The CMMC Program defines three assessment levels, each built on security requirements drawn from existing federal regulations and NIST guidance.
Level 1: Basic Safeguarding of FCI
Requirements: Annual self-assessment and annual affirmation of compliance with the 15 security requirements in FAR clause 52.204-21.
Level 2: Broad Protection of CUI
Requirements:
Either a self-assessment or a C3PAO (CMMC Third-Party Assessment Organization) assessment every three years, as specified in the solicitation.
Which of the two is required is determined by the type of information processed, stored, or transmitted on the contractor's or subcontractor's information systems.
An annual affirmation verifying compliance with the 110 security requirements in NIST SP 800-171 Revision 2.
Level 3: Higher-Level Protection of CUI Against Advanced Persistent Threats
Requirements:
Achieve a CMMC Status of Final Level 2 (C3PAO); a Level 2 self-assessment does not satisfy this prerequisite.
Undergo an assessment every three years by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Provide an annual affirmation verifying compliance with the 24 selected requirements from NIST SP 800-172, in addition to continued compliance with the Level 2 requirements.