CMMC Level 2 Certification Assessment Requirements
32 CFR 170.17 specifies the procedural requirements when CMMC Level 2 must be verified by a CMMC Third-Party Assessment Organization (C3PAO) rather than self-assessed. It defines the triennial assessment cadence, the role of the Certified CMMC Assessor (CCA), the use of NIST SP 800-171A objectives, and the conditions for issuing a Final Level 2 Certification Assessment.
Who must comply
Contractors handling CUI on contracts where DoD requires a C3PAO-issued Level 2 certification.
What it requires
- 01Engage an accredited C3PAO to conduct the assessment.
- 02Have the assessment led by a Certified CMMC Assessor (CCA) using NIST SP 800-171A assessment objectives.
- 03Score the assessment using the DoD Assessment Methodology.
- 04Submit an annual senior-official affirmation between certification cycles.
- 05Renew the certification every three years.
Related clauses
- 32 CFR 170.16CMMC Level 2 Self-Assessment Requirements
32 CFR 170.16 governs the subset of CMMC Level 2 work that DoD allows to be self-assessed (rather than certified by a C3PAO). It requires a triennial self-assessment against all 110 NIST SP 800-171 controls, supplemented by an annual senior-official affirmation, for the specific programs DoD designates as eligible for self-assessment.
- 32 CFR 170.22Affirmation by a Senior Official
32 CFR 170.22 requires a named Affirming Official, defined at 32 CFR 170.4 as the senior level representative responsible for ensuring the contractor's compliance with the CMMC Program requirements who has the authority to affirm its continuing compliance, to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.