bmad-plus 0.8.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (213) hide show
  1. package/CHANGELOG.md +45 -1
  2. package/LICENSE +21 -21
  3. package/README.md +107 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +18 -5
  24. package/readme-international/README.es.md +40 -12
  25. package/readme-international/README.fr.md +36 -8
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/bmad-plus-npx.js +3 -5
  180. package/tools/cli/bmad-plus-cli.js +5 -3
  181. package/tools/cli/commands/autoconfig.js +18 -61
  182. package/tools/cli/commands/doctor.js +30 -31
  183. package/tools/cli/commands/install.js +33 -343
  184. package/tools/cli/commands/memory.js +1 -0
  185. package/tools/cli/commands/scan.js +61 -74
  186. package/tools/cli/commands/uninstall.js +7 -4
  187. package/tools/cli/commands/update.js +15 -72
  188. package/tools/cli/i18n.js +92 -10
  189. package/tools/cli/lib/ide-config.js +259 -0
  190. package/tools/cli/lib/memory-init.js +113 -0
  191. package/tools/cli/lib/pack-copy.js +84 -0
  192. package/tools/cli/lib/packs.js +114 -0
  193. package/tools/cli/lib/stack-detect.js +102 -0
  194. package/tools/cli/lib/validate.js +45 -0
  195. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +0 -325
  196. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +0 -55
  197. package/src/bmad-plus/agents/pack-backup/backup-agent.md +0 -71
  198. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +0 -51
  199. package/src/bmad-plus/agents/pack-seo/SKILL.md +0 -171
  200. package/src/bmad-plus/agents/pack-seo/checklist.md +0 -140
  201. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +0 -320
  202. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +0 -187
  203. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +0 -87
  204. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +0 -123
  205. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +0 -167
  206. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +0 -153
  207. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +0 -133
  208. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +0 -91
  209. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +0 -356
  210. package/src/bmad-plus/agents/pack-seo/seo-chief.md +0 -294
  211. package/src/bmad-plus/agents/pack-seo/seo-judge.md +0 -241
  212. package/src/bmad-plus/agents/pack-seo/seo-scout.md +0 -171
  213. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +0 -241
@@ -1,170 +1,170 @@
1
- # CMMC 2.0 — Assessment Guide: SPRS Scoring, C3PAO Process & POA&M Rules
2
-
3
- ## SPRS Score Calculation
4
-
5
- ### Scoring Methodology
6
- The SPRS score is calculated per the DoD Assessment Methodology for NIST SP 800-171:
7
- - **Starting score**: 110 points
8
- - **Each NOT MET practice**: Deduct the assigned point value
9
- - **Partial implementation**: Full deduction applies (no partial credit)
10
- - **Score range**: +110 (all practices met) to −203 (all not met)
11
- - **Submission**: Required for all Level 2 contracts; submit at sprs.csd.disa.mil
12
-
13
- ### Point Values by Domain
14
- Point values are assigned based on the practice's security impact:
15
-
16
- | Domain | Practices | Total Points at Risk |
17
- |--------|-----------|---------------------|
18
- | AC (Access Control) | 22 | ~50 |
19
- | AU (Audit & Accountability) | 9 | ~17 |
20
- | CM (Configuration Management) | 9 | ~19 |
21
- | IA (Identification & Authentication) | 11 | ~22 |
22
- | IR (Incident Response) | 3 | ~5 |
23
- | MA (Maintenance) | 6 | ~11 |
24
- | MP (Media Protection) | 9 | ~8 |
25
- | PE (Physical Protection) | 6 | ~11 |
26
- | PS (Personnel Security) | 2 | ~4 |
27
- | RA (Risk Assessment) | 3 | ~9 |
28
- | CA (Security Assessment) | 4 | ~9 |
29
- | SC (System & Communications) | 16 | ~39 |
30
- | SI (System & Information Integrity) | 7 | ~14 |
31
-
32
- *Exact point values per practice are published in the DoD Assessment Methodology document (v2.2, Nov 2020).*
33
-
34
- ### Highest-Impact Practices (Largest Point Deductions)
35
- Prioritize these when remediating — they carry the heaviest scoring weight:
36
- 1. **AC.L2-3.1.3** — CUI flow control (5 pts)
37
- 2. **SC.L2-3.13.8** — Encryption in transit / FIPS validated (5 pts)
38
- 3. **SC.L2-3.13.11** — FIPS-validated cryptography (5 pts)
39
- 4. **IA.L2-3.5.3** — Multifactor authentication (5 pts)
40
- 5. **SI.L2-3.14.6** — Monitoring for attacks (5 pts)
