CMMC Level 1 Pillar Guide

CMMC Level 1 Self-Assessment Guide for DoD Contractors (2026)

A Petronella Technology Group plain-English walkthrough of the 17 NIST SP 800-171 Basic Safeguarding controls, the annual self-assessment cycle, the senior-official attestation, and the small-org scope-down patterns that keep Level 1 cost-effective for DoD subcontractors handling Federal Contract Information (FCI).

CMMC-AB RPO #1449 / BBB A+ Since 2003 / Whole-Team CMMC-RP / Founded 2002


Foundations

What is CMMC Level 1?

A short, plain-English answer to the question two CMMC L1 leads asked us by phone today: what does Level 1 actually require, and what does it not?

The Cybersecurity Maturity Model Certification (CMMC) is the U.S. Department of Defense framework that pulls long-standing federal cybersecurity practices into a tiered, contract-binding model for the entire defense industrial base. CMMC has three tiers. Level 1 is the entry tier and the only tier that never requires a third-party audit: it is satisfied by an annual self-assessment.

CMMC Level 1 is built on the 17 controls in NIST SP 800-171 Basic Safeguarding Requirements, which themselves trace back to the FAR 52.204-21 Basic Safeguarding clause that has been in DoD contracts since 2016. If your firm has been operating under FAR 52.204-21 for years, you are already practicing the substance of Level 1. CMMC Level 1 simply adds two formal expectations: an annual self-assessment, and a senior-official attestation submitted through the Supplier Performance Risk System (SPRS).

Critically, Level 1 is the FCI-only tier. FCI - Federal Contract Information - is information not intended for public release that is provided by or generated for the government under a contract. FCI is everything that is not openly published but also not Controlled Unclassified Information (CUI). If your contract delivers a commercial-off-the-shelf widget, a non-sensitive service, or back-office work that touches government data without ever touching CUI, Level 1 is your tier.

FCI vs. CUI: the line that decides your CMMC level

FCI is non-public contract information that the government has not marked or designated as CUI. Examples: unsigned contract drafts, internal price lists tied to a specific procurement, scheduling data the government wants kept off the open internet.

CUI is information the government has formally designated as requiring protection or controlled dissemination under the CUI Program (Executive Order 13556 and 32 CFR Part 2002). Examples: technical drawings of weapon systems, controlled technical data, certain procurement-sensitive information specifically marked CUI.

If your scope is FCI-only, Level 1 is your destination. Add CUI to the mix and you move to Level 2 or Level 3.

Phase 2 timeline. Under the DoD's phased CMMC rollout, contracts containing FAR 52.204-21 begin including the CMMC self-assessment requirement during Phase 2, which begins November 10, 2026. By that date your firm must be able to produce a current self-assessment and an active senior-official attestation in SPRS to bid on or perform work under in-scope contracts. The annual cycle starts the day your senior official signs the attestation.

Level 1 is sometimes called the "good cyber hygiene" tier, but that label undersells it. The 17 controls are real, the senior official's attestation is a personal accountability statement, and the False Claims Act risk for a knowingly false attestation is well-established. We treat Level 1 as a small, tractable, high-evidence-quality compliance program - not a checkbox.


Scope

Who needs CMMC Level 1?

Most subcontractors below the prime tier sit at Level 1. Here is how to tell whether your firm belongs at Level 1, Level 2, or somewhere in between.

The clearest decision criterion is data scope. Any DoD contractor that handles Federal Contract Information but does not handle Controlled Unclassified Information sits at Level 1. That covers an enormous portion of the defense industrial base, especially:

  • Subcontractors below the prime tier who deliver goods or services to a prime that holds CUI but who never receive CUI themselves
  • Commercial-off-the-shelf (COTS) suppliers selling unmodified commercial items that the prime then integrates into a CUI-bearing solution
  • Service providers performing tasks like janitorial, landscaping, light fabrication, or general logistics on a federal facility where the data they receive is non-public but not designated CUI
  • Engineering and AEC subcontractors doing facility-side work where their drawings cover building structure but not weapon systems or controlled technical data
  • Small specialty manufacturers producing components shipped to a prime for integration, where the shop drawings live within the prime's CUI envelope rather than your shop's

The most common ambiguity we see is the firm whose contract has not yet been re-flowed to make the FCI / CUI line obvious. The 2026 CMMC rollout is forcing primes to mark and flow CUI more cleanly than they have historically, and a lot of subs are discovering that the data they have been handling for years is actually still inside FCI scope. This is where a focused scoping call with a CMMC-RP team pays for itself: 30 minutes on the phone often confirms your firm is correctly at Level 1 and not the more expensive Level 2.

The 4-to-8 CUI-accessor pattern

A pattern we see again and again with smaller DoD subcontractors: only a handful of people in the company - often 4 to 8 - ever touch the CUI side of the business. Everyone else handles FCI, customer data, payroll, marketing, and general office work. For these firms, the right architecture is not a company-wide Level 2 environment. It is a scoped CUI enclave for the small group who needs it, while the rest of the company operates at Level 1. We cover this pattern in detail in our CMMC compliance hub and in the engagement-design section below.

Sister page: if you ultimately conclude you have CUI in scope, the upgrade path is documented on our CMMC compliance hub and on the deeper-dive compliance / cmmc-compliance page that walks through the full Level 2 + Level 3 architecture.


The 17 Controls

The 17 CMMC Level 1 Controls, by NIST 800-171 Family

Every one of the 17 Level 1 controls comes from NIST SP 800-171 Basic Safeguarding Requirements. Six families are represented: AC, IA, MP, PE, SC, SI. We list each below with a plain-English read and a one-line implementation note.

AC 3.1.1 - Limit System Access to Authorized Users
  Requires: Each system that processes FCI must restrict access to identified, authorized users, processes acting on behalf of users, and devices.
  Implementation note: Named user accounts, no shared logins. Document a current authorized-user list per system.

AC 3.1.2 - Limit System Access to Authorized Functions
  Requires: Limit what each authorized user is allowed to do on the system to the transactions and functions they need.
  Implementation note: Role-based access. Standard users do not have local admin or domain admin rights.

AC 3.1.20 - Verify and Control Connections to External Systems
  Requires: Control and verify any connection to or use of external systems, including personal devices, vendor systems, and the public internet.
  Implementation note: Document allowed external connections (cloud apps, vendor portals). Reject unsanctioned shadow IT.

AC 3.1.22 - Control FCI Posted on Public Systems
  Requires: Make sure FCI is not posted or processed on systems that are publicly accessible (your website, public cloud buckets, social media).
  Implementation note: Pre-publish review process. Audit cloud storage permissions on a documented cadence.

IA 3.5.1 - Identify Users, Processes, and Devices
  Requires: Each user, process, and device that accesses a system handling FCI must be uniquely identified.
  Implementation note: No "admin" / "office" shared accounts. One identity per human, one per service account, one per registered device.

IA 3.5.2 - Authenticate Users, Processes, and Devices
  Requires: Authenticate (verify) the identity of users, processes, and devices before granting access.
  Implementation note: Strong passwords, locked-down auth flows. MFA is not strictly required at L1 but is the easiest L2 stepping stone.

MP 3.8.3 - Sanitize or Destroy FCI Media Before Disposal
  Requires: Media containing FCI must be sanitized or destroyed before disposal or release for reuse.
  Implementation note: Documented destruction process for hard drives, laptops, USBs, and printed records. Vendor certificates of destruction.

PE 3.10.1 - Limit Physical Access to Authorized Individuals
  Requires: Limit physical access to systems, equipment, and operating environments to authorized individuals.
  Implementation note: Locked server room or networking closet. Badge / key control list with periodic review.

PE 3.10.3 - Escort Visitors and Monitor Activity
  Requires: Escort visitors and monitor visitor activity in areas where FCI is processed.
  Implementation note: Sign-in log, escort policy, and visitor badge program. Train your front-desk and reception staff.

PE 3.10.4 - Maintain Physical Access Audit Logs
  Requires: Maintain audit logs of physical access to facilities housing systems that process FCI.
  Implementation note: Visitor log retained, badge access logs retained where electronic, retention period documented.

PE 3.10.5 - Control and Manage Physical Access Devices
  Requires: Control and manage physical access devices: keys, key cards, combinations, and similar.
  Implementation note: Issued / revoked / inventoried list of badges and keys. Termination workflow recovers them.

SC 3.13.1 - Monitor and Protect Communications at Boundaries
  Requires: Monitor, control, and protect organizational communications at the external and internal system boundaries.
  Implementation note: Production-grade firewall with logged rule changes. Default-deny posture on the perimeter.

SC 3.13.5 - Implement Subnetworks for Publicly Accessible Components
  Requires: Separate publicly accessible system components (web servers, guest Wi-Fi, customer portals) from the internal network on a different subnet.
  Implementation note: DMZ or equivalent network segmentation. Guest Wi-Fi cannot route to the production LAN.

SI 3.14.1 - Identify and Remediate Flaws in a Timely Manner
  Requires: Identify, report, and correct system flaws (vulnerabilities, missing patches) in a timely manner.
  Implementation note: Documented patch cadence. Critical patches inside a published SLA. Evidence kept.

SI 3.14.2 - Provide Protection from Malicious Code
  Requires: Provide protection from malicious code at appropriate locations within the system.
  Implementation note: Endpoint protection (EDR or commercial AV) on every covered endpoint. Centrally managed where possible.

SI 3.14.4 - Update Malicious Code Protection Mechanisms
  Requires: Update malicious code protection mechanisms when new releases are available.
  Implementation note: Auto-updating signatures or definitions. Documented review cadence on the management console.

SI 3.14.5 - Perform Periodic and Real-Time Scans
  Requires: Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
  Implementation note: Real-time on-access scanning enabled. Scheduled full-system scans on a documented frequency.

The 17-control distribution

Six families. Four AC controls, two IA, one MP, four PE, two SC, four SI. The PE-heavy weighting is what often surprises first-time L1 firms - four of the 17 controls are about who can physically reach your equipment and who watches them when they do. The rest is about clean account hygiene, basic boundary protection, and patch / antivirus discipline.


Level Comparison

CMMC Level 1 vs. Level 2 vs. Level 3 - When to Upgrade

Three tiers, three data types, three assessment models. The trigger for moving up is almost never "we want more security." It is "the contract changed."

Level 1: FCI

17 controls from NIST SP 800-171 Basic Safeguarding. Annual self-assessment plus senior-official attestation in SPRS.

Trigger: any DoD contract that involves non-public contract information but no CUI. Most subcontractors below prime tier.

Level 2: CUI

110 controls from the full NIST SP 800-171. C3PAO third-party assessment every three years for prioritized acquisitions; annual self for the rest.

Trigger: contract introduces CUI. Often happens when a sub starts receiving controlled technical data, ITAR-adjacent drawings, or designated procurement-sensitive material.

Level 3: High-priority CUI

110 NIST 800-171 controls plus a subset of NIST SP 800-172 enhanced requirements. DIBCAC government-led assessment.

Trigger: handling CUI inside high-priority programs where advanced persistent threats are part of the threat model. Limited population of contractors.

When does a Level 1 firm need to move to Level 2?

The honest answer: when CUI lands on your systems. Not when your prime asks you to "be ready," not when a generic compliance checklist scares you, not when a vendor tries to upsell you. Look at the data flowing into your firm. If any of it is marked CUI, or if the prime has formally flowed down a CUI handling clause and you cannot confidently say no, you have crossed into Level 2 territory.

Three real-world triggers we see repeatedly:

  • Prime starts flowing CUI markings on transmittals that previously came in unmarked. The prime's CMMC L2 readiness work has surfaced your tier as an upgrade candidate.
  • Contract scope shifts from commodity goods to integration / engineering work that exposes you to controlled drawings or technical data.
  • You become a sub on a designated high-priority program, which can pull you toward Level 3 if you handle the CUI directly.

Whichever direction you go, the work is sequential. A clean, well-evidenced Level 1 program is the foundation underneath any Level 2 or Level 3 program. The 17 L1 controls do not disappear at L2 - they stay, and 93 more controls get added on top. Build L1 cleanly first.

Read more on the upgrade decision in our CMMC compliance hub, the in-depth compliance / cmmc-compliance guide, and the broader cyber security overview that frames Level 2 controls inside a real defense-in-depth architecture. If your firm is thinking about ongoing program ownership rather than one-time compliance work, our virtual CISO (vCISO) service is the operational pattern.


The Annual Cycle

The CMMC Level 1 Self-Assessment Process

A four-stage annual cycle: scope, evaluate, attest in SPRS, renew. The discipline that keeps a Level 1 program defensible is treating this as a recurring operating cycle, not a one-shot project.

Stage 1: Scope Definition

Define the boundary of your assessment. The question to answer is: which systems, networks, devices, and physical locations process, store, or transmit Federal Contract Information? The output is a written scope statement plus an asset inventory. The asset inventory should cover servers, workstations, mobile devices used for FCI handling, applications and SaaS subscriptions in the FCI flow, network infrastructure (firewalls, switches, Wi-Fi access points), and physical locations where FCI is stored or processed. Anything not on this list is either out of scope or you have a scoping problem.

The most useful scoping artifact is the data flow diagram for FCI: where it enters your environment, where it lives, where it leaves, and who touches it along the way. This is also where the small-org enclave pattern becomes visible. Many firms find that 80%+ of the company never touches FCI at all, which lets the scope (and the cost) shrink dramatically.

Stage 2: Control Evaluation

Walk through each of the 17 controls. For each one, document whether the control is met or not met, plus the evidence backing the determination. "Partial" is not an allowed self-assessment outcome at Level 1 - the answer is binary per control. Either the control is in place across all in-scope systems, or it is not, and a "not met" determination must be remediated before you can submit the attestation cleanly.

Evidence quality matters. The attesting senior official should be able to point to specific artifacts for each control: an authorized-user list (3.1.1), a screenshot showing role-based access controls in your directory service (3.1.2), the cloud app inventory (3.1.20), the website governance process (3.1.22), the unique-identity policy (3.5.1), the password and authentication standard (3.5.2), the media destruction certificates (3.8.3), the badge-issuance log (3.10.5), the firewall configuration export (3.13.1), the network diagram showing DMZ separation (3.13.5), the patch management runbook with last-30-days evidence (3.14.1), the EDR / antivirus management console screenshot (3.14.2 / 3.14.4 / 3.14.5), and the visitor logs (3.10.3 / 3.10.4).

Stage 3: Senior-Official Attestation in SPRS

The Level 1 self-assessment is filed in the Supplier Performance Risk System (SPRS). The senior official - typically the company president, CEO, or another officer with accountability for cybersecurity decisions - reviews the assessment and submits the attestation. This is a personal accountability statement: the senior official is signing under their own name that the firm has met all 17 controls.

The attestation creates real legal exposure. Knowingly submitting a false attestation could trigger False Claims Act liability, debarment from future DoD contracts, and personal exposure for the signing officer. We coach senior officials before they submit to confirm that the underlying evidence supports each "met" determination, that any "not met" controls have been remediated rather than papered over, and that the attestation date is anchored to a real assessment date.

Stage 4: Annual Renewal

Level 1 is an annual cycle. Each year, the assessment is repeated, evidence is refreshed, and the senior official re-attests. Between annual cycles, the program does not go quiet - new hires, departures, hardware changes, and contract changes all need to be reflected in the asset inventory and evidence. The cleanest pattern is a quarterly review of the inventory plus a half-year mid-cycle check on the technical controls (3.14.1 patching, 3.14.4 / 3.14.5 antivirus, 3.5.x identity hygiene), then a full re-evaluation in the month or two before the annual attestation date.

If your firm is operating without a designated owner of this annual cycle, it usually goes silent. Picking an internal owner - even a fractional one - or engaging an outside advisor for the annual re-evaluation is the single biggest investment in keeping a Level 1 program defensible over time.
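The Stage 2 binary-determination rule and the Stage 4 renewal cadence can be checked mechanically. The tracker below is an added example written for this guide, not a Petronella tool: it uses the 17 control IDs and families from the table above, treats "partial" as an invalid outcome, refuses a "met" with no artifact behind it, and reports when an attestation is inside the 90-day renewal window or past the 365-day mark. Artifact names and dates are constructed samples.

```python
"""Level 1 self-assessment tracker (added example, not a Petronella tool).

Enforces the page's Stage 2 and Stage 4 rules: every one of the 17 controls
gets a binary met / not met determination backed by evidence, an attestation
is current for 365 days, and re-evaluation should start 60-90 days before it
expires. Control IDs and families come from the guide's table; all sample
data is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# The 17 Level 1 controls and their NIST SP 800-171 families.
LEVEL1_CONTROLS = {
    "3.1.1": "AC", "3.1.2": "AC", "3.1.20": "AC", "3.1.22": "AC",
    "3.5.1": "IA", "3.5.2": "IA",
    "3.8.3": "MP",
    "3.10.1": "PE", "3.10.3": "PE", "3.10.4": "PE", "3.10.5": "PE",
    "3.13.1": "SC", "3.13.5": "SC",
    "3.14.1": "SI", "3.14.2": "SI", "3.14.4": "SI", "3.14.5": "SI",
}
VALID_STATUSES = ("met", "not met")   # "partial" is not an allowed L1 outcome
ATTESTATION_VALID_DAYS = 365          # SPRS attestation must be < 365 days old
RENEWAL_WINDOW_DAYS = 90              # start the re-evaluation 60-90 days out


@dataclass(frozen=True)
class Determination:
    control: str        # e.g. "3.1.1"
    status: str         # "met" or "not met"; anything else is rejected
    evidence: tuple     # artifact names backing a "met", e.g. ("user-list.xlsx",)


def evaluate(determinations):
    """Return (ready_to_attest, problems). Ready only when all 17 are met with evidence."""
    problems, seen = [], set()
    for d in determinations:
        if d.control not in LEVEL1_CONTROLS:
            problems.append(f"{d.control}: not a Level 1 control")
            continue
        if d.control in seen:
            problems.append(f"{d.control}: duplicate determination")
            continue
        seen.add(d.control)
        if d.status not in VALID_STATUSES:
            problems.append(f"{d.control}: status {d.status!r} not allowed, answer is binary")
        elif d.status == "not met":
            problems.append(f"{d.control}: not met, remediate before attesting")
        elif not d.evidence:
            problems.append(f"{d.control}: marked met with no supporting artifact")
    for control in LEVEL1_CONTROLS:           # every control needs a determination
        if control not in seen:
            problems.append(f"{control}: no determination recorded")
    return (not problems, problems)


def family_counts(controls=LEVEL1_CONTROLS):
    """Per-family control counts; should match the guide's 4/2/1/4/2/4 split."""
    return dict(Counter(controls.values()))


def attestation_status(attested_on_iso, today_iso):
    """'current', 'renew' (inside the renewal window) or 'expired'."""
    attested_on = date.fromisoformat(attested_on_iso)
    today = date.fromisoformat(today_iso)
    expires = attested_on + timedelta(days=ATTESTATION_VALID_DAYS)
    days_left = (expires - today).days
    if days_left <= 0:
        return "expired"
    if days_left <= RENEWAL_WINDOW_DAYS:
        return "renew"
    return "current"


def sample_determinations(overrides=None):
    """Constructed sample: all 17 met with one artifact each, plus optional overrides."""
    base = {c: Determination(c, "met", (f"{c}-evidence.pdf",)) for c in LEVEL1_CONTROLS}
    for d in overrides or []:
        base[d.control] = d
    return list(base.values())


if __name__ == "__main__":
    print(evaluate(sample_determinations()))
    partial = Determination("3.13.5", "partial", ("network-diagram.png",))
    print(evaluate(sample_determinations([partial])))
    print(family_counts())
    print(attestation_status("2025-01-15", "2025-11-20"))
```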


Practitioner Pitfalls

Eight Common Mistakes That Undermine a Level 1 Program

Patterns we see across DoD subcontractors when reviewing existing Level 1 work. Most are fixable in days, not months, once they are visible.

1. Treating Level 1 as a one-time project

The most damaging pattern. A firm runs a one-time gap closure, signs the SPRS attestation, and never opens the program again. Twelve months later the asset inventory is stale, employees have departed without offboarding, and the next attestation rests on year-old evidence. Level 1 is an annual recurring cycle - calendar it, own it, refresh evidence on a documented cadence.

2. Conflating FCI and CUI scope

Treating every piece of contract data as CUI is over-engineering and pulls you toward unnecessary Level 2 work. Treating CUI as FCI is under-engineering and creates compliance and contractual exposure. The fix is a written data classification policy plus a periodic walk-through of inbound transmittals to confirm marking discipline. Catch this drift early and Level 1 stays Level 1.

3. Missing or dated senior-official attestation in SPRS

The SPRS submission is not optional and not delegable below the senior-official threshold. We have reviewed firms whose internal team did the assessment work but the attestation never got filed - meaning, contractually, no Level 1 status exists. Equally common: an attestation was filed but is now over a year old. Either situation fails the Phase 2 contracting check.

4. Shared admin accounts (violates 3.5.1 and 3.1.1)

The persistent "office" / "admin" / "manager" shared login. Justified historically by convenience, fatal at Level 1. Each human gets their own account, period. Service accounts get their own non-human identities. Devices get their own machine accounts. The control text is explicit and the evidence demand is unambiguous.

5. No periodic review of authorized users (violates 3.1.1 and 3.1.20)

Departures happen, contractors finish their engagements, vendors change. The control requires verifying who currently has access to systems handling FCI - including external connections and cloud apps. Without a calendared review (we recommend quarterly), the authorized-user list silently rots. The remediation is a documented process plus a recurring calendar invite, not a tool.

6. Internet-exposed services without DMZ separation (violates 3.13.5 and 3.1.22)

The on-prem file server reachable through a port-forward "for vendor access." The marketing-team WordPress on the same VLAN as the production accounting system. Guest Wi-Fi that routes to the office subnet because someone "fixed" a printing problem. Each of these violates 3.13.5 directly. The fix is a clean DMZ design and a Wi-Fi VLAN that goes nowhere except the internet.

7. Patch management without evidence retention (violates 3.14.1)

Many firms patch on a reasonable cadence, but throw away the evidence. The L1 control requires you not just to patch, but to be able to show that you do - within the timeframe you have committed to. Keep the patch management console reports, screenshots of the last 30 / 60 / 90 days, and the documented SLA. "We patch regularly" is not an answer; "we patch critical vulnerabilities within 14 days and here is the report from the last cycle" is.

8. Treating the "self" in self-assessment as "informal"

Self-assessment does not mean unsupported by evidence, signed by the IT manager, or filed without senior-officer review. The False Claims Act risk attached to a knowingly false attestation is real, and at Level 1 the senior official's name is on the line. Run the assessment with the same evidence rigor you would apply if a C3PAO were sitting across the table - because in a year or two, if your contract scope shifts, one might be.


Engagement Archetype

How Petronella Technology Group Structures CMMC Level 1 Engagements

A four-phase engagement archetype, scoped to your asset count, your number of FCI accessors, and whether your scope is single-site or multi-site. Pricing is custom and tied to your real scope, not a published menu.

Phase 1: Scope Discovery + Asset Inventory

We sit down with your operations leadership, contracts team, and IT lead. We map every contract that brings FCI into your environment, every system that touches it, and every person who handles it. Output: written scope statement, current asset inventory, FCI data flow diagram, and a candid read on where your organization actually sits on the L1 / L2 line.

Typical duration: weeks 1 - 2

Phase 2: Control-by-Control Evidence Build

For each of the 17 controls, we either confirm an existing implementation (pulling the evidence into a single defensible folder) or design and deploy what is missing. Heavy emphasis on PE family controls, identity hygiene, and boundary protection - the three areas where smaller firms most frequently have gaps. Output: a complete control-by-control evidence binder mapped to NIST SP 800-171, ready for senior-official review.

Typical duration: weeks 3 - 6

Phase 3: Self-Assessment + Senior-Official Attestation Coaching

We run the formal self-assessment as a structured walk-through, document each "met" determination against the evidence, and prepare the senior official to file the attestation in SPRS with full understanding of what they are signing. Output: completed self-assessment, attestation submitted in SPRS, a written senior-officer briefing memo summarizing the program for board / leadership reference.

Typical duration: weeks 7 - 8

Phase 4: Annual Renewal Support

Quarterly check-ins on the asset inventory, mid-year technical-control health check, and the full annual re-evaluation in the months leading into the next attestation date. We also flag any contract-scope drift that might be pulling you toward Level 2, before that drift becomes a costly surprise. Optional vCISO retainer wraps this into a broader cybersecurity program.

Annual cadence, ongoing

Small-org enclave pattern: the 4-to-8 CUI accessors carve-out

If your firm has a small group (typically 4 - 8 people) who occasionally touch CUI for a specific contract while the rest of the organization stays in FCI-only territory, the cost-effective architecture is a scoped CUI enclave for that group, with the rest of the company operating cleanly at Level 1. We design the enclave so the L2-grade controls are concentrated where they need to be, the L1 controls cover the rest of the company, and the scope boundaries are documented well enough to defend in either tier of assessment.

This pattern is the single biggest cost lever we have seen for smaller defense-industrial-base firms. It is also one of the most common scoping errors when a firm self-engineers without a CMMC-RP advisor: they inherit a single-environment Level 2 design that is two to three times more expensive than they need.


Credentials

Why Petronella Technology Group for CMMC Level 1

Real credentials, named team, verifiable registries. We do not stretch claims and we do not call ourselves things we are not.

Petronella Technology Group is a North Carolina cybersecurity firm founded in 2002. We have been a managed service provider for 23 years and a CMMC consulting firm since the model was first introduced. We hold the credentials and registry listings the DoD contracting community looks for:

  • CMMC-AB Registered Provider Organization (RPO) #1449 - verified at the CyberAB Marketplace registry. RPO is the formal registration tier the CyberAB grants to organizations providing CMMC consulting and advisory services.
  • Whole-team CMMC-RP certified - every consulting member of the team holds the Registered Practitioner credential. That includes Craig Petronella (CMMC-RP, CCNA, CWNE, DFE #604180), Blake Rea (CMMC-RP), Justin Summers (CMMC-RP), and Jonathan Wood (CMMC-RP).
  • BBB A+ accreditation since 2003 - a 23-year continuous record of customer-facing accountability.
  • PPSB accreditation for the cybersecurity practice.
  • Founded 2002 - 23 years operating as a North Carolina IT and cybersecurity firm. The same engineering bench that runs our managed-service customers' day-to-day infrastructure runs the CMMC engagements.
  • Headquarters: 5540 Centerview Dr., Suite 200, Raleigh, NC 27606.
  • Phone: (919) 348-4912 (talk to Penny, who can book a free 15-minute consult on the calendar of the CMMC-RP team).

What we are not: we are not a C3PAO and we do not perform the formal third-party Level 2 certification audit. That is by design - the CyberAB ethical-separation rules keep advisory firms (RPOs) and assessor firms (C3PAOs) on opposite sides of the engagement so that consulting work is not assessed by the same firm that did it. When a Level 2 third-party audit is needed we hand off to a C3PAO partner. For Level 1, no third-party assessor is required at all - the work begins and ends with the RPO advisory engagement and the senior-official attestation.

We also do not claim to be an "NVIDIA Authorized Partner" or to hold credentials we do not actually have. The closest authorized claim we make is access to NVIDIA hardware via the NVIDIA Elite Partner Channel through our hardware sourcing relationships, which is irrelevant to a Level 1 engagement.

Founded 2002 / RPO 1449, CMMC-AB Registered / BBB A+ accreditation since 2003 / 17 of 17 L1 controls owned

We work primarily with North Carolina DoD subcontractors but accept engagements nationwide where remote-first delivery and a single on-site visit during Phase 1 fit the client's needs. Engineering firms, AEC subcontractors, and small specialty manufacturers are our most common Level 1 client profile - see our engineering firms cybersecurity practice for context on how the L1 work fits inside a broader engineering-firm cybersecurity program.


Questions and Answers

CMMC Level 1 Frequently Asked Questions

The questions we hear most often during scoping calls, answered plainly.

Do I need a third-party assessor for CMMC Level 1?

No. Level 1 is an annual self-assessment. You evaluate your own implementation of the 17 controls, document your evidence, and your senior official files the attestation in SPRS. There is no C3PAO audit at Level 1 and there is no fee owed to a third-party assessor body. Engaging a CMMC-RP advisory firm (Petronella is RPO #1449) is optional but commonly chosen because the senior-official attestation carries personal accountability and most firms want a second set of CMMC-trained eyes on the evidence before submission.

Does Level 1 require a SPRS score?

A SPRS filing, yes; a numeric score, no. The Level 1 attestation is filed in the Supplier Performance Risk System (SPRS) by your firm's senior official. The submission records your self-assessment status against the 17 controls and the date of attestation. SPRS is the contractual checkpoint the DoD uses at award time, so the attestation needs to be current (less than 365 days old) and accurately reflect your environment. Note that the Level 1 attestation is qualitatively different from the NIST SP 800-171 self-assessment basic / medium / high score that sometimes appears in Level 2 conversations - they live in the same system but they are separate filings.

What is the difference between Level 1 and Level 2?

Three differences. First, data scope: Level 1 protects FCI; Level 2 protects CUI. Second, control count: Level 1 covers 17 controls (NIST SP 800-171 Basic Safeguarding subset); Level 2 covers all 110 controls in NIST SP 800-171. Third, assessment model: Level 1 is annual self-assessment with senior-official attestation; Level 2 is, for prioritized acquisitions, a third-party C3PAO assessment every three years (with annual self-assessments for the rest). The trigger for moving up is the introduction of CUI into your contract scope.

How long does a Level 1 self-assessment take?

For a small-to-mid DoD subcontractor with reasonable IT hygiene, a clean Level 1 engagement runs 6 - 8 weeks end-to-end: 2 weeks of scoping and asset inventory, 3 - 4 weeks of evidence build and any gap remediation, and 1 - 2 weeks for the formal self-assessment and senior-official attestation in SPRS. Firms with significant gaps (no documented patch program, shared admin accounts, no DMZ, no media destruction process) can take longer because remediation must be completed before "met" can be honestly attested.

What happens if I "fail" Level 1?

There is no formal "failure" notice from a third party - you are self-attesting. But filing an attestation that does not actually reflect compliance is the wrong outcome. Two real risks: first, the senior official's personal accountability attaches to the signature, and a knowingly false attestation could trigger False Claims Act exposure and debarment. Second, your firm is contractually ineligible for in-scope DoD work without a current and truthful Level 1 attestation. The right sequence when remediation is needed is: do the remediation work first, then attest. Do not invert the order.

What is a Level 1 control "partial" implementation?

It is not a valid attestation outcome. Each of the 17 Level 1 controls is binary in the self-assessment - either met or not met. A partial implementation across part of your scope is a "not met" determination that needs to be remediated before the attestation. This is one of the biggest behavioral differences between Level 1 and Level 2: Level 2 has a graded scoring model for the NIST SP 800-171 self-assessment; Level 1 does not. Build your evidence with that binary in mind.

Do we need Level 1 if we only sell COTS?

Generally yes, but read the contract. The exemption that has historically applied to commercial-off-the-shelf items is narrow, and the FAR 52.204-21 Basic Safeguarding clause flows down broadly. If your firm is selling unmodified COTS through a federal contract vehicle and you receive any non-public contract information (purchase orders, schedules, point-of-contact lists, performance reports), you are likely in scope for FCI handling and therefore for Level 1. The cleanest answer comes from a 30-minute scoping call where we walk through your specific contract language together.

How do we prepare for the annual Level 1 renewal?

Three habits keep renewal painless. First, maintain the asset inventory continuously: every onboard / offboard, every new device, every new SaaS subscription gets reflected as it happens. Second, do quarterly mini-reviews of identity hygiene (3.5.1), authorized users (3.1.20), and patch / antivirus health (3.14.x). Third, schedule the formal annual re-evaluation 60 - 90 days before the attestation expires so there is room to remediate any newly-discovered gap. Firms that adopt this cadence treat renewal as routine; firms that do not treat it as a fire drill.

Will Level 1 transition to Level 2 if our contract changes?

Not automatically - you do not "promote" a Level 1 status to Level 2. What happens instead is that a contract change introducing CUI flows down a Level 2 obligation, and your firm has to stand up the additional 93 controls (110 total at Level 2 minus the 17 you already have at Level 1) before you can perform under the new contract. The annual self-assessment becomes a different posture, and depending on whether the new contract is on the prioritized-acquisition list, a C3PAO assessment may be required. Watch for prime flow-downs and contract amendments - they are the leading indicator.

Can we use Microsoft 365 Commercial for Level 1?

Generally yes, with reasonable configuration. Level 1's data scope is FCI (not CUI), and Microsoft 365 Commercial can be configured to satisfy the 17 Level 1 controls when paired with conditional access, restricted external sharing, named user accounts (no shared mailboxes for FCI handling), and basic logging hygiene. CUI scope is a different conversation entirely - Level 2 environments often require GCC or GCC High depending on the CUI category. If you are confident your scope is FCI-only and you are likely to stay there, Commercial is usually adequate. We confirm during Phase 1 scoping whether your configuration is currently aligned and what specific tenant settings need adjustment.


Ready to start your CMMC Level 1 self-assessment?

Two CMMC L1 leads phoned us today. Three more wrote in this week. The Phase 2 enforcement date of November 10, 2026 is closer than it looks, and the firms that scoped early have the cleanest programs. Let us run a no-cost 15-minute scoping call to confirm your tier, your asset count, and the right shape of engagement for your firm.

Penny, our AI receptionist, will book a 15-minute consult with the CMMC-RP team