CMMC Update by Glenda R. Snodgrass for The Net Effect

January 8, 2025

The magic numbers are 88 and 180: Level 2 self-assessment and affirmation requirements

Happy New Year! I can hardly believe it's 2025 already, and as predicted a few years ago, this is the year of official CMMC Assessments and CMMC clauses in contracts.

If you handle CUI, what is the most important thing you need to be thinking about right now? The magic numbers are 88 and 180. For the first time, we now have a minimum required self-assessment score in SPRS and a maximum time allowed to correct all deficiencies.

Say what? I confess, I hadn't considered this myself until I was chatting with colleagues last week. Let me summarize here, and then I'll walk through the details if you want to get into the weeds.

Executive Summary

The phased rollout begins with OSAs (Organization Seeking Assessment -- that's you) required to self-assess and affirm their compliance in order to be awarded future new contracts with the 7021 (CMMC) clause (L1 almost certainly for most, and some L2). Prime contractors often push harder and faster than DOD, so perform your due diligence on subcontracts as well.

We learned in the final rule that this self-assessment is much more rigorous than might be expected. For both L1 and L2, OSAs must perform a self-assessment using the same procedures as an official certification assessment.

There are four key points here:

  1. No POA&M is permitted for CMMC Level 1. "Self-assessment results are scored as MET or NOT MET in their entirety." Full implementation is required before you can self-assess as compliant.

  2. If you handle CUI and self-assess with a score lower than 88, and if any of the controls you assessed NOT MET are L1 controls or are 3-5 pointers (except FIPS), you cannot give yourself a Conditional status. You have failed the assessment and you are non-compliant.

  3. If you scored 88 or higher and the NOT MET controls are eligible for POA&M, you have 180 days to close those POA&Ms and award yourself a Final status. Your Conditional status expires in 180 days if you haven't met all the requirements on that date.

  4. For both levels, you must produce evidence for all Assessment Objectives (AOs) for all controls, and this evidence ("Artifacts") must be preserved by you for a period of 6 years.

If you want the details, keep reading!

Detailed Walk-Through

The CMMC Program is defined in 32 CFR 170. At § 170.16 the requirements for Level 2 self-assessment and affirmation by OSAs are detailed:

To comply with Level 2 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 2 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 2 (Self).

Paragraph (a)(1) tells us:

The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(3) to achieve the CMMC Status of Level 2 (Self).

The "security requirements specified in § 170.14(c)(3)" are the FAR 52.204-21 for FCI (CMMC L1), NIST SP 800-171r2 for CUI (CMMC L2) and a subset of NIST SP 800-172 (CMMC L3). Nothing new there. Note that you have to meet all the requirements of 800-171 to self-assess and affirm a Final Level 2 (Self). (a)(1) further states:

The OSA must conduct a self-assessment in accordance with the procedures set forth in paragraph (c)(1) of this section and submit assessment results in Supplier Performance Risk System (SPRS).

What are the procedures in (c)(1) of this section?

The OSA must conduct a Level 2 self-assessment in accordance with NIST SP 800-171A Jun2018 (incorporated by reference, see § 170.2) and the CMMC Level 2 scoping requirements set forth in §§ 170.19(a) and (c) for the information systems within the CMMC Assessment Scope. The Level 2 self-assessment must be scored in accordance with the CMMC Scoring Methodology described in § 170.24 and the OSA must upload the results into SPRS.

The CMMC Scoring Methodology for L2 is essentially the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020. Okay, this is basically the requirement of the 7019 clause in effect since 2020, with a twist. You've verified at the level of each AO in 800-171A that you have implemented all the requirements. Now you're adding the CMMC scoping (which is significantly different), producing and maintaining evidence, and recording the score in a different tab in SPRS, with affirmation by an official.

What if you didn't self-assess a perfect 110? There's an answer for that:

The OSA has achieved the CMMC Status of Conditional Level 2 (Self) if the Level 2 self-assessment results in a POA&M and the POA&M meets all the CMMC Level 2 POA&M requirements listed in § 170.21(a)(2).

Hmmm, what are the POA&M requirements listed in § 170.21(a)(2)?

An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met:

(i) The assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8;

Ah, there is the magic number of 88! That's now the minimum permissible self-assessment score to be considered compliant with CMMC L2 and eligible for new contracts with CUI. But wait, there's more!

(ii) None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2-3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and

(iii) None of the following security requirements are included in the POA&M:

[followed by a listing of the 1-point controls that are CMMC L1 controls].

So, not only do you need a minimum score of 88, but the controls you haven't fully met (at most 22 points' worth) cannot be L1 controls, nor can they be worth 3-5 points under the scoring methodology (the single exception being non-FIPS-validated encryption at 3 points). Before you begin an assessment, whether self or with a C3PAO, make sure you know which controls cannot go on a POA&M, and double- and triple-check your implementation of those controls! Any single one of those NOT MET is an automatic fail.
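To make the Conditional Level 2 (Self) rules above concrete, here is a small added Python checker (my own illustration, not part of 32 CFR 170 or any DoD or SPRS tool). It assumes the assessor supplies each NOT MET requirement's point value and whether it is one of the Level 1 controls listed in § 170.21(a)(2)(iii), which this newsletter does not reproduce; the control identifiers and status date in the demo are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_POINTS = 110     # DoD Assessment Methodology: 110 requirements, 110 points total
MIN_SCORE = 88         # 32 CFR 170.21(a)(2)(i): score / 110 >= 0.8, i.e. score >= 88
CLOSEOUT_DAYS = 180    # POA&M must be closed within 180 days of the CMMC Status Date
FIPS_EXCEPTION = "SC.L2-3.13.11"  # may sit on a POA&M at 3 points (encryption used, not FIPS-validated)
EXAMPLE_STATUS_DATE = date(2025, 1, 8)  # constructed CMMC Status Date for the demo


@dataclass
class NotMet:
    control: str      # requirement identifier
    points: int       # 1, 3 or 5 under the scoring methodology (supplied by the assessor)
    is_level1: bool   # True if it is one of the L1 controls excluded by 170.21(a)(2)(iii)


def sprs_score(not_met):
    """SPRS score: 110 minus the point value of every NOT MET requirement."""
    return TOTAL_POINTS - sum(n.points for n in not_met)


def poam_blockers(not_met):
    """Reasons, if any, why this set of NOT MET requirements cannot be a valid POA&M."""
    reasons = []
    score = sprs_score(not_met)
    if score < MIN_SCORE:
        reasons.append(f"score {score} is below the minimum of {MIN_SCORE}")
    for n in not_met:
        if n.is_level1:
            reasons.append(f"{n.control} is a Level 1 requirement and may not be on a POA&M")
        elif n.points > 1 and not (n.control == FIPS_EXCEPTION and n.points == 3):
            reasons.append(f"{n.control} is worth {n.points} points and may not be on a POA&M")
    return reasons


def level2_self_status(not_met, status_date):
    """Return (CMMC Status, blockers, date the Conditional status expires or None)."""
    if not not_met:
        return "Final Level 2 (Self)", [], None
    blockers = poam_blockers(not_met)
    if blockers:
        return "Not compliant", blockers, None
    return "Conditional Level 2 (Self)", [], status_date + timedelta(days=CLOSEOUT_DAYS)


if __name__ == "__main__":
    # Constructed scenario: 19 one-point L2 gaps plus non-FIPS encryption at 3 points -> score 88
    gaps = [NotMet(f"L2-1PT-{i:02d}", 1, False) for i in range(19)]
    gaps.append(NotMet(FIPS_EXCEPTION, 3, False))
    print(level2_self_status(gaps, EXAMPLE_STATUS_DATE))
```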

Going back to the Level 2 self-assessment and affirmation requirements:

(B) POA&M closeout. The OSA must remediate any NOT MET requirements, must perform a POA&M closeout self-assessment, and must post compliance results to SPRS within 180 days of the CMMC Status Date associated with the Conditional Level 2 (Self).

Ah, there is the magic number of 180! That's how long you have to close out your POA&Ms and update your self-assessment in SPRS from Conditional Level 2 (Self) to Final Level 2 (Self). And there are teeth:

If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional Level 2 (Self) CMMC Status for the information system will expire. If Conditional Level 2 (Self) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSA will be ineligible for additional awards with a requirement for the CMMC Status of Level 2 (Self), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.

(b) Contract eligibility. Prior to award of any contract or subcontract with requirement for CMMC Status of Level 2 (Self), the following two requirements must be met:

(1) The OSA must achieve, as specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 2 (Self) or Final Level 2 (Self).

(2) The OSA must submit an affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.

[...] (iv) CMMC Status investigation. The DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 48 CFR 252.204-7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSA will be ineligible for additional awards with CMMC Status requirement of Level 2 (Self), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.

And don't forget, this self-assessment is not a check-box exercise. You cannot just go down the rows in your spreadsheet and put MET on every AO. You have to produce evidence and store it for 6 years:

(4) Artifact retention. The artifacts used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.

Whew. It looks to me like DOD really has finally gotten serious about this compliance thing. Are you ready? Call if you need help!

Winter Workshops

CMMC 101: An Introduction to CMMC

Are you feeling pressure to prepare for CMMC -- but don't know how to begin? This virtual workshop will get you started!

Tuesday, January 28 @ 10am - 12pm (CT)


CMMC 102: Understanding the Security Controls

This deep-dive into the requirements of CMMC L1 will focus on the assessment objectives and evidence, preparing you to assess L2.

Tuesday, February 11 @ 10am - 12pm (CT)


Sincerely,

Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

TNE. Cybersecurity. Possible.


Contact

The Net Effect, L.L.C.
Post Office Box 885
Mobile, Alabama 36601-0885 (US)
phone: (251) 433-0196
fax: (251) 433-5371
email: sales at theneteffect dot com


Copyright 1996-2025 The Net Effect, L.L.C. All rights reserved.