41
- 6. **AC.L2-3.1.5** — Least privilege (3 pts)
42
- 7. **AU.L2-3.3.1** — Audit logging (3 pts)
43
- 8. **CM.L2-3.4.1** — Baseline configuration (3 pts)
44
-
45
- ---
46
-
47
- ## C3PAO Assessment Process
48
-
49
- ### Pre-Assessment (Contractor Responsibilities)
50
- Before engaging a C3PAO, ensure:
51
- - [ ] System Security Plan (SSP) is complete and covers all 110 practices
52
- - [ ] System boundary is defined with network diagrams
53
- - [ ] CUI data flows are documented
54
- - [ ] POA&M lists all practices not yet met
55
- - [ ] SPRS score has been self-calculated
56
- - [ ] Personnel responsible for each practice are identified
57
-
58
- ### Assessment Phases
59
-
60
- **Phase 1 — Documentation Review (Remote)**
61
- - C3PAO reviews SSP, network diagrams, policies, and POA&M
62
- - Requests artifact list: logs, screenshots, configuration exports, training records
63
- - Duration: 2–4 weeks
64
-
65
- **Phase 2 — Assessment Activities (On-site or Remote)**
66
- - Interviews with system administrators, security personnel, and executives
67
- - Technical testing: vulnerability scans, configuration reviews, access control verification
68
- - Observation of processes (incident response tabletop, maintenance procedures)
69
- - Duration: 1–3 weeks depending on scope
70
-
71
- **Phase 3 — Findings and Reporting**
72
- - C3PAO issues Findings Report: MET, NOT MET, or NOT APPLICABLE per practice
73
- - Contractor may provide additional evidence for disputed findings (limited window)
74
- - Final report submitted to CMMC-AB
75
-
76
- **Phase 4 — Certification Decision**
77
- - **All 110 practices MET**: Full certification issued; valid 3 years
78
- - **Limited unmet practices (non-critical)**: Conditional certification with POA&M; must remediate within 180 days
79
- - **Critical practices unmet**: No certification; remediate and reschedule
80
-
81
- ### Critical Practices (Cannot Have POA&M at Certification)
82
- The following practices must be fully MET for any certification to be issued:
83
- - AC.L2-3.1.3 (CUI flow control)
84
- - IA.L2-3.5.3 (Multifactor authentication)
85
- - SC.L2-3.13.8 (Encryption in transit)
86
- - SC.L2-3.13.11 (FIPS-validated cryptography)
87
- - SI.L2-3.14.6 (Attack monitoring)
88
- - AU.L2-3.3.1 (Audit logging)
89
- - IR.L2-3.6.1 (Incident response capability)
90
-
91
- ---
92
-
93
- ## POA&M Rules and Management
94
-
95
- ### What Can Be in a POA&M at Certification
96
- - Level 2: Up to a limited number of non-critical practices may remain in POA&M at time of certification
97
- - POA&M remediation deadline: **180 days** from certification date
98
- - Failure to remediate = certification revocation
99
- - Level 3: No POA&M at certification — all practices must be MET
100
-
101
- ### POA&M Entry Format
102
-
103
- | Field | Description |
104
- |-------|-------------|
105
- | Practice ID | CMMC practice identifier (e.g., CM.L2-3.4.2) |
106
- | Weakness Description | What is not implemented and why |
107
- | Remediation Steps | Specific actions to achieve compliance |
108
- | Milestone 1–N | Intermediate checkpoints with dates |
109
- | Scheduled Completion | Target date for full implementation |
110
- | Resources Required | Personnel, tools, budget |
111
- | Status | Open / In Progress / Completed |
112
- | Evidence of Closure | What artifacts will demonstrate completion |
113
-
114
- ### POA&M Best Practices
115
- - Never list a critical practice in a POA&M if seeking certification
116
- - Update monthly; stale POA&Ms raise auditor concerns
117
- - Link each POA&M item to the relevant SSP section
118
- - Document root cause, not just the symptom
119
-
120
- ---
121
-
122
- ## Evidence Requirements by Practice Type
123
-
124
- ### Documentary Evidence (policies, procedures, plans)
125
- - Acceptable formats: PDF, Word, screenshots with metadata
126
- - Must show: author, date, version, approval signature
127
- - Examples: SSP, access control policy, incident response plan, training records
128
-
129
- ### Technical Evidence (system configuration, logs)
130
- - Configuration exports from firewalls, Active Directory, SIEM
131
- - Vulnerability scan reports (authenticated scans preferred)
132
- - MFA enrollment reports showing all privileged user enrollment
133
- - Patch management reports showing remediation timelines
134
-
135
- ### Interview Evidence
136
