(b) Program managers and requiring activities are responsible for identifying the CMMC Status that will apply to a procurement. Selection of the applicable CMMC Status will be based on factors including but not limited to:
- (1) Criticality of the associated mission capability;
- (2) Type of acquisition program or technology;
- (3) Threat of loss of the FCI or CUI to be shared or generated in relation to the effort;
- (4) Impacts from exploitation of information security deficiencies; and
- (5) Other relevant policies and factors, including Milestone Decision Authority guidance.