CMMC 2.0 level
PartsPerk targets CMMC 2.0 Level 2 readiness for the subset of business handling CUI, with the practices and processes from NIST SP 800-171 implemented as the control baseline. CMMC Level 1 (basic safeguarding of FCI per FAR 52.204-21) applies to broader business operations.
About the CMMC rule
The DoD's CMMC program rule (32 CFR Part 170) became effective December 16, 2024; the companion DFARS acquisition rule phases CMMC requirements into new solicitations over a three-year rollout running from 2025 through 2028. Solicitations that include DFARS 252.204-7021 require the contractor to hold the CMMC level identified in the solicitation at time of award and to maintain it for the life of the contract.
NIST SP 800-171 r3 control families
| Family | Coverage |
|---|---|
| 3.1 Access Control | Role-based access; least privilege; session lock; remote access control. |
| 3.2 Awareness & Training | Annual security awareness; insider-threat awareness; role-based training. |
| 3.3 Audit & Accountability | Audit logging; protected logs; review and retention; clock sync. |
| 3.4 Configuration Management | Baseline configurations; change control; least functionality; application allowlisting (deny-all, permit-by-exception). |
| 3.5 Identification & Authentication | Unique identifiers; MFA for privileged accounts and for all network (remote) access; replay-resistant authentication; password protections. |
| 3.6 Incident Response | IR plan; testing; reporting to DoD within 72 hours of discovery (DFARS 252.204-7012). |
| 3.7 Maintenance | Controlled remote and on-site maintenance; MFA required to establish nonlocal maintenance sessions over external connections. |
| 3.8 Media Protection | Media sanitization; encrypted transport; controlled access to media. |
| 3.9 Personnel Security | Screening before access; access termination; access agreements. |
| 3.10 Physical Protection | Facility access control; visitor logs; alternate site protections. |
| 3.11 Risk Assessment | Periodic risk assessments; vulnerability scanning; remediation tracking. |
| 3.12 Security Assessment | Periodic control assessments; continuous monitoring; SSP and POA&M maintained. |
| 3.13 System & Communications Protection | Boundary protections; cryptography (FIPS-validated); session authentication. |
| 3.14 System & Information Integrity | Patch management; malicious-code protection; security alerts. |
| 3.15 Planning | SSP, security architecture, system-baseline planning. |
| 3.16 System & Services Acquisition | Supply-chain risk management; vendor security agreements. |
| 3.17 Supply Chain Risk Management | SCRM plan; sub-tier flow-down; counterfeit avoidance. |
Note: CMMC Level 2 assessments under 32 CFR Part 170, and DFARS 252.204-7012 compliance under DoD Class Deviation 2024-O0013, are currently measured against NIST SP 800-171 Rev 2 (110 requirements in families 3.1 through 3.14). Families 3.15 through 3.17 are new in Rev 3 and are not part of the current assessment baseline.
SPRS self-assessment score
PartsPerk LLC maintains a Basic (self-)Assessment under the NIST SP 800-171 DoD Assessment Methodology and posts the resulting score, assessment date, and scope (the system security plan assessed) to the Supplier Performance Risk System (SPRS) per DFARS 252.204-7019 and -7020 when required by a contracting officer. Under -7019 a current Basic Assessment (not more than three years old) must be in SPRS before award of a contract subject to DFARS 252.204-7012; -7020 extends the same requirement to sub-tier suppliers and gives DoD the right to perform a Medium or High assessment. The current score, scope, and assessment date are available on request to compliance@partsperk.com.
Cyber-incident reporting (DFARS 252.204-7012)
- Cyber incidents affecting covered contractor information systems or covered defense information are reported to DoD through the DIBNet portal (dibnet.dod.mil) within 72 hours of discovery; submission requires a DoD-approved medium assurance certificate.
- Images of all known affected information systems and all relevant monitoring and packet-capture data are preserved and protected for at least 90 days from submission of the incident report, so that DoD can request them for a damage assessment.
- Customer notification is coordinated with the contracting officer per the underlying contract.
- Equivalent obligations, including the 72-hour reporting requirement, are flowed down to sub-tier suppliers that handle CUI; sub-tier incident reports go to DoD and to PartsPerk as the prime or next-higher-tier contractor.
Cloud services (DFARS 252.239-7010)
Where covered defense information is stored, processed, or transmitted using an external cloud service, that service meets the FedRAMP Moderate baseline or an equivalent demonstrated by a 3PAO body of evidence (as the DoD CIO's December 2023 equivalency memorandum requires), and complies with the DFARS 252.204-7012 paragraph (c) through (g) requirements for incident reporting, malicious-software submission, media preservation, forensic access, and damage assessment, as DFARS 252.204-7012(b)(2)(ii)(D) requires. Where DFARS 252.239-7010 applies, the requirement to keep Government data within the United States or outlying areas (absent written contracting-officer authorization) is reflected in the relevant sub-processor's contract.
Request our security package
Procurement, security, and program teams may request the SSP excerpt, POA&M summary, SPRS score, FIPS / FedRAMP attestations, and incident-response runbook under NDA at security@partsperk.com.
Question, request, or follow-up?
Reach the PartsPerk team for clarification, escalation, or to start a related conversation.
PartsPerk LLC · Delaware, United States · Doc /policies/cmmc-nist-800-171 · v1.0
