Foundational
For contractors handling Federal Contract Information (FCI). Annual self-assessment against 15 basic safeguarding requirements.
Advanced
For contractors handling Controlled Unclassified Information (CUI). Based on 110 requirements in NIST SP 800-171 Rev. 2.
Expert
For the most sensitive CUI environments. Requires Level 2 Final + DIBCAC government assessment every 3 years.
Determine Contract Requirements
Identify the CMMC level required by your solicitation or contract. Determine whether flowdown requirements apply to your subcontractors or enclaves. FCI → Level 1; CUI → Level 2 or 3.
Define Scope & Assessment Boundary
Identify all systems, assets, and people that process, store, or transmit FCI/CUI. Document the boundary clearly — only in-scope systems are assessed. Narrowing scope reduces cost and risk.
Build / Update the SSP
Create or update your System Security Plan describing system boundaries, security control implementation, inherited protections, and responsible parties for each control.
Conduct Gap Analysis & Remediate
Assess current state against required controls. Document gaps in a POA&M (allowed at L2/L3; prohibited at L1). Remediate all gaps — at Level 1, ALL controls must be in place before claiming compliance.
Complete Required Assessment
Level 1: Annual self-assessment. Level 2: Self-assessment or C3PAO certification (contract-driven). Level 3: Must first hold Level 2 Final, then undergo DIBCAC government-led assessment.
Submit Results to SPRS / CMMC eMASS
Report assessment scores in the Supplier Performance Risk System (SPRS). Level 3 results also go into CMMC eMASS. Scores must be current and accurate — false claims carry legal liability.
Annual Affirmation by Senior Official
A senior-level official (not a technical reviewer) must affirm continued compliance annually. This is a management attestation with legal accountability for the organization's declared CMMC status.
Identify Covered Information Systems
Locate every system that processes, stores, or transmits Federal Contract Information (FCI). FCI is information provided by or generated for the government under contract — but not intended for public release.
Document the System Boundary
Create a network diagram and data flow showing where FCI enters, resides, and exits your environment. Accurate boundary documentation limits scope and supports your self-assessment narrative.
Implement All 15 FAR 52.204-21 Requirements
Review and implement each of the 15 basic safeguarding practices. See the FAR 52.204-21 section for an interactive breakdown. Remember: all 15 must be in place — no partial credit.
Perform the Annual Self-Assessment
Score each of the 15 requirements as Met or Not Met. Document your assessment methodology, evidence reviewed, and findings. Retain records for audit purposes.
Submit Score to SPRS
Enter your self-assessment score in the Supplier Performance Risk System (SPRS). The maximum Level 1 score is +15 (one point per control). Negative scores indicate non-compliance.
Senior Official Submits Annual Affirmation
A senior company official attests that the organization continues to meet all 15 Level 1 requirements. This affirmation carries legal weight — false affirmations may trigger False Claims Act liability.
Define CUI Scope & Assessment Boundary
Identify all systems processing CUI. Create or update network diagrams, data flow diagrams, and system inventories. Scoping decisions significantly affect cost and timeline.
Create / Maintain System Security Plan (SSP)
Build a comprehensive SSP documenting all 110 NIST SP 800-171 controls, implementation status, responsible parties, and system interconnections. The SSP is the primary artifact reviewers examine.
Gap Analysis Against 110 Controls
Assess each of the 110 NIST SP 800-171 Rev. 2 requirements. Score Met/Not Met/Partially Met. Calculate your preliminary SPRS score (max +110; deductions apply for each unmet control by assigned point value).
Remediate & Manage POA&Ms
Remediate all gaps possible. For remaining gaps, create POA&M entries documenting the gap, remediation plan, milestones, and responsible party. POA&Ms must be closed within 180 days. Some controls are ineligible for POA&M.
