32 CFR Part 170

DoD Contractor
CMMC Certification Guide

A chronological, interactive training resource covering all three CMMC levels — from FAR 52.204-21 Level 1 self-assessments through DIBCAC government-led Level 3 assessments.

🏛️
Program Overview
Understand the three-level structure before selecting your path
ℹ️ CMMC (Cybersecurity Maturity Model Certification) is administered under 32 CFR Part 170. The required level is driven by the type of information you process: FCI for Level 1, CUI for Levels 2 and 3. Requirements flow down through solicitations, contracts, and subcontracts.
LEVEL 1

Foundational

For contractors handling Federal Contract Information (FCI). Annual self-assessment against 15 basic safeguarding requirements.

15FAR Requirements
AnnualSelf-Assessment
SPRSReporting
LEVEL 2

Advanced

For contractors handling Controlled Unclassified Information (CUI). Based on 110 requirements in NIST SP 800-171 Rev. 2.

110Controls
C3PAO or SelfAssessment
180-dayPOA&M Window
LEVEL 3

Expert

For the most sensitive CUI environments. Requires Level 2 Final + DIBCAC government assessment every 3 years.

24SP 800-172 Reqs
DIBCACAssessment
3-YearCycle
🗺️
Certification Roadmap
Sequential process applicable across all levels
1
STEP 01

Determine Contract Requirements

Identify the CMMC level required by your solicitation or contract. Determine whether flowdown requirements apply to your subcontractors or enclaves. FCI → Level 1; CUI → Level 2 or 3.

Contracting OfficerLegal ReviewFCI vs CUI
2
STEP 02

Define Scope & Assessment Boundary

Identify all systems, assets, and people that process, store, or transmit FCI/CUI. Document the boundary clearly — only in-scope systems are assessed. Narrowing scope reduces cost and risk.

System OwnerISSONetwork Diagrams
3
STEP 03

Build / Update the SSP

Create or update your System Security Plan describing system boundaries, security control implementation, inherited protections, and responsible parties for each control.

SSP AuthorControl OwnersRequired L1–L3
4
STEP 04

Conduct Gap Analysis & Remediate

Assess current state against required controls. Document gaps in a POA&M (allowed at L2/L3; prohibited at L1). Remediate all gaps — at Level 1, ALL controls must be in place before claiming compliance.

IT/Security StaffPOA&M (L2/L3)180-Day Limit
5
STEP 05

Complete Required Assessment

Level 1: Annual self-assessment. Level 2: Self-assessment or C3PAO certification (contract-driven). Level 3: Must first hold Level 2 Final, then undergo DIBCAC government-led assessment.

Self / C3PAO / DIBCACEvidence Package
6
STEP 06

Submit Results to SPRS / CMMC eMASS

Report assessment scores in the Supplier Performance Risk System (SPRS). Level 3 results also go into CMMC eMASS. Scores must be current and accurate — false claims carry legal liability.

SPRSCMMC eMASS (L3)Contract Admin
7
STEP 07

Annual Affirmation by Senior Official

A senior-level official (not a technical reviewer) must affirm continued compliance annually. This is a management attestation with legal accountability for the organization's declared CMMC status.

⚠ Legal AccountabilityCEO/CISO/SVPAnnual
🛡️
Level 1 — Foundational (FCI)
Annual self-assessment · 15 FAR requirements · No POA&M allowed
⚠️ Critical Rule: At Level 1, POA&Ms are not permitted. All 15 safeguarding requirements in FAR 52.204-21 must be fully implemented before you can claim Level 1 status. A single unmet control means you are not yet compliant.
1
L1 · STEP 01

Identify Covered Information Systems

Locate every system that processes, stores, or transmits Federal Contract Information (FCI). FCI is information provided by or generated for the government under contract — but not intended for public release.

2
L1 · STEP 02

Document the System Boundary

Create a network diagram and data flow showing where FCI enters, resides, and exits your environment. Accurate boundary documentation limits scope and supports your self-assessment narrative.

