CMMC Level 1 Self-Attestation requires compliance with the basic safeguarding of 15 requirements to protect Federal Contract Information(FCI) set forth in FAR clause 52.204-21.

Every year, an accountable executive within the defense contractor organization will be required to submit a self-attestation of the company’s implementation of the 15 requirements outlined in 32 CFR 170.15 into the Supplier Performance Risk System (SPRS), an initial affirmation of compliance, and annually after that, an affirmation of continued compliance as outlined in 32 CFR 170-22, making the company eligible for DoD contract award.

CMMC Level 2 Self-Attestation requires compliance with the 110 security requirements outlined in 32 CFR 170.17 and NIST SP 800-171 Rev 2 to protect Controlled Unclassified Information (CUI).

Every year, an accountable executive within the defense contractor organization will be required to submit a self-attestation of the company’s implementation of the 110 requirements outlined in 32 CFR 170.16 into the Supplier Performance Risk System (SPRS), an initial affirmation of compliance, a POA&M closeout affirmation if necessary, and, annually after that, an affirmation of continued compliance as outlined in 32 CFR 170.22, making the company eligible for DoD contract award.

CMMC Level 2 Certification requires compliance with the 110 security requirements outlined in 32 CFR 170.17 and NIST SP 800-171 Rev 2 to protect Controlled Unclassified Information (CUI).

Level 2 Certification requires an authorized or accredited CMMC Certified Third-Party Assessment Organization (C3PAO) to validate the implementation of the NIST SP 800-171 Rev 2 security requirements and upload the results into eMASS, which will feed the information into SPRS making the defense contractor eligible for DoD contract award for three years.

Level 2 Certification also requires an accountable executive within the defense contractor’s organization to submit an initial affirmation of compliance, a POA&M closeout affirmation if necessary, and, annually after that, an affirmation of continued compliance outlined in 32 CFR 170.22.

CMMC Level 3 Certification requires a CMMC Level 2 Final Certification Assessment and compliance with the additional security requirements to defense contractors required by existing acquisition regulations set forth in 32 CFR 170.18 to protect CUI. This level provides enhanced security requirements for protecting against Advanced Persistent Threats (APTs).

Level 3 Certification requires DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to validate the implementation of the DoD-defined selected security requirements as outlined in NIST SP 800-172. A CMMC Level 2 Final Certification is a prerequisite to schedule a DIBCAC assessment for CMMC Level 3. DIBCAC will upload the CMMC Level 3 results into eMASS, which will feed information into SPRS making the defense contractors eligible for DoD contract awards for three years.

Level 3 Certification also requires an accountable executive within the defense contractor’s organization to submit an initial affirmation of compliance, a POA&M closeout affirmation if necessary, and, annually after that, an affirmation of continued compliance outlined in 32 CFR 170.22.

SMPL-C does not offer a Level 3 Product at this time.

You must complete a CMMC Level 2 Certification before scheduling a DIBCAC Assessment for CMMC Level 3.