Complete Assessment (Self or C3PAO)
Self-Assessment: Contractor-led using NIST SP 800-171A assessment methods. C3PAO Certification: Independent third-party assessment by a DoD-approved Certified Third-Party Assessment Organization. Contract type determines which is required.
Submit Results to SPRS
Submit your assessment score to SPRS. For C3PAO assessments, the assessor submits directly. Conditional Status may be granted with open POA&Ms; Final Status requires all controls met.
Annual Affirmation + Periodic Reassessment
Annual affirmation of continued compliance. C3PAO certifications must be renewed every 3 years. Monitor and update your SPRS score if control status changes.
Limit System Access
Control access to organizational systems to authorized users, processes, and devices.
Ensure Security Awareness
Provide awareness training; ensure personnel are aware of security risks associated with their activities.
Create & Retain Audit Logs
Create and retain logs sufficient to enable monitoring, analysis, investigation, and reporting of unlawful activity.
Establish Secure Configurations
Establish and maintain baseline configurations and inventories of organizational systems.
Identify & Authenticate Users
Identify system users, processes, and devices and authenticate their identities before allowing access.
Establish Incident Capabilities
Establish an operational incident-handling capability including preparation, detection, analysis, containment, recovery, and user activities.
Perform System Maintenance
Perform maintenance on organizational systems; provide controls on tools, techniques, and personnel performing maintenance.
Protect System Media
Protect system media containing CUI, both paper and digital.
Limit Physical Access
Limit physical access to organizational systems to authorized individuals.
Screen Individuals
Screen individuals prior to authorizing access; ensure CUI is protected during and after personnel actions.
Assess Organizational Risk
Periodically assess the risk to operations, assets, and individuals resulting from system operation and associated information processing.
Periodically Assess Controls
Periodically assess security controls; develop and implement plans of action; and monitor systems on an ongoing basis.
Protect System Communications
Monitor, control, and protect communications at external boundaries and key internal boundaries.
Identify & Correct Flaws
Identify, report, and correct information system flaws; protect systems from malicious code; monitor system security alerts.
180-Day Closeout Requirement
All POA&M items must be closed within 180 days of the initial assessment date. Failure to close POA&Ms within this window results in loss of Conditional Status and potential contract impacts.
Ineligible Controls — Cannot Be on POA&M
DoD has designated certain high-priority requirements as ineligible for POA&M. These controls must be fully implemented before claiming even Conditional Status. Review current DoD guidance for the current ineligible list.
Conditional vs. Final Status
Conditional: Open POA&M items exist but are allowable; contract work may proceed subject to contracting officer approval. Final: All 110 controls met; no open POA&Ms. Final status required for highest-sensitivity programs.
SPRS Score Implications
Each unmet control carries a negative point value (ranging from -1 to -5). The base score is +110. POA&M controls are still counted as deductions until fully remediated. A negative SPRS score is a significant red flag to contracting officers.
Achieve Level 2 Final Status
All 110 NIST SP 800-171 controls must be fully implemented with no open POA&Ms. Level 2 Final status must be recorded in SPRS before pursuing Level 3 assessment.
Implement 24 NIST SP 800-172 Requirements
Layer the 24 selected enhanced security requirements from NIST SP 800-172 on top of your Level 2 controls. These address advanced persistent threats (APTs) and are significantly more stringent, covering penetration resistance, deception techniques, and advanced threat hunting.
Prepare Evidence Package for DIBCAC
Compile a comprehensive evidence package: updated SSP, all policies and procedures, training records, network and data flow diagrams, system inventories, audit logs, incident response documentation, and results from any prior assessments.
Undergo DIBCAC Assessment
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), under DCMA, conducts the government-led Level 3 assessment. This is a rigorous evaluation combining document review, interviews, and technical testing. See the DIBCAC Assessment section for the full process.
Results Recorded in CMMC eMASS & SPRS
DIBCAC records assessment results in CMMC eMASS. Your SPRS record is also updated. Level 3 status is valid for 3 years, subject to annual affirmation and continuous monitoring.