3
L1 · STEP 03

Implement All 15 FAR 52.204-21 Requirements

Review and implement each of the 15 basic safeguarding practices. See the FAR 52.204-21 section for an interactive breakdown. Remember: all 15 must be in place — no partial credit.

4
L1 · STEP 04

Perform the Annual Self-Assessment

Score each of the 15 requirements as Met or Not Met. Document your assessment methodology, evidence reviewed, and findings. Retain records for audit purposes.

5
L1 · STEP 05

Submit Score to SPRS

Enter your self-assessment score in the Supplier Performance Risk System (SPRS). The maximum Level 1 score is +15 (one point per control). Negative scores indicate non-compliance.

6
L1 · STEP 06

Senior Official Submits Annual Affirmation

A senior company official attests that the organization continues to meet all 15 Level 1 requirements. This affirmation carries legal weight — false affirmations may trigger False Claims Act liability.

📋
FAR 52.204-21 — 15 Basic Safeguarding Requirements
Click any requirement to expand implementation guidance
📌 These 15 requirements are the baseline for CMMC Level 1. They are derived from NIST SP 800-171 and focus on basic cyber hygiene. Contractors must implement all 15 with no exceptions or POA&Ms at Level 1.
🔐
Level 2 — Advanced (CUI)
110 NIST SP 800-171 controls · Self or C3PAO · 180-day POA&M window
📎 Level 2 applies when your contract involves Controlled Unclassified Information (CUI). Whether you use a self-assessment or a C3PAO third-party assessment depends on the specific contract solicitation. POA&Ms are allowed for some controls but must be closed within 180 days — and some requirements cannot remain open on a POA&M.
1
L2 · STEP 01

Define CUI Scope & Assessment Boundary

Identify all systems processing CUI. Create or update network diagrams, data flow diagrams, and system inventories. Scoping decisions significantly affect cost and timeline.

ISSOSystem OwnerData Flow Diagrams
2
L2 · STEP 02

Create / Maintain System Security Plan (SSP)

Build a comprehensive SSP documenting all 110 NIST SP 800-171 controls, implementation status, responsible parties, and system interconnections. The SSP is the primary artifact reviewers examine.

Required Document110 Controls
3
L2 · STEP 03

Gap Analysis Against 110 Controls

Assess each of the 110 NIST SP 800-171 Rev. 2 requirements. Score Met/Not Met/Partially Met. Calculate your preliminary SPRS score (max +110; deductions apply for each unmet control by assigned point value).

SPRS Score14 Families
4
L2 · STEP 04

Remediate & Manage POA&Ms

Remediate all gaps possible. For remaining gaps, create POA&M entries documenting the gap, remediation plan, milestones, and responsible party. POA&Ms must be closed within 180 days. Some controls are ineligible for POA&M.

180-Day LimitMilestone Tracking
5
L2 · STEP 05

Complete Assessment (Self or C3PAO)

Self-Assessment: Contractor-led using NIST SP 800-171A assessment methods. C3PAO Certification: Independent third-party assessment by a DoD-approved Certified Third-Party Assessment Organization. Contract type determines which is required.

Evidence PackageInterviewsTechnical Testing
6
L2 · STEP 06

Submit Results to SPRS

Submit your assessment score to SPRS. For C3PAO assessments, the assessor submits directly. Conditional Status may be granted with open POA&Ms; Final Status requires all controls met.

Conditional vs FinalSPRS
7
L2 · STEP 07

Annual Affirmation + Periodic Reassessment

Annual affirmation of continued compliance. C3PAO certifications must be renewed every 3 years. Monitor and update your SPRS score if control status changes.

3-Year C3PAO RenewalAnnual Affirmation
AC · Access Control

Limit System Access

Control access to organizational systems to authorized users, processes, and devices.

