A CMMC self-assessment will apply to those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted, and to a subset of companies that are required to protect CUI. The CMMC self-assessment should be completed using the CMMC Assessment Guide codified in 32 CFR for the appropriate CMMC level. A CMMC self-attestation is a representation that the offeror meets the requirements of the CMMC level required by the solicitation. The CMMC program will require an annual self-assessment and an annual affirmation by a senior company official.
A “Basic Assessment”, as defined in DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that —
Is based on the Contractor’s review of their system security plan(s) associated with covered contractor information system(s);
Is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and
Results in a confidence level of “Low” in the resulting score, because it is a self-generated score.