§ 170.15 - CMMC Level 1 self-assessment and affirmation requirements.
(a) Level 1 self-assessment. To comply with CMMC Level 1 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 1 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of Final Level 1 (Self).
(1) Level 1 self-assessment requirements. The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No POA&Ms are permitted for CMMC Level 1. The OSA must conduct a self-assessment in accordance with the procedures set forth in § 170.15(c)(1) and submit assessment results in SPRS. To maintain compliance with the requirements for the CMMC Status of Final Level 1 (Self), the OSA must conduct a Level 1 self-assessment on an annual basis and submit the results in SPRS, or its successor capability.
(i) Inputs to SPRS. The Level 1 self-assessment results in the Supplier Performance Risk System (SPRS) shall include, at minimum, the following items:
(A) CMMC Level.
(B) CMMC Status Date.
(C) CMMC Assessment Scope.
(D) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.
(E) Compliance result.
(ii) [Reserved]
(2) Affirmation. Affirmation of the Level 1 (Self) CMMC Status is required for all Level 1 self-assessments. Affirmation procedures are set forth in § 170.22.
(b) Contract eligibility. Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 1 (Self), OSAs must both achieve a CMMC Status of Level 1 (Self) and have submitted an affirmation of compliance into SPRS for all information systems within the CMMC Assessment Scope.
(c) Procedures—(1) Level 1 self-assessment. The OSA must conduct a Level 1 self-assessment scored in accordance with the CMMC Scoring Methodology described in § 170.24. The Level 1 self-assessment must be performed in accordance with the CMMC Level 1 scope requirements set forth in § 170.19(a) and (b) and the following:
(i) The Level 1 self-assessment must be performed using the objectives defined in NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) for the security requirement that maps to the CMMC Level 1 security requirement as specified in table 1 to paragraph (c)(1)(ii) of this section. In any case where an objective addresses CUI, FCI should be substituted for CUI in the objective.
(ii) Mapping table for CMMC Level 1 security requirements to the NIST SP 800-171A Jun2018 objectives.
Table 2 to § 170.15
| CMMC Level 1 security requirements as set forth in § 170.14(c)(2) | NIST SP 800-171A Jun2018 |
|---|---|
| AC.L1-b.1.i | 3.1.1 |
| AC.L1-b.1.ii | 3.1.2 |
| AC.L1-b.1.iii | 3.1.20 |
| AC.L1-b.1.iv | 3.1.22 |
| IA.L1-b.1.v | 3.5.1 |
| IA.L1-b.1.vi | 3.5.2 |
| MP.L1-b.1.vii | 3.8.3 |
| PE.L1-b.1.viii | 3.10.1 |
| First phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.3 |
| Second phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.4 |
| Third phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.5 |
| SC.L1-b.1.x | 3.13.1 |
| SC.L1-b.1.xi | 3.13.5 |
| SI.L1-b.1.xii | 3.14.1 |
| SI.L1-b.1.xiii | 3.14.2 |
| SI.L1-b.1.xiv | 3.14.4 |
| SI.L1-b.1.xv | 3.14.5 |
* Three of the 48 CFR 52.204-21 requirements were broken apart by “phrase” when NIST SP 800-171 R2 was developed.
(iii) Additional guidance can be found in the guidance document listed in paragraph (b) of appendix A to this part.
(2) Artifact retention. The artifacts used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.