- - Assessors will interview: ISSO/ISSM, system admins, end users, executives
137
- - Prepare personnel to describe their security responsibilities
138
- - Cannot substitute documentation for interview — both required
139
-
140
- ---
141
-
142
- ## DIBNET Incident Reporting (DFARS 7012)
143
-
144
- DFARS 252.204-7012 mandates cyber incident reporting regardless of CMMC level:
145
- - **Report to**: DIBNET portal (dibnet.dod.mil)
146
- - **Deadline**: Within **72 hours** of discovering the incident
147
- - **What to report**: Systems affected, CUI categories involved, attack vectors, forensic indicators
148
- - **Preserve evidence**: Maintain disk images and forensic evidence for 90 days; DoD may request copies
149
- - **Notify prime**: If you are a subcontractor, notify the prime who notifies DoD
150
-
151
- ### What Constitutes a Reportable Incident
152
- - Unauthorized access to systems containing CUI
153
- - Exfiltration of CUI (actual or suspected)
154
- - Malware detected on systems that process CUI
155
- - Compromise of credentials that could lead to CUI access
156
-
157
- ---
158
-
159
- ## Common Assessment Findings
160
-
161
- | Practice | Common Finding | Typical Remediation |
162
- |----------|---------------|---------------------|
163
- | IA.L2-3.5.3 | MFA not enabled for all privileged accounts or remote access | Deploy MFA solution (Azure MFA, Duo, Okta); enforce via conditional access |
164
- | SC.L2-3.13.11 | TLS 1.0/1.1 still enabled; non-FIPS algorithms in use | Disable TLS 1.0/1.1; enable only FIPS-validated cipher suites |
165
- | AU.L2-3.3.1 | Logs not retained per policy; not all devices log to SIEM | Deploy/configure SIEM; set 3-year retention; cover all CUI-touching systems |
166
- | CM.L2-3.4.1 | No formal baseline configuration document | Create baseline config docs per OS/application; store in change management |
167
- | AC.L2-3.1.5 | Excessive admin rights; shared admin accounts | Implement PAM solution; audit/remove excess privileges quarterly |
168
- | RA.L2-3.11.2 | Vulnerability scans not authenticated; not covering all assets | Configure credentialed scans; scan all in-scope assets monthly |
169
- | CA.L2-3.12.4 | SSP outdated or incomplete | Update SSP; review and re-approve annually or after significant changes |
170
- | AC.L2-3.1.3 | CUI accessible to users without need-to-know | Implement data classification labels; enforce access controls at file/folder level |
1
+ # CMMC 2.0 — Assessment Guide: SPRS Scoring, C3PAO Process & POA&M Rules
2
+
3
+ ## SPRS Score Calculation
4
+
5
+ ### Scoring Methodology
6
+ The SPRS score is calculated per the DoD Assessment Methodology for NIST SP 800-171:
7
+ - **Starting score**: 110 points
8
+ - **Each NOT MET practice**: Deduct the assigned point value
9
+ - **Partial implementation**: Full deduction applies (no partial credit)
10
+ - **Score range**: +110 (all practices met) to −203 (all not met)
11
+ - **Submission**: Required for all Level 2 contracts; submit at sprs.csd.disa.mil
12
+
13
+ ### Point Values by Domain
14
+ Point values are assigned based on the practice's security impact:
15
+
16
+ | Domain | Practices | Total Points at Risk |
17
+ |--------|-----------|---------------------|
18
+ | AC (Access Control) | 22 | ~50 |
19
+ | AU (Audit & Accountability) | 9 | ~17 |
20
+ | CM (Configuration Management) | 9 | ~19 |
21
+ | IA (Identification & Authentication) | 11 | ~22 |
22
+ | IR (Incident Response) | 3 | ~5 |
23
+ | MA (Maintenance) | 6 | ~11 |
24
+ | MP (Media Protection) | 9 | ~8 |
25
+ | PE (Physical Protection) | 6 | ~11 |
26
+ | PS (Personnel Security) | 2 | ~4 |
27
+ | RA (Risk Assessment) | 3 | ~9 |
28
+ | CA (Security Assessment) | 4 | ~9 |
29
+ | SC (System & Communications) | 16 | ~39 |
30
+ | SI (System & Information Integrity) | 7 | ~14 |
31
+
32
+ *Exact point values per practice are published in the DoD Assessment Methodology document (v2.2, Nov 2020).*
33
+
34
+ ### Highest-Impact Practices (Largest Point Deductions)
35
+ Prioritize these when remediating — they carry the heaviest scoring weight:
36
+ 1. **AC.L2-3.1.3** — CUI flow control (5 pts)
37
+ 2. **SC.L2-3.13.8** — Encryption in transit / FIPS validated (5 pts)
38
+ 3. **SC.L2-3.13.11** — FIPS-validated cryptography (5 pts)
39
+ 4. **IA.L2-3.5.3** — Multifactor authentication (5 pts)
40
+ 5. **SI.L2-3.14.6** — Monitoring for attacks (5 pts)
41
+ 6. **AC.L2-3.1.5** — Least privilege (3 pts)
