CMMC Level 1

FAR 52.204-21 is the Federal Acquisition Regulation clause that requires federal contractors to apply 15 basic safeguarding requirements to systems that process, store, or transmit Federal Contract Information (FCI). It is the regulatory basis for CMMC Level 1 — the 15 Level 1 practices are drawn directly from paragraph (b)(1) of this clause.

Federal Contract Information (FCI) is non-public information provided by or generated for the federal government under a contract to develop or deliver a product or service. It is the information type protected under FAR 52.204-21 and is the trigger for CMMC Level 1.

CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.

The annual affirmation is the electronic statement, posted in SPRS at least every 12 months by an Affirming Official under 32 CFR 170.22, that the contractor continues to meet the security requirements for its CMMC level. Knowingly false affirmations are the explicit enforcement target of the DOJ Civil Cyber-Fraud Initiative.

The Supplier Performance Risk System (SPRS) is the Department of Defense system of record where contractors post their NIST SP 800-171 assessment scores and CMMC affirmations. Contracting officers verify SPRS entries before award on solicitations that include DFARS 252.204-7019, -7020, or -7021.