CMMC Level 2 Certification Assessment Requirements
32 CFR 170.17 specifies the procedural requirements when CMMC Level 2 must be verified by a CMMC Third-Party Assessment Organization (C3PAO) rather than self-assessed. It defines the triennial assessment cadence, the role of the Certified CMMC Assessor (CCA), the use of NIST SP 800-171A objectives, and the conditions for issuing a Final Level 2 Certification Assessment.
Who must comply
Contractors handling CUI on contracts where DoD requires a C3PAO-issued Level 2 certification.
What it requires
1. Engage an accredited C3PAO to conduct the assessment.
2. Have the assessment led by a Certified CMMC Assessor (CCA) using NIST SP 800-171A assessment objectives.
3. Score the assessment using the DoD Assessment Methodology.
4. Submit an annual senior-official affirmation between certification cycles.
5. Renew the certification every three years.
Related clauses
- 32 CFR 170.16: CMMC Level 2 Self-Assessment Requirements
32 CFR 170.16 governs the subset of CMMC Level 2 work that DoD allows to be self-assessed (rather than certified by a C3PAO). It requires a triennial self-assessment against all 110 NIST SP 800-171 controls, supplemented by an annual senior-official affirmation, for the specific programs DoD designates as eligible for self-assessment.
- 32 CFR 170.22: Affirmation by a Senior Official
32 CFR 170.22 requires a named Affirming Official — a senior representative of the contractor with authority to bind the organization — to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.