What are the essential requirements of CMMC certification?

by SecureSlate Team in CMMC

CMMC certification requirements depend on your level, assessment type, and contract, but several elements are essential across most DIB organizations pursuing Level 2 or higher.

This guide covers:

  • Core technical and administrative requirements by level
  • Mandatory documentation (SSP, policies, evidence)
  • SPRS, POA&M, and annual affirmation obligations

Key takeaways

  • Level 1 requires 15 safeguarding practices for FCI; annual self-assessment and SPRS entry.
  • Level 2 requires NIST SP 800-171 controls for CUI, plus robust documentation and evidence of operation.
  • Level 3 adds NIST SP 800-172 enhanced requirements on top of Level 2.
  • Assessments verify implementation, not policy documents alone.

Essential requirements by CMMC level

Level | Control set                                 | Essential themes
1     | FAR 52.204-21 (15 practices)                | Access, media, FCI boundaries, basic hygiene
2     | NIST SP 800-171 Rev. 2 (110 requirements)   | MFA, logging, encryption, IR, configuration management
3     | NIST SP 800-171 + NIST SP 800-172           | Advanced monitoring, segmentation, supply chain, resilience

Organizations must also maintain accurate scope: systems, environments, and personnel that process or store in-scope data.


Documentation and reporting requirements

Typical essential artifacts include:

  • System Security Plan (SSP) describing architecture, boundaries, and control implementation
  • Policies and procedures aligned to assessed practices
  • Plan of Action & Milestones (POA&M) for gaps (where permitted)
  • Evidence of operation: logs, tickets, training records, review minutes
  • SPRS score submission and updates per assessment outcomes

See CMMC controls explained.


Assessment and affirmation requirements

Beyond controls, CMMC programs require:

  • Assessment at the frequency defined for your level (self, C3PAO, or DIBCAC)
  • Annual affirmation of continued compliance by a senior official
  • Timely POA&M closure where conditional status is allowed (commonly 180 days for limited items)

Contract language determines whether Level 2 allows self-assessment or requires a C3PAO certification assessment.


Track requirements in SecureSlate

SecureSlate maps NIST practices to owners, due dates, and evidence, so requirement status stays visible between assessments.


FAQ

Are all 110 NIST 800-171 requirements always applicable?

Not necessarily. You document "not applicable" determinations, with justification, in your SSP; assessors validate those calls.

What happens if we fail a control?

You may remediate before assessment close, use an approved POA&M where allowed, or receive conditional status depending on level and assessor rules.


Disclaimer (legal note)

Requirements evolve with DoD policy updates. Validate obligations against your contract, 32 CFR, and assessor guidance.


Filed under: CMMC

Author: SecureSlate Team
