Self-Assessment
A CMMC self-assessment is an internally conducted evaluation of an organization's implementation of the applicable security requirements, performed without a third-party assessor. CMMC Level 1 is exclusively self-assessed; CMMC Level 2 is self-assessed for some programs and C3PAO-assessed for others, depending on the contract requirement.
Related terms
- CMMC Level 1
CMMC Level 1 is the lowest of the three CMMC certification tiers, covering contractors who handle Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). It requires implementing the 15 safeguarding requirements in FAR 52.204-21(b)(1), an annual self-assessment, and an annual senior-official affirmation posted in SPRS.
- Annual Affirmation
The annual affirmation is the electronic statement, posted in SPRS at least every 12 months by an Affirming Official under 32 CFR 170.22, that the contractor continues to meet the security requirements for its CMMC level. Knowingly false affirmations are the explicit enforcement target of the DOJ Civil Cyber-Fraud Initiative.
- Supplier Performance Risk System
The Supplier Performance Risk System (SPRS) is the Department of Defense system of record where contractors post their NIST SP 800-171 assessment scores and CMMC affirmations. Contracting officers verify SPRS entries before award on solicitations that include DFARS 252.204-7019, -7020, or -7021.