CMMC Memo January 17, 2025

Since the publication of 32 CFR, which put CMMC in place for all Defense contracts, one of the main questions has been about CMMC Level 2: when self-assessment applies and when a third-party assessment is required.

Recently, the DoD issued the attached memo, which sheds some light on the subject. While this memo does help clarify the process, it is important to review your contracts and contact your contracting officers should you have questions. Also, remember that the CMMC certification requirement flows down, which means that if you are a subcontractor you will need to meet the same controls and requirements.

The memo breaks the requirements down into the points defined below:

CMMC Level 1 (Self-Assessment) – Assessed against FAR clause 52.204-21:

  • FAR clause 52.204-21 applies to FCI (Federal Contract Information). This clause does not apply to information provided by the Government to the public, such as on public websites, or to simple transactional information, such as is necessary to process payments.
  • If the planned contract, task order, or delivery order may require the contractor (or subcontractors at any tier) to process, store, or transmit only FCI in its information system, the appropriate assessment requirement is CMMC Level 1 Self-Assessment.

CMMC Level 2 – Assessed against NIST SP 800-171:

  • DFARS clause 252.204-7012 applies when CUI (Controlled Unclassified Information) will be processed, stored, or transmitted on contractor-owned information systems in the performance of a DoD contract, and it flows down to subcontracts, or similar contractual instruments, as described in DFARS clause 252.204-7012.
  • If the planned contract will require the contractor (or subcontractors) to process, store, or transmit CUI on a contractor-owned information system, compliance must be assessed against the NIST SP 800-171 requirements.
  • CMMC Level 2 (Self-Assessment) is the minimum assessment requirement for CUI. It is sufficient only for CUI outside of the National Archives' CUI Registry Defense Organizational Index Grouping. Category markings and definitions may be found on the CUI Registry (https://www.archives.gov/cui). The Program Manager may elevate the CMMC level if there is high risk to the confidentiality, integrity, or availability of the CUI.
  • CMMC Level 2 (Certification) is the minimum assessment requirement when the planned contract will require the contractor (or subcontractors) to process, store, or transmit CUI categorized under the National Archives CUI Registry Defense Organizational Index Grouping. Category markings and definitions may be found on the CUI Registry (https://www.archives.gov/cui). A CMMC Level 2 certification assessment is performed by third-party assessors employing the methods described in NIST SP 800-171A.

CMMC Level 3 (Certification) – Assessed by DoD officials against select controls in NIST SP 800-172:

  • The enhanced protections of NIST SP 800-172 must be applied to safeguard mission-critical or unique technologies and programs associated with the following factors/scenarios. Compliance with NIST SP 800-172 is a significant effort. Program Managers and requiring activities must carefully consider the need for safeguarding of the particular CUI to be shared and avoid overuse of the CMMC Level 3 requirement.
      ◦ CUI associated with a breakthrough, unique, and/or advanced technology;
      ◦ Significant aggregation or compilation of CUI in a single information system or IT environment; and
      ◦ Ubiquity – when an attack on a single information system or IT environment would result in widespread vulnerability across DoD.
  • The Office of the Under Secretary of Defense for Research and Engineering will publish and maintain a guidebook with additional details for the application of NIST SP 800-172 at https://aaf.dau.cdu/guidebook.
  • If the planned contract will require the contractor (or subcontractors) to process, store, or transmit CUI that requires the enhanced protections provided by NIST SP 800-172, then the minimum assessment requirement is CMMC Level 3 (Certification).
  • DoD Program Managers and requiring activities will determine whether a contract effort requires the contractor (or subcontractors) to process, store, or transmit CUI within non-federal unclassified information systems pertaining to the essential technology elements identified for prioritized protection through application of the NIST SP 800-172 requirements described in DoD Instruction 8582.01.
  • When CMMC Level 3 is warranted, a Security Classification Guide must be provided to communicate any CUI distribution limitations or instructions and to allow for the segregation of information, so that information that need not be covered by CMMC Level 3 can be handled appropriately at levels below CMMC Level 3 throughout the supply chain. Failure to do so may result in the CMMC Level 3 requirements being unnecessarily flowed down to all sub-tiers at significant cost to the program.

What does this mean for your contracts? 

If your contract does not involve CUI but does involve non-public FCI, you must self-assess against CMMC Level 1. If your contract involves CUI and that CUI falls under the CUI Registry's Defense Organizational Index Grouping, you must complete a third-party assessment (Level 2 Certification); otherwise you can self-assess (Level 2 Self-Assessment). Lastly, if the CUI is considered mission critical, you must meet the requirements of Level 3 and the enhanced protections of NIST SP 800-172.

At Summit, we have been involved in CMMC since its inception, and we have a lot of experience preparing companies for these new requirements. We hold certifications across the board and can help get your organization where it needs to be. If you'd like to set up a no-obligation meeting to discuss our preparation process, you can click here to schedule time on my calendar or click the button below for our contact form.
