Page 138 - Cyber Defense eMagazine March 2024
Once the program is fully implemented, DoD will specify in each applicable solicitation (1) the CMMC level with which contractors must comply and (2) the type of assessment required to verify implementation of the security requirements. The applicable CMMC level will be determined by DoD program managers based on the information stored in and processed by a contractor's systems. The type of assessment required will depend on both the applicable CMMC level and the Contracting Officer's (CO's) discretionary determination.
The CMMC will consist of three levels, each of which is detailed below.
CMMC Level 1
The first level of certification, which will apply to the largest number of companies in the DoD supply base, is CMMC Level 1. This level requires that relevant contractors comply with the 15 security requirements set out in Federal Acquisition Regulation (FAR) 52.204-21. Many contractors already comply with the FAR 52.204-21 requirements and, therefore, will likely not need to implement any new controls to comply with CMMC Level 1.
Contractors will be required to self-certify annually against the CMMC Level 1 requirements. This certification can be performed by engaging a CMMC Third-Party Assessment Organization (C3PAO) or by using internal resources. The results of the certification must be entered in the Supplier Performance Risk System (SPRS), and a "senior official" from the prime contractor must "affirm" compliance initially and on an annual basis thereafter.
CMMC Level 2
Many contractors are also already in compliance with CMMC Level 2, as its requirements mirror those under DFARS 252.204-7012, which requires contractors to implement the 110 security controls contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Under the proposed rule, the CO has the discretion to determine whether a contract containing the CMMC Level 2 requirements necessitates a self-assessment or a CMMC Level 2 Certification Assessment to verify implementation of the necessary security requirements. That decision will center on the "program criticality, information sensitivity, and the severity of the cyber threat."
If a contractor is not already in compliance with the CMMC Level 2 requirements, it may have to submit a Plan of Action and Milestones (POA&M), which provides a roadmap for the contractor to address its areas of weakness.
The self-assessment process for verifying the CMMC Level 2 requirements remains largely the same as the process required to certify the CMMC Level 1 requirements. The self-assessment results, as well as an initial compliance affirmation, must be submitted to SPRS prior to award.
On the other hand, the CMMC Level 2 Certification Assessment requires that contractors engage third-party assessment organizations to certify their compliance with the Level 2 requirements. The
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.