Annual Affirmation + 3-Year Re-Assessment
Senior official annual affirmation continues at Level 3. Every 3 years, a new DIBCAC assessment is required to maintain Level 3 certification. Significant changes to the system boundary or controls should trigger interim reporting.
Pre-Assessment Preparation
DIBCAC notifies the contractor of the pending assessment. The contractor confirms Level 2 Final status in SPRS, designates a primary Point of Contact (POC) and Technical POC, and prepares the evidence package. DIBCAC reviews your SSP before the formal assessment begins.
Document & Policy Review
DIBCAC assessors conduct an in-depth review of your SSP, policies, procedures, training records, incident response plans, and all supporting documentation. Gaps identified during document review are flagged for follow-up during interviews and testing.
Interviews
DIBCAC conducts structured interviews with system owners, IT/security staff, control owners, HR personnel, and senior management. Interview questions focus on whether documented controls are understood and operationally implemented — not just written in the SSP.
Technical Testing & Observation
Assessors perform technical testing to verify control implementation: reviewing system configurations, testing access controls, observing authentication processes, checking audit log settings, verifying encryption in transit and at rest, and examining network segmentation effectiveness.
Finding Adjudication & Draft Report
DIBCAC compiles findings, scores each of the 134 requirements (110 from L2 + 24 from SP 800-172), and prepares a draft assessment report. The contractor has an opportunity to review and provide clarification or additional evidence for disputed findings before the report is finalized.
Final Report & CMMC eMASS Entry
DIBCAC issues the final assessment report and records results in CMMC eMASS. If all requirements are met, Level 3 status is granted for 3 years. If deficiencies remain, the contractor must remediate and may need to undergo a re-assessment.
Continuous Monitoring & Annual Affirmation
Post-assessment, the contractor must maintain all controls, report significant changes to the system environment, and submit annual affirmations of continued compliance. The 3-year re-assessment cycle then repeats.
| Document | Purpose | L1 | L2 | L3 |
|---|---|---|---|---|
| System Security Plan (SSP) | Describes system boundary, control implementation, responsible parties, interconnections | ✓ | ✓ | ✓ |
| Plan of Action & Milestones (POA&M) | Tracks unmet controls, remediation plans, milestones, and responsible owners | — | ✓ | ✓ |
| SPRS Assessment Score | Official reporting of self-assessment or certification results in DoD system | ✓ | ✓ | ✓ |
| Annual Affirmation | Senior official attests continued compliance; carries legal weight | ✓ | ✓ | ✓ |
| Network Topology Diagram | Visual depiction of system architecture, connections, and boundary | — | ✓ | ✓ |
| CUI Data Flow Diagram | Shows how CUI enters, moves through, and exits the system environment | — | ✓ | ✓ |
| System Component Inventory | List of all hardware, software, and services in scope | — | ✓ | ✓ |
| Policies & Procedures Library | Documented organizational policies mapped to security control families | — | ✓ | ✓ |
| Security Awareness Training Records | Evidence that all personnel completed required security training | — | ✓ | ✓ |
| Incident Response Plan (IRP) | Documented procedures for detecting, responding to, and recovering from incidents | — | ✓ | ✓ |
| Configuration Baselines | Approved security configurations for all in-scope system components | — | ✓ | ✓ |
| Vulnerability Scan Results | Recent scan outputs with remediation status and timelines | — | ✓ | ✓ |
| Access Control Lists / User Inventory | List of authorized users, accounts, and access levels for in-scope systems | — | ✓ | ✓ |
| Audit Log Samples | Representative log samples demonstrating logging is operational and retained | — | ✓ | ✓ |
| CMMC eMASS Record | Government system record for Level 3 DIBCAC assessment results | — | — | ✓ |
| Penetration Test Results | Evidence of adversarial testing against in-scope systems (SP 800-172 requirement) | — | — | ✓ |