22 requirements covering user accounts, remote access, least privilege, CUI flow enforcement, separation of duties, and mobile device control.
AT · Awareness & Training

Ensure Security Awareness

Provide awareness training; ensure personnel are aware of security risks associated with their activities.

3 requirements: role-based awareness training, threat recognition training, and insider threat training. Training records are a key audit artifact.
AU · Audit & Accountability

Create & Retain Audit Logs

Create and retain logs sufficient to enable monitoring, analysis, investigation, and reporting of unlawful activity.

9 requirements: log creation, log retention, log review, log protection, and alerting on audit failures. System log configurations and retention policies are reviewed.
CM · Configuration Management

Establish Secure Configurations

Establish and maintain baseline configurations and inventories of organizational systems.

9 requirements including configuration baselines, configuration change control, security impact analysis, principle of least functionality, and blacklisting/whitelisting.
IA · Identification & Authentication

Identify & Authenticate Users

Identify system users, processes, and devices and authenticate their identities before allowing access.

11 requirements covering MFA, password complexity, password management, identifier management, and authenticator management. MFA for remote access is a frequent finding.
IR · Incident Response

Establish Incident Capabilities

Establish an operational incident-handling capability including preparation, detection, analysis, containment, recovery, and user activities.

3 requirements: incident response plan, incident handling, and incident reporting. Plans must be tested and reporting timelines (72 hrs for CUI breaches) must be documented.
MA · Maintenance

Perform System Maintenance

Perform maintenance on organizational systems; provide controls on tools, techniques, and personnel performing maintenance.

6 requirements covering scheduled maintenance, controlled use of maintenance tools, sanitization of equipment removed for maintenance, and multi-factor authentication for remote maintenance.
MP · Media Protection

Protect System Media

Protect system media containing CUI, both paper and digital.

9 requirements: media access, media marking, media storage, media transport, media sanitization, and media protection policies. Encryption of portable media is commonly reviewed.
PE · Physical Protection

Limit Physical Access

Limit physical access to organizational systems to authorized individuals.

6 requirements covering physical access authorizations, physical access controls, escorting visitors, physical access log management, and monitoring physical access.
PS · Personnel Security

Screen Individuals

Screen individuals prior to authorizing access; ensure CUI is protected during and after personnel actions.

2 requirements: personnel screening (background checks) and personnel termination/transfer procedures including revoking system access and retrieving credentials.
RA · Risk Assessment

Assess Organizational Risk

Periodically assess the risk to operations, assets, and individuals resulting from system operation and associated information processing.

3 requirements: risk assessments, vulnerability scanning, and remediation of vulnerabilities. Vulnerability scan results and remediation timelines are audit artifacts.
CA · Security Assessment

Periodically Assess Controls

Periodically assess security controls; develop and implement plans of action; and monitor systems on an ongoing basis.

4 requirements: security assessments, plans of action and milestones, continuous monitoring, and system connections. The SSP and POA&M directly support this family.
SC · System & Comm. Protection

Protect System Communications

Monitor, control, and protect communications at external boundaries and key internal boundaries.

16 requirements including boundary protection, CUI encryption in transit, network segmentation, denial of service protection, split tunneling, and mobile code controls.
SI · System & Info. Integrity

Identify & Correct Flaws

Identify, report, and correct information system flaws; protect systems from malicious code; monitor system security alerts.

7 requirements: flaw remediation, malicious code protection, security alerts, software/firmware integrity, spam protection, security functionality verification, and information input validation.
📋 POA&Ms at Level 2 are permitted for some unmet controls, but with strict conditions. Understanding these rules is essential for managing your path to Level 2 Final status.
!

180-Day Closeout Requirement

All POA&M items must be closed within 180 days of the initial assessment date. Failure to close POA&Ms within this window results in loss of Conditional Status and potential contract impacts.

Hard Deadline180 Days
!

Ineligible Controls — Cannot Be on POA&M

DoD has designated certain high-priority requirements as ineligible for POA&M. These controls must be fully implemented before claiming even Conditional Status. Review current DoD guidance for the current ineligible list.

