32 C.F.R. § 170.15

Current through October 31, 2024
Section 170.15 - [Effective 12/16/2024] CMMC Level 1 self-assessment and affirmation requirements
(a) Level 1 self-assessment. To comply with CMMC Level 1 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 1 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of Final Level 1 (Self).
(1) Level 1 self-assessment requirements. The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No POA&Ms are permitted for CMMC Level 1. The OSA must conduct a self-assessment in accordance with the procedures set forth in § 170.15(c)(1) and submit assessment results in SPRS. To maintain compliance with the requirements for the CMMC Status of Final Level 1 (Self), the OSA must conduct a Level 1 self-assessment on an annual basis and submit the results in SPRS, or its successor capability.
(i) Inputs to SPRS. The Level 1 self-assessment results in the Supplier Performance Risk System (SPRS) shall include, at minimum, the following items:
(A) CMMC Level.
(B) CMMC Status Date.
(C) CMMC Assessment Scope.
(D) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.
(E) Compliance result.
(ii) [Reserved]
(2) Affirmation. Affirmation of the Level 1 (Self) CMMC Status is required for all Level 1 self-assessments. Affirmation procedures are set forth in § 170.22.
(b) Contract eligibility. Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 1 (Self), OSAs must both achieve a CMMC Status of Level 1 (Self) and have submitted an affirmation of compliance into SPRS for all information systems within the CMMC Assessment Scope.
(c) Procedures -
(1) Level 1 self-assessment. The OSA must conduct a Level 1 self-assessment scored in accordance with the CMMC Scoring Methodology described in § 170.24. The Level 1 self-assessment must be performed in accordance with the CMMC Level 1 scope requirements set forth in § 170.19(a) and (b) and the following:
(i) The Level 1 self-assessment must be performed using the objectives defined in NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) for the security requirement that maps to the CMMC Level 1 security requirement as specified in table 1 to paragraph (c)(1)(ii) of this section. In any case where an objective addresses CUI, FCI should be substituted for CUI in the objective.
(ii) Mapping table for CMMC Level 1 security requirements to the NIST SP 800-171A Jun2018 objectives.

Table 2 to § 170.15(c)(1)(ii) - CMMC Level 1 Security Requirements Mapped to NIST SP 800-171A Jun2018

CMMC Level 1 security requirements as set forth in § 170.14(c)(2)   NIST SP 800-171A Jun2018
AC.L1-b.1.i                                                         3.1.1
AC.L1-b.1.ii                                                        3.1.2
AC.L1-b.1.iii                                                       3.1.20
AC.L1-b.1.iv                                                        3.1.22
IA.L1-b.1.v                                                         3.5.1
IA.L1-b.1.vi                                                        3.5.2
MP.L1-b.1.vii                                                       3.8.3
PE.L1-b.1.viii                                                      3.10.1
First phrase of PE.L1-b.1.ix (FAR b.1.ix *)                         3.10.3
Second phrase of PE.L1-b.1.ix (FAR b.1.ix *)                        3.10.4
Third phrase of PE.L1-b.1.ix (FAR b.1.ix *)                         3.10.5
SC.L1-b.1.x                                                         3.13.1
SC.L1-b.1.xi                                                        3.13.5
SI.L1-b.1.xii                                                       3.14.1
SI.L1-b.1.xiii                                                      3.14.2
SI.L1-b.1.xiv                                                       3.14.4
SI.L1-b.1.xv                                                        3.14.5

* Three of the 48 CFR 52.204-21 requirements were broken apart by "phrase" when NIST SP 800-171 R2 was developed.

(iii) Additional guidance can be found in the guidance document listed in paragraph (b) of appendix A to this part.
(2) Artifact retention. The artifacts used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.


89 FR 83214, 12/16/2024