42
+ 7. **AU.L2-3.3.1** — Audit logging (3 pts)
43
+ 8. **CM.L2-3.4.1** — Baseline configuration (3 pts)
44
+
45
+ ---
46
+
47
+ ## C3PAO Assessment Process
48
+
49
+ ### Pre-Assessment (Contractor Responsibilities)
50
+ Before engaging a C3PAO, ensure:
51
+ - [ ] System Security Plan (SSP) is complete and covers all 110 practices
52
+ - [ ] System boundary is defined with network diagrams
53
+ - [ ] CUI data flows are documented
54
+ - [ ] POA&M lists all practices not yet met
55
+ - [ ] SPRS score has been self-calculated
56
+ - [ ] Personnel responsible for each practice are identified
57
+
58
+ ### Assessment Phases
59
+
60
+ **Phase 1 — Documentation Review (Remote)**
61
+ - C3PAO reviews SSP, network diagrams, policies, and POA&M
62
+ - Requests artifact list: logs, screenshots, configuration exports, training records
63
+ - Duration: 2–4 weeks
64
+
65
+ **Phase 2 — Assessment Activities (On-site or Remote)**
66
+ - Interviews with system administrators, security personnel, and executives
67
+ - Technical testing: vulnerability scans, configuration reviews, access control verification
68
+ - Observation of processes (incident response tabletop, maintenance procedures)
69
+ - Duration: 1–3 weeks depending on scope
70
+
71
+ **Phase 3 — Findings and Reporting**
72
+ - C3PAO issues Findings Report: MET, NOT MET, or NOT APPLICABLE per practice
73
+ - Contractor may provide additional evidence for disputed findings (limited window)
74
+ - Final report submitted to CMMC-AB
75
+
76
+ **Phase 4 — Certification Decision**
77
+ - **All 110 practices MET**: Full certification issued; valid 3 years
78
+ - **Limited unmet practices (non-critical)**: Conditional certification with POA&M; must remediate within 180 days
79
+ - **Critical practices unmet**: No certification; remediate and reschedule
80
+
81
+ ### Critical Practices (Cannot Have POA&M at Certification)
82
+ The following practices must be fully MET for any certification to be issued:
83
+ - AC.L2-3.1.3 (CUI flow control)
84
+ - IA.L2-3.5.3 (Multifactor authentication)
85
+ - SC.L2-3.13.8 (Encryption in transit)
86
+ - SC.L2-3.13.11 (FIPS-validated cryptography)
87
+ - SI.L2-3.14.6 (Attack monitoring)
88
+ - AU.L2-3.3.1 (Audit logging)
89
+ - IR.L2-3.6.1 (Incident response capability)
90
+
91
+ ---
92
+
93
+ ## POA&M Rules and Management
94
+
95
+ ### What Can Be in a POA&M at Certification
96
+ - Level 2: Up to a limited number of non-critical practices may remain in POA&M at time of certification
97
+ - POA&M remediation deadline: **180 days** from certification date
98
+ - Failure to remediate = certification revocation
99
+ - Level 3: No POA&M at certification — all practices must be MET
100
+
101
+ ### POA&M Entry Format
102
+
103
+ | Field | Description |
104
+ |-------|-------------|
105
+ | Practice ID | CMMC practice identifier (e.g., CM.L2-3.4.2) |
106
+ | Weakness Description | What is not implemented and why |
107
+ | Remediation Steps | Specific actions to achieve compliance |
108
+ | Milestone 1–N | Intermediate checkpoints with dates |
109
+ | Scheduled Completion | Target date for full implementation |
110
+ | Resources Required | Personnel, tools, budget |
111
+ | Status | Open / In Progress / Completed |
112
+ | Evidence of Closure | What artifacts will demonstrate completion |
113
+
114
+ ### POA&M Best Practices
115
+ - Never list a critical practice in a POA&M if seeking certification
116
+ - Update monthly; stale POA&Ms raise auditor concerns
117
+ - Link each POA&M item to the relevant SSP section
118
+ - Document root cause, not just the symptom
119
+
120
+ ---
121
+
122
+ ## Evidence Requirements by Practice Type
123
+
124
+ ### Documentary Evidence (policies, procedures, plans)
125
+ - Acceptable formats: PDF, Word, screenshots with metadata
126
+ - Must show: author, date, version, approval signature
127
+ - Examples: SSP, access control policy, incident response plan, training records
128
+
129
+ ### Technical Evidence (system configuration, logs)
130
+ - Configuration exports from firewalls, Active Directory, SIEM
131
+ - Vulnerability scan reports (authenticated scans preferred)
132
+ - MFA enrollment reports showing all privileged user enrollment
133
+ - Patch management reports showing remediation timelines
134
+
135
+ ### Interview Evidence
136
+ - Assessors will interview: ISSO/ISSM, system admins, end users, executives
