CMMC Level 2 Self-Assessment Requirements
32 CFR 170.16 governs the subset of CMMC Level 2 work that DoD allows to be self-assessed rather than certified by a C3PAO. It requires a self-assessment every three years against all 110 NIST SP 800-171 Rev 2 security requirements, scored against the NIST SP 800-171A assessment objectives, supplemented by an annual senior-official affirmation, for the specific programs DoD designates as eligible for self-assessment. Meeting all 110 requirements yields a Final Level 2 (Self) status; a Conditional Level 2 (Self) status requires a minimum score of 88 (80 percent) with the remaining items on a POA&M.
Who must comply
Contractors that process, store, or transmit CUI on contracts where DoD has designated Level 2 self-assessment (rather than C3PAO certification) as sufficient, and their subcontractors that handle CUI under those contracts.
What it requires
1. Conduct a self-assessment against all 110 NIST SP 800-171 Rev 2 requirements every three years.
2. Score the assessment using the NIST SP 800-171 DoD Assessment Methodology (110 points maximum, with 1-, 3- or 5-point deductions per unmet requirement) and post the score, assessment date and resulting status to SPRS.
3. Submit an annual affirmation by a senior official that the organization continues to meet the requirements.
4. Close out any POA&M items permitted under 32 CFR 170.21 within the 180-day window that section specifies; a Conditional status that is not closed out in time lapses.
Related clauses
- 32 CFR 170.17: CMMC Level 2 Certification Assessment Requirements
32 CFR 170.17 specifies the procedural requirements when CMMC Level 2 must be verified by a CMMC Third-Party Assessment Organization (C3PAO) rather than self-assessed. It defines the triennial assessment cadence, the role of the Certified CMMC Assessor (CCA), the use of NIST SP 800-171A assessment objectives, and the conditions for issuing Conditional and Final Level 2 (C3PAO) status.
- 32 CFR 170.22: Affirmation by a Senior Official
32 CFR 170.22 requires a named Affirming Official, a senior representative of the contractor with authority to bind the organization, to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation exposes the contractor and the official to liability under the False Claims Act, which is the enforcement vehicle of the Department of Justice Civil Cyber-Fraud Initiative.
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7012 requires DoD contractors that handle Covered Defense Information (CDI) to implement the security requirements of NIST SP 800-171, report cyber incidents to DoD within 72 hours of discovery through the DIBNet portal, and use cloud services that meet the FedRAMP Moderate baseline (or equivalent) for CDI. It has been the contractual basis for NIST SP 800-171 across the defense industrial base since full implementation became mandatory on 31 December 2017.