
CMMC 2.0 Compliance Attestation (Level 1/2)


CMMC 2.0 Compliance Attestation

Contractor Information

Field Entry
Legal Business Name [________________________________]
CAGE Code [________________]
UEI [________________]
DUNS Number (legacy; retired in April 2022 in favor of the SAM UEI, include only if the solicitation asks) [________________]
Primary NAICS Code(s) [________________]
Principal Office Address [________________________________]
City, State, ZIP [________________________________]
Point of Contact Name [________________________________]
POC Title [________________________________]
POC Email [________________________________]
POC Phone [________________________________]

Contract/Proposal Identification

Field Entry
Solicitation Number [________________________________]
Contract Number (if awarded) [________________________________]
Contract Line Item Number(s) (CLINs) requiring CMMC [________________________________]
Contracting Officer [________________________________]
Program/Contract Title [________________________________]
Estimated Contract Value [________________________________]

CMMC Level Required

Select the applicable CMMC level for this contract/proposal:

Level 1 (Federal Contract Information – FCI)

  • 17 practices in the CMMC 2.0 model, taken from NIST SP 800-171 Rev. 2 and corresponding to the 15 basic safeguarding requirements of FAR 52.204-21 (the final CMMC rule, 32 CFR Part 170, counts them as 15)
  • Compliance method: annual self-assessment entered in SPRS, with an annual affirmation by the Affirming Official
  • No C3PAO assessment; no POA&M permitted (every practice must be MET)

Level 2 (Controlled Unclassified Information – CUI)

  • All 110 NIST SP 800-171 Rev. 2 security requirements
  • Compliance method: fixed by the solicitation, not chosen by the contractor. Level 2 (Self) is a self-assessment entered in SPRS; Level 2 (C3PAO) is a certification assessment by an authorized C3PAO
  • Assessment validity: 3 years for either track, with an annual affirmation in SPRS; any open POA&M items must close within 180 days of the assessment

Level 3 (High-Value CUI / Advanced Persistent Threat)

  • 110 NIST SP 800-171 Rev. 2 requirements + 24 selected NIST SP 800-172 requirements
  • Compliance method: DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessment only; a current Level 2 (C3PAO) certification covering the same scope is a prerequisite
  • Assessment validity: 3 years, with an annual affirmation

SPRS Score Current Status

Metric Value
Current NIST SP 800-171 DoD Assessment Score [____] (maximum 110; under the DoD Assessment Methodology each NOT MET requirement subtracts 1, 3 or 5 points, so the score can be negative)
Assessment Date [__/__/____]
Assessment Method ☐ Self-Assessment ☐ C3PAO Assessment ☐ DIBCAC Assessment
Assessed By (name of C3PAO or assessor) [________________________________]
Assessment Report Identifier [________________________________]

Affirming Official Acknowledgment

By signing this attestation, the undersigned Affirming Official (the senior-level representative of the contractor responsible for ensuring the organization's compliance with CMMC requirements, as defined in 32 CFR 170.4; this is a contractor role, not a government "agency" official) certifies and acknowledges:

The undersigned individual, identified below as the Affirming Official for this organization, has reviewed and verified the accuracy of this CMMC 2.0 Compliance Attestation.

Affirming Official Information:

Field Entry
Name [________________________________]
Title [________________________________]
Organization [________________________________]
Email [________________________________]
Phone [________________________________]

Truthful Affirmation

Under penalty of perjury, I affirm that:

  1. The statements and representations contained in this attestation are true, accurate, and complete to the best of my knowledge and belief.

  2. I am authorized to make this attestation on behalf of the contractor organization.

  3. The contractor organization understands that false, incomplete, or inaccurate statements or omissions in this attestation may result in:
    - Suspension or debarment from federal contracting
    - Liability under the False Claims Act (31 U.S.C. § 3729 et seq.)
    - Criminal prosecution under 18 U.S.C. § 1001 (false statements to federal agencies)
    - Contract termination and potential damages

  4. The cybersecurity controls identified in this attestation have been implemented and are maintained in accordance with NIST SP 800-171 Rev. 2 and DFARS cybersecurity requirements.

  5. Any subcontractors and suppliers have been notified of CMMC requirements and must maintain compliance at the level specified in this attestation or higher.


Scope of Assessment

Covered Contractor Information System (CCIS) Boundary

Description of systems and networks subject to this attestation. State the CMMC Assessment Scope using the asset categories of the CMMC Scoping Guides: CUI/FCI assets (process, store or transmit the information), security protection assets, contractor risk managed assets, specialized assets, and out-of-scope assets, together with the boundary controls that separate in-scope from out-of-scope assets:

[________________________________________________________________________________________________________________________________________________________________]

Date CCIS was established/last modified: [__/__/____]

CUI Handling Enclaves

The following enclaves handle Controlled Unclassified Information (CUI):

Enclave Name Location Primary Function CUI Category/Categories (per the NARA CUI Registry)
[____________________] [____________________] [____________________] [____________________]
[____________________] [____________________] [____________________] [____________________]
[____________________] [____________________] [____________________] [____________________]

FCI Handling

☐ The contractor handles Federal Contract Information (FCI) as follows:

[________________________________________________________________________________________________________________________________________________________________]

FCI storage location(s): [________________________________]

Cloud Service Providers (CSPs)

☐ Yes, cloud services are used to support CCIS

CSP Name Service Type FedRAMP Authorization P-ATO Date
[____________________] [____________________] ☐ Moderate ☐ High [__/__/____]
[____________________] [____________________] ☐ Moderate ☐ High [__/__/____]

Note: Per DFARS 252.204-7012(b)(2)(ii)(D), a CSP used to store, process or transmit covered defense information (CUI) must meet security requirements equivalent to the FedRAMP Moderate baseline and must comply with the clause's incident reporting, malicious software, media preservation and damage assessment paragraphs; 32 CFR 170.19 applies the same FedRAMP Moderate (or equivalent) condition to CSPs inside the CMMC Level 2 assessment scope. No FedRAMP requirement attaches to cloud services that hold only FCI. Attach the CSP's customer responsibility matrix so the controls the contractor inherits are documented in the SSP.


Level 1 (FCI) – 17 Foundational Controls

The following 17 NIST SP 800-171 Rev. 2 requirements (the CMMC 2.0 Level 1 practices, which the final CMMC rule consolidates into the 15 basic safeguarding requirements of FAR 52.204-21) have been implemented and are maintained. Level 1 protects FCI, so the requirement text refers to FCI rather than CUI. Every practice must be MET; no POA&M is permitted at Level 1.

Access Control (AC) – 4 Controls

AC.L1-3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices, including other systems (Authorized Access Control)

AC.L1-3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute (Transaction and Function Control)

AC.L1-3.1.20 Verify and control/limit connections to and use of external systems (External Connections)

AC.L1-3.1.22 Control information posted or processed on publicly accessible systems (Control Public Information)

Identification and Authentication (IA) – 2 Controls

IA.L1-3.5.1 Identify system users, processes acting on behalf of users, and devices (Identification)

IA.L1-3.5.2 Authenticate (or verify) the identities of users, processes, or devices as a prerequisite to allowing access to organizational systems (Authentication). Multifactor authentication is not a Level 1 requirement; it is IA.L2-3.5.3 at Level 2.

Media Protection (MP) – 1 Control

MP.L1-3.8.3 Sanitize or destroy system media containing FCI before disposal or release for reuse (Media Disposal)

Physical Protection (PE) – 4 Controls

PE.L1-3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals (Limit Physical Access)

PE.L1-3.10.3 Escort visitors and monitor visitor activity (Escort Visitors)

PE.L1-3.10.4 Maintain audit logs of physical access (Physical Access Logs)

PE.L1-3.10.5 Control and manage physical access devices (Manage Physical Access)

System & Communications Protection (SC) – 2 Controls

SC.L1-3.13.1 Monitor, control, and protect communications (information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems (Boundary Protection)

SC.L1-3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks (Public-Access System Separation)

System & Information Integrity (SI) – 4 Controls

SI.L1-3.14.1 Identify, report, and correct system flaws in a timely manner (Flaw Remediation)

SI.L1-3.14.2 Provide protection from malicious code at designated locations within organizational systems (Malicious Code Protection)

SI.L1-3.14.4 Update malicious code protection mechanisms when new releases are available (Update Malicious Code Protection)

SI.L1-3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed (System and File Scanning)


Level 2 (CUI) – 110 Controls Summary

The following 110 NIST SP 800-171 Rev. 2 security requirements, grouped into the publication's 14 families, are implemented and maintained. Assessment status by control family uses the CMMC result values MET, NOT MET and NOT APPLICABLE (N/A); a requirement that is only partially implemented is NOT MET and, if eligible, goes on the POA&M:

Control Family Total Controls Met Not Met N/A POA&M Open
AC – Access Control 22 [____] [____] [____] [____]
AT – Awareness & Training 3 [____] [____] [____] [____]
AU – Audit & Accountability 9 [____] [____] [____] [____]
CM – Configuration Management 9 [____] [____] [____] [____]
IA – Identification & Authentication 11 [____] [____] [____] [____]
IR – Incident Response 3 [____] [____] [____] [____]
MA – Maintenance 6 [____] [____] [____] [____]
MP – Media Protection 9 [____] [____] [____] [____]
PS – Personnel Security 2 [____] [____] [____] [____]
PE – Physical Protection 6 [____] [____] [____] [____]
RA – Risk Assessment 3 [____] [____] [____] [____]
CA – Security Assessment 4 [____] [____] [____] [____]
SC – System & Communications Protection 16 [____] [____] [____] [____]
SI – System & Information Integrity 7 [____] [____] [____] [____]
TOTAL 110 [____] [____] [____] [____]

Plans of Action & Milestones (POA&Ms)

Any Level 2 requirement not fully implemented at the time of assessment must be tracked in a POA&M and closed within 180 calendar days of the assessment date (32 CFR 170.21); a conditional certification or conditional self-assessment status lapses if the POA&M is not closed out in that window. A POA&M is permitted only when the assessment score is at least 88 of 110 and only for requirements the DoD Assessment Methodology scores at one point, subject to the specific inclusions and exclusions listed in 32 CFR 170.21(a)(2). No POA&M is permitted at Level 1.

Non-Compliant Control Inventory

Control ID Family Control Title Remediation Target Date Responsible Party Status
[__________] [____] [____________________] [__/__/____] [____________________] ☐ Open ☐ In Progress ☐ Closed
[__________] [____] [____________________] [__/__/____] [____________________] ☐ Open ☐ In Progress ☐ Closed
[__________] [____] [____________________] [__/__/____] [____________________] ☐ Open ☐ In Progress ☐ Closed

Attached: ☐ Detailed POA&M document (separate file)


System Security Plan (SSP) Status

Field Entry
Current SSP Revision Version [____]
SSP Last Updated [__/__/____]
SSP Covers Period Through [__/__/____]
SSP Maintained By [________________________________]
SSP Review Frequency ☐ Annually ☐ Semi-Annually ☐ Quarterly ☐ Continuous
Next Scheduled Review [__/__/____]

SSP includes:

☐ System description and CCIS boundary documentation

☐ Inventory of information systems and hardware

☐ Network architecture diagram(s)

☐ NIST SP 800-171 control implementation narrative for each control

☐ Risk assessment findings and mitigations

☐ Incident response plan

☐ Continuous monitoring procedures


Incident Reporting Commitment

The contractor commits to:

  1. Notification Requirement: Rapidly report any cyber incident that affects a covered contractor information system, the covered defense information (CUI) residing on it, or the contractor's ability to perform operationally critical support, to DoD at https://dibnet.dod.mil within 72 hours of discovery, as required by DFARS 252.204-7012(c). Reporting through DIBNet requires a DoD-approved medium assurance certificate, which should be obtained before an incident occurs. Subcontractors also report to the prime contractor; the prime notifies the Contracting Officer as the contract requires. DFARS 252.204-7012 covers CUI, not FCI; incidents involving only FCI are reported as the contract otherwise provides.

  2. Incident Response: Maintain and implement an Incident Response Plan (IRP) that includes:
    - Incident detection and classification procedures
    - Escalation and notification protocols
    - Forensic preservation and evidence handling
    - Recovery and remediation timelines
    - Lessons learned / continuous improvement

  3. Reporting Contact:

Field Entry
Incident Response POC [________________________________]
Emergency Email [________________________________]
Emergency Phone (24/7) [________________________________]

  4. Post-Incident Activities: Preserve and protect images of all known affected systems and all relevant monitoring and packet-capture data for at least 90 days from submission of the cyber incident report; submit any discovered malicious software to the DoD Cyber Crime Center (DC3), not to the Contracting Officer; and provide DoD access to that information and equipment on request, per DFARS 252.204-7012(d) through (f). In addition, provide a post-incident report within 30 days of discovery covering root cause analysis, impact assessment, and corrective actions (a commitment of this template beyond the clause's own requirements).

Subcontractor Flow-Down Plan

DFARS 252.204-7021 requires flow-down of CMMC requirements to all subcontractors handling CUI or FCI.

Subcontractor Management

Subcontractor Name CAGE/UEI CMMC Level Required Subcontract Value Compliance Verified Target Assessment Date
[____________________] [__________] ☐ L1 ☐ L2 ☐ L3 [____________________] ☐ Yes ☐ No [__/__/____]
[____________________] [__________] ☐ L1 ☐ L2 ☐ L3 [____________________] ☐ Yes ☐ No [__/__/____]
[____________________] [__________] ☐ L1 ☐ L2 ☐ L3 [____________________] ☐ Yes ☐ No [__/__/____]

Key Commitments:

☐ No subcontract that involves CUI or FCI will be awarded to a subcontractor that lacks the CMMC status required for the information it will receive, at the level specified above.

☐ Subcontracts include flow-down of DFARS 252.204-7012 (where the subcontract involves covered defense information or operationally critical support), 252.204-7020 (all subcontracts except COTS) and 252.204-7021 (all subcontracts except COTS, at the CMMC level the prime determines for the information flowed down). DFARS 252.204-7019 is a solicitation provision, not a flow-down clause.

☐ Subcontractors must maintain independent compliance documentation and pass subcontractor assessments.

☐ Subcontractor compliance is verified quarterly or upon significant system changes.

Subcontractor Oversight POC: [________________________________]


Supply Chain Risk Management (SCRM)

Section 889 (FY2019 NDAA) Part B Compliance (FAR 52.204-25) and Kaspersky Prohibition (FAR 52.204-23)

The contractor certifies that:

  1. ☐ It does not use, and does not provide to the Government, covered telecommunications equipment or services produced or provided by Huawei Technologies Company, ZTE Corporation, Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, Dahua Technology Company, or their subsidiaries or affiliates, as a substantial or essential component of any system or as critical technology as part of any system (Section 889 Parts A and B; representations at FAR 52.204-24 and 52.204-26).

  2. ☐ It has conducted a reasonable inquiry of its supply chain for such covered telecommunications equipment or services and does not install, maintain, or use it in the CCIS (FAR 52.204-25).

  3. ☐ It does not provide or use hardware, software, or services developed or provided by Kaspersky Lab or its related entities in performance of the contract (FAR 52.204-23, implementing Section 1634 of the FY2018 NDAA), and will not knowingly use vendors that fail to comply with these prohibitions.

Software Bill of Materials (SBOM) & Third-Party Risk

☐ The contractor maintains a current Software Bill of Materials (SBOM) identifying all third-party and open-source components in the CCIS.

☐ Third-party software is evaluated for known vulnerabilities and licensing compliance.

☐ Supply chain risks are assessed annually and documented in the System Security Plan.
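The item above that says third-party software is "evaluated for known vulnerabilities" is the one technical procedure in this section. The following Python script is an added example for this template, not part of the attestation, of DoD guidance, or of any vendor tool: it reads a CycloneDX-style JSON SBOM, identifies each component by its package URL (purl) and version, and matches it against an advisory list expressed as version ranges. Components that carry no purl or version are reported as unevaluated rather than silently passing, since an SBOM entry that cannot be matched is itself a finding. The SBOM, the package names and the advisory identifiers (ADV-000x) are all constructed for illustration and refer to no real software or vulnerability; in practice the advisory list would come from a vulnerability database keyed on the same purls.

```python
"""Match a CycloneDX-style SBOM against known-vulnerable version ranges.

Added example for this template (not part of the attestation, DoD guidance
or any vendor tool). All data below is constructed for illustration.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed SBOM fragment: package names and versions are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "purl": "pkg:pypi/widgetlib@1.4.2", "version": "1.4.2"},
        {"type": "library", "purl": "pkg:npm/%40acme/gizmo@3.0.1?vcs_url=x", "version": "3.0.1"},
        {"type": "library", "purl": "pkg:maven/org.example/parser@2.9.0", "version": "2.9.0"},
        {"type": "library", "name": "legacy-tool"},  # no purl, no version: cannot be evaluated
    ],
})

# Constructed advisory list: ids ADV-000x are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "purl": "pkg:pypi/widgetlib", "affected": ">=1.0.0,<1.5.0"},
    {"id": "ADV-0002", "purl": "pkg:maven/org.example/parser", "affected": "<2.9.0"},
    {"id": "ADV-0003", "purl": "pkg:npm/%40acme/gizmo", "affected": ">=3.0.0,<3.0.2"},
]

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b}


def parse_version(text: str) -> Tuple:
    """'1.10.0' -> ((0,1),(0,10),(0,0)); numeric parts sort numerically,
    non-numeric parts (rc1, beta) sort after numbers as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-+]", text))


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split 'pkg:type/ns/name@version?qualifiers#subpath' into (base, version)."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in core:
        base, version = core.rsplit("@", 1)
        return base, version
    return core, None


def version_affected(version: str, spec: str) -> bool:
    """spec is comma-separated constraints such as '>=1.0.0,<1.5.0'; all must hold."""
    v = parse_version(version)
    for constraint in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*(\S+)\s*", constraint)
        if not m:
            raise ValueError(f"unsupported constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def evaluate_sbom(sbom_json: str, advisories: List[Dict]) -> Dict[str, list]:
    """Return affected components and components that could not be evaluated."""
    doc = json.loads(sbom_json)
    affected, unevaluated = [], []
    for comp in doc.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unevaluated.append(comp.get("name", "<unnamed>"))
            continue
        base, version = split_purl(purl)
        version = version or comp.get("version")  # fall back to the component's version field
        if not version:
            unevaluated.append(purl)
            continue
        for adv in advisories:
            if adv["purl"] == base and version_affected(version, adv["affected"]):
                affected.append({"purl": purl, "advisory": adv["id"],
                                 "affected_range": adv["affected"]})
    return {"affected": affected, "unevaluated": unevaluated}


if __name__ == "__main__":
    result = evaluate_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for hit in result["affected"]:
        print(f"AFFECTED    {hit['purl']}  {hit['advisory']} ({hit['affected_range']})")
    for item in result["unevaluated"]:
        print(f"UNEVALUATED {item}")
```

Running the script on the constructed data reports widgetlib 1.4.2 and gizmo 3.0.1 as affected, parser 2.9.0 as clean (the range is strictly below 2.9.0), and legacy-tool as unevaluated. Matching on the purl base rather than on a bare name avoids false matches between ecosystems that share a package name, and the unevaluated list is what an assessor would ask about first, because it shows where the inventory itself is incomplete.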


Affirmation and Signature Block

Final Certification

I, the undersigned Affirming Official, certify under penalty of perjury (18 U.S.C. § 1001) that:

  • All information contained in this CMMC 2.0 Compliance Attestation is true and accurate.
  • The contractor organization has implemented and maintains the cybersecurity controls stated herein.
  • All subcontractors have been notified of CMMC requirements and are in compliance or on an approved remediation schedule.
  • The organization understands the legal consequences of false attestation.
Field Entry
Affirming Official Name (Print) [________________________________]
Title [________________________________]
Authorized Signature [________________________________]
Date Signed [__/__/____]
Organization Name [________________________________]

Witness (Optional but Recommended):

Field Entry
Witness Name (Print) [________________________________]
Title [________________________________]
Signature [________________________________]
Date [__/__/____]

Attachments Checklist

All referenced documents must be available for review by the Contracting Officer, DoD assessors (DCMA's Defense Industrial Base Cybersecurity Assessment Center, DIBCAC), or the authorized C3PAO conducting a certification assessment. (The Defense Counterintelligence and Security Agency, DCSA, administers facility and personnel clearances under the NISP; it does not conduct CMMC assessments.)

System Security Plan (SSP) – Current version with all NIST SP 800-171 Rev. 2 controls mapped

Plan of Action & Milestones (POA&M) – If applicable; all non-compliant controls with remediation dates

Risk Assessment Report – Current organizational risk assessment or system-specific risk analysis

Incident Response Plan (IRP) – Procedures for detection, reporting, and remediation

Information Security Training Records – Personnel training completion documentation (AT controls)

Audit/Compliance Evidence – System logs, configuration baselines, access control lists, or assessment reports

Cloud Service Provider Documentation – FedRAMP Authorizations and Shared Responsibility Matrices (if CSPs are used)

Supply Chain Risk Assessment – Third-party software inventory, vulnerability assessments, and § 889 Part B certification

Subcontractor Attestations – Flow-down compliance documentation from subcontractors

Continuous Monitoring Plan – Schedule and procedures for ongoing compliance verification


Notes & Guidance

Definitions

CCIS (Covered Contractor Information System): The information system(s) used to process, store, or transmit CUI or FCI per the contract.

CUI (Controlled Unclassified Information): Unclassified information that requires safeguarding or dissemination controls under Executive Order 13556 and 32 CFR Part 2002; the authorized categories are listed in the NARA CUI Registry.

FCI (Federal Contract Information): Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information the Government provides to the public (such as on public websites) and simple transactional information such as that needed to process payments (FAR 52.204-21).

POA&M (Plan of Action & Milestones): A documented plan to remediate NOT MET requirements; under 32 CFR 170.21 it is available only at Level 2, only for eligible one-point requirements with an assessment score of at least 88, and must be closed within 180 days of the assessment.

CMMC Level: The cybersecurity maturity level required by contract (Level 1, 2, or 3).

C3PAO: CMMC Third-Party Assessment Organization, authorized and accredited through the CMMC Accreditation Body (The Cyber AB) to conduct Level 2 certification assessments.

DIBCAC: Defense Industrial Base Cybersecurity Assessment Center, within the Defense Contract Management Agency (DCMA); conducts Level 3 assessments and the Medium/High NIST SP 800-171 DoD Assessments under DFARS 252.204-7020.

Important Notes

  1. Truthfulness: This attestation is legally binding. False statements subject the organization to criminal prosecution and civil penalties.

  2. Ongoing Compliance: CMMC compliance is not a one-time certification. Organizations must maintain continuous compliance and update this attestation as systems and controls evolve.

  3. Assessment Validity: C3PAO certification assessments, DIBCAC Level 3 assessments and Level 2 self-assessments are each valid for 3 years, subject to an annual affirmation in SPRS by the Affirming Official. Level 1 self-assessments and their affirmations are renewed annually.

  4. Effective Dates and Phase-In: The CMMC Program rule (32 CFR Part 170) took effect December 16, 2024; the acquisition rule that places DFARS 252.204-7021 in solicitations took effect November 10, 2025 and phases the requirement in over three years. The level and assessment type a contract requires are stated in the solicitation, the required CMMC status is a condition of award, and there are no retroactive exemptions.

  5. Subcontractor Responsibility: The prime contractor is responsible for ensuring subcontractor compliance. Non-compliant subcontractors create risk for the prime contractor and may result in contract termination.


Sources and References

Regulatory Authority

DFARS Clauses

  • DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting (NIST SP 800-171 safeguarding; 72-hour reporting via DIBNet; 90-day media preservation; FedRAMP Moderate or equivalent for CSPs holding CUI)
  • DFARS 252.204-7019 – Notice of NIST SP 800-171 DoD Assessment Requirements (solicitation provision: a current assessment score must be posted in SPRS to be considered for award)
  • DFARS 252.204-7020 – NIST SP 800-171 DoD Assessment Requirements (Basic, Medium and High assessments; flow-down to subcontracts)
  • DFARS 252.204-7021 – Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements (CMMC status as a condition of award; subcontractor flow-down)

Other authorities cited in this template: 32 CFR Part 170 (CMMC Program); FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems); FAR 52.204-23 and 52.204-25 (Kaspersky and Section 889 prohibitions); NIST SP 800-171 Rev. 2 and NIST SP 800-172; the NIST SP 800-171 DoD Assessment Methodology.

Document Control: Retain this attestation and the artifacts supporting each assessment for six years from the assessment date, as 32 CFR Part 170 requires for self-assessment evidence, and in any case for the general contract-records period of three years after final payment (FAR 4.703). Updates are required upon significant changes to the assessed system, subcontractor changes, or expiration of a valid assessment; the annual affirmation in SPRS is due regardless of whether anything has changed.


About This Template

Government contracting is its own body of law, with federal acquisition regulations and state procurement rules that override standard commercial contract practices. Bid protests, proposals, and compliance submissions have tight deadlines measured in days, not months. The paperwork has to be exact, because a misfiled bid or a missed page limit can disqualify a contractor from a multi-million dollar opportunity.

Important Notice

This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.

Last updated: April 2026