137
+ - Prepare personnel to describe their security responsibilities
138
+ - Cannot substitute documentation for interview — both required
139
+
140
+ ---
141
+
142
+ ## DIBNET Incident Reporting (DFARS 7012)
143
+
144
+ DFARS 252.204-7012 mandates cyber incident reporting regardless of CMMC level:
145
+ - **Report to**: DIBNET portal (dibnet.dod.mil)
146
+ - **Deadline**: Within **72 hours** of discovering the incident
147
+ - **What to report**: Systems affected, CUI categories involved, attack vectors, forensic indicators
148
+ - **Preserve evidence**: Maintain disk images and forensic evidence for 90 days; DoD may request copies
149
+ - **Notify prime**: If you are a subcontractor, notify the prime who notifies DoD
150
+
151
+ ### What Constitutes a Reportable Incident
152
+ - Unauthorized access to systems containing CUI
153
+ - Exfiltration of CUI (actual or suspected)
154
+ - Malware detected on systems that process CUI
155
+ - Compromise of credentials that could lead to CUI access
156
+
157
+ ---
158
+
159
+ ## Common Assessment Findings
160
+
161
+ | Practice | Common Finding | Typical Remediation |
162
+ |----------|---------------|---------------------|
163
+ | IA.L2-3.5.3 | MFA not enabled for all privileged accounts or remote access | Deploy MFA solution (Azure MFA, Duo, Okta); enforce via conditional access |
164
+ | SC.L2-3.13.11 | TLS 1.0/1.1 still enabled; non-FIPS algorithms in use | Disable TLS 1.0/1.1; enable only FIPS-validated cipher suites |
165
+ | AU.L2-3.3.1 | Logs not retained per policy; not all devices log to SIEM | Deploy/configure SIEM; set 3-year retention; cover all CUI-touching systems |
166
+ | CM.L2-3.4.1 | No formal baseline configuration document | Create baseline config docs per OS/application; store in change management |
167
+ | AC.L2-3.1.5 | Excessive admin rights; shared admin accounts | Implement PAM solution; audit/remove excess privileges quarterly |
168
+ | RA.L2-3.11.2 | Vulnerability scans not authenticated; not covering all assets | Configure credentialed scans; scan all in-scope assets monthly |
169
+ | CA.L2-3.12.4 | SSP outdated or incomplete | Update SSP; review and re-approve annually or after significant changes |
170
+ | AC.L2-3.1.3 | CUI accessible to users without need-to-know | Implement data classification labels; enforce access controls at file/folder level |
@@ -1,113 +1,113 @@
1
- # CMMC 2.0 — Level Comparison, Assessment Types & Flow-Down Rules
2
-
3
- ## Level Comparison Table
4
-
5
- | Attribute | Level 1 — Foundational | Level 2 — Advanced | Level 3 — Expert |
6
- |-----------|----------------------|-------------------|-----------------|
7
- | **Practices** | 17 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 110+ (SP 800-171 + SP 800-172 subset) |
8
- | **Focus** | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI on highest-priority DoD programs; APT resilience |
9
- | **Assessment type** | Annual self-assessment | Triennial C3PAO assessment (critical) OR self-assessment (non-critical) | DIBCAC-led government assessment (triennial) |
10
- | **SPRS submission** | Yes | Yes | Yes |
11
- | **Certification body** | Self | C3PAO (CMMC Third-Party Assessment Organization) | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) |
12
- | **Conditional certification** | No | Yes (limited POA&M allowed) | No |
13
- | **Who needs it** | All DoD contractors receiving/generating FCI | Contractors handling CUI on DoD contracts | Contractors on highest-priority programs (e.g., nuclear C3, certain weapons systems) |
14
-
15
- ---
16
-
17
- ## DFARS Clause Mapping
18
-
19
- | DFARS Clause | Requirement | Level Implied |
20
- |-------------|-------------|---------------|
21
- | FAR 52.204-21 | Basic Safeguarding of FCI — 15 requirements | Level 1 baseline |
22
- | DFARS 252.204-7012 | Safeguarding CUI; 72-hr DIBNET incident reporting; cloud = FedRAMP Moderate | Level 2 prerequisite |
23
- | DFARS 252.204-7019 | NIST SP 800-171 self-assessment; SPRS submission required | Level 2 self-assessment |
24
- | DFARS 252.204-7020 | DoD access to contractor assessment results in SPRS | Level 2 |
25
- | DFARS 252.204-7021 | CMMC certification requirement; flow-down to subcontractors | Level 2 or 3 |
26
-
27
- **Rule**: If your contract contains DFARS 252.204-7021, your CMMC level is specified in the contract. Check Section L or the Performance Work Statement.