MFA RequirementsEncryption ControlsIncident Response
!

Conditional vs. Final Status

Conditional: Open POA&M items exist but are allowable; contract work may proceed subject to contracting officer approval. Final: All 110 controls met; no open POA&Ms. Final status required for highest-sensitivity programs.

SPRS Reporting
!

SPRS Score Implications

Each unmet control carries a negative point value (ranging from -1 to -5). The base score is +110. POA&M controls are still counted as deductions until fully remediated. A negative SPRS score is a significant red flag to contracting officers.

Base: +110Deductions Per Control
🎯
Level 3 — Expert (Sensitive CUI)
Requires Level 2 Final · DIBCAC assessment · 24 NIST SP 800-172 requirements
🔴 Prerequisite: You must hold Level 2 Final status before pursuing Level 3. Level 3 adds 24 enhanced security requirements from NIST SP 800-172 on top of the Level 2 baseline, and requires a government-led assessment by DCMA's DIBCAC every 3 years.
1
L3 · PREREQUISITE

Achieve Level 2 Final Status

All 110 NIST SP 800-171 controls must be fully implemented with no open POA&Ms. Level 2 Final status must be recorded in SPRS before pursuing Level 3 assessment.

SPRS: Final Status110 Controls Met
2
L3 · STEP 01

Implement 24 NIST SP 800-172 Requirements

Layer the 24 selected enhanced security requirements from NIST SP 800-172 on top of your Level 2 controls. These address advanced persistent threats (APTs) and are significantly more stringent, covering penetration resistance, deception techniques, and advanced threat hunting.

SP 800-172APT FocusEnhanced Controls
3
L3 · STEP 02

Prepare Evidence Package for DIBCAC

Compile a comprehensive evidence package: updated SSP, all policies and procedures, training records, network and data flow diagrams, system inventories, audit logs, incident response documentation, and results from any prior assessments.

SSP + AppendicesPolicy LibraryTechnical Evidence
4
L3 · STEP 03

Undergo DIBCAC Assessment

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), under DCMA, conducts the government-led Level 3 assessment. This is a rigorous evaluation combining document review, interviews, and technical testing. See the DIBCAC Assessment section for the full process.

DCMA / DIBCACGovernment-LedOn-Site + Remote
5
L3 · STEP 04

Results Recorded in CMMC eMASS & SPRS

DIBCAC records assessment results in CMMC eMASS. Your SPRS record is also updated. Level 3 status is valid for 3 years, subject to annual affirmation and continuous monitoring.

CMMC eMASSSPRS Update3-Year Validity
6
L3 · STEP 05

Annual Affirmation + 3-Year Re-Assessment

Senior official annual affirmation continues at Level 3. Every 3 years, a new DIBCAC assessment is required to maintain Level 3 certification. Significant changes to the system boundary or controls should trigger interim reporting.

Annual Affirmation3-Year DIBCAC Cycle
📐
NIST SP 800-172 — 24 Enhanced Requirements
Selected requirements added at Level 3 above the Level 2 baseline
🏛️
DIBCAC Assessment Process
DCMA Defense Industrial Base Cybersecurity Assessment Center · Level 3 Government-Led Assessment
🎖️ The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is an element of the Defense Contract Management Agency (DCMA). DIBCAC conducts government-led cybersecurity assessments for contractors seeking CMMC Level 3. These are rigorous, multi-phase evaluations — very different from a self-assessment or C3PAO review.
1
DIBCAC · PHASE 01

Pre-Assessment Preparation

DIBCAC notifies the contractor of the pending assessment. The contractor confirms Level 2 Final status in SPRS, designates a primary Point of Contact (POC) and Technical POC, and prepares the evidence package. DIBCAC reviews your SSP before the formal assessment begins.

