- Level 1 - Basic Safeguarding of FCI: Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.
- Level 2 - Broad Protection of CUI: Either a self-assessment or an independent assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO) every three years. (The solicitation will specify the assessment requirement.) Additionally, an annual affirmation to verify continued compliance with the 110 security requirements in NIST SP 800-171.
- Level 3 - Higher Level Protection of CUI Against Advanced Persistent Threats: Achieve CMMC Level 2 certification first, then undergo an assessment every three years by the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Annual affirmations are required every year to verify continued compliance with CMMC Level 2 as well as the 24 identified requirements in NIST SP 800-172.
Note: All assessment results and annual affirmations of continued compliance are entered into SPRS.
- What is Federal Contract Information or FCI?
- FCI is defined in section 4.1901 of the Federal Acquisition Regulation (FAR) as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments."
- What is Controlled Unclassified Information or CUI?
- CUI is defined in Title 32 CFR 2002.4(h) as "information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls."
For additional terms, please visit the Cyber AB’s Terminology website.