28
-
29
- ---
30
-
31
- ## Assessment Process by Level
32
-
33
- ### Level 1 — Self-Assessment
34
- 1. Assess all 17 practices against FAR 52.204-21
35
- 2. Calculate and submit SPRS score (17 practices, max score = 17, each = 1 point)
36
- 3. Submit to SPRS at https://www.sprs.csd.disa.mil/
37
- 4. Senior official affirms accuracy
38
- 5. Repeat annually
39
-
40
- ### Level 2 — C3PAO Assessment (Critical Programs)
41
- 1. **Pre-assessment preparation** (6–12 months): SSP, POA&M, gap remediation
42
- 2. **Select a C3PAO**: Must be CMMC-AB authorized; find at cyberAB.us
43
- 3. **Contract with C3PAO**: Negotiate scope, timeline, NDA
44
- 4. **Assessment**: C3PAO reviews evidence, interviews, observes (typically 2–4 weeks on-site/remote)
45
- 5. **Findings**: CMMC-AB receives results; conditional certification possible with limited POA&M
46
- 6. **Certification**: Issued by CMMC-AB; valid for 3 years
47
- 7. **Annual affirmation**: Affirm continued compliance each year
48
-
49
- ### Level 2 — Self-Assessment (Non-Critical Programs)
50
- - Same 110 practices as C3PAO path
51
- - Self-assessed by contractor; senior official affirms in SPRS
52
- - DoD reserves right to audit; false statements = False Claims Act liability
53
- - Must still submit SPRS score
54
-
55
- ### Level 3 — DIBCAC Assessment
56
- 1. Contractor must hold a current Level 2 C3PAO certification first
57
- 2. DIBCAC (government team) conducts assessment — not contractor-selected
58
- 3. Assesses SP 800-171 practices PLUS select SP 800-172 enhanced requirements
59
- 4. No conditional certification — all practices must be MET
60
- 5. Government schedules the assessment; no commercial negotiation
61
-
62
- ---
63
-
64
- ## Flow-Down Requirements
65
-
66
- DFARS 252.204-7021(c) requires prime contractors to:
67
- - Include CMMC requirements in **all subcontracts** where the subcontractor processes, stores, or transmits CUI
68
- - Specify the required CMMC level in the subcontract
69
- - Verify subcontractor certification before award (Level 2/3 must appear in SPRS/CMMC-AB registry)
70
- - Flow-down applies to **all tiers** — sub-subcontractors are not exempt
71
-
72
- **Practical implication**: If you're a prime, map your CUI to each subcontractor and determine which level applies to each. Document this in your supply chain security program.