SSP SubmissionPOC DesignationEvidence Pre-Check
2
DIBCAC · PHASE 02

Document & Policy Review

DIBCAC assessors conduct an in-depth review of your SSP, policies, procedures, training records, incident response plans, and all supporting documentation. Gaps identified during document review are flagged for follow-up during interviews and testing.

SSP Deep DivePolicy Gap AnalysisRemote or On-Site
3
DIBCAC · PHASE 03

Interviews

DIBCAC conducts structured interviews with system owners, IT/security staff, control owners, HR personnel, and senior management. Interview questions focus on whether documented controls are understood and operationally implemented — not just written in the SSP.

All StakeholdersOperational FocusConsistency Check
4
DIBCAC · PHASE 04

Technical Testing & Observation

Assessors perform technical testing to verify control implementation: reviewing system configurations, testing access controls, observing authentication processes, checking audit log settings, verifying encryption in transit and at rest, and examining network segmentation effectiveness.

Config ReviewAccess TestingEncryption VerificationLog Analysis
5
DIBCAC · PHASE 05

Finding Adjudication & Draft Report

DIBCAC compiles findings, scores each of the 134 requirements (110 from L2 + 24 from SP 800-172), and prepares a draft assessment report. The contractor has an opportunity to review and provide clarification or additional evidence for disputed findings before the report is finalized.

134 Requirements ScoredDraft Review PeriodContractor Response
6
DIBCAC · PHASE 06

Final Report & CMMC eMASS Entry

DIBCAC issues the final assessment report and records results in CMMC eMASS. If all requirements are met, Level 3 status is granted for 3 years. If deficiencies remain, the contractor must remediate and may need to undergo a re-assessment.

CMMC eMASSSPRS Update3-Year Certificate
7
DIBCAC · PHASE 07

Continuous Monitoring & Annual Affirmation

Post-assessment, the contractor must maintain all controls, report significant changes to the system environment, and submit annual affirmations of continued compliance. The 3-year re-assessment cycle then repeats.

Change ReportingAnnual Affirmation3-Year Cycle
📦 Assemble this artifact package before DIBCAC arrives. Incomplete or inconsistent artifacts are the most common reason for extended assessment timelines. Each artifact should clearly map to specific NIST SP 800-171 or 800-172 controls.
📁
Required Documents & Records
Core documentation requirements across all three CMMC levels
📌 These documents form the evidentiary backbone of any CMMC assessment. At Level 2 and Level 3, assessors expect artifacts that are current, consistent with each other, and traceable to specific controls. A well-documented SSP with supporting artifacts dramatically reduces assessment friction.
Document Purpose L1 L2 L3
System Security Plan (SSP)Describes system boundary, control implementation, responsible parties, interconnections
Plan of Action & Milestones (POA&M)Tracks unmet controls, remediation plans, milestones, and responsible owners
SPRS Assessment ScoreOfficial reporting of self-assessment or certification results in DoD system
Annual AffirmationSenior official attests continued compliance; carries legal weight
Network Topology DiagramVisual depiction of system architecture, connections, and boundary
CUI Data Flow DiagramShows how CUI enters, moves through, and exits the system environment
System Component InventoryList of all hardware, software, and services in scope
Policies & Procedures LibraryDocumented organizational policies mapped to security control families
Security Awareness Training RecordsEvidence that all personnel completed required security training
Incident Response Plan (IRP)Documented procedures for detecting, responding to, and recovering from incidents
Configuration BaselinesApproved security configurations for all in-scope system components
Vulnerability Scan ResultsRecent scan outputs with remediation status and timelines
Access Control Lists / User InventoryList of authorized users, accounts, and access levels for in-scope systems
Audit Log SamplesRepresentative log samples demonstrating logging is operational and retained
CMMC eMASS RecordGovernment system record for Level 3 DIBCAC assessment results
Penetration Test ResultsEvidence of adversarial testing against in-scope systems (SP 800-172 requirement)
Master Audit Checklist
Click items to mark complete · Progress tracked automatically
Checklist Progress 0 / 20 completed