← Custodia
32 CFR 170.17

CMMC Level 2 Certification Assessment Requirements

In plain English

32 CFR 170.17 specifies the procedural requirements when CMMC Level 2 must be verified by a CMMC Third-Party Assessment Organization (C3PAO) rather than self-assessed. It defines the triennial assessment cadence, the role of the Certified CMMC Assessor (CCA), the use of NIST SP 800-171A objectives, and the conditions for issuing a Final Level 2 Certification Assessment.

Who must comply

Contractors handling CUI on contracts where DoD requires a C3PAO-issued Level 2 certification.

What it requires

  1. 01Engage an accredited C3PAO to conduct the assessment.
  2. 02Have the assessment led by a Certified CMMC Assessor (CCA) using NIST SP 800-171A assessment objectives.
  3. 03Score the assessment using the DoD Assessment Methodology.
  4. 04Submit an annual senior-official affirmation between certification cycles.
  5. 05Renew the certification every three years.
Primary source
Read 32 CFR 170.17 at its source

Related clauses

Related terms

Free · Every Monday

Get the federal bids a small business can win, in your inbox.

The Monday Bid Digest: brand-new SAM.gov solicitations matched to your NAICS, pre-filtered to Level 1 fit, with the CMMC gate called out on every one. Two minutes, no spam.

Get the Monday Bid Digest
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)