA&M items must be closed prior to the initiation of the Level 3 certification assessment. DCMA DIBCAC may check any Level 2 security requirement of any in-scope asset. If DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, the Level 3 assessment process may be paused to allow for remediation, placed on hold, or immediately terminated. For further information regarding scoping of CMMC Level 3 assessments please contact DCMA DIBCAC at www.dcma.mil/DIBCAC/.
§ 170.20 - Standards acceptance.
(a) NIST SP 800-171 R2 DoD assessments. In order to avoid duplication of efforts, thereby reducing the aggregate cost to industry and the Department, OSCs that have completed a DCMA DIBCAC High Assessment aligned with CMMC Level 2 Scoping will be given the CMMC Status of Final Level 2 (C3PAO) under the following conditions:
(1) DCMA DIBCAC High Assessment. An OSC that achieved a perfect score with no open POA&M from a DCMA DIBCAC High Assessment conducted prior to the effective date of this rule, will be given a CMMC Status of Level 2 Final (C3PAO) with a validity period of three (3) years from the date of the original DCMA DIBCAC High Assessment. DCMA DIBCAC will identify assessments that meet these criteria and verify that SPRS accurately reflects the CMMC Status. Eligible DCMA DIBCAC High Assessments include ones conducted with Joint Surveillance in accordance with the DCMA Manual 2302-01 Surveillance. The scope of the Level 2 certification assessment is identical to the scope of the DCMA DIBCAC High Assessment. In accordance with § 170.17(a)(2), the OSC must also submit an affirmation in SPRS and annually thereafter to achieve contractual eligibility.
(2) [Reserved].
(b) [Reserved].
§ 170.21 - Plan of Action and Milestones requirements.
(a) POA&M. For purposes of achieving a Conditional CMMC Status, an OSA is only permitted to have a POA&M for select requirements scored as NOT MET during the CMMC assessment and only under the following conditions:
(1) Level 1 self-assessment. A POA&M is not permitted at any time for Level 1 self-assessments.
(2) Level 2 self-assessment and Level 2 certification assessment. An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met:
(i) The assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8;
(ii) None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2-3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and
(iii) None of the following security requirements are included in the POA&M:
(A) AC.L2-3.1.20 External Connections (CUI Data).
(B) AC.L2-3.1.22 Control Public Information (CUI Data).
(C) CA.L2-3.12.4 System Security Plan.
(D) PE.L2-3.10.3 Escort Visitors (CUI Data).
(E) PE.L2-3.10.4 Physical Access Logs (CUI Data).
(F) PE.L2-3.10.5 Manage Physical Access (CUI Data).
(3) Level 3 certification assessment. An OSC is only permitted to achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the following conditions are met:
(i) The assessment score divided by the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and
(ii) The POA&M does not include any of following security requirements:
(A) IR.L3-3.6.1e Security Operations Center.
(B) IR.L3-3.6.2e Cyber Incident Response Team.
(C) RA.L3-3.11.1e Threat-Informed Risk Assessment.
(D) RA.L3-3.11.6e Supply Chain Risk Response.
(E) RA.L3-3.11.7e Supply Chain Risk Plan.
(F) RA.L3-3.11.4e Security Solution Rationale.
(G) SI.L3-3.14.3e Specialized Asset Security.
(b) POA&M closeout assessment. A POA&M closeout assessment is a CMMC assessment that assesses only the NOT MET requirements that were identified with POA&M in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional CMMC Status for the information system will expire.
(1) Level 2 self-assessment. For a Level 2 self-assessment, the POA&M closeout self-assessment shall be performed by the OSA in the same manner as the initial self-assessment.
(2) Level 2 certification assessment. For Level 2 certification assessment, the POA&M closeout certification assessment must be performed by an authorized or accredited C3PAO.
(3) Level 3 certification assessment. For Level 3 certification assessment, DCMA DIBCAC will perform the POA&M closeout certification assessment.
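The conditions in paragraph (a) of this section, combined with the scoring rule in § 170.24 (a maximum score equal to the number of requirements, less the point value of each NOT MET requirement), can be checked mechanically before an OSA decides whether a Conditional CMMC Status is attainable. The following Python is an added example and is not part of this rule or of any DoD tool. It assumes the 110 Level 2 requirements of NIST SP 800-171 R2 and the 24 Level 3 requirements named in § 170.18; each NOT MET Level 2 requirement is passed in with its § 170.24 point value, and every Level 3 requirement is treated as worth one point, which is an assumption made here. The sample findings at the bottom are constructed.

```python
# Maximum score equals the requirement count (§ 170.24(c)(2)).
LEVEL2_TOTAL = 110  # NIST SP 800-171 R2 requirement count
LEVEL3_TOTAL = 24   # selected NIST SP 800-172 requirements at Level 3
LEVEL3_POINTS = 1   # assumption for this example: one point per Level 3 requirement

CUI_ENCRYPTION = "SC.L2-3.13.11"  # the one 3-point exception in § 170.21(a)(2)(ii)

# § 170.21(a)(2)(iii): never permitted on a Level 2 POA&M.
LEVEL2_NEVER_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
# § 170.21(a)(3)(ii): never permitted on a Level 3 POA&M.
LEVEL3_NEVER_POAM = {
    "IR.L3-3.6.1e", "IR.L3-3.6.2e", "RA.L3-3.11.1e", "RA.L3-3.11.6e",
    "RA.L3-3.11.7e", "RA.L3-3.11.4e", "SI.L3-3.14.3e",
}


def meets_80_percent(score: int, total: int) -> bool:
    """score / total >= 0.8, evaluated in integers so float rounding cannot flip the result."""
    return score * 5 >= total * 4


def level2_score(not_met: dict[str, int]) -> int:
    """Subtract each NOT MET requirement's point value from the maximum; may go negative."""
    return LEVEL2_TOTAL - sum(not_met.values())


def conditional_level2(not_met: dict[str, int], non_fips_encryption: bool = False) -> tuple[bool, list[str]]:
    """Is a Conditional Level 2 (Self or C3PAO) status permitted for these findings?

    not_met maps each NOT MET requirement ID to its point value (1, 3 or 5).
    non_fips_encryption is True only when SC.L2-3.13.11 is NOT MET because
    encryption is employed but is not FIPS-validated.
    """
    reasons = []
    score = level2_score(not_met)
    if not meets_80_percent(score, LEVEL2_TOTAL):
        reasons.append(f"score {score}/{LEVEL2_TOTAL} is below the 0.8 threshold")
    for req, points in sorted(not_met.items()):
        if req in LEVEL2_NEVER_POAM:
            reasons.append(f"{req} may not be placed on a POA&M")
        elif points > 1 and not (req == CUI_ENCRYPTION and non_fips_encryption and points == 3):
            reasons.append(f"{req} carries {points} points; only 1-point requirements are POA&M-eligible")
    return not reasons, reasons


def conditional_level3(not_met: set[str]) -> tuple[bool, list[str]]:
    """Is a Conditional Level 3 (DIBCAC) status permitted for these findings?"""
    reasons = []
    score = LEVEL3_TOTAL - LEVEL3_POINTS * len(not_met)
    if not meets_80_percent(score, LEVEL3_TOTAL):
        reasons.append(f"score {score}/{LEVEL3_TOTAL} is below the 0.8 threshold")
    for req in sorted(not_met & LEVEL3_NEVER_POAM):
        reasons.append(f"{req} may not be placed on a POA&M")
    return not reasons, reasons


# Constructed findings for illustration; point values follow § 170.24.
SAMPLE_LEVEL2_FINDINGS = {
    "SC.L2-3.13.11": 3,  # encryption in place but not FIPS-validated
    "AC.L2-3.1.5": 1,    # least privilege, a 1-point item
}
SAMPLE_LEVEL3_FINDINGS = {"AC.L3-3.1.2e"}


def demo() -> dict[str, tuple[bool, list[str]]]:
    return {
        "level2": conditional_level2(SAMPLE_LEVEL2_FINDINGS, non_fips_encryption=True),
        "level3": conditional_level3(SAMPLE_LEVEL3_FINDINGS),
    }


if __name__ == "__main__":
    for level, (eligible, reasons) in demo().items():
        print(level, "conditional status permitted" if eligible else "not permitted", reasons)
```

The integer comparison matters at the boundary: 88 of 110 is exactly 0.8 and qualifies, 87 does not, and a floating-point division can misjudge such edge cases. Note that eligibility for a Conditional status is separate from the 180-day closeout clock in paragraph (b); this check says only whether the POA&M may exist at all.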
§ 170.22 - Affirmation.
(a) General. The OSA must affirm continuing compliance with the appropriate level self-assessment or certification assessment. An Affirming Official from each OSA, whether a prime or subcontractor, must affirm the continuing compliance of their respective organizations with the specified security requirement after every assessment, including POA&M closeout, and annually thereafter. Affirmations are entered electronically in SPRS. The affirmation shall be submitted in accordance with the following requirements:
(1) Affirming Official. The Affirming Official is the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA's compliance with the CMMC Program requirements and has the authority to affirm the OSA's continuing compliance with the specified security requirements for their respective organizations.
(2) Affirmation content. Each CMMC affirmation shall include the following information:
(i) Name, title, and contact information for the Affirming Official; and
(ii) Affirmation statement attesting that the OSA has implemented and will maintain implementation of all applicable CMMC security requirements to their CMMC Status for all information systems within the relevant CMMC Assessment Scope.
(3) Affirmation submission. The Affirming Official shall submit a CMMC affirmation in the following instances:
(i) Upon achievement of a Conditional CMMC Status, as applicable;
(ii) Upon achievement of a Final CMMC Status;
(iii) Annually following a Final CMMC Status Date; and
(iv) Following a POA&M closeout assessment, as applicable.
(b) Submission procedures. All affirmations shall be completed in SPRS. The Department will verify submission of the affirmation in SPRS to ensure compliance with CMMC solicitation or contract requirements.
(1) Level 1 self-assessment. At the completion of a Level 1 self-assessment and annually thereafter, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 1 (Self).
(2) Level 2 self-assessment. At the completion of a Level 2 self-assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self). An affirmation shall also be submitted at the completion of a POA&M closeout self-assessment.
(3) Level 2 certification assessment. At the completion of a Level 2 certification assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (C3PAO). An affirmation shall also be submitted at the completion of a POA&M closeout certification assessment.
(4) Level 3 certification assessment. At the completion of a Level 3 certification assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 3 (DIBCAC). Because C3PAOs and DCMA DIBCAC check for compliance with different requirements in their respective assessments, OSCs must annually affirm their CMMC Status of Level 2 (C3PAO) in addition to their CMMC Status of Level 3 (DIBCAC) to maintain eligibility for contracts requiring compliance with Level 3. An affirmation shall also be submitted at the completion of a POA&M closeout certification assessment.
§ 170.23 - Application to subcontractors.
(a) CMMC requirements apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract. Prime contractors shall comply and shall require subcontractors to comply with and to flow down CMMC requirements, such that compliance will be required throughout the supply chain at all tiers with the applicable CMMC level and assessment type for each subcontract as follows:
(1) If a subcontractor will only process, store, or transmit FCI (and not CUI) in performance of the subcontract, then a CMMC Status of Level 1 (Self) is required for the subcontractor.
(2) If a subcontractor will process, store, or transmit CUI in performance of the subcontract, then a CMMC Status of Level 2 (Self) is the minimum requirement for the subcontractor.
(3) If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for a CMMC Status of Level 2 (C3PAO), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.
(4) If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for the CMMC Status of Level 3 (DIBCAC), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.
(b) As with any solicitation or contract, the DoD may provide specific guidance pertaining to flow-down.
§ 170.24 - CMMC Scoring Methodology.
(a) General. This scoring methodology is designed to provide a measurement of an OSA's implementation status of the NIST SP 800-171 R2 security requirements (incorporated by reference elsewhere in this part, see § 170.2) and the selected NIST SP 800-172 Feb2021 security requirements (incorporated by reference elsewhere in this part, see § 170.2). The CMMC Scoring Methodology is designed to credit partial implementation only in limited cases (e.g., multi-factor authentication IA.L2-3.5.3).
(b) Assessment findings. Each security requirement assessed under the CMMC Scoring Methodology must result in one of three possible assessment findings, as follows:
(1) Met. All applicable objectives for the security requirement are satisfied based on evidence. All evidence must be in final form and not draft. Unacceptable forms of evidence include but are not limited to working papers, drafts, and unofficial or unapproved policies.
(i) Enduring exceptions when described, along with any mitigations, in the system security plan shall be assessed as MET.
(ii) Temporary deficiencies that are appropriately addressed in operational plans of action (i.e., include deficiency reviews and show progress towards the implementation of corrections to reduce or eliminate identified vulnerabilities) shall be assessed as MET.
(2) Not Met. One or more applicable objectives for the security requirement is not satisfied. During an assessment, for each security requirement objective marked NOT MET, the assessor will document why the evidence does not conform.
(3) Not Applicable (N/A). A security requirement and/or objective does not apply at the time of the CMMC assessment. For example, Public-Access System Separation (SC.L2-3.13.5) might be N/A if there are no publicly accessible systems within the CMMC Assessment Scope. During an assessment, an assessment objective assessed as N/A is equivalent to the same assessment objective being assessed as MET.
(c) Scoring. At each CMMC Level, security requirements are scored as follows:
(1) CMMC Level 1. All CMMC Level 1 security requirements must be fully implemented to be considered MET. No POA&M is permitted for CMMC Level 1, and self-assessment results are scored as MET or NOT MET in their entirety.
(2) CMMC Level 2 Scoring Methodology. The maximum score achievable for a Level 2 self-assessment or Level 2 certification assessment is equal to the total number of CMMC Level 2 security requirements. If all CMMC Level 2 security requirements are MET, OSAs are awarded the maximum score. For each requirement NOT MET, the associated value of the security requirement is subtracted from the maximum score, which may result in a negative score.
(i) Procedures. (A) Scoring methodology for Level 2 self-assessment and Level 2 certification assessment is based on all CMMC Level 2 security requirement objectives, including those NOT MET.
(B) In the CMMC Level 2 Scoring Methodology, each security requirement has a value (e.g., 1, 3 or 5), which is related to the designation by NIST as basic or derived security requirements. Per NIST SP 800-171 R2, the basic security requirements are obtained from FIPS PUB 200 Mar2006, which provides the high-level and fundamental security requirements for Federal information and systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST SP 800-53 R5.
(1) For NIST SP 800-171 R2 basic and derived security requirements that, if not implemented, could lead to significant exploitation of the network, or exfiltration of CUI, five (5) points are subtracted from the maximum score. The basic and derived security requirements with a value of five (5) points include:
(i) Basic security requirements. AC.L2-3.1.1, AC.L2-3.1.2, AT.L2-3.2.1, AT.L2-3.2.2, AU.L2-3.3.1, CM.L2-3.4.1, CM.L2-3.4.2, IA.L2-3.5.1, IA.L2-3.5.2, IR.L2-3.6.1, IR.L2-3.6.2, MA.L2-3.7.2, MP.L2-3.8.3, PS.L2-3.9.2, PE.L2-3.10.1, PE.L2-3.10.2, CA.L2-3.12.1, CA.L2-3.12.3, SC.L2-3.13.1, SC.L2-3.13.2, SI.L2-3.14.1, SI.L2-3.14.2, and SI.L2-3.14.3.
(ii) Derived security requirements. AC.L2-3.1.12, AC.L2-3.1.13, AC.L2-3.1.16, AC.L2-3.1.17, AC.L2-3.1.18, AU.L2-3.3.5, CM.L2-3.4.5, CM.L2-3.4.6, CM.L2-3.4.7, CM.L2-3.4.8, IA.L2-3.5.10, MA.L2-3.7.5, MP.L2-3.8.7, RA.L2-3.11.2, SC.L2-3.13.5, SC.L2-3.13.6, SC.L2-3.13.15, SI.L2-3.14.4, and SI.L2-3.14.6.
(2) For basic and derived security requirements that, if not implemented, have a specific and confined effect on the security of the network and its data, three (3) points are subtracted from the maximum score. The basic and derived security requirements with a value of three (3) points include:
(i) Basic security requirements. AU.L2-3.3.2, MA.L2-3.7.1, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.1, RA.L2-3.11.1, and CA.L2-3.12.2.
(ii) Derived security requirements. AC.L2-3.1.5, AC.L2-3.1.19, MA.L2-3.7.4, MP.L2-3.8.8, SC.L2-3.13.8, SI.L2-3.14.5, and SI.L2-3.14.7.
(3) All remaining derived security requirements, other than the exceptions noted, if not implemented, have a limited or indirect effect on the security of the network and its data. For these, 1 point is subtracted from the maximum score.
(4) Two derived security requirements, IA.L2-3.5.3 and SC.L2-3.13.11, can be partially effective even if not completely or properly implemented, and the points deducted may be adjusted depending on how the security requirement is implemented.
(i) Multi-factor authentication (MFA) (CMMC Level 2 security requirement IA.L2-3.5.3) is typically implemented first for remote and privileged users (since these users are both limited in number and more critical) and then for the general user, so three (3) points are subtracted from the maximum score if MFA is implemented only for remote and privileged users. Five (5) points are subtracted from the maximum score if MFA is not implemented for any users.
(ii) FIPS-validated encryption (CMMC Level 2 security requirement SC.L2-3.13.11) is required to protect the confidentiality of CUI. If encryption is employed, but is not FIPS-validated, three (3) points are subtracted from the maximum score; if encryption is not employed, five (5) points are subtracted from the maximum score.
(5) OSAs must have a System Security Plan (SSP) (CMMC security requirement CA.L2-3.12.4) in place at the time of assessment to describe each information system within the CMMC Assessment Scope. The absence of an up-to-date SSP at the time of the assessment would result in a finding that 'an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204-7012.'
(6) For each NOT MET security requirement the OSA must have a POA&M in place. A POA&M addressing NOT MET security requirements is not a substitute for a completed requirement. Security requirements not implemented, whether described in a POA&M or not, are assessed as 'NOT MET.'
(7) Specialized Assets must be evaluated for their asset category per the CMMC scoping guidance for the level in question and handled accordingly as set forth in § 170.19.
(8) If an OSC previously received a favorable adjudication from the DoD CIO indicating that a security requirement is not applicable or that an alternative security measure is equally effective (in accordance with 48 CFR 252.204-7008 or 48 CFR 252.204-7012), the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. A security requirement for which implemented security measures have been adjudicated by the DoD CIO as equally effective is assessed as MET if there have been no changes in the environment.
(ii) CMMC Level 2 Scoring Table. CMMC Level 2 scoring has been assigned based on the methodology set forth in table 1 to this paragraph (c)(2)(ii).
Table 7 to § 170.24
CMMC Level 2 requirement categories | Point value subtracted from maximum score
---|---
Basic security requirements: |
If not implemented, could lead to significant exploitation of the network, or exfiltration of CUI | 5
If not implemented, has specific and confined effect on the security of the network and its data | 3
Derived security requirements: |
If not implemented, could lead to significant exploitation of the network, or exfiltration of CUI | 5
If not completely or properly implemented, could be partially effective and points adjusted depending on how the security requirement is implemented: —Partially effective implementation—3 points. —Non-effective (not implemented at all)—5 points. | 3 or 5
If not implemented, has specific and confined effect on the security of the network and its data | 3
If not implemented, has a limited or indirect effect on the security of the network and its data | 1
(3) CMMC Level 3 assessment scoring methodology. CMMC Level 3 scoring does not utilize varying values like the scoring for CMMC Level 2. All CMMC Level 3 security requirements use a value of one (1) point for each security requirement. As a result, the maximum score achievable for a Level 3 certification assessment is equivalent to the total number of the selected subset of NIST SP 800-172 Feb2021 security requirements for CMMC Level 3, see § 170.14(c)(4). The maximum score is reduced by one (1) point for each security requirement NOT MET. The CMMC Level 3 scoring methodology reflects the fact that all CMMC Level 2 security requirements must already be MET (for the Level 3 CMMC Assessment Scope). A maximum score on the Level 2 certification assessment is required to be eligible to initiate a Level 3 certification assessment. The Level 3 certification assessment score is equal to the number of CMMC Level 3 security requirements that are assessed as MET.
Appendix A to Part 170—Guidance
Guidance documents include:
(a) “CMMC Model Overview” available at https://DoDcio.defense.gov/CMMC/.
(b) “CMMC Assessment Guide—Level 1” available at https://DoDcio.defense.gov/CMMC/.
(c) “CMMC Assessment Guide—Level 2” available at https://DoDcio.defense.gov/CMMC/.
(d) “CMMC Assessment Guide—Level 3” available at https://DoDcio.defense.gov/CMMC/.
(e) “CMMC Scoping Guide—Level 1” available at https://DoDcio.defense.gov/CMMC/.
(f) “CMMC Scoping Guide—Level 2” available at https://DoDcio.defense.gov/CMMC/.
(g) “CMMC Scoping Guide—Level 3” available at https://DoDcio.defense.gov/CMMC/.
(h) “CMMC Hashing Guide” available at https://DoDcio.defense.gov/CMMC/.