73
-
74
- ---
75
-
76
- ## Timeline and Key Dates
77
-
78
- | Milestone | Date |
79
- |-----------|------|
80
- | CMMC 2.0 Final Rule (32 CFR Part 170) effective | December 16, 2024 |
81
- | DFARS rule (48 CFR Parts 204, 212, 252) effective | December 16, 2024 |
82
- | CMMC requirements in new contracts | Phased: began Q1 2025, full rollout through 2026 |
83
- | Level 1 self-assessments required | All contracts with FAR 52.204-21, immediately |
84
- | Level 2 C3PAO assessments | Required when DFARS 7021 included in solicitation |
85
-
86
- ---
87
-
88
- ## CUI Categories Most Common in Defense Contracts
89
-
90
- | CUI Category | Examples | Typical Contract Types |
91
- |-------------|----------|----------------------|
92
- | Export Controlled (CTI) | Technical data, software, drawings | Engineering, manufacturing |
93
- | Naval Nuclear Propulsion (NOFORN) | Propulsion design data | Shipbuilding, nuclear |
94
- | Controlled Technical Information (CTI) | ITAR/EAR-controlled technical data | Weapons systems, aerospace |
95
- | Privacy (PII) | Personnel records | HR, health, benefits |
96
- | Law Enforcement Sensitive | Investigation data | Base security contractors |
97
- | Procurement/Acquisition | Pre-award contract info | Proposal/BD teams |
98
-
99
- ---
100
-
101
- ## Key Definitions
102
-
103
- | Term | Definition |
104
- |------|-----------|
105
- | **FCI** | Federal Contract Information — information provided by or generated for the Government under contract, not intended for public release |
106
- | **CUI** | Controlled Unclassified Information — information the Government creates or possesses that requires safeguarding per law/regulation/policy |
107
- | **SPRS** | Supplier Performance Risk System — DoD portal where self-assessment scores are submitted |
108
- | **C3PAO** | CMMC Third-Party Assessment Organization — authorized to conduct Level 2 assessments |
109
- | **DIBCAC** | Defense Industrial Base Cybersecurity Assessment Center — DCSA organization conducting Level 3 government assessments |
110
- | **CMMC-AB** | Cyber AB — accreditation body that certifies C3PAOs, assessors, and consultants |
111
- | **OSC** | Organization Seeking Certification — the defense contractor being assessed |
112
- | **POA&M** | Plan of Action & Milestones — documented remediation plan for unmet practices |
113
- | **SSP** | System Security Plan — describes the system boundary, CUI flows, and control implementations |
1
+ # CMMC 2.0 — Level Comparison, Assessment Types & Flow-Down Rules
2
+
3
+ ## Level Comparison Table
4
+
5
+ | Attribute | Level 1 — Foundational | Level 2 — Advanced | Level 3 — Expert |
6
+ |-----------|----------------------|-------------------|-----------------|
7
+ | **Practices** | 17 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 110+ (SP 800-171 + SP 800-172 subset) |
8
+ | **Focus** | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI on highest-priority DoD programs; APT resilience |
9
+ | **Assessment type** | Annual self-assessment | Triennial C3PAO assessment (critical) OR self-assessment (non-critical) | DIBCAC-led government assessment (triennial) |
10
+ | **SPRS submission** | Yes | Yes | Yes |
11
+ | **Certification body** | Self | C3PAO (CMMC Third-Party Assessment Organization) | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) |
12
+ | **Conditional certification** | No | Yes (limited POA&M allowed) | No |
13
+ | **Who needs it** | All DoD contractors receiving/generating FCI | Contractors handling CUI on DoD contracts | Contractors on highest-priority programs (e.g., nuclear C3, certain weapons systems) |
14
+
15
+ ---
16
+
17
+ ## DFARS Clause Mapping
18
+
19
+ | DFARS Clause | Requirement | Level Implied |
20
+ |-------------|-------------|---------------|
21
+ | FAR 52.204-21 | Basic Safeguarding of FCI — 15 requirements | Level 1 baseline |
22
+ | DFARS 252.204-7012 | Safeguarding CUI; 72-hr DIBNET incident reporting; cloud = FedRAMP Moderate | Level 2 prerequisite |
23
+ | DFARS 252.204-7019 | NIST SP 800-171 self-assessment; SPRS submission required | Level 2 self-assessment |
24
+ | DFARS 252.204-7020 | DoD access to contractor assessment results in SPRS | Level 2 |
25
+ | DFARS 252.204-7021 | CMMC certification requirement; flow-down to subcontractors | Level 2 or 3 |
26
+
27
+ **Rule**: If your contract contains DFARS 252.204-7021, your CMMC level is specified in the contract. Check Section L or the Performance Work Statement.
28
+
29
+ ---
30
+
31
+ ## Assessment Process by Level
32
+
33
+ ### Level 1 — Self-Assessment
34
+ 1. Assess all 17 practices against FAR 52.204-21
35
+ 2. Calculate and submit SPRS score (17 practices, max score = 17, each = 1 point)
36
+ 3. Submit to SPRS at https://www.sprs.csd.disa.mil/
37
+ 4. Senior official affirms accuracy
38
+ 5. Repeat annually
39
+
40
+ ### Level 2 — C3PAO Assessment (Critical Programs)
41
+ 1. **Pre-assessment preparation** (6–12 months): SSP, POA&M, gap remediation
42
+ 2. **Select a C3PAO**: Must be CMMC-AB authorized; find at cyberAB.us
43
+ 3. **Contract with C3PAO**: Negotiate scope, timeline, NDA
44
+ 4. **Assessment**: C3PAO reviews evidence, interviews, observes (typically 2–4 weeks on-site/remote)
45
+ 5. **Findings**: CMMC-AB receives results; conditional certification possible with limited POA&M
46
+ 6. **Certification**: Issued by CMMC-AB; valid for 3 years
47
+ 7. **Annual affirmation**: Affirm continued compliance each year
48
+
49
+ ### Level 2 — Self-Assessment (Non-Critical Programs)
50
+ - Same 110 practices as C3PAO path
51
+ - Self-assessed by contractor; senior official affirms in SPRS
52
+ - DoD reserves right to audit; false statements = False Claims Act liability
53
+ - Must still submit SPRS score
54
+
55
+ ### Level 3 — DIBCAC Assessment
56
+ 1. Contractor must hold a current Level 2 C3PAO certification first
57
+ 2. DIBCAC (government team) conducts assessment — not contractor-selected
58
+ 3. Assesses SP 800-171 practices PLUS select SP 800-172 enhanced requirements
59
+ 4. No conditional certification — all practices must be MET
60
+ 5. Government schedules the assessment; no commercial negotiation
61
+
62
+ ---
63
+
64
+ ## Flow-Down Requirements
65
+
66
+ DFARS 252.204-7021(c) requires prime contractors to:
67
+ - Include CMMC requirements in **all subcontracts** where the subcontractor processes, stores, or transmits CUI
68
+ - Specify the required CMMC level in the subcontract
69
+ - Verify subcontractor certification before award (Level 2/3 must appear in SPRS/CMMC-AB registry)
70
+ - Flow-down applies to **all tiers** — sub-subcontractors are not exempt
71
+
72
+ **Practical implication**: If you're a prime, map your CUI to each subcontractor and determine which level applies to each. Document this in your supply chain security program.
73
+
74
+ ---
75
+
76
+ ## Timeline and Key Dates
77
+
78
+ | Milestone | Date |
79
+ |-----------|------|
80
+ | CMMC 2.0 Final Rule (32 CFR Part 170) effective | December 16, 2024 |
81
+ | DFARS rule (48 CFR Parts 204, 212, 252) effective | December 16, 2024 |
82
+ | CMMC requirements in new contracts | Phased: began Q1 2025, full rollout through 2026 |
83
+ | Level 1 self-assessments required | All contracts with FAR 52.204-21, immediately |
84
+ | Level 2 C3PAO assessments | Required when DFARS 7021 included in solicitation |
85
+
86
+ ---
87
+
88
+ ## CUI Categories Most Common in Defense Contracts
89
+
90
+ | CUI Category | Examples | Typical Contract Types |
91
+ |-------------|----------|----------------------|
92
+ | Export Controlled (CTI) | Technical data, software, drawings | Engineering, manufacturing |
93
+ | Naval Nuclear Propulsion (NOFORN) | Propulsion design data | Shipbuilding, nuclear |
94
+ | Controlled Technical Information (CTI) | ITAR/EAR-controlled technical data | Weapons systems, aerospace |
95
+ | Privacy (PII) | Personnel records | HR, health, benefits |
96
+ | Law Enforcement Sensitive | Investigation data | Base security contractors |
97
+ | Procurement/Acquisition | Pre-award contract info | Proposal/BD teams |
98
+
99
+ ---
100
+
101
+ ## Key Definitions
102
+
103
+ | Term | Definition |
104
+ |------|-----------|
105
+ | **FCI** | Federal Contract Information — information provided by or generated for the Government under contract, not intended for public release |
106
+ | **CUI** | Controlled Unclassified Information — information the Government creates or possesses that requires safeguarding per law/regulation/policy |
107
+ | **SPRS** | Supplier Performance Risk System — DoD portal where self-assessment scores are submitted |
108
+ | **C3PAO** | CMMC Third-Party Assessment Organization — authorized to conduct Level 2 assessments |
109
+ | **DIBCAC** | Defense Industrial Base Cybersecurity Assessment Center — DCSA organization conducting Level 3 government assessments |
110
+ | **CMMC-AB** | Cyber AB — accreditation body that certifies C3PAOs, assessors, and consultants |
111
+ | **OSC** | Organization Seeking Certification — the defense contractor being assessed |
112
+ | **POA&M** | Plan of Action & Milestones — documented remediation plan for unmet practices |
113
+ | **SSP** | System Security Plan — describes the system boundary, CUI flows, and control implementations |