Current through October 31, 2024
Section 170.15 - [Effective 12/16/2024] CMMC Level 1 self-assessment and affirmation requirements

(a) Level 1 self-assessment. To comply with CMMC Level 1 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 1 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of Final Level 1 (Self).

(1) Level 1 self-assessment requirements. The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No POA&Ms are permitted for CMMC Level 1. The OSA must conduct a self-assessment in accordance with the procedures set forth in § 170.15(c)(1) and submit assessment results in SPRS. To maintain compliance with the requirements for the CMMC Status of Final Level 1 (Self), the OSA must conduct a Level 1 self-assessment on an annual basis and submit the results in SPRS, or its successor capability.

(i) Inputs to SPRS. The Level 1 self-assessment results in the Supplier Performance Risk System (SPRS) shall include, at minimum, the following items:

(C) CMMC Assessment Scope.

(D) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.

(2) Affirmation. Affirmation of the Level 1 (Self) CMMC Status is required for all Level 1 self-assessments. Affirmation procedures are set forth in § 170.22.

(b) Contract eligibility. Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 1 (Self), OSAs must both achieve a CMMC Status of Level 1 (Self) and have submitted an affirmation of compliance into SPRS for all information systems within the CMMC Assessment Scope.

(c) Procedures - (1) Level 1 self-assessment. The OSA must conduct a Level 1 self-assessment scored in accordance with the CMMC Scoring Methodology described in § 170.24.
The Level 1 self-assessment must be performed in accordance with the CMMC Level 1 scope requirements set forth in § 170.19(a) and (b) and the following:

(i) The Level 1 self-assessment must be performed using the objectives defined in NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) for the security requirement that maps to the CMMC Level 1 security requirement as specified in table 1 to paragraph (c)(1)(ii) of this section. In any case where an objective addresses CUI, FCI should be substituted for CUI in the objective.

(ii) Mapping table for CMMC Level 1 security requirements to the NIST SP 800-171A Jun2018 objectives.

Table 2 to § 170.15(c)(1)(ii) - CMMC Level 1 Security Requirements Mapped to NIST SP 800-171A Jun2018
| CMMC Level 1 security requirements as set forth in § 170.14(c)(2) | NIST SP 800-171A Jun2018 |
|---|---|
| AC.L1-b.1.i | 3.1.1 |
| AC.L1-b.1.ii | 3.1.2 |
| AC.L1-b.1.iii | 3.1.20 |
| AC.L1-b.1.iv | 3.1.22 |
| IA.L1-b.1.v | 3.5.1 |
| IA.L1-b.1.vi | 3.5.2 |
| MP.L1-b.1.vii | 3.8.3 |
| PE.L1-b.1.viii | 3.10.1 |
| First phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.3 |
| Second phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.4 |
| Third phrase of PE.L1-b.1.ix (FAR b.1.ix *) | 3.10.5 |
| SC.L1-b.1.x | 3.13.1 |
| SC.L1-b.1.xi | 3.13.5 |
| SI.L1-b.1.xii | 3.14.1 |
| SI.L1-b.1.xiii | 3.14.2 |
| SI.L1-b.1.xiv | 3.14.4 |
| SI.L1-b.1.xv | 3.14.5 |
* Three of the 48 CFR 52.204-21 requirements were broken apart by "phrase" when NIST SP 800-171 R2 was developed.
(iii) Additional guidance can be found in the guidance document listed in paragraph (b) of appendix A to this part.

(2) Artifact retention